[Federal Register Volume 75, Number 10 (Friday, January 15, 2010)]
[Rules and Regulations]
[Pages 2598-2722]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-31362]
[[Page 2597]]
-----------------------------------------------------------------------
Part II
Department of Transportation
-----------------------------------------------------------------------
Federal Railroad Administration
-----------------------------------------------------------------------
49 CFR Part 229, 234, 235, et al.
Positive Train Control Systems; Final Rule
��Federal Register / Vol. 75 , No. 10 / Friday, January 15, 2010 /
Rules and Regulations��
[[Page 2598]]
-----------------------------------------------------------------------
DEPARTMENT OF TRANSPORTATION
Federal Railroad Administration
49 CFR Parts 229, 234, 235, and 236
[Docket No. FRA-2008-0132, Notice No. 3]
RIN 2130-AC03
Positive Train Control Systems
AGENCY: Federal Railroad Administration (FRA), Department of
Transportation (DOT).
ACTION: Final rule; request for comment on specific issues.
-----------------------------------------------------------------------
SUMMARY: FRA is issuing regulations implementing a requirement of the
Rail Safety Improvement Act of 2008 that defines criteria for certain
passenger and freight rail lines requiring the implementation of
positive train control (PTC) systems. This final rule includes required
functionalities of PTC system technology and the means by which PTC
systems will be certified. This final rule also describes the contents
of the PTC implementation plans required by the statute and contains
the process for submission of those plans for review and approval by
FRA. These regulations could also be voluntarily complied with by
entities not mandated to install PTC systems. This is a final rule;
however, FRA has identified specific provisions for which we are
considering making changes to the final rule, if warranted by the
public comments received. We expect to publish our response to those
comments, including any possible changes to the rule made as a result
of them, as soon as possible following the end of the comment period.
However, the limited areas of this rule open for additional comment do
not affect the requirement for railroads to prepare and submit plans in
accordance with the deadlines established in this final rule.
DATES: This final rule is effective March 16, 2010. Petitions for
reconsideration must be received on or before March 16, 2010. Comments
must be received on or before February 16, 2010.
ADDRESSES: Petitions for reconsideration and comments: Any petitions
for reconsideration or comments related to Docket No. FRA-2008-0132,
may be submitted by any of the following methods:
Web site: The Federal eRulemaking Portal, http://www.regulations.gov. Follow the Web site's online instructions for
submitting comments.
Fax: 202-493-2251.
Mail: Docket Management Facility, U.S. Department of
Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC
20590.
Hand Delivery: Room W12-140 on the Ground level of the
West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9
a.m. and 5 p.m. Monday through Friday, except Federal holidays.
Instructions: All submissions must include the agency name and
docket number or Regulatory Identification Number (RIN) for this
rulemaking. Note that all petitions received will be posted without
change to http://www.regulations.gov including any personal
information. Please see the Privacy Act heading in the SUPPLEMENTARY
INFORMATION section of this document for Privacy Act information
related to any submitted petitions, comments, or materials.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov or to Room W12-140
on the Ground level of the West Building, 1200 New Jersey Avenue, SE.,
Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except
Federal holidays.
FOR FURTHER INFORMATION CONTACT: Thomas McFarlin, Office of Safety
Assurance and Compliance, Staff Director, Signal & Train Control
Division, Federal Railroad Administration, Mail Stop 25, West Building
3rd Floor, Room W35-332, 1200 New Jersey Avenue, SE., Washington, DC
20590 (telephone: 202-493-6203); or Jason Schlosberg, Trial Attorney,
Office of Chief Counsel, RCC-10, Mail Stop 10, West Building 3rd Floor,
Room W31-217, 1200 New Jersey Avenue, SE., Washington, DC 20590
(telephone: 202-493-6032).
SUPPLEMENTARY INFORMATION: FRA is issuing this final rule to provide
regulatory guidance and performance standards for the development,
testing, implementation, and use of Positive Train Control (PTC)
systems for railroads mandated by the Rail Safety Improvement Act of
2008 Sec. 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008)
(codified at 9 U.S.C. 20157) (hereinafter ``RSIA08''), to implement PTC
systems. These regulations may also be voluntarily complied with by
entities not mandated to install PTC in lieu of the requirements
contained in subpart H of part 236. The final rule establishes
requirements for PTC system standard design and functionality, the
associated submissions for FRA PTC system approval and certification,
requirements for training, and required risk-based criteria. The RSIA08
mandates that widespread implementation of PTC across a major portion
of the U.S. rail industry be accomplished by December 31, 2015. This
final rule intends to provide the necessary Federal oversight,
guidance, and assistance toward successful completion of that
congressional requirement. This final rule also necessitates or results
in some minimal revision or amendment to parts 229, 234, and 235, as
well as previously existing subparts A through H of part 236.
Table of Contents for Supplementary Information
I. Introduction
II. Background
A. The Need for Positive Train Control Technology
B. Earlier Efforts To Encourage Voluntary PTC Implementation
C. Technology Advances Under Subpart H
III. The Rail Safety Improvement Act of 2008
IV. Public Participation
A. RSAC Process
B. Public Hearing and Comments Filed
V. Overview: The Proposed Rule, Comments, and Resolution of Comments
VI. Seeking Further Comments
VII. Section-by-Section Analysis
VIII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and
Procedures
B. Regulatory Flexibility Act and Executive Order 13272
C. Paperwork Reduction Act
D. Federalism Implications
E. Environmental Impact
F. Unfunded Mandates Reform Act of 1995
G. Energy Impact
H. Privacy Act
IX. The Rule
I. Introduction
This final rule provides new performance standards for the
implementation and operation of PTC systems as mandated by the RSIA08
and as otherwise voluntarily adopted. This final rule also details the
process and identifies the documents that railroads and operators of
passenger trains are to utilize and incorporate in their PTC
implementation plans required by the RSIA08. The final rule also
details the process and procedure for obtaining FRA approval of such
plans.
While developing this final rule, FRA applied the performance-based
principles embodied in existing subpart H of part 236 to identify and
remedy any weaknesses discovered in the subpart H regulatory approach,
while exploiting lessons learned from products developed under subpart
H. FRA has continued to make performance-based safety decisions while
supporting railroads in their development and implementation of PTC
system technologies. Development of this final rule was enhanced with
the participation of the Railroad Safety
[[Page 2599]]
Advisory Committee (RSAC), which tasked a PTC Working Group to provide
advice regarding development of implementing regulations for PTC
systems and their deployment that are required under the RSIA08. The
PTC Working Group made a number of consensus recommendations, which
were identified and included in the proposed rule, and has contributed
further refinements in the form of recommendations for resolution of
the public comments. The preamble discusses the statutory background,
the regulatory background, the RSAC proceedings, the alternatives
considered and the rationale for the options selected, the proceedings
to date, as well as the comments and conclusions on general issues.
Other comments and resolutions are discussed within the corresponding
section-by-section analysis.
II. Background
A. The Need for Positive Train Control Technology
Since the early 1920s, systems have been in use that can intervene
in train operations by warning crews or causing trains to stop if they
are not being operated safely because of inattention, misinterpretation
of wayside signal indications, or incapacitation of the crew. Pursuant
to orders of the Interstate Commerce Commission (ICC)--whose safety
regulatory activities were later transferred to FRA when it was
established in 1967--cab signal systems, automatic train control, and
automatic train stop systems were deployed on a significant portion of
the national rail system to supplement and enforce the indications of
wayside signals and operating speed limitations. However, these systems
were expensive to install and maintain, and with the decline of
intercity passenger service following the Second World War, the ICC and
the industry allowed many of these systems to be discontinued. During
this period, railroads were heavily regulated with respect to rates and
service responsibilities. The development of the Interstate Highway
System and other factors led to reductions in the railroads' revenues
without regulatory relief, leading to bankruptcies, railroad mergers,
and eventual abandonment of many rail lines. Consequently, railroads
focused on fiscal survival, and investments in expensive relay-based
train control technology were economically out of reach. The removal of
these train control systems, which had never been pervasively
installed, permitted train collisions to continue, notwithstanding
enforcement of railroad operating rules designed to prevent them.
As early as 1970, following its investigation of the August 20,
1969, head-on collision of two Penn Central Commuter trains near
Darien, Connecticut, in which 4 people were killed and 45 people were
injured, the National Transportation Safety Board (NTSB) asked FRA to
study the feasibility of requiring a form of automatic train control
system to protect against train operator error and prevent train
collisions. Following the Darien accident, the NTSB continued to
investigate one railroad accident after another caused by human error.
During the next two decades, the NTSB issued a number of safety
recommendations asking for train control measures. Following its
investigation of the May 7, 1986, rear-end collision involving a Boston
and Maine Corporation commuter train and a Consolidated Rail
Corporation (Conrail) freight train in which 153 people were injured,
the NTSB recommended that FRA promulgate standards to require the
installation and operation of a train control system that would provide
for positive train separation. NTSB Recommendation R-87-16 (May 19,
1987), available at http://www.ntsb.gov/Recs/letters/1987/R87_16.pdf.
When the NTSB first established its Most Wanted List of Transportation
Safety Improvements in 1990, the issue of Positive Train Separation was
among the improvements listed, and it remained on the list until just
after enactment of the RSIA08. Original ``Most Wanted'' list of
Transportation Safety Improvements, as adopted September 1990,
available at http://www.ntsb.gov/Recs/mostwanted/original_list.htm.
The NTSB continues to follow the progress of the technology's
implementation closely and participated through staff in the most
recent PTC Working Group deliberations.
Meanwhile, enactment of the Staggers Rail Act of 1980 signaled a
shift in public policy that permitted the railroads to shed
unprofitable lines, largely replace published ``tariffs'' with
appropriately priced contract rates, and generally respond to
marketplace realities, which increasingly demanded flexible service
options responsive to customer needs. The advent of microprocessor-
based electronic control systems and digital data radio technology
during the mid-1980s led the freight railroad industry, through the
Association of American Railroads (AAR) and the Railway Association of
Canada, to explore the development of Advanced Train Control Systems
(ATCS). With broad participation by suppliers, railroads, and FRA,
detailed specifications were developed for a multi-level ``open''
architecture that would permit participation by many suppliers while
ensuring that systems deployed on various railroads would work in
harmony as trains crossed corporate boundaries. ATCS was intended to
serve a variety of business purposes, in addition to enhancing the
safety of train operations. Pilot versions of ATCS and a similar system
known as Advanced Railroad Electronic Systems (ARES) were tested
relatively successfully, but the systems were never deployed on a wide
scale primarily due to cost. However, sub-elements of these systems
were employed for various purposes, particularly for replacement of
pole lines associated with signal systems.
Collisions, derailments, and incursions into work zones used by
roadway workers continued as a result of the absence of effective
enforcement systems designed to compensate for the effects of fatigue
and other human factors. Renewed emphasis on rules compliance and
federal regulatory initiatives, including rules for the control of
alcohol and drug use in railroad operations, operational testing and
inspection programs designed to verify railroad rules compliance,
requirements for qualification and certification of locomotive
engineers, and negotiated rules for roadway worker protection, led to
substantial reductions in risk. However, the lack of an effective
collision avoidance system allowed the continued occurrence of
accidents, some involving tragic losses of life, serious injury, and
significant property damage.
B. Earlier Efforts To Encourage Voluntary PTC Implementation
As the NTSB continued to highlight the opportunities for accident
prevention associated with emerging train control technology through
its investigations and findings, Congress showed increasing interest,
mandating three separate reports over the period of a decade. In 1994,
FRA reported to Congress on this problem, calling for implementation of
an action plan to deploy PTC systems (Report to Congress on Railroad
Communications and Train Control (July 1994) (hereinafter ``1994
Report'')). The 1994 Report forecasted substantial benefits of advanced
train control technology in supporting a variety of business and safety
purposes, but noted that an immediate regulatory mandate for PTC could
not be justified based upon normal cost-benefit principles relying on
direct safety
[[Page 2600]]
benefits. The report outlined an aggressive Action Plan implementing a
public-private sector partnership to explore technology potential,
deploy systems for demonstration, and structure a regulatory framework
to support emerging PTC initiatives.
Following through on the 1994 Report, FRA committed approximately
$40 million through the Next Generation High-Speed Rail Program and the
Research and Development Program to support development, testing, and
deployment of PTC prototype systems in the Pacific Northwest, Michigan,
Illinois, Alaska, and on some Eastern railroads. FRA also initiated a
comprehensive effort to structure an appropriate regulatory framework
for facilitating voluntary implementation of PTC and for evaluating
future safety needs and opportunities.
In September of 1997, FRA asked the RSAC to address the issue of
PTC. The RSAC accepted three tasks: Standards for New Train Control
Systems (Task 1997-06), Positive Train Control Systems-Implementation
Issues (Task 1997-05), and Positive Train Control Systems-Technologies,
Definitions, and Capabilities (Task 1997-04). The PTC Working Group was
established, comprised of representatives of labor organizations,
suppliers, passenger and freight railroads, other federal agencies, and
interested state departments of transportation. The PTC Working Group
was supported by FRA counsel and staff, analysts from the Volpe
National Transportation Systems Center (Volpe Center), and advisors
from the NTSB staff.
In 1999, the PTC Working Group provided to the Federal Railroad
Administrator a consensus report (Report of the Railroad Safety
Advisory Committee to the Federal Railroad Administrator,
Implementation of Positive Train Control Systems (August 1999)
(hereinafter ``1999 Report'')) with an indication that it would be
continuing its efforts. The 1999 Report defined the PTC core functions
to include: prevention of train-to-train collisions (positive train
separation); enforcement of speed restrictions, including civil
engineering restrictions (curves, bridges, etc.) and temporary slow
orders; and protection for roadway workers and their equipment
operating within their limits of authority. The PTC Working Group
identified additional safety functions that might be included in some
PTC architectures: provide warning of on-track equipment operating
outside their limits of authority; receive and act upon hazard
information, when available, in a more timely or more secure manner
(e.g., compromised bridge integrity, wayside detector data); and
provide for future capability by generating data for transfer to
highway users to enhance warning at highway-rail grade crossings. The
PTC Working Group stressed that efforts to enhance highway-rail grade
crossing safety must recognize the train's necessary right of way at
grade crossings and that it is important that warning systems employed
at highway-rail grade crossings be highly reliable and ``fail-safe'' in
their design.
As the PTC Working Group's work continued, other collaborative
efforts, including development of Passenger Equipment Safety Standards
(including private standards through the American Public Transit
Association), Passenger Train Emergency Preparedness rules, and
proposals for improving locomotive crashworthiness (including improved
fuel tank standards) have targeted reduction in collision and
derailment consequences.
In 2003, in light of technological advances and potential increased
cost and system savings related to prioritized deployment of PTC
systems, the Appropriations Committees of Congress requested that FRA
update the costs and benefits for the deployment of PTC and related
systems. As requested, FRA carried out a detailed analysis that was
filed in August of 2004, Benefits and Costs of Positive Train Control
(Report in Response to Committees on Appropriations, August 2004)
(``2004 Report''), which indicated that under one set of highly
controversial assumptions, substantial public benefits would likely
flow from the installation of PTC systems on the railroad system.
Further, the total amount of these benefits was subject to considerable
controversy. While many of the other findings of the 2004 Report were
disputed, there were no data submitted to challenge the 2004 Report
finding that reaffirmed earlier conclusions that the safety benefits of
PTC systems were relatively small in comparison to the large capital
and maintenance costs. Accordingly, FRA continued to believe that an
immediate regulatory mandate for widespread PTC implementation could
not be justified based upon traditional cost-benefit principles relying
on direct railroad safety benefits.
Despite the economic infeasibility of PTC based on safety benefits
alone, as outlined in the 1994, 1999, and 2004 Reports, FRA continued
with regulatory and other efforts to facilitate and encourage the
voluntary installation of PTC systems. As part of the High-Speed Rail
Initiative, and in conjunction with the National Railroad Passenger
Corporation (Amtrak), the AAR, the State of Illinois, and the Union
Pacific Railroad Company (UP), FRA created the North American Joint
Positive Train Control (NAJPTC) Program, which set out to describe a
single standardized open source PTC architecture and system. UP's line
between Springfield and Mazonia, Illinois was selected for initial
installation of a train control system to support Amtrak operations up
to 110 miles per hour, and the system was installed and tested on
portions of that line. Although the system did not prove viable as then
conceived, the project hastened the development of PTC technology that
was subsequently employed in other projects. Promised standards for
interoperability of PTC systems also proved elusive.
In addition to financially supporting the NAJPTC Program, FRA
continued to work with the rail carriers, rail labor, and suppliers on
regulatory reforms to facilitate voluntary PTC implementation. The
regulatory reform effort culminated when FRA issued a final rule on
March 7, 2005, establishing a technology neutral safety-based
performance standard for processor-based signal and train control
systems. This new regulation, codified as subpart H to part 236, was
carefully crafted to encourage the voluntary implementation and
operation of processor-based signal and train control systems without
impairing technological development. 70 FR 11,052 (Mar. 7, 2005).
FRA intended that final rule--developed through the RSAC process in
close cooperation with rail management, rail labor, and suppliers--to
further facilitate individual railroad efforts to voluntarily develop
and deploy cost effective PTC technologies that would make system-wide
deployment more economically viable. It also appeared very possible
that major railroads would elect to make voluntary investments in PTC
to enhance safety, improve service quality, and foster efficiency
(e.g., better asset utilization, reduced fuel use through train
pacing).
C. Technology Advances Under Subpart H
While FRA and RSAC worked to develop consensus on the regulations
that would become subpart H, the railroads continued with PTC prototype
development. The technology neutral, performance-based regulatory
process established by subpart H proved to be very successful in
facilitating the development of other PTC implementation approaches.
Although the railroads prototype development efforts were generally
technically
[[Page 2601]]
successful and offered significant improvements in safety, costs of
nationwide deployment continued to be untenable in the judgment of
those determining allocation of railroad capital. Information gained
from prototype efforts did little to reduce the estimated costs for
widespread implementation of the core PTC safety functions on the
nation's railroads.
Working under subpart H, the BNSF Railway Company (BNSF), CSX
Transportation, Inc. (CSXT), the Norfolk Southern Corporation (NS), and
UP undertook more aggressive design and implementation work. The new
subpart H regulatory approach also made it feasible for smaller
railroads, such as the Alaska Railroad and the Ohio Central Railroad,
to begin voluntary design and implementation work on PTC systems that
best suited their needs. FRA provided, and continues to provide,
technical assistance and guidance regarding regulatory compliance to
enable the railroads to more effectively design, install, and test
their respective systems.
In December 2006, FRA approved the initial version of the
Electronic Train Management System (ETMS[supreg]) product for
deployment on 35 of BNSF's subdivisions (``ETMS I Configuration'')
comprising single track territory that was either non-signaled or
equipped with traffic control systems. ETMS is a registered trademark
of Wabtec Railway Electronics. BNSF Railway has also referred to its
application of this technology as ``ETMS.''
In a separate proceeding, FRA agreed that ETMS could be installed
in lieu of restoring a block signal system on a line for which
discontinuance had been authorized followed by a significant increase
in traffic. During the same period, BNSF successfully demonstrated a
Switch Point Monitoring System (SPMS)--a system that contains devices
attached to switches that electronically report the position of the
switches to the railroad's central dispatching office and to the crew
of an approaching train--and a Track Integrity Warning System (TIWS)--a
system that also electronically reports to the railroad's central
dispatching office and to the crew of an approaching train if there are
any breaks in the rail that might lead to derailments or the condition
of track occupancy. FRA believes both of these technologies help to
reduce risk in non-signaled territory and are forward-compatible for
use with existing and new PTC systems. To be forward-compatible, not to
be confused with the similar concept of extensibility, a system must be
able to gracefully provide input intended for use in later system
versions. The introduction of a forward-compatible technology implies
that older devices can partly understand and provide data generated or
used by new devices or systems. The concept can be applied to
electrical interfaces, telecommunication signals, data communication
protocols, file formats, and computer programming languages. A standard
supports forward-compatibility if older product versions can receive,
read, view, play, execute, or transmit data to the new standard. In the
case of wayside devices, they are said to be forward-compatible if they
can appropriately communicate and interact with a PTC system when later
installed. A wayside device might serve the function of providing only
information or providing information and accepting commands from a new
system.
In addition to scheduling the installation of the ETMS I
configuration as capital funding became available, BNSF voluntarily
undertook the design and testing of complementary versions of ETMS that
would support BNSF operations on more complex track configurations, at
higher allowable train speeds, and with additional types of rail
traffic. Meanwhile, CSXT was in the process of redesigning and
relocating the test bed for its Communications Based Train Management
(CBTM) system, which it has tested for several years, and UP and NS
were working on similar systems using vital onboard processing.
As congressional consideration of legislation that resulted in the
RSIA08 commenced, all four major railroads had settled on the core
technology developed for them by Wabtec Railway Electronics
(``Wabtec''). As the legislation progressed, the railroads and Wabtec
worked toward greater commonality in the basic functioning of the
onboard system with a view toward interoperability. PTC applications of
ETMS include the non-vital PTC systems of BNSF's ETMS I and ETMS II,
CSXT's CBTM, UP's Vital Train Management System (VTMS), and NS's
Optimized Train Control (OTC). Further work is being undertaken by BNSF
to advance the capability of ETMS by integrating Amtrak operations
(ETMS III). For a description of system enhancements planned by BNSF as
per the Product Safety Plan filed in accordance with subpart H, see FRA
Docket No. 2006-23687, Document 0017, at pp. 40-43.
While the freight railroads' efforts for developing and installing
PTC systems progressed over a relatively long period of time, starting
with demonstrations of ATCS and ARES in the late 1980s and culminating
in the initial ETMS Product Safety Plan approval in December of 2006,
Amtrak demonstrated its ability to turn on revenue-quality PTC systems
on its own railroad in support of high-speed rail. Beginning in the
early 1990s, Amtrak developed plans for enhanced high-speed service on
the Northeast Corridor (NEC), which included electrification and other
improvements between New Haven and Boston and introduction of the Acela
trainsets as the premium service from Washington to New York and New
York to Boston. In connection with these improvements, which support
train speeds up to 150 miles per hour, Amtrak undertook to install the
Advanced Civil Speed Enforcement System (ACSES) as a supplement to
existing cab signals and automatic train control (speed control).
Together, these systems deliver PTC core functionalities. In support of
this effort, FRA issued an order for the installation of the system,
which required all passenger and freight operators in the New Haven-
Boston segment to equip their locomotives with ACSES. See 63 FR 39,343
(July 22, 1998). ACSES was installed between 2000 and 2002, and has
functioned successfully between New Haven and Boston, and on selected
high-speed segments between Washington and New York, for a number of
years.
Amtrak voluntarily began development of an architecturally
different PTC system, the Incremental Train Control System (ITCS), for
installation on its Michigan Line. Amtrak developed and installed ITCS
under waivers from specific sections of 49 CFR part 236, subparts A
through G, granted by FRA. ITCS was applied to tenant NS locomotives as
well as Amtrak locomotives traversing the route. Highway-rail grade
crossings on the route were fitted with ITCS units to pre-start the
warning systems for high-speed trains and to monitor crossing warning
system health in real time. The ITCS was tested extensively in the
field for safety and reliability, and it was placed in revenue service
in 2001. As experience was gained, FRA authorized increases in speed to
95 miles per hour; and FRA is presently awaiting final results of an
independent assessment of verification and validation for the system
with a view toward authorizing operations at the design speed of 110
miles per hour.
Despite these successes, the widespread deployment of these various
train control systems, particularly on the general freight system,
remained very much constrained by prohibitive capital costs. While the
railroads were committed to installing these new systems to enhance the
safety afforded
[[Page 2602]]
to the public and their employees, the railroads' actual widespread
implementation remained forestalled due to an inability to generate
sufficient funding for these new projects in excess of the capital
expenditures necessary to cover the ongoing operating and maintenance
costs. Accordingly, the railroads continued to plan very slow
deployments of PTC system technologies.
III. The Rail Safety Improvement Act of 2008
On May 1, 2007, H.R. 2095 was introduced in the House of
Representatives, which would, among other things, mandate the
implementation and use of PTC systems. The bill passed the House, as
amended, on October 17, 2007. The bill was then amended and passed by
the Senate on August 1, 2008. While the bill was awaiting final
passage, the FRA Administrator testified before Congress that ``FRA is
a strong supporter of PTC technology and is an active advocate for its
continued development and deployment.'' Senate Commerce Committee
Briefing on Metrolink Accident, 110th Cong. (Sept. 23, 2008) (written
statement of Federal Railroad Administrator Joseph H. Boardman),
available at http://www.fra.dot.gov/downloads/PubAffairs/09-23-08FinalStatementFRAAdministratorPTC_Sen_Boxer_Meeting.pdf.
On September 24, 2008, the House concurred with the Senate
amendment and added another amendment pursuant to H. Res. 1492. When
considering the House's amendment, various Senators made statements
referencing certain train accidents that were believed to be PTC-
preventable. For instance, Senator Lautenberg (NJ) took notice of the
collision at Graniteville, South Carolina, in 2005, and Senators
Lautenberg, Hutchinson (TX), Boxer (CA), Levin (MI), and Carper (DE)
took notice of an accident at Chatsworth, California, on September 12,
2008. According to Senator Levin, federal investigators have said that
a collision warning system could have prevented that crash and the
subject legislation would require that new technology to prevent
crashes be installed in high risk tracks. Senators Carper and Boxer
made similar statements, indicating that PTC systems are designed to
prevent train derailments and collisions, like the one in Chatsworth.
154 Cong. Rec. S10283-S10290 (2008). Ultimately, on October 1, 2008,
the Senate concurred with the House amendment.
The Graniteville accident referenced by Senator Lautenberg occurred
in the early morning hours of January 6, 2005, when a northbound NS
freight train, operating within non-signaled (dark) territory,
encountered an improperly lined switch that diverted the train from the
main line onto an industry track, where it struck the locomotive of an
unoccupied, parked train. The collision derailed both locomotives and
16 of the 42 freight cars of the moving train, as well as the
locomotive and 1 of the 2 cars of the parked train. Among the derailed
cars from the moving train were three tank cars containing chlorine,
one of which was breached, releasing about 60 tons of chlorine gas. The
train engineer and eight other people died as a result of chlorine gas
inhalation. About 554 people complaining of respiratory difficulties
were taken to local hospitals. Of these, 75 were admitted for
treatment. Because of the chlorine release, about 5,400 people within a
1-mile radius of the derailment site were evacuated for almost 2 weeks.
The Chatsworth train collision occurred on the afternoon of
September 12, 2008, when a UP freight train and a Metrolink commuter
train collided head-on on a single main track equipped with a Traffic
Control System (TCS) in the Chatsworth district of Los Angeles,
California. Although NTSB has not yet released its final report,
evidence summarized at the NTSB's public hearing suggested that the
Metrolink passenger train was being operated on the main track past an
absolute signal at a control point displaying a stop indication, when
it trailed through a power-operated switch lined against its movement,
and entered a section of single track where the opposing UP freight
train was operating on a permissive signal indication. The UP train was
lined to enter the siding at the control point, after which the switch
would have been lined for the Metrolink train to proceed. As a
consequence of the accident, 25 people died and over 130 more were
seriously injured.
Prior to the accidents in Graniteville and Chatsworth, the
railroads' slow incremental deployment of PTC technologies--while not
uniformly agreed upon by the railroads, FRA, and NTSB--was generally
deemed acceptable by them in view of the tremendous costs involved.
Partially as a consequence and severity of these very public accidents,
coupled with a series of other less publicized accidents, Congress
passed the RSIA08 and it was signed into law by the president on
October 16, 2008, marking a public policy decision that, despite the
implementation costs, railroad employee and general public safety
warranted mandatory and accelerated installation and operation of PTC
systems.
As immediately relevant to this rulemaking, the RSIA08 requires the
installation and operation of PTC systems on all rail main lines,
meaning all intercity and commuter lines--with limited exceptions
entrusted to FRA--and on freight-only rail lines when they are part of
a Class I railroad system, carrying at least 5 million gross tons of
freight annually, and carrying any amount of poison- or toxic-by-
inhalation (PIH or TIH) materials. While the statute vests certain
responsibilities with the Secretary of the U.S. Department of
Transportation, the Secretary has since delegated those
responsibilities to the FRA Administrator. See 49 CFR 1.49(oo); 74 FR
26,981 (June 5, 2009); see also 49 U.S.C. 103(g).
In the RSIA08, Congress established very aggressive dates for PTC
system build-out completion. Each subject railroad is required to
submit to FRA by April 16, 2010, a PTC Implementation Plan (PTCIP)
indicating where and how it intends to install PTC systems by December
31, 2015.
In light of the timetable instituted by Congress, and to better
support railroads with their installation while maintaining safety, FRA
decided that it is appropriate for mandatory PTC systems to be reviewed
by FRA differently than the regulatory approval process provided under
subpart H. FRA believes that it is important to develop a process more
suited specifically for PTC systems that would better facilitate
railroad reuse of safety documentation and simplify the process of
showing that the installation of the intended PTC system did not
degrade safety. FRA also believes that subpart H does not clearly
address the statutory mandates and that such lack of clarity would
complicate railroad efforts to comply with the new statutory
requirements. Accordingly, FRA hereby amends part 236 by modifying
existing subpart H and adding a new subpart I.
IV. Public Participation
A. RSAC Process
In March 1996, FRA established the RSAC, which provides a forum for
collaborative rulemaking and program development. The RSAC includes
representatives from all of the agency's major stakeholder groups,
including railroads, labor organizations, suppliers and manufacturers,
other government agencies, and other interested parties. When
appropriate, FRA assigns a task to the RSAC, and after consideration
and debate, the RSAC may accept or reject
[[Page 2603]]
the task. If accepted, the RSAC establishes a working group comprised
of persons that possess the appropriate expertise and representation of
interests to develop recommendations to FRA for action on the task.
These recommendations are developed by consensus. The working group may
establish one or more task forces or other subgroups to develop facts
and options on a particular aspect of a given task. The task force, or
other subgroup, reports to the working group. If the working group
comes to consensus on recommendations for action, the package is
presented to the RSAC for a vote. If the proposal is accepted by a
simple majority of the RSAC, the proposal is formally recommended to
FRA. FRA then determines what action to take on the recommendation.
Because FRA staff has played an active role at the working group and
subgroup levels in discussing the issues and options and in drafting
the language of the consensus proposal, and because the RSAC
recommendation constitutes the consensus of some of the industry's
leading experts on a given subject, FRA is generally favorably inclined
toward the RSAC recommendation. However, FRA is in no way bound to
follow the recommendation and the agency exercises its independent
judgment on whether the recommended rule achieves the agency's
regulatory goals, is soundly supported, and was developed in accordance
with the applicable policy and legal requirements. Often, FRA varies in
some respects from the RSAC recommendation in developing the actual
regulatory proposal.
In developing the proposed rule in this proceeding, FRA adopted the
RSAC approach by re-convening the PTC Working Group that had produced
the rule recommendation resulting in subpart H. As part of this effort,
FRA worked with the major stakeholders affected by this rulemaking in
collaborative a manner as possible. FRA believes establishing a
collaborative relationship early in the product development and
regulatory development cycles can help bridge the divide between the
railroad carrier's management, railroad labor organizations, the
suppliers, and FRA by ensuring that all stakeholders are working with
the same set of data and have a common understanding of product
characteristics and functionality or their related processes production
methods, including the regulatory provisions, with which compliance is
mandatory. However, where the group failed to reach consensus on an
issue, FRA used its authority to resolve the issue, attempting to
reconcile as many of the divergent positions as possible through
traditional rulemaking proceedings.
On December 10, 2008, the RSAC accepted a task (No. 08-04) entitled
``Implementation of Positive Train Control Systems.'' The purpose of
this task was defined as follows: ``To provide advice regarding
development of implementing regulations for Positive Train Control
(PTC) systems and their deployment under the Rail Safety Improvement
Act of 2008.'' The task called for the RSAC PTC Working Group to
perform the following:
Review the mandates and objectives of the Act related to
deployment of PTC systems;
Help to describe the specific functional attributes of
systems meeting the statutory purposes in light of available
technology;
Review impacts on small entities and ascertain how best to
address them in harmony with the statutory requirements;
Help to describe the details that should be included in
the implementation plans that railroads must file within 18 months of
enactment of the Act;
Offer recommendations on the specific content of
implementing regulations; and
The task also required the PTC Working Group to:
Report on the functionalities of PTC systems;
Describe the essential elements bearing on
interoperability and the requirements for consultation with other
railroads in joint operations; and
Determine how PTC systems will work with the operation of
non-equipped trains.
The PTC Working Group was formed from interested organizations that
are members of the RSAC. The following organizations contributed
members:
American Association of State Highway and Transportation Officials
(AAHSTO)
American Chemistry Council (ACC)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
Association of American Railroads (AAR)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Locomotive Engineers and Trainmen Division (BLET)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration* (FTA)
International Brotherhood of Electrical Workers (IBEW)
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Transport Canada*
Tourist Railway Association Inc.
United Transportation Union (UTU)
------------
*Indicates associate (non-voting) member.
From January to April 2009, FRA met with the entire PTC Working
Group 5 times over the course of 12 days. During those meetings, in
order to efficiently accomplish the tasks assigned to it, the PTC
Working Group empowered three task forces to work concurrently. These
task forces were the passenger, short line and regional railroad, and
the radio and communications task forces. Each discussed issues
specific to its particular interests and needs and produced proposed
rule language for the PTC Working Group's consideration. The majority
of the proposals were adopted into the proposed rule as agreed upon by
the working group, with rule language related to a remaining few issues
being further discussed and enhanced for inclusion into the rule by the
PTC Working Group.
The passenger task force discussed testing issues relating to parts
236 and 238 and the definition of ``main line'' under the statute,
including possible passenger terminal and limited operations exceptions
to PTC implementation. Recommendations of the task force were presented
to the PTC Working Group, which adopted or refined each suggestion.
The short line and regional railroad task force was formed to
address the questions pertaining to Class II and Class III railroads.
Specifically, the group discussed issues regarding the trackage rights
of Class II and III railroads using trains not equipped with PTC
technology over a Class I railroad's PTC territory, passenger service
over track owned by a Class II or Class III railroads where PTC would
not otherwise be required, and rail-to-rail crossings-at-grade
involving a Class I railroad's PTC equipped line and a Class II or III
railroad's PTC unequipped line. After much discussion, there were no
consensus resolutions reached to any of the main issues raised.
However, the discussion yielded insights utilized by FRA in preparing
this final rule.
The radio and communications task force addressed wireless
communications issues, particularly as they relate to communications
security, and recommended language for Sec. 236.1033.
FRA staff worked with the PTC Working Group and its task forces in
[[Page 2604]]
developing many facets of the final rule. FRA gratefully acknowledges
the participation and leadership of representatives who served on the
PTC Working Group and its task forces. These points are discussed to
show the origin of certain issues and the course of discussion on these
issues at the task force and working group levels. We believe this
helps illuminate the factors FRA weighed in making its regulatory
decisions regarding this final rule and the logic behind those
decisions.
In general, the PTC Working Group agreed on the process for
implementing PTC under the statute, including decisional criteria to be
applied by FRA in evaluating safety plans, adaptation of subpart H
principles to support this mandatory implementation, and refinements to
subpart H and the part 236 appendices necessary to dovetail the two
regulatory regimes and take lessons from early implementation of
subpart H, including most aspects of the training requirements. Notable
accords were reached, as well, on major functionalities of PTC and on
exceptions applicable to passenger service (terminal areas and limited
main line exceptions). Major areas of disagreement included whether to
allow non-equipped trains on PTC lines, extension of PTC to lines not
within the statutory mandate, and whether to provide for onboard
displays or terminals visible and accessible to employees other than
the locomotive engineer when two or more persons are regularly assigned
duties in the cab. Some additional areas of concern were discussed but
could not be resolved in the time available. It was understood that
where discussion did not yield agreement, FRA would make proposals
within a Notice of Proposed Rulemaking (NPRM) and receive public
comment.
B. Public Hearing and Comments Filed
FRA issued an NPRM on July 21, 2009, and accepted comments on this
proposed regulation until August 20, 2009. A public hearing was also
held in connection with the NPRM in Washington, DC, on August 13, 2009,
as further described below.
During the comment period, a number of entities filed comments
requesting that FRA extend the comment period to the proposed rule in
this proceeding. FRA regrettably denied those requests due to the
urgent need to prepare, process, and publish a final rule at the
earliest possible date. Since railroads subject to the rules are each
required to file a PTCIP by April 16, 2010, under the terms of the
RSIA08, it was important that FRA provide reliable guidance for this
process to occur in a timely manner. However, FRA responded to two of
those requests on the record, indicating that it is FRA's policy to
consider late-filed comments to the extent practicable and inviting the
railroads to supplement their comments as soon as possible even if it
is necessary to file after the formal comment period has closed.
On August 13, 2009, FRA held a hearing to provide interested
parties an opportunity to enter oral statements into the record. The
AAR, Amtrak, BNSF, and CSXT entered prepared statements into the record
and UP and NS indicated their concurrence with those statements. An
oral statement was also entered into the record by a representative of
six (6) rail labor organizations, including the American Train
Dispatchers Association (ATDA), BLET, BMWED, BRS, IBEW, and UTU
(collectively, the ``Rail Labor Organizations'' or ``RLO''). AASHTO
also provided an oral statement at the hearing, indicating that it
fully supports the implementation of the proposed rule. Copies of the
prepared statements and of the hearing transcript can be found in the
docket to this proceeding.
Subsequently, written comments were filed by the American Shortline
and Regional Railroad Association (ASLRRA), Amtrak, APTA, ACC, AAR,
BNSF, Caltrain, Canadian Pacific (CP), The Chlorine Institute (CI),
CSXT, Friends of the Earth, GE Transportation (GE), HCRQ, Inc. and
Cattron Group International (collectively, ``HCRQ/CGI''), Invensys Rail
Group--Safetran Systems (``Safetran''), NTSB, New York State
Metropolitan Transportation Authority (NYSMTA), NJ Transit, Northern
Indiana Commuter Transportation District (NICTD), Pacific Southwest
Railway Museum, RLO, Railroad Passenger Car Alliance, San Bernardino
Railway Historical Society, Southern California Regional Rail Authority
(SCRRA or Metrolink), The Fertilizer Institute (TFI), Tourist Railway
Association, Trinity Railway Express (TRE or Trinity), Utah Transit
Authority (UTA) and a number of individuals.
After the comment period closed on August 20, 2009, the RSAC PTC
Working Group was reconvened for 3 days. The PTC Working Group agreed
on a number of recommendations for resolution of comments which were
presented to the full RSAC on September 10. In voting by mail ballot
that concluded on September 24, the RSAC adopted the recommendations,
which are discussed below in the context of the specific issues that
they address.
V. Overview: The Proposed Rule, Comments, and Resolution of Comments
In broad summary, the proposed rule provided for joint filing of
PTCIPs by all railroads engaged in joint operations. Each PTCIP was to
be accompanied or preceded by a PTC Development Plan (PTCDP) or PTC
Safety Plan (PTCSP) detailing the technology to be employed, or by a
Type Approval obtained by another railroad through approval of a PTCDP.
As further discussed below, this overall structure was generally
embraced by the industry parties and the commenters; but the extended
period for delivery of interoperability standards has given rise to the
need for some significant adjustments that are included in the final
rule.
Under the NPRM language, Class I freight railroads would be
required to describe in their PTCIPs the routes to be equipped based on
traffic densities (lines carrying more than 5 million gross tons) and
presence of PIH traffic during calendar year 2008. They would be
permitted to amend those plans if FRA found that removal of a line was
``consistent with safety and in the public interest.'' The discussion
below reflects the serious objections of the Class I railroads to this
``base year'' approach and adjustments that FRA makes in this final
rule to provide somewhat greater flexibility on the face of the
regulation. The discussion and final rule also provide FRA's response
to a suggestion by the AAR that FRA create a ``de minimis'' exception
to the requirement that lines carrying PIH traffic be equipped with
PTC, an issue raised for the first time in response to the NPRM.
FRA proposed to adapt the performance-based structure of subpart H,
which had been developed through the consensus process to encourage
deployment of PTC and related technologies to provide a means of
qualifying PTC systems under the RSIA08. In order to promote completion
of PTC deployment by the end of 2015, as required by law, FRA proposed
functional requirements that could be met by available technology.
These provisions continue to enjoy broad support from the industry
parties and commenters, but the final rule makes numerous perfecting
changes to the implementing language in response to specific comments.
The NPRM set forth requirements for equipping of trains with PTC
that reflected FRA's perception of practical considerations (e.g., not
all locomotives can be equipped at once, and switching out locomotives
to commit them to
[[Page 2605]]
equipped routes would involve significant cost and safety exposure),
historic tolerance for some incidental unequipped movements under
circumstances where strict adherence would create obvious hardship
without commensurate safety benefits (e.g., locomotives of Class II and
III railroads generally spend little time on Class I railroads and have
a good safety record, yet requiring that they be equipped could result
in expenditures greater than the previous value of the locomotives),
and movement restrictions applicable where controlling locomotives
might have failed onboard PTC equipment. These proposals elicited some
strong objections and proposals for improvement. Several commenters
asked that occasional movement of trains led by historic locomotives be
permitted without equipping the locomotives with PTC technology. The
final rule makes a number of changes, while endeavoring to carry
forward the lessons of many decades and while recognizing the need for
regulatory flexibility.
Relying on existing train control requirements, the NPRM proposed
that each assigned crew member be able to view the PTC display and
perform assigned functions from their normal position in the cab. The
NPRM also addressed the need to avoid task overload on the locomotive
engineer by having that person perform functions that could distract
from attention to current safety duties. FRA has considered the Class I
railroads' argument that, if a single display was acceptable under
subpart H, it should be acceptable under the proposed subpart I.
Although FRA has considered carefully the carriers' arguments on this
point, the final rule carries forward principles of crew resource
management by ensuring that each crew member has the information and
ability to perform their assigned function and, therefore, where a PTC
overlay system is used, that all of the safety features of the
underlying operation to which PTC is added will be kept.
One of the critical choices assigned to FRA under the law was
specification of any exceptions to passenger ``main track'' requiring
installation of PTC. The NPRM carried forward narrow exceptions crafted
at the request of commuter and intercity railroads. Amtrak followed
with comments on the NPRM asking for a broader exception. They noted in
particular that the incremental costs of PTC on some lines with limited
freight traffic and relatively few Amtrak trains might need to be borne
by states that support particular services, and the funding might not
be available to do so. Following recommendations from the RSAC Working
Group, FRA is including additional latitude to bring forward specific
exceptions for FRA review and approval, with or without conditions.
The NPRM was technology neutral and directed at the outcomes
desired. A number of the comments addressed the issue of market
concentration and absence of effective choices in selecting PTC
technology. In this regard, some felt that FRA should specify
attributes of interoperability in the form of open standards. The final
rule continues to rely on safety performance as the basis for FRA
certification of PTC systems. FRA declines at this time to deprive
those railroads that have served as technology leaders in developing
PTC systems of the latitude to implement their systems, given their
apparent willingness to provide open standards for attributes of the
technology over which they have control, and given the predictable
delays that would ensue should alternative approaches be specified. FRA
is aware that this creates a degree of reliance on others with respect
to those railroads that stood back and waited for others to develop PTC
technology. Further, some degree of market concentration may exist on
the general freight network, in particular, given the dominance of one
vendor or supplier with respect to the core of the onboard systems. FRA
financially supported development of interoperability standards through
the North American Positive Train Control Program (the technology
selected for demonstration was not deployed, and no standards were
delivered) and again through the American Railway Engineering and
Maintenance Association (standards have been published and are
available, but no railroad has signaled an intention to employ them).
The choice of technology that will be deployed should, in FRA's view,
be made by those who are making the investments.
Finally, the NPRM took a traditional approach to recognition of
technology, requiring that railroads step forward, individually or with
their suppliers, to request recognition of PTC systems. Suppliers
commented that they should be able to step forward without railroad
participation and receive recognition for systems, subsystems, and
components that would later be incorporated in PTC systems approved by
FRA. They noted that the NPRM would burden them with reporting
obligations while not conferring status to receive direct product
recognition. While recognizing the commenters' logic, FRA could not
find a means in the final rule to relieve these concerns, given limited
technical staffing at FRA, the potential for filings representing
technology that the industry would not employ, the inherent difficulty
associated with addressing the safety of technology below the system
level, and the critical need to provide rapid responses to necessary
filings.
Each of the comments on the NPRM, including comments not within the
scope of this overview, is discussed in relation to the topic addressed
in the section-by-section analysis below.
VI. Seeking Further Comments
While this final rule is effective on the date indicated herein,
FRA believes that certain issues warrant further discussion.
Accordingly, FRA will continue to seek comments limited to increasing
the clarity, certainty, and transparency of the criteria governing the
removal from a PTCIP (and therefore from the requirement to install
PTC) of any track segments on which PTC systems have yet to be
installed for which a railroad seeks relief from the requirement to
install PTC. FRA considers this issue separate and distinct from the
discontinuance of any already installed or existing PTC systems, which
is governed under Sec. 236.1021, part 235 of this title, and the
``Signal Inspection Act'' (codified at 49 U.S.C. 20501-20505). Any
further comments should be limited to the scope of the issues indicated
in this preamble to which FRA seeks further comments.
In Sec. 236.1005(b)(4)(i)(A)(2), the final rule provides certain
factors that FRA will consider when determining whether to approve
exclusion of a line from the PTCIP in the case of cessation of PIH
traffic over a particular track segment. For instance, under Sec.
236.1005(b)(4)(i)(A)(2)(ii), the requesting railroad must show that any
rerouting of PIH traffic from the subject track segment is justified
based upon the route analysis submitted. FRA seeks comments on how the
elements of a route analysis should be weighed by FRA when determining
whether rerouting as provided under this paragraph is sufficiently
justified.
Section 236.1005(b)(4)(i)(A)(2)(iii) concerns the risk remaining on
a track segment if PIH traffic were to be removed. FRA also seeks
comments on how to measure the appropriate level of risk established in
Sec. 236.1005(b)(4)(i)(A)(2)(iii) to require the installation of PTC
on lines not carrying PIH or passenger traffic. No railroad has
supplied data supporting further track exceptions from PTC system
installation consistent with
[[Page 2606]]
statutory and safety requirements. Thus, FRA requests additional data
to support commenters' positions. FRA also seeks comment and
information on ways that it might consider risk mitigations other than
by a compensating extension of PTC or PTC technologies.
In Sec. 236.1005(b)(4)(i), the final rule provides an exception to
PTC system implementation where such implementation would provide only
a de minimis PIH risk. While in the proposed rule FRA sought means to
reduce the railroads' burdens associated with this rule, no specific de
minimis exception was proposed. The AAR mentioned this possibility in
its comment filed during the comment period and offered in
supplementary comments filed after the comment period to work with FRA
on this issue. FRA believes that the de minimis exception provided in
this final rule falls within the scope of the issues set forth in the
proposed rule. However, since none of the parties has had an
opportunity to comment on this specific exception as provided in this
final rule, FRA seeks comments on the extent of the de minimis
exception.
As further explained below, this final rule uses 2008 traffic data
as an initial baseline in each PTCIP to determine the breadth and scope
of PTC system implementation and, in recognition of the fact that
traffic patterns are likely to change to some degree before December
31, 2015, provides means of adjusting the track segments on which PTC
must be installed where adjustments are appropriately justified. These
issues relate to the potential scaling back of the breadth and scope of
that baseline through the request by the railroads--made
contemporaneously or subsequently to PTCIP submission and prior to
actual PTC system implementation--on the subject track segments for FRA
to apply certain regulatory exceptions. Under the procedures set forth
in this final rule, requests for such amendments may be made after
PTCIP submission. Since these issues should not affect the PTCIP
required to be filed by the April 16, 2010, statutory deadline, FRA
believes that time is available for some further consideration.
VII. Section-by-Section Analysis
Unless otherwise noted, all section references below refer to
sections in title 49 of the Code of Federal Regulations (CFR). FRA
sought comments on all proposals made in the NPRM. This portion of the
preamble discusses the comments received, FRA's assessment of those
comments, and the basis for the final rule provisions. Any analysis in
the NPRM that is not explicitly modified in this final rule remains
applicable.
Proposed Amendments to 49 CFR Part 229
Section 229.135 Event Recorders
The proposed amendment to the existing event recorder section of
the Locomotive Safety Standards is intended to make that section
parallel to the additions in Sec. 236.1005(d) below. No comments were
received, and the section is adopted as proposed.
Proposed Amendments to 49 CFR Part 234
Section 234.275 Processor-Based Systems
Section 234.275 presently requires that each processor-based
system, subsystem, or component used for active warning at highway-rail
grade crossings that is new or novel technology, or that provides
safety-critical data to a railroad signal or train control system which
is qualified using the subpart H process, shall also be governed by
those requirements, including approval of a Product Safety Plan.
Particularly with respect to high-speed rail, FRA anticipates that PTC
systems will in some cases incorporate new or novel technology to
provide for crossing warning system pre-starts (eliminating the
necessity of lengthening the approach circuits for high-speed trains),
to verify crossing system health between the wayside warning system and
approaching trains, or to slow trains approaching locations where
vehicle storage has been detected on a crossing, among other options.
Indeed, each of these functions is presently incorporated in at least
one train control system, and others may one day be feasible (including
in-vehicle warning). There would appear to be no reason why such a
functionality intended for inclusion in a PTC system mandated by
subpart I could not be qualified with the rest of the PTC system under
subpart I. On the other hand, care should be taken to set an
appropriate safety standard taking into consideration highway users,
occupants of the high-speed trains, and others potentially affected.
In fact, with new emphasis on high-speed rail, FRA needs to
consider the ability of PTC systems to integrate this type of new
technology and thereby reduce risk associated with high-speed rail
service. Risk includes derailment of a high-speed train with
catastrophic consequences after encountering an obstacle at a highway-
rail grade crossing. To avoid such consequences, as many crossings as
possible should be eliminated. To that end, 49 CFR 213.347 requires a
warning and barrier plan to be approved for Class 7 track (speeds above
110 miles per hour) and prohibits grade crossings on Class 8 and 9
track (above 125 miles per hour). That leaves significant exposure on
Class 5 and 6 track (80 miles per hour for freight and 90 miles per
hour for passenger trains, up to 110 miles per hour for either) which
is currently not specifically addressed by regulation.
At the public hearing in this proceeding, the RLO indicated its
agreement with FRA's interpretation of 49 CFR 213.347 and stated that
significant exposure remains at highway-rail grade crossings for Class
5 and 6 track, because ``such plans or prohibitions are not currently
addressed by Federal Regulation.'' In addition to the proposed
amendments to Sec. 234.275, however, the RLO believes that PTC systems
should also be mandated under subpart I to incorporate technology that
would verify a highway-rail grade crossing warning system's activation
for an approaching train and slow a train approaching a location where
such system activation could not be verified. The RLO believes that
such verification and speed restriction enforcement would significantly
lower the exposure for a potential collision between a highway motor
vehicle and a train. According to the RLO, this function is currently
incorporated into at least one deployed train control system and is
therefore feasible. In addition, the RLO propose that certain existing
highway-rail grade crossing warning system regulations and
requirements, including those in parts 213 and 234, and in subpart H to
part 236, could be cross referenced or included in subpart I to ensure
regulatory harmony.
While AAR understands the safety concern, it asserts that this
function is not related to the core PTC functions mandated by Congress.
Furthermore, asserts AAR, the cost of installing wayside interface
units at grade crossings on PTC routes would be prohibitively expensive
and would divert resources that would otherwise be devoted to meeting
the mandated PTC deadline.
The NTSB recommends that the warning and barrier protection plans
similar to those for Class 7 track at grade crossings in 49 CFR 213.347
should also apply to Class 5 and 6 tracks. According to the NTSB, such
protection at crossings (similar to protection at crossings afforded
within the ITCS project) should be integrated as part of an approved
PTC plan to reduce the risk
[[Page 2607]]
of high-speed catastrophic derailments at such grade crossings.
FRA, while certainly recognizing these concerns, does not choose to
provide further prescriptive requirements for highway-rail grade
crossings beyond those set forth in Sec. 213.347. FRA will, however,
require that highway-rail grade crossing safety at Class 5 and 6 track
speeds be specifically addressed within a railroad's PTCDP and PTCSP
(see Sec. Sec. 236.1013 and 236.1015 respectively) subject to FRA
approval. FRA has separately developed Guidelines for Highway-Rail
Grade Crossing Safety for high-speed rail that will be employed in the
grant review and negotiation process under the American Recovery and
Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009)
(ARRA). These Guidelines encourage use of sealed corridor strategies
for Emerging High-Speed Rail systems and integration of highway-rail
warning systems with PTC where feasible. See Docket No. FRA-2009-0095.
Proposed Amendments to 49 CFR Part 235
Section 235.7 Changes Not Requiring Filing of Application
FRA amends Sec. 235.7, which allows specified changes within
existing signal or train control systems be made without the necessity
of filing an application. The amendments consist of adding allowance
for a railroad to remove an intermittent automatic train stop system in
conjunction with the implementation of a PTC system approved under
subpart I of part 236, and a couple of minor editorial corrections.
The changes allowable under this section, without filing of an
application, are those identified on the basis that the resultant
condition will be at least no less safe than the previous condition.
The required functions of PTC within subpart I provide a considerably
higher level of functionality related to both alerting and enforcing
necessary operating limitations than an intermediate automatic train
stop system does. Additionally, in the event of the loss of PTC
functionality (see Sec. 236.1029 regarding a failure en route), the
operating restrictions required will provide the needed level of safety
in lieu of the railroad being expected to keep and maintain an
underlying system such as intermittent automatic train stop for use
only in such cases. Therefore, FRA believes that with the
implementation of PTC under the requirements of subpart I, the safety
value of any previously existing intermittent automatic train stop
system is entirely obviated. There were no objections in the PTC
Working Group to this amendment.
The AAR submitted comment that within Sec. 236.1021, paragraphs
(j)(2) and (j)(3) should be revised to recognize the allowance for
removal of a signal used in lieu of an electric or mechanical lock in
the same manner as removal of the electric or mechanical lock. These
two paragraphs are intended to recognize that where train speed over
the switch does not exceed 20 miles per hour, or where trains are not
permitted to clear the main track at such switch, removal of the
devices intended to provide the necessary protection without filing for
approval is appropriate.
The regulation requiring the installation of an electric or
mechanical lock identifies the allowance for a signal used in lieu
thereof (see Sec. 236.410). FRA agrees with the AAR that when the
requirement for an electric or mechanical lock, or a signal used in
lieu thereof, are eliminated, the removal of any of these devices in
their entirety without filing for approval is appropriate. FRA is
therefore amending paragraphs (j)(2) and (j)(3) of Sec. 236.1021 as
recommended in order to clarify these allowances.
For the same reasoning and in a consistent manner, FRA is amending
paragraphs (b)(2) and (b)(3) in existing Sec. 235.7 in order to
provide the same allowances for removal of a signal used in lieu of an
electric or mechanical lock within block signal systems without filing
for approval.
Proposed Amendments to 49 CFR Part 236
Section 236.0 Applicability, Minimum Requirements, and Penalties
FRA amends this existing section of the regulation to remove manual
block from the methods of operation permitting speeds of 50 miles per
hour or greater for freight trains and 60 miles per hour or greater for
passenger trains. Manual block rules create a reasonably secure means
of preventing train collisions. However, where the attributes of block
signal systems are not present, misaligned switches, broken rails, or
fouling equipment may cause a train accident. FRA believes that
contemporary expectations for safe operations require this adjustment,
which also provides a more orderly foundation for the application of
PTC to the subject territories. There were no objections in the PTC
Working Group to this change and the NTSB supports the removal of
manual block from a method of operation permitting train speeds of
above 49 and 59 miles per hour for freight and passenger trains,
respectively. According to the NTSB, manual block does not afford the
level of safety that block signal or PTC systems provide for the
detection of misaligned switches, broken rails, or fouling equipment
that may cause a train accident.
After review of the NPRM, AAR stated that paragraph (c)(1)(ii)(A)
seemed to preclude the operations identified in paragraph (c)(1)(ii)(B)
and that it was unclear whether paragraph (c)(1)(ii)(A) applies to
opposing trains or some other condition. Therefore, the AAR recommended
that paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B) be revised. FRA agrees
and has therefore revised paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B),
and added paragraphs (c)(1)(ii)(C) and (c)(1)(ii)(D), in the final rule
to improve clarity.
FRA has also added paragraph (d)(2) in the final rule to address
the use of automatic cab signal, automatic train stop, or automatic
train control systems on or after December 31, 2015. On or after
December 31, 2015, the method of protecting high-speed train operations
will be through the use of PTC. FRA recognizes that there may be
justifiable reasons for continued use of automatic cab signal,
automatic train stop, or automatic train control systems on or after
December 31, 2015 on certain lines, where the installation of PTC would
be inappropriate. In situations where the automatic cab signal,
automatic train stop, or automatic train control systems are an
integral part of the PTC system design, no action will be required by a
railroad. In any other situation, however, FRA will only allow
continued use of an automatic cab signal, automatic train stop, or
automatic train control system on a case-by-case basis after sufficient
justification has been provided to the Associate Administrator.
FRA has also added a preemption provision at the end of section
236.0. Part 236, which FRA inherited from the Interstate Commerce
Commission at the time FRA was created, has had preemptive effect by
operation of law at least since enactment of the Federal Railroad
Safety Act of 1970 (Pub. L. 111-43). However, no preemption provision
was ever added, largely as an historical accident. Since enactment of
the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/
11 Commission Act of 2007), Public Law 110-53, which amended 49 U.S.C.
20106 significantly, FRA has been updating the preemption provisions of
its regulations to conform to the current statute as opportunities to
do so are
[[Page 2608]]
presented. New subsection 236.0(i) is added to accomplish that and to
recite the preemptive effect of the Locomotive Boiler Inspection Act
(49 U.S.C. 20701-20703), which has been held by the U.S. Supreme Court
to preempt the entire field of locomotive safety; therefore, this part
preempts any state law, including common law, covering the design,
construction, or material of any part of or appurtenance to a
locomotive.
The text of section 236.0(i)(1) and (2) directly reflects FRA's
interpretation of 49 U.S.C. 20106, as amended. Read by itself, 49
U.S.C. 20106(a) preempts state standards of care, including common law
standards, Norfolk Southern Ry. v. Shanklin, 529 U.S. 344, 358-359
(2000), CSX Transp., Inc. v. Easterwood, 507 U.S. 658, 664 (1993), but
does not expressly state whether anything replaces the preempted
standards of care for purposes of tort suits. The focus of that
provision is clearly on who regulates railroad safety: The federal
government or the states. It is about improving railroad safety, for
which Congress deems nationally uniform standards to be necessary in
the great majority of cases. That purpose has collateral consequences
for tort law which new statutory section 20106 paragraphs (b) and (c)
address. New paragraph (b)(1) creates three exceptions to the possible
consequences flowing from paragraph (a). One of those exceptions
(paragraph (b)(1)(B)) precisely addresses an issue presented in Lundeen
v. Canadian Pacific Ry., 507 F.Supp.2d 1006 (D.Minn. 2007) that
Congress wished to rectify: It allows plaintiffs to sue a railroad in
tort for violation of its own plan, rule, or standard that it created
pursuant to a regulation or order issued by either of the secretaries.
None of those exceptions covers a plan, rule, or standard that a
regulated entity creates for itself in order to produce a higher level
of safety than federal law requires, and such plans, rules, or
standards were not at issue in Lundeen. The key concept of section
20106(b) is permitting actions under state law seeking damages for
personal injury, death, or property damage to proceed using a federal
standard of care. A plan, rule, or standard that a regulated entity
creates pursuant to a federal regulation logically fits the paradigm of
a federal standard of care--federal law requires it and determines its
adequacy. A plan, rule, or standard, or portions of one, that a
regulated entity creates on its own in order to exceed the requirements
of federal law does not fit the paradigm of a federal standard of
care--federal law does not require that the law be surpassed and, past
the point at which the requirements of federal law are satisfied, says
nothing about its adequacy. That is why FRA believes that section
20106(b)(1)(B) covers the former, but not the latter. The basic purpose
of the statute--improving railroad safety--is best served by
encouraging regulated entities to do more than the law requires and
would be disserved by increasing potential tort liability of regulated
entities that choose to exceed federal standards, which would
discourage them from ever exceeding federal standards again.
In this manner, Congress adroitly preserved its policy of national
uniformity of railroad safety regulation expressed in section
20106(a)(1) and assured plaintiffs in tort cases involving railroads,
such as Lundeen, of their ability to pursue their cases by clarifying
that federal railroad safety regulations preempt the standard of care,
not the underlying causes of action in tort. Under this interpretation,
all parts of the statute are given meanings that work together
effectively and serve the safety purposes of the statute.
Section 236.410 Locking, Hand-Operated Switch; Requirements
In this final rule, FRA is removing the Note following paragraph
(b) of this section. During FRA's review of the requirements contained
in this part, FRA discovered that the Note following paragraph (b),
which had previously been removed as part of FRA's 1984 amendments to
this part, was inadvertently reprinted in the rule text several years
later and has remained there. As reflected in the preamble discussion
of the 1983 proposed rule, FRA moved the provisions for removal of
electric or mechanical locks to Sec. 235.7 based on FRA's
determination that the industry was capable of achieving compliance of
train operations in procedures more suitable to individual properties.
In light of the history of this section, FRA is taking the
opportunity within this rulemaking to remove the Note following
paragraph (b), which presents information in conflict with the
allowances that have been added into Sec. Sec. 235.7(b)(2) and (b)(3).
Section 236.909 Minimum Performance Standard
FRA is modifying paragraph (e)(1) of this section to include a
requirement for the risk metric sensitivity analysis to be an integral
part of the full risk assessment that is required to be provided in the
Product Safety Plan (PSP) submittal in accordance with Sec.
236.907(a)(7). Paragraph (e)(2) of this section is also being modified
to eliminate an alternative option for a railroad to use a risk metric
in which consequences of potential accidents are measured strictly in
terms of fatalities.
Prior to the modification of this section, paragraph (e)(1)
discussed how safety and risk should be measured for the full risk
assessment, but did not accentuate the need for running a sensitivity
analysis on chosen risk metrics to ensure that the worst case scenarios
for the proposed system failures or malfunctions are accounted for in
the risk assessment. On the other hand, Appendix B to this part
mandates that each risk metric for the proposed product must be
expressed with an upper bound, as estimated with a sensitivity
analysis. The FRA's experience gained while reviewing PSP documents
required by subpart H of this part and submitted to FRA for approval
revealed that railroads did not consider it mandatory to run a
sensitivity analysis for the chosen risk metrics. Thus, an additional
effort was required from the FRA staff reviewing PSP submittals to
demonstrate to the railroads the validity and significance of such a
request. Therefore, this final rule amends paragraph (e)(1) to
explicitly require the performance of a sensitivity analysis for the
chosen risk metrics. The language in paragraph (e)(1) of this section
explains why the sensitivity analysis is needed and what key input
parameters must be analyzed.
FRA received comments on the proposed modification to paragraph
(e)(1) of this section. While the RLO expressed support for making the
risk metric sensitivity analysis an integral part of the full risk
assessment, GE sought clarification and a sample regarding the proposed
amendment to the clause regarding the risk assessment sensitivity
analysis. GE believes that a literal interpretation of this clause
would mean that the risk analysis must evaluate the risk sensitivity to
variations in every individual electronic and mechanical component of
the system. If so interpreted, GE asserts that the combinatorial
calculations would present a significant barrier to the safety analysis
and delay PTC system approval. GE further asserts that safety coverage
of discrete component failures can be assured through other techniques
in the overall system design. GE believes that the intent of this rule
is that ``component'' should mean ``functional subsystem,'' as system
safety can be completely addressed by performing the sensitivity
analysis at that level. Accordingly, GE proffers that paragraph (e)(1)
of this section should be modified to allow the level of detail
[[Page 2609]]
of the risk analysis to be chosen based on the system safety philosophy
and technology chosen.
Similar concerns were expressed by HCRQ/CGI, which questioned the
need for an additional requirement in the rule that would require the
sensitivity analysis to document the sensitivity to worst case failure
scenarios. In the alternative, HCRQ/CGI suggested that the final rule
should require a reasonable justification for all failure rates.
In response to these comments, FRA would like to clarify that the
lowest level of system elements constructing the overall system that
would be subject to risk analysis and the following sensitivity
analysis are ``components,'' ``modules,'' ``pieces of equipment,'' or
``subsystems'' that are processor-based in nature, the functionality
and performance of which are governed by this part. FRA declines,
however, to provide a sample sensitivity analysis in this rulemaking
document, as the technique of sensitivity analysis has been well
covered by a number of system safety engineering studies.
FRA notes that the term, ``worst case failure scenario'' is a
subject of general theory of system safety and reliability. Therefore,
it does not appear to be necessary to provide an interpretation of this
term. Nonetheless, in response to comments that have been received on
this issue, FRA would like to add a clarifying statement. A sensitivity
analysis must be conducted by defining the range of values (i.e., lower
bound, upper bound, and associated distribution) for key input
parameters and assessing the impact of variations over those ranges on
the overall system risk. The worst case analysis must consider
realistic combinations of the key input parameters as they tend toward
their worst case values. Justification must be provided for the ranges
and process used in the design of the sensitivity analysis.
Another comment from HCRQ/CGI relates to the requirement that ``the
sensitivity analysis must confirm that the risk metrics of the system
are not negatively affected by sensitivity analysis input parameters. *
* *'' HCRQ/CGI requested that the meaning of the phrase ``negatively
affected'' be specified. FRA agreed to provide such an explanation and
therefore offered an interpretation of the words ``negatively
affected'' in paragraph (e)(1).
The modification to paragraph (e)(2) of this section is intended to
clarify how the exposure and its consequences, as main components of
the risk computation formula, must be measured. As stated in paragraph
(e)(2), the exposure must be measured in train miles per year over the
relevant railroad infrastructure where a proposed system is to be
implemented. When determining the consequences of potential accidents,
the railroad must identify the total costs involved, including those
relating to fatalities, injuries, property damage, and other
incidentals. This final rule eliminates the option of using an
alternative risk metric, which would allow the measurement of
consequences strictly in terms of fatalities. It is FRA's experience
that measuring consequences of accidents strictly in term of fatalities
did not serve as an adequate alternative to metrics of total cost of
accidents for two main reasons. First, the statistical data on railroad
accidents shows that accidents involving fatalities also cause injuries
and significant damage to railroad property and infrastructure for both
freight and especially passenger operations. Even though the cost of
human life is often the highest component of monetary estimates of
accident consequences, the dollar estimates of injuries, property
losses, and damage to the environment associated with accidents
involving fatalities cannot and should not be discounted in the risk
analysis. Second, allowing fatalities to serve as the only risk metrics
of accident consequences confused the industry and the risk assessment
analysts attempting to determine the overall risk associated with the
use of certain types of train control systems. As a result, some risk
analysts inappropriately converted injuries and property damages for
observed accidents into relative estimates of fatalities. This method
cannot be considered acceptable because, while distorting the overall
picture of accident consequences, it also raises questions on
appropriateness of conversion coefficients. Therefore, FRA considers it
appropriate to eliminate from the rule the alternative option for
consequences to be measured in fatalities only. This approach gained
the support of the RLO, who in their comments concur with a
modification of paragraph (e)(2) that is eliminating an option of risk
consequences to be measured in fatalities only.
Subpart I--Positive Train Control Systems
Section 236.1001 Purpose and Scope
This section describes both the purpose and the scope of subpart I.
Subpart I provides performance-based regulations for the development,
test, installation, and maintenance of PTC systems, and the associated
personnel training requirements, that are mandated for installation by
FRA. This subpart details the process and identifies the documents that
railroads and operators of passenger trains are to utilize and
incorporate in their PTC implementation plans. This subpart also
details the process and procedure for obtaining FRA approval of such
plans.
A number of railroads indicated concern with a potentially
significant reprogramming of funds due to the statutorily mandated
implementation of PTC systems. These railroads claim that the costs
associated with PTC system implementation will lead to deferred capital
improvements and maintenance elsewhere in the general railroad system,
including degraded track, bridge, or drainage conditions, which may
then lead to accidents. Thus, according to these railroads, the
mandated PTC implementation, within an extremely aggressive timeframe,
may lead to an overall reduced level of safety. FRA recognizes that the
cost of PTC will be substantial. FRA does note that capital
expenditures can often be financed; and the Railroad Rehabilitation and
Improvement Financing (RRIF) program is one source of such financing.
Other potential sources include private financing, public bond
authority, and state and federal appropriations. It is the
responsibility of each public and private railroad to determine
appropriate funding sources to meet its needs.
Various railroads also urge FRA to not use its discretion to
require more than the minimum mandated by the RSIA08. These railroads
note that under FRA's economic analysis, the costs of PTC
implementation outweigh its benefits by a ratio of 15 to 1. While these
railroads acknowledge that these costs are mostly unavoidable due to
the congressional mandate, they believe that there are ways FRA may
mitigate these and other costs associated with this rule. FRA has
crafted this final rule to limit the cost of implementation and to
avoid further PTC development that could require additional funding and
additional time. Accordingly, in the proposed and final rule, FRA
indicates a willingness to approve suitable systems employing non-vital
onboard processing, to recognize wayside signal logic as an appropriate
means of protecting movements over switches, to recognize systems that
enforce the upper limit of restricted speed as suitable collision
avoidance in the case of following trains and joint authorities, to
avoid any requirements for monitoring of derails off the main line in
conventional speed territory, to allow for conventional arrangements at
rail-to-rail crossings at-
[[Page 2610]]
grade where speeds are moderate, and to recognize to the maximum extent
possible safety case showings made under subpart H prior to the
effective date of this rule. In addition, FRA has made allowances for
operation of Class II and III locomotives in PTC territory and
significant ``main line'' exceptions for passenger routes. Together,
these actions will save the railroads billions of dollars of initial
expense, as well as continuing expense in maintenance over the coming
years.
Section 236.1003 Definitions
Given that a natural language such as English contains, at any
given time, a finite number of words, any comprehensive list of
definitions must either be circular or leave some terms undefined. In
some cases, it is not possible and indeed not necessary to state a
definition. Where possible and practicable, FRA prefers to provide
explicit definitions for terms and concepts rather than rely solely on
a shared understanding of a term through use.
Paragraph (a) reinforces the applicability of existing definitions
of subparts A through H. The definitions of subparts A through H are
applicable to subpart I, unless otherwise modified by this part.
Paragraph (b) introduces definitions for a number of terms that
have specific meanings within the context of subpart I. Paragraph (b)
has been modified in the final rule by adding a definition for the
term, ``Notice of Product Intent.''
In lieu of analyzing each definition here, however, some of the
delineated terms will be discussed as appropriate while analyzing other
sections below.
As a general matter, however, FRA believes it is important to
explain certain organizational changes required pursuant to the RSIA08.
The statute establishes the position of a Chief Safety Officer within
FRA. The Chief Safety Officer has been designated as the Associate
Administrator for Railroad Safety. Thus, the use of the term Associate
Administrator in this subpart refers to the Associate Administrator for
Railroad Safety and Chief Safety Officer, or as otherwise referenced,
the Associate Administrator for Railroad Safety/Chief Safety Officer.
The NPRM defined ``host railroad'' to mean ``a railroad that has
effective operating control over a segment of track.'' This term is
used in Sec. 236.1005(b) to identify the party responsible for
installing PTC and in Sec. 236.1007 with respect to attributes of PTC
systems for high-speed service. The host railroad is also responsible
for planning and filing requirements (see, e.g., Sec. 236.1009). In
proposing this definition, FRA sought to capture in a word the essence
of fundamental responsibility for the rail operation. FRA considered
terms such as ``track owner'' (used in the Track Safety Standards), but
found that the alternatives had drawbacks of one kind or another. There
are places, for instance, where a non-railroad State or local
government or private corporation owns the underlying fee beneath the
railroad infrastructure but is not engaged in any way in managing or
benefitting from the railroad (except in some cases by receiving
revenue from a lease). There are also situations where multiple
railroads are dispatched from a common location, either by one of the
railroads or by a third party. It is increasingly the case that
commuter service is provided by a public authority through multiple
contractors who are responsible for discrete portions of service as
agents of the sponsoring entity (e.g., equipment maintenance, track and
signal maintenance, train operations, dispatching). In short, it is
hard to describe, in a common way, who is responsible here;
nevertheless, in any concrete case, there can be but one entity
ultimately responsible.
The Southern California Regional Rail Authority submitted comments
requesting that FRA provide additional clarification to what
constitutes ``effective operating control'' as stated in the definition
of the term ``host railroad.'' Specifically, SCRRA questioned whether
FRA would consider control of dispatching as ``effective operating
control'' even if responsibilities for the installation and maintenance
of wayside devices and infrastructure are under a different party than
the dispatcher. Although FRA does not find it necessary to change the
definition contained in the regulation, FRA will offer clarification as
to the intended meaning. As noted above, very often railroads cooperate
in dispatching trains that traverse contiguous lines in order to
maximize tactical planning and efficiency. Whether one railroad might
dispatch another railroad's territory would not cause the dispatching
railroad to take on the responsibilities of the host. Similarly, the
fact that a railroad might contract with another railroad to dispatch
all or a portion of its lines would not relieve the former railroad of
responsibilities of the host.
In the example of SCRRA's Metrolink operations, we would expect
SCRRA, which defines its route structure and timetable for passenger
operations, to undertake the duties of the host for the lines for which
it enjoys effective control in the sense that it has the right to
determine who operates over the lines and under what conditions. In
general, those are the lines it owns directly or through public
authorities that cooperate in the joint powers arrangement. Lines owned
and operated by BNSF or UP and over which Metrolink trains operate
would be the responsibility of BNSF and UP, respectively, even if SCRRA
or its contractor has day-to-day responsibility for dispatching some of
them.
GE Transportation expressed concern regarding the definition and
use of the term Type Approval in Sec. 236.1003 and subsequent
sections, including Sec. 236.1031. GE Transportation notes that under
the proposed rule Type Approvals apply only to complete PTC systems,
although it is generally recognized in the industry that there are five
core component subsystems in a PTC system configuration: (1) A
locomotive onboard subsystem; (2) a dispatch center supervisory control
and data acquisition (SCADA) subsystem; (3) a PTC server (central or
wayside) if a server is required; (4) wayside interface units; and (5)
a data communications network connecting the other subsystems. When a
Type Approval is granted to a PTC system, GE Transportation suggests
that core subsystems of that PTC system should be granted Component
Type Approval under certain conditions. According to GE Transportation,
the granting of such Component Type Approvals will drive simplified
filings, faster approval, and faster deployment for new system
configurations using a building block approach. In addition, states GE
Transportation, it reduces the risks associated with PTC deployment by
simplifying substitution of components in the event of a problem, the
market for PTC system components becomes less restrictive, and the next
logical step is for a supplier to be permitted to introduce a core
subsystem component for approval. GE Transportation asserts that this
will encourage market development and further reduce risks for PTC
deployment and sustained operation.
FRA understands GE's concern. However, it appears to be based on a
misunderstanding of FRA's definition of ``Type Approval.'' In
developing the ``Type Approval'' concept, FRA looked to the Federal
Aviation Administration (FAA) model of system approval as a basis.
However, FRA modified the FAA approach to better fit FRA's regulatory
mandate and resources. FRA considers the ``Type Approval'' to be more
akin to the FAA concept of an ``Airworthiness Certificate.'' Under FAA
rules, an airworthiness certificate is only issued
[[Page 2611]]
to a system (and, in the case of the FAA, this system is an aircraft).
This analogy is made only to make a minor clarification and should not
necessarily be construed to entirely equate subpart I's Type Approval
concept with that of FAA's Airworthiness Certificate concept.
FRA has also considered GE's position that an FRA failure to issue
component level approvals could restrict the development of new
products. FRA notes that the current industry practice is based on
vendor or supplier determination that there will be a market for a
particular product. This determination may be based on a specific
request from a customer, or on the vendor's or supplier's perception
that there is a need for the product. While this process may consider
the regulatory requirements that may be applicable to a component, it
has not required FRA to issue an ``approval'' for any particular
component. Given the number of new products that have been brought to
market, FRA believes that this development model has worked very
successfully. Further, the requirements of the RSIA08 require FRA to
certify that the PTC system, not the PTC system components, meets the
regulatory requirements. The ``Type Approval'' does not in any way
certify a PTC system as required by statute; it only indicates to the
system developer/integrator that FRA believes that the proposed system,
if properly implemented, may meet the statutory requirements. FRA
therefore declines, at this time, to issue component level ``type
approvals''.
The AAR believes that the definition of ``safe state'' includes
conditions not necessarily applicable. According to AAR, this term may
be utilized to describe the operation of a system in non-failure
scenarios and, in fact, is arguably used in this fashion even within
the NPRM preamble (see, e.g., 74 FR 35,966 (July 21, 2009) (``If a
switch is misaligned, the PTC system shall provide an acceptable safe
state of train operations.'')). Accordingly, the AAR asserts that the
definition of ``safe state'' should be modified to strike the clause
``when the system fails.''
Some other commenters expressed the opinion that in the current
definition of ``safe state,'' the clause ``cannot cause harm'' lacks
specificity. FRA agrees to modify the definition of ``safe state'' by
replacing the clause ``system configuration that cannot cause harm when
the system fails'' with the clause ``system state that, when the system
fails, cannot cause death, injury, occupational illness, or damage to
or loss of property, or damage to the environment.'' This definition
corresponds to that of the safe state definition in the U.S. Department
of Defense Military Standard (MIL-STD) 882C. FRA, however, disagrees
with AAR that the term ``safe state'' should be also applicable for the
description of system state in non-failed conditions. The definition of
the term ``safe state'' should not be confused with the term ``safe
operation'' or ``operating safely.'' The term ``safe state'' was added
in Sec. 236.1003 strictly for the purpose of defining a ``protective''
state (safe state) of the system, which the system must take when it
fails. At the same time, FRA admits erroneous use of the term ``safe
state'' in the section quoted by AAR (74 FR 35,966) and amends it to
read: ``If a switch is misaligned, the PTC system shall provide an
acceptable level of safety of train operations.''
Section 236.1005 Requirements for Positive Train Control Systems
The RSIA08 specifically requires that each PTC system be designed
to prevent train-to-train collisions, overspeed derailments, incursions
into established work zone limits, and the movement of a train through
a switch left in the wrong position. Section 236.1005 includes the
minimum statutory requirements and provides amplifying information
defining the necessary PTC functions and the situations under which PTC
systems must be installed. Each PTC system must be reliable and perform
the functions specified in the RSIA08.
Train-to-train collisions. Paragraph (a)(1)(i) applies the
statutory requirement that a mandatory PTC system must be designed to
prevent train-to-train collisions. FRA understands this to mean head-
to-head, rear-end, and side and raking collisions between trains on the
same, converging, or intersecting tracks. Currently available PTC
technology can meet these needs by providing current and continuous
guidance to the locomotive engineer and enforcement using predictive
braking to stop short of known targets. FRA notes that the technology
associated with currently available PTC systems may not completely
eliminate all collisions risks. For instance, a PTC system mandated by
this subpart is not required to prevent a collision caused by a train
that derails and moves onto a neighboring or adjacent track (known in
common parlance as a ``secondary collision'').
During discussions regarding available PTC technology, it has been
noted that this technology also has inherent limitations with respect
to prevention of certain collisions that might occur at restricted
speed. In signaled territory, there are circumstances under which
trains may pass red signals, other than absolute signals without verbal
authority, either at restricted speed or after stopping and then
proceeding at restricted speed. To avoid rear end collisions, available
PTC technology does not always track the rear-end of each train, but
instead relies on the signal system to indicate the appropriate action.
In this example, the PTC system would display ``restricted speed'' to
the locomotive engineer as the action required and would enforce the
upper limit of restricted speed (i.e., 15 or 20 miles per hour,
depending on the railroad). This means that more serious rear end
collisions will be prevented, because the upper limit of restricted
speed is enforced. This also means that fewer low speed rear-end
collisions will occur because a continuous reminder of the required
action will be displayed to the locomotive engineer (rather than the
engineer relying on the aspect displayed by the last signal, which may
have been passed some time ago). However, some potential for a low
speed rear-end collision will remain in these cases, and the rule is
clear that this limitation has been accepted. Similar exposure may
occur in non-signaled territory where trains are conducting switching
operations or other activities under joint authorities. The PTC system
can enforce the limits of the authority and the upper limit of
restricted speed, but it cannot guarantee that the trains sharing the
authority will not collide. Again, however, the likelihood and average
severity of any potential collisions would be greatly reduced
considering such movements would be made under restricted speed. FRA
may address this issue in a later modification to subpart I if
necessary as technology becomes available.
FRA received comments on this discussion of the inherent
limitations of available PTC technology with respect to the prevention
of certain collisions that may occur at restricted speed from NYSMTA.
NYSMTA sought clarification that PTC is not intended to enforce
conformance of block entry speeds associated with wayside signal
aspects or similar cab signal aspects provided without speed control,
except when a train is operating under a wayside signal or cab signal
aspect requiring a speed not to exceed restricted speed. FRA noted in
the NPRM, and repeats here, that FRA recognizes that some PTC
architectures will not directly enforce speed restrictions imposed by
all intermediate signals. FRA does expect that the
[[Page 2612]]
PTCDP will be clear on how the system accomplishes train separation and
regulation of speeds over turnouts.
The final rule text, however, does provide an example of a
potential train-to-train collision that a PTC system should be designed
to prevent. Rail-to-rail crossings-at-grade--otherwise known as diamond
crossings--present a risk of side collisions. FRA recognizes that such
intersecting lines may or may not require PTC system implementation and
operation. Since a train operating with an unregulated PTC system
cannot necessarily recognize a train not operating with a PTC system or
moving on an intersecting track without a PTC system, the PTC system--
no matter how intelligent--may not be able to prevent a train-to-train
collision in such circumstances.
Accordingly, paragraph (a)(1)(i) requires certain protections for
such rail-to-rail crossings-at-grade. While these locations are
specifically referenced in paragraph (a)(1)(i), their inclusion is
merely illustrative and does not necessarily preclude any other type of
potential train-to-train collision. Moreover, a host railroad may have
alternative arrangements to the specific protections referenced in the
associated table under paragraph (a)(1)(i), which it must submit in its
PTCSP--discussed in detail below--and receive a PTC System
Certification associated with that PTCSP.
Rail-to-rail crossings-at-grade that have one or more PTC routes
intersecting with one or more routes without a PTC system must have an
interlocking signal arrangement in place developed in accordance with
subparts A through G of part 236 and a PTC enforced stop on all PTC
routes. FRA has also determined that the level of risk varies based
upon the speeds at which the trains operate through such crossings, as
well as the presence, or lack, of PTC equipped lines leading into the
crossing. Accordingly, under a compromise accepted by the PTC Working
Group, if the maximum speed on at least one of the intersecting tracks
is more than 40 miles per hour, then the routes without a PTC system
must also have either some type of positive stop enforcement or a
split-point derail on each approach to the crossing and incorporated
into the signal system, and a permanent maximum speed limit of 20 miles
per hour. FRA expects that these protections be instituted as far in
advance of the crossing as is necessary to stop the encroaching train
from entering the crossing. The 40 miles per hour threshold appears to
be appropriate given three factors. First, the frequency of collisions
at these rail intersections is low, because typically one of the routes
is favored on a regular basis and train crews expect delays until
signals clear for their movement. Second, the special track structure
used at these intersections, known as crossing diamonds, experiences
heavy wear; and railroads tend to limit speeds over these locations to
no more than 40 miles per hour. Finally, FRA recognizes that for a
train on either intersecting route, elevated speed will translate into
higher kinetic energy available to do damage in a collision-induced
derailment. Thus, for the small number of rail crossings with one or
more routes having an authorized train speed above 40 miles per hour,
including higher speed passenger routes, it is particularly important
that any collision be prevented. FRA believes that these more
aggressive measures are required to ensure train safety in the event
the engineer does not stop a train before reaching the crossing when
the engineer does not have a cleared route displayed by the
interlocking signal system and higher speed operations are possible on
the route intersected. The split-point derail would prevent a collision
in such a case by derailing the offending train onto the ground before
it reaches the crossing. Should the train encounter a split-point
derail as a result of the crew's failure to observe the signal
indication, the slower speed at which the unequipped train is required
to travel would minimize the damage to the unequipped train and the
potential affect on the surrounding area.
As an alternative to split-point derails, the non-PTC line may be
outfitted with some other mechanism that ensures a positive stop of the
unequipped crossing train. If a PTC system or systems are installed and
operated on all crossing lines, there are no speed restrictions other
than those that might be enforced as part of a civil or temporary speed
restriction. However, the crossing must be interlocked and the PTC
system or systems must ensure that each of the crossing trains can be
brought safely to a stop before reaching the crossing in the event that
another train is already cleared through or occupying the crossing.
The Rail Labor Organizations shares FRA's concerns regarding
diamond crossings, supporting the requirements for interlocking signal
arrangements, a PTC enforced stop on PTC routes, and installation of
split-point derails with a 20 miles per hour maximum authorized speed
on the approach of any intersecting non-PTC route. However, the RLO
believe that split-point derails should be required regardless of the
PTC route's maximum speed in order to protect the PTC route against a
non-equipped train passing through a stop indication and equipment
inadvertently rolling out (i.e., a roll away) from the non-PTC route.
AAR and CSXT challenge the imposition of split-point derails. CSXT
believes that the proposed rule merely shifts the safety risks
associated with Class II and III railroads, but does not eliminate them
altogether. For instance, CSXT points out that unlike a PTC-compliant
system, the split-point derail would not avoid derailment altogether;
rather, it would simply cause the non-PTC Class II or III train to
derail away from the crossing. According to CSXT, the most
comprehensive safety regime that would avoid both collisions and
derailments would be to require Class II and Class III railroads
operating on PTC routes also to be PTC equipped.
One commenter objected to the costs of derails being borne by PTC
equipped Class I railroads. The NPRM did not purport to address who
would pay this cost, but merely recited in a brief reference that the
assumption had been made in the Regulatory Flexibility Analysis that
the railroad installing PTC would bear the cost. FRA does not stipulate
who is responsible for the cost of split-point derails at rail-to-rail
crossings at-grade, as the cost will be borne in conformance with any
agreements between the railroads or prior rights arising out of
previous transactions under which property was acquired. FRA would have
appreciated some indication of how those costs are likely to fall, but
no information was provided on this point.
The commenter also proposes exploration of lower-cost alternatives
in lieu of split-point derails. FRA agrees that less expensive
alternatives to split-point derails at rail-to-rail crossings at-grade
can and should be proposed in a railroad's PTCIP or PTCDP. As FRA
stated in the preamble discussion of paragraph (a)(1)(i) in the
proposed rule, ``the non-PTC line may be outfitted with some other
mechanism that ensures a positive stop of the unequipped * * * train.''
(74 FR 35,950, 35,960). FRA expects, however, that any alternative to
the split-point derail will provide the same level of separation as
that afforded by the installation of the split-point derail.
CSXT submitted comments stating that the installation of split-
point derails would create a new danger, including a secondary
collision. However, FRA believes that these aggressive measures at
locations where train speeds exceed 40 miles per hour through rail-to-
rail crossings at-grade, where not all routes
[[Page 2613]]
have been equipped with a PTC system or positive stop enforcement, are
necessary in order to ensure train safety. FRA fully agrees that full
PTC technology that provides positive stop enforcement from all
directions is a more desirable method of protecting such locations.
However, where such technology has not been installed, the prescribed
use of split-point derails in approach to the crossing-at-grade is
deemed necessary in the event the engineer of a train operating on a
line without positive stop enforcement does not have a cleared route
and fails to stop the train prior to reaching the crossing. The split-
point derail, in combination with the required speed limitation of 20
miles per hour or less, would prevent a collision by derailing the
offending train onto the ground before it reached the crossing. Should
such a train encounter a split-point derail in its derailing position
as a result of the crew's failure to observe or adhere to the signal
indication, the slower speed at which an unequipped train is required
to travel would minimize damage to the unequipped train and the
potential effect on the surrounding area.
FRA has also considered the comments of the RLO that more secure
arrangements should be provided at each rail-to-rail crossing-at-grade,
regardless of speed. FRA believes that where the PTC-equipped and non-
PTC-equipped lines of the Class I railroads intersect, the railroads
will generally utilize the available PTC technology to ensure a
positive stop short of the crossing for any train required to stop
short of the interlocking. The WIU at the location and available
onboard capability supported by a radio data link should make this an
obvious solution. FRA will scrutinize Class I PTCDPs to ensure that
this is the case. FRA remains concerned that more aggressive solutions
for intersections with Class II and III lines could impose substantial
costs without returning significant benefits.
Overspeed derailments. Paragraph (a)(1)(ii) requires that PTC
systems mandated under subpart I be designed to prevent overspeed
derailments and addresses specialized requirements for doing so. FRA
notes that a number of passenger train accidents with a significant
number of injuries have been caused by trains exceeding the maximum
allowable speed at turnouts and crossovers and upon entering stations.
Accordingly, FRA emphasizes the importance of enforcement of turnout
and crossover speed restrictions, as well as civil speed restrictions.
For instance, in the Chicago region, two serious train accidents
occurred on the same Metra commuter line when locomotive engineers
operated trains at more than 60 miles per hour while traversing between
tracks using crossovers, which were designed to be safely traversed at
10 miles per hour. For illustrative purposes, the rule text makes clear
that such derailments may be related to railroad civil engineering
speed restrictions, slow orders, and excessive speeds over switches and
through turnouts and that these types of speed restrictions are to be
enforced by the system.
The UTA and APTA each submitted the same basic comment pertaining
to paragraph (a)(1)(ii), with which SCRRA concurred. They contend that
speed restrictions are often set at a speed that is far below a speed
that would cause a derailment. Therefore, they request that a PTC
system should allow or display a speed higher than the actual speed
restriction, but well short of a speed that may cause a derailment.
The RLO submitted a comment that, while the language ``prevent
overspeed derailments'' accurately reflects the language found in the
RSIA08, this paragraph misses the congressional intent of the statute
and appears to be unenforceable unless a derailment occurs in
conjunction with a PTC system that fails to enforce an overspeed event.
The RLO believe that FRA should amend this paragraph to establish that
it will be a violation of this section if the PTC system fails to
enforce an overspeed condition that is not corrected by the locomotive
engineer regardless of whether or not such overspeed results in a
derailment. Since most overspeed occurrences do not result in a
derailment, the RLO asserts that waiting for a derailment to happen
before declaring that the PTC system is not operating as intended is
contrary to the purpose of the law.
FRA intends and believes that the PTC core feature concerning
``overspeed derailments'' is such that the system shall enforce various
speed restrictions (i.e., civil speed restrictions, temporary slow
orders, excessive speeds over switches and through turnouts and
crossovers, etc.) regardless of whether a derailment actually occurs.
However, FRA elects to leave the rule text of paragraph (a)(1)(ii) as
it was written in the proposed rule. FRA is aware of various train
control systems that have a tolerance of 3 miles per hour before the
system displays a warning to the train operator and that apply a
penalty brake application when the train reaches a speed 5 miles per
hour above the posted speed restriction. Appropriate speed margins or
leeways associated with maximum authorized speed are expected, but they
must be presented, justified, and approved within the context of a
railroad's PTCDP and PTCSP.
Roadway work zones. Paragraph (a)(1)(iii) requires that PTC systems
mandated under subpart I be designed to prevent incursions into
established work zone limits. Work zone limits are defined by time and
space. The length of time a work zone limit is applicable is determined
by human elements. Working limits are obtained by contacting the train
dispatcher, who will confirm an authority only after it has been
transmitted to the PTC system's server. Paragraph (a)(1)(iii)
emphasizes the importance of each PTC system to provide positive
protection for roadway workers working within the limits of their work
zone. Accordingly, once a work zone limit has been established, the PTC
system must be notified. The PTC system must continue to obey that
limit until it is notified by the dispatcher or roadway worker in
charge, with verification from the other, either that the limit has
been released and the train is authorized to enter or the roadway
worker in charge has authorized movement of the train through the work
zone.
As a way to achieve this technological functionality, FRA's Office
of Railroad Development has funded the development of a Roadway Worker
Employee in Charge (EIC) Portable Terminal that allows the EIC to
control the entry of trains into the work zone. While no rule includes
the commonly used term EIC, FRA recognizes that it is the equivalent to
the term ``Roadway Worker In Charge'' as used in part 214. With the
portable terminal, the EIC can directly control the entry of trains
into the work zone and restrict the speed of the train through the work
zone. If the EIC does not grant authority for the train to enter the
work zone, the train is forced to a stop by the PTC system prior to
violating the work zone authority limits. If the EIC authorizes entry
of the train into the work zone, the EIC may establish a maximum
operating speed for the train consistent with the safety of the roadway
work employees. This speed is then enforced on the train authorized to
enter and pass through the work zone. The technology is significantly
less complex than the technology associated with dispatching systems
and the PTC onboard system. In view of this, FRA strongly encourages
deployment of such portable terminals as opposed to current methods
that only require the locomotive engineer to, in some manner,
``acknowledge'' his or her
[[Page 2614]]
authority to operate into or through the limits of the work zone (e.g.,
by pressing a soft key on the onboard display, even if in error).
Pending the adoption of more secure technology, such as the EIC
Portable Terminal, FRA will scrutinize each submitted PTCDP and PTCSP
to determine whether they leave any opportunity for single point human
failure in the enforcement of work zone limits. FRA again notes that
some methods in the past have allowed the locomotive engineer to simply
acknowledge a work zone warning, even if inappropriately, after which
the train could proceed into the work zone. FRA expects that more
secure procedures will be included in safety plans submitted under
subpart I.
The RLO submitted a comment that, in order for a PTC system to
effectively perform the core function of protecting roadway workers
operating within the limits of their authority, the PTC system must be
designed in a manner that prevents override of an enforced stop prior
to entering an established work zone through simple acknowledgement of
the existence of work zone limits by a member of the train crew (i.e.,
by pressing a soft key on the onboard display, even if in error). The
RLO expressed support for FRA's intention to closely scrutinize each
PTCSP to determine whether they leave any opportunity for a single
point human failure in the enforcement of work limits. The RLO strongly
encouraged FRA to withhold approval of any PTC system that does not
enforce a positive stop at the entrance to established work zones until
notified directly by the dispatcher or the roadway worker in charge,
with verification from the other, that the movement into the work zone
has been authorized by the roadway worker in charge.
FRA agrees with the concern expressed by the RLO on this issue.
However, in the spirit of staying strictly within the mandate of the
RSIA08 relating to required PTC functionality, FRA will require that
the actual method of enforcement and acknowledgement associated with
work zones be presented within the PTCDP and PTCSP and subject to FRA
approval. FRA continues to strongly encourage use of EIC portable
terminals with electronic handshake of acknowledgement and
authorizations to enter work zones.
Movement over main line switches. Paragraph (a)(1)(iv) requires
that PTC systems mandated under subpart I be designed to prevent the
movement of a train through a main line switch in the improper
position. Given the complicated nature of switches--especially when
operating in concert with wayside, cab, or other similar signal
systems--the final rule provides more specific requirements in
paragraph (e) as discussed further below.
In numerous paragraphs, the final rule requires various operating
requirements based primarily on signal indications. Generally, these
indications are communicated to the engineer, who would then be
expected to operate the train in accordance with the indications and
authorities provided. However, a technology that receives the same
information does not necessarily have the wherewithal to respond unless
it is programmed to do so. Thus, paragraph (a)(2) requires PTC systems
implemented under subpart I to obey and enforce all such indications
and authorities provided by these safety-critical underlying systems.
The integration of the delivery of the indication or authority with the
PTC system's response to those communications must be described and
justified in the PTCDP--further described below--and the PTCSP, as
applicable, and then must comply with those descriptions and
justifications. Again, FRA recognizes that in the case of intermediate
signals, this may not involve direct enforcement of the signal
indication.
APTA submitted a comment that the draft language of paragraph
(a)(2) appears to disallow systems such as moving block overlays that
may provide superior service. Since APTA does not believe this was the
intent of the provision, APTA suggests that FRA clarify the language in
this paragraph.
Paragraph (a)(2) is clear that the specified functions must be
performed ``except as justified'' in the PTCDP or PTCSP. Here, FRA
specifically intends to afford a means by which advanced systems
permitting moving block operations could be qualified, either as stand-
alone systems or as overlays integrated with the existing signal and
train control arrangements.
The PTC Working Group had extensive discussions concerning the
monitoring of main line switches and came to the following general
conclusions:
First, signal systems do a good job of monitoring switch position,
and enforcement of restrictions imposed in accordance with the signal
system is the best approach within signaled territory (main track and
controlled sidings). As a general rule, the enforcement required for
crossovers, junctions, and entry into and departure from controlled
sidings will be a positive stop, and the enforcement provided for other
switches (providing access to industry tracks and non-signaled sidings
and auxiliary tracks) will be display and enforcement of the upper
limit of restricted speed. National Transportation Safety Board
representatives were asked to evaluate whether this strategy meets the
needs of safety from their perspective. The NTSB returned with a list
of accidents caused by misaligned switches that it had investigated in
recent years, none of which was in signaled territory. Based on that
data, the NTSB staff decided that it was not necessary to monitor
individual switches in signaled territory.
In a filing to this proceeding, the NTSB indicated that switch
monitoring in both dark and signaled territories must demonstrate that
a train will be stopped before crossing through a misaligned switch.
Although the NTSB recognizes that signal systems currently provide
information about switch positions, it asserts that FRA must ensure
that any PTC system that uses the signal system to monitor switch
positions will provide adequate safeguards to prevent trains from being
routed through misaligned switches. Accordingly, the NTSB agreed with
FRA's decision to protect switches within sidings with speed limits
greater than 20 miles per hour to prevent switch misalignment
accidents.
Second, switch monitoring functions of contemporary PTC systems
provide an excellent approach to addressing this requirement in dark
territory. However, it is important to ensure that switch position is
determined with the same degree of integrity that one would expect
within a signaling system (e.g., fail-safe point detection, proper
verification of adjustment). The PTC Working Group puzzled over sidings
in dark territory and how to handle the requirement for switch
monitoring in connection with those situations. (While these are not
``controlled'' sidings, as such, they will often be mapped so that
train movements into and out of the sidings are appropriately
constrained.) At the final PTC Working Group meeting, a proposal was
accepted that would treat a siding as part of the main line track
structure requiring monitoring of each switch off of the siding if the
siding is non-signaled and the authorized train speed within the siding
exceeds 20 miles per hour. This issue is more fully discussed below.
Other functions. While FRA has included the core PTC system
requirements in Sec. 236.1005, there is the possibility that other
functions may be explicitly or implicitly required elsewhere in subpart
I. Accordingly, under paragraph (a)(3), each PTC system required by
subpart I must also perform
[[Page 2615]]
any other functions specified in subpart I. According to 49 U.S.C.
20157(g), FRA must prescribe regulations specifying in appropriate
technical detail the essential functionalities of positive train
control systems and the means by which those systems will be qualified.
In addition to the general performance standards required under
paragraphs (a)(1)-(3), paragraph (a)(4) contains more detailed
standards relating to the situations paragraphs (a)(1)-(3) intend to
prevent. Paragraph (a)(4) defines specific situations where FRA has
determined that specific warning and enforcement measures are necessary
to provide for the safety of train operations, their crews, and the
public and to accomplish the goals of the PTC system's essential core
functions. Under paragraph (a)(4)(i), FRA intends to prevent unintended
movements onto PTC main lines and possible collisions at switches by
ensuring proper integration and enforcement of the PTC system as it
relates to derails and switches protecting access to the main line.
Paragraph (a)(4)(ii) intends to account for operating restrictions
associated with a highway-rail grade crossing active warning system
that is in a reduced or non-operative state and unable to provide the
required warning for the motoring public. In this situation, the PTC
system must provide positive protection and enforcement related to the
operational restrictions of alternative warning that are issued to the
crew of any train operating over such crossing in accordance with part
234. Paragraph (a)(4)(iii) concerns the movement of a PTC operated
train in conjunction with the issuance of an after arrival mandatory
directive. While FRA recognizes that the use of after arrival mandatory
directives poses a risk that the train crew will misidentify one or
more trains and proceed prematurely, PTC provides a means to intervene
should that occur. Further, such directives may sometimes be considered
operationally useful. Accordingly, FRA fully expects that the PTC
system will prevent collisions between the receiving trains and the
approaching train or trains.
Numerous comments were received related to PTC system functional
requirements associated with highway-rail grade crossing active warning
systems. At the public hearing, the RLO asserted that the use of
technologies providing warning system pre-starts, activation
verification, and various health monitoring information related to the
warning system to approaching trains needs to be a required component
of the PTC system warning and enforcement functionalities where
warranted. AASHTO submitted comments expressing agreement that
inclusion of hazard warning detection in PTC systems for highway-rail
grade crossing warning systems is a significant enhancement to mitigate
potential risk. AASHTO also underlined its position of enhancing grade
crossing safety further by implementation of a program to fully
eliminate at-grade highway-rail crossings through consolidation and
grade separation wherever possible.
Some commenters expressed various logistic concerns with the
proposed rule language relating to operational restrictions issued in
response to a warning system malfunction as required by Sec. Sec.
234.105, 236.106, and 236.107 of this part. Other commenters asserted
that any PTC system functional requirements related to highway-rail
grade crossing warning systems fall entirely outside the scope of the
statutory mandate contained within the RSIA08 and therefore should not
be addressed in this rulemaking.
The AAR stated that, while they understand the safety concern, this
function is not even remotely related to the ``core'' PTC functions
mandated by Congress. Furthermore, the AAR asserts that the great cost
of installing wayside interface units at grade crossings on PTC routes
would be prohibitively expensive and would divert resources that would
otherwise be devoted to meeting the mandated PTC deadline.
NJ Transit stated that the RSIA08 does not indicate a requirement
for highway-rail grade crossing inclusion in the PTC system speed and
stop enforcement. Thus, the requirement contained in paragraph
(a)(4)(ii) to include warning and enforcement functionality simply adds
an additional effort to an already extremely aggressive December 31,
2015, mandate for PTC.
APTA and SCRRA stated that the requirements contained in proposed
paragraph (a)(4)(ii) were unclear. APTA and SCRRA recommended that FRA
should clarify that the language in paragraph (a)(4)(ii) is intended
solely to provide that a dispatcher can place a restriction on a
crossing that the PTC system must enforce in the event that a
malfunction is reported. However, according to APTA, paragraph
(a)(4)(ii) should not be read to require a PTC system to protect a
grade crossing and restrict or prevent a movement authority of a train
from being advanced across the crossing in the event of a failure being
detected in real time; nor should paragraph (a)(4)(ii) be interpreted
to require a grade crossing warning system to self-monitor and, if in a
degraded condition, impose a speed restriction or stop for an
approaching train.
NYSMTA states that the addition of highway-rail grade crossings to
this subpart falls outside the statutory mandate for PTC systems within
the RSIA08. This additional functionality presents an additional burden
for LIRR and Metro-North. Both railroads have hundreds of grade
crossings in their rail networks. NYSMTA further asserted that the
language in paragraph (a)(4)(ii) was ambiguous with respect to whether
``warning or enforcement'' of reported grade crossing failures would be
required, and what constitutes a ``warning.'' Required enforcement will
increase the capital cost of PTC, have an adverse impact on operations,
risk modifications to ACSES that could trigger verification and
validation, and create a further impediment to meeting the other
requirements of the proposed FRA regulations. NYSMTA therefore
recommended that the final rule be limited at this time to the four
requirements of the RSIA08.
FRA believes that, although the RSIA08 does not specifically
require PTC systems to cover highway-rail grade crossing warning system
malfunctions and associated operational requirements, it does stipulate
that FRA must develop rules and standards for PTC system functionality,
which include the four core features identified. In light of the
safety-critical nature of the specified operational limitations for
providing alternative warning to highway users pursuant to Sec. Sec.
234.105, 236.106, and 236.107, and the catastrophic consequences that
have often been experienced when those operational limitations have not
been accomplished (including actual and potential impacts with motor
vehicles involving serious injury and loss of life) and the fact that
these operational limitations equate to speed and stop targets that PTC
systems may surely warn and enforce, FRA intends to carry the language
contained within the proposed paragraph into this final rule. Although
FRA believes that the proposed rule was clear that its purpose was to
enforce dispatcher-issued ``stop-and-flag'' orders and slow orders
associated with credible reports of highway-rail grade crossing warning
device malfunctions, reference has been added to ``mandatory
directives,'' a term with a well-established meaning in FRA regulatory
parlance (see 49 CFR part 220).
While FRA recognizes that technologies exist to provide even
further interface with warning system activation and health, and
encourages railroads to include these technologies
[[Page 2616]]
to the extent possible, FRA elects to not require those interfaces
beyond that which has been already identified within this paragraph.
The NTSB submitted comments recommending that requirements for
warning and barrier protection plans for Class 7 track should also
apply to Class 5 and 6 tracks as part of an approved PTCSP in order to
reduce the risk of high-speed catastrophic derailments at associated
grade crossings. FRA notes that the requirements contained within Sec.
213.347 of this part require that a warning/barrier plan be approved
and adhered to for Class 7 track operations and prohibit grade
crossings on Class 8 and 9 track. Those requirements do not, however,
address Class 5 and 6 tracks specifically. Therefore, FRA believes that
this comment falls outside the scope of the present rulemaking. As
noted elsewhere in this preamble, FRA has developed Guidelines for
Highway-Rail Grade Crossing Safety on high-speed rail lines that
endeavor to improve engineering with a strong emphasis on closures.
Those Guidelines will be used to review and negotiate grants under
ARRA.
FRA recognizes that movable bridges, including draw bridges,
present an operational issue for PTC systems. Under subpart C, Sec.
236.312 already governs the interlocking of signal appliances with
movable bridge devices and FRA believes that this section should
equally apply to PTC systems governing movement over such bridges.
While subparts A through H apply to PTC systems--as stated in Sec.
236.1001--paragraph (a)(4)(iv) proposes to make this abundantly clear.
Accordingly, in paragraph (a)(4)(iv) and consistent with Sec. 236.312,
movable bridges within a PTC route are to be equipped with an
interlocked signal arrangement which is also to be integrated into the
PTC system. A train shall be forced to stop prior to the bridge in the
event that the bridge locking mechanism is not locked, the locking
device is out of position, or the bridge rails of the movable span are
out of position vertically or horizontally from the rails of the fixed
span. Effective locking of the bridge is necessary to assure that the
bridge is properly seated and thereby capable to support both the
weight of the bridge and that of a passing train(s) and preventing
possible derailment or other potential unsafe conditions. Proper track
rail alignment is also necessary to prevent derailments, either of
which again could result in damage to the bridge or a train derailing
off the bridge. No comments were received on this issue, and the
provision is carried forward in the final rule.
Paragraph (a)(4)(v) requires that hazard detectors integrated into
the PTC system--as required by paragraph (c) of this section or the FRA
approved PTCSP--must provide an appropriate warning and associated
applicable enforcement through the PTC system. There are many types of
hazard detection systems and devices. Each type has varying operational
requirements, limitations, and warnings based on the types and levels
of hazard indications and severities. FRA expects this enforcement to
include a positive stop where necessary to protect the train (e.g.,
areas with high water, flood, rock slide, or track structure flaws) or
to provide an appropriate warning with possible movement restriction
being acknowledged (i.e., hot journal or flat wheel detection). The
details of these warnings and associated required enforcements are to
be specifically addressed within a PTCDP and PTCSP subject to FRA
approval, and the PTC system functions are to be maintained in
accordance with the system specifications. FRA does not expect that all
hazard detectors be integrated into the PTC systems, but where they
are, they must interact properly with the PTC system to protect the
train from the hazard that the detector is monitoring. With the
exception of the RLO's strong emphasis on safety in PTC system
deployment, no comments were received on this issue; and the provision
is carried forward in the final rule.
Paragraph (a)(5) addresses the issue of broken rails, which is the
leading cause of train derailments. FRA proposes to strictly limit the
speed of passenger and freight operations in those areas where broken
rail detection is not provided. Under Sec. 236.0(c), as amended in
this final rule, 24 months after the publication of this final rule,
freight trains operating at or above 50 miles per hour, and passenger
trains operating at or above 60 miles per hour, are required to have a
block signal system unless a PTC system meeting the requirements of
this part is installed. Since current technology for block signal
systems relies on track circuits--which also provide for broken rail
detection--this final rule requires limiting speeds where broken rail
detection is not available to the maximums allowed under amended Sec.
236.0 when a block signal system is not installed. No comments were
received on this issue, and the provision is carried forward in the
final rule.
Deployment requirements. Paragraph (a) of 49 U.S.C. 20157, as
enacted by the RSIA08, reads as follows:
``(a) IN GENERAL.--
``(1) PLAN REQUIRED.--Not later than 18 months after the date of
enactment of the Rail Safety Improvement Act of 2008, each Class I
railroad carrier and each entity providing regularly scheduled
intercity or commuter rail passenger transportation shall develop
and submit to the Secretary of Transportation a plan for
implementing a positive train control system by December 31, 2015,
governing operations on--
``(A) its main line over which intercity rail passenger
transportation or commuter rail passenger transportation, as defined
in section 24102, is regularly provided;
``(B) its main line over which poison- or toxic-by-inhalation
hazardous materials, as defined in parts 171.8, 173.115, and 173.132
of title 49, Code of Federal Regulations,
are transported; and
``(C) such other tracks as the Secretary may prescribe by
regulation or order.
``(2) IMPLEMENTATION.--The plan shall describe how it will
provide for interoperability of the system with movements of trains
of other railroad carriers over its lines and shall, to the extent
practical, implement the system in a manner that addresses areas of
greater risk before areas of lesser risk. The railroad carrier shall
implement a positive train control system in accordance with the
plan.''
It is plain on the face of the statute that certain actions are
required and some are discretionary and that these actions must come
together progressively over a period beginning on April 16, 2010 (18
months after enactment) and ending on December 31, 2015. FRA has
included revisions in this final rule designed to fully express this
intent.
In paragraph (b) of Sec. 236.1005 in the NPRM, FRA proposed to use
2008 traffic levels as a baseline to fix the network that would receive
PTC, subject to any subsequently requested and approved amendments to
the PTCIP that would justify removal of the line, and subject to the
addition of lines that might qualify under the statutory mandate based
on later data. In addition to FRA's understanding of the rail lines
Congress intended to cover, FRA had several other fundamental reasons
for doing so. First, in order to reach completion by December 31, 2015,
as required by law, the railroads and FRA need to identify the relevant
route structure very early in the short implementation period and the
railroads need to stage the financing and logistics to reach
completion. Otherwise, the statutory deadline will not be met. Second,
2009 traffic levels will be notably atypical as a result of the
recession, which has caused overall traffic levels to fall by as much
as 20%. Third, the burden of installing PTC, which the statute applies
obligatorily to very large railroads but not to others, may create an
incentive to further ``spin off'' certain lines to avoid installing PTC
[[Page 2617]]
on lines Congress intended to cover. Finally, FRA was concerned about
responsive and anticipatory actions being taken by some railroads in
the face of emerging regulatory influences. Accordingly, FRA sought in
the NPRM to take a snapshot of the Class I system at the time the
Congress directed the implementation of PTC and then, using its
discretionary authority under the statute, to evaluate what adjustments
may be in order.
The Class I railroads responded with the suggestion that FRA is
without discretion to require inclusion of lines that do not qualify as
of 2015. However, FRA has already quoted the statute, which makes clear
the inclusion of FRA-identified lines in the 2015 mandate. The
statutory ``shall'' applies to these lines. Also, FRA and its
predecessor agency have long enjoyed the power to require installation
of train control under the ``Signal Inspection Act'' (codified at 49
U.S.C. 20501-20505). Further, FRA has been mandated since 1970 to issue
rules and standards covering ``every area of railroad safety'' (49
U.S.C. 20103). In conferring new responsibilities, the Congress in no
sense repealed what preceded them.
Arguing in the alternative, the Class I railroads said that FRA had
failed to rely on its discretionary authority to accomplish its
purpose. In fact, the subject statutory provisions were called out in
the authority section of the NPRM text, with the exception of the
Signal Inspection Act, as codified (an oversight remedied here).\1\ FRA
also explicitly stated in the preamble to the NPRM its intention to use
its statutory discretion to preserve congressional intent and tied that
intention to the use of 2008 traffic levels. The railroads' ancillary
claim is that, in effect, FRA would be ``arbitrary and capricious''
should the agency require PTC on lines not carrying PIH as of the end
of 2015 absent a further congressional mandate or a showing that PTC on
the subject lines would be ``cost beneficial.''
---------------------------------------------------------------------------
\1\ Here we recognize the interest of railroads that will be
making very costly investments to meet the requirements of the
statute and this rule. The ``Signal Inspection Act,'' as codified,
makes it explicit that the presence of a signal or train control
system on one line may not be considered in a civil action with
respect to an accident on another line. This law is also explicit
that, once installed, such a system may not be removed without
approval. 49 U.S.C. 20501-20505. It should have been cited in the
NPRM.
---------------------------------------------------------------------------
FRA is very conscious of the fact that PTC is expensive, and the
agency's regulatory evaluation for the proposed rule does not seek to
conceal it. The unit costs will be particularly high during the period
before December 31, 2015, and trying to do too much too fast could
result in significant disruption of rail transportation. Accordingly,
during the initial implementation period, FRA will not exercise its
authority to require a build out of the PTC network beyond something on
the order of what the Congress contemplated. However, FRA will exercise
its discretion to ensure that the network design reflects safety needs
and places a value on PTC that reflects an understanding of the value
applied by the Congress.
FRA understands the arguments surrounding PTC costs and benefits,
having filed three congressionally-required reports since 1994 with
information on the subject, having worked through the RSAC for several
years evaluating this issue, having funded PTC technology development
and overseen PTC pilot projects from the State of Washington to the
State of South Carolina, and having provided testimony to the Congress
on many occasions. However, FRA believes that the issue is now
presented in a different light than before. The Congress was aware that
the monetized safety benefits of PTC were not large in comparison with
the loss of life and injuries associated with PTC-preventable
accidents. With the passage of RSIA08, Congress has in effect set its
own value on PTC and directed implementation of PTC without regard to
the rules by which costs and benefits are normally evaluated in
rulemaking.
One could conclude that the Congress set the value only with
respect to passenger trains and PIH releases, but that would assume
that the interest expressed by the Congress over much more than a
decade and a half was so limited. In fact, longtime congressional
interest stemmed in large part from the loss of life among railroad
crew members in collisions, as well the potential for release of other
hazardous materials. Most of the NTSB investigations and investigations
pertaining to this ``most wanted'' transportation safety improvement in
fact derived from such events.
In this light, the focus of the statute on PIH and scheduled
passenger trains was clearly intended to provide specific guidance to
the agency--a minimum standard for action--and reflected the prominence
of passenger train accidents (Placentia, CA, April 23, 2002;
Chatsworth, CA); and PIH releases (Macdona, TX, June 28, 2004;
Graniteville, SC) in the most serious of the recent PTC-preventable
accidents. FRA does not take this to mean that the Congress meant us to
be indifferent to the crew fatality at Shepherd, Texas, on September
15, 2005, which resulted from a misaligned main track switch in a
collision very similar to the one at Graniteville. Nor do we believe
that FRA was expected to be indifferent to the collision between two
freight trains at Anding, Mississippi, on July 10, 2005, which killed
four crew members, or the collision with release of liquefied propylene
gas and ensuing explosion at Texarkana, Arkansas, on October 15, 2005,
which killed a resident of a community abutting the railroad.\2\ See,
e.g., Rail Safety Reauthorization: Hearing Before the Subcomm. on
Surface Transportation and Merchant Marine of the S. Comm. on Commerce,
Science, & Transportation, 110th Cong. (May 22, 2007) (statement of
Robert L. Sumwalt, Vice Chairman, National Transportation Safety
Board). Thus, FRA was provided latitude to require PTC system
installation and operation on lines beyond those specifically
prescribed by Congress. While FRA has enjoyed the same latitude under
pre-existing authority, RSIA08 indicates Congress' elevated concern
that FRA ensure the more serious and thoughtful proliferation of PTC
system technologies. Although, as noted above, FRA would expect to
exercise any such authority with significant reserve, given the high
costs involved, it would be an abdication of the agency's
responsibility not to determine that the basic core of the Class I
system is addressed, as would be the case based on 2008 traffic
patterns.
---------------------------------------------------------------------------
\2\ Unique among these events, the Texarkana collision may not
have been prevented by PTC technology now being perfected. However,
the consequences which ensued, including the fatality, destruction
of two residences and a highway bridge, and a significant evacuation
are illustrative of the consequences that can result from release of
flammable compressed gases in train accidents. There are
approximately 100,000 carloads of PIH commodities shipped each year.
There are approximately 228,000 carloads of flammable compressed
gases (other than those classified as PIH) shipped each year.
---------------------------------------------------------------------------
The tone of the Class I freight railroad comments justified FRA's
concerns that railroads might take the wrong lesson from the statutory
mandate. The lesson FRA perceives is that the core of the national rail
system, which carries passenger and PIH traffic, needs to be equipped
with PTC and that Congress used 5 million gross tons of freight
traffic, the presence of PIH traffic, and the presence of passenger
service as readily perceptible markers identifying the core lines on
which Congress wants PTC to be installed. In making its judgments,
Congress was necessarily looking at the national rail system as it
existed in 2008 when the statute was passed. A corollary of that lesson
is that the later disappearance or diminution of
[[Page 2618]]
one of those markers from a line does not necessarily mean that
Congress would no longer see that line as part of the core national
rail system meriting PTC. An alternative response would be to adopt
policies and tactics that penalize rail passenger service and attempt
to drive PIH traffic off the network, consolidating the traffic that
remains on the smallest possible route structure for PTC.
The freight railroads do not pretend that FRA is wrong in
perceiving that the freight railroads wish to remove PIH traffic from
the network. That is wise, since the public record is replete with
pleas from the Class I railroads to remove their common carrier
obligation to transport PIH traffic. Rather, they contend, in effect,
that FRA should not trouble itself with this issue, since the Congress
and the Surface Transportation Safety Board (STB) will ensure that PIH
shippers receive fair treatment, and the Pipeline and Hazardous
Materials Safety Administration (PHMSA) Rail Route Analysis Rule will
determine whether the traffic goes on the safest and most secure
routes.
There are significant problems with this contention. First, while
the Congress shows no interest in relieving the carriers of duty to
transport PIH commodities, and STB has likewise brushed back a recent
attempt by a Class I railroad to avoid this duty (see Surface
Transportation Board Decision, Union Pacific Railroad Company--Petition
for Declaratory Order, STB Finance Docket No. 35219 (June 11, 2009)),
it is by no means yet determined how the cost burden associated with
PTC will be borne. A railroad seeking to make the most favorable case
for burdening a PIH shipper with the cost of PTC installation would
first clear a line of overhead traffic through rerouting and then seek
to surcharge the remaining shipper(s) for the incremental cost of
installing the system. Under those circumstances, would the STB decide
that the railroad should transfer all of those costs to other shippers,
or would the STB uphold the surcharge in whole or in part, thereby
potentially making the cost of transportation unsupportable?
The carriers would have us rely on the PHMSA Rail Route Analysis
Rule in determining whether the PIH criterion requires installation of
PTC on a particular line. The Class I railroads' comments state that
``FRA is not even the DOT agency with substantive responsibility for
how railroads route TIH.'' This is an odd point, considering that: (1)
The statutory authority for both this rulemaking and the Rail Route
Analysis Rulemaking are vested in the Secretary of Transportation, and
FRA and PHMSA have a long and well established history of working
together for the safe transportation of hazardous materials; (2) as
reflected in the rulemaking documents, FRA initiated the Rail Routing
action in concert with PHMSA and participated in developing the
proposed rule well before the Congress mandated that the rulemaking be
concluded; (3) the final rule affirms that PHMSA issued the revision in
coordination with FRA and TSA; (4) by delegation from the Secretary,
FRA is the agency responsible for administering and enforcing the Rail
Route Analysis Rule and has issued a final rule (73 FR 72,194 (Nov. 26,
2008)) detailing the procedures railroads must follow when challenging
FRA enforcement decisions; and (5) FRA and has worked with TSA to
provide funding and oversight for development of the risk model
intended for use under the rule.
As it happens, FRA has good reason to be concerned with rail
routing of PIH commodities (as well as explosives and high level
radioactive waste, which are also covered by the PHMSA rule), both on
the merits of the routing decisions (as the agency responsible for
administering the rule) and in relation to the incidental impacts of
re-routing decisions on the network of lines that will be equipped with
PTC technology. Because the Rail Route Analysis Rule addresses both
security and safety risks, operations under that rule necessarily lack
the transparency typically afforded to safety risks.
Significant re-routing has already occurred since 2008 as a result
of the TSA Rail Transportation Security Rule (73 FR 72,130 (Nov. 26,
2008)). In its comments, CSXT states that the TSA rule ``required
railroads to modify their routing operations to ensure that only
attended interchanges are used for transporting TIH.'' The resulting
changes are said to be ``dramatic.'' Comment of CSX Transportation,
Inc., Docket FRA-2008-0132-0028.1, at 12 (Aug. 24, 2009). However, the
TSA regulation requires a secure chain of custody, not re-routing; and
so any re-routing resulting from the TSA regulation presumably resulted
not from the direct command of the rule itself but from the desire to
hold down costs by focusing the handoffs of these commodities where
personnel are already employed to oversee the transfers. This is
perfectly sensible, of course, to the extent that the re-routing did
not create greater safety or security concerns. However, since
railroads have contended for years that their current routings were
already optimized for safety, investigation is warranted.
The Rail Route Analysis Rule is only now being put into effect.
Most railroads will not complete their initial analysis until the first
quarter of 2009, using 12 months of 2008 data (per their request in the
subject rulemaking). While the rule requires railroads to consider the
use of interchange agreements when considering alternative routes, FRA
has not had the opportunity to verify that this has actually occurred
with the two railroads opting to comply with the September 2009 due
date for use of only six months of data.
The risk model intended to provide the foundation for the rail
routing process is still subject to considerable refinement. No
methodology is currently specified for evaluating the potential impact
of a PTC system (which would vary in risk reduction depending upon the
underlying or previous method of operation). Under these circumstances,
there is a distinct possibility the railroads may not give sufficient
weight to train control (existing or planned).\3\ Railroads are not
required to submit their route analysis and route selections to FRA for
approval. While FRA intends to aggressively oversee railroads' route
analysis and route selections during FRA's normal review process,
including their consideration of PTC, and require rerouting when
justified, this process will be resource-intensive and time-consuming
to complete. So FRA sees no reason necessarily to defer in this context
to decision making made under the Rail Route Analysis Rule, even as to
the role of PTC in safeguarding the transportation of traffic within
its ambit (PIH, certain explosives, and spent nuclear fuel). Instead,
those decisions are simply useful information under this rule. In April
of 2010 when railroads must complete their PTCIP's, a railroad may know
its own routing decisions under the Rail Route Analysis Rule, but not
FRA's evaluation of those decisions. Furthermore, the Rail Route
Analysis Rule analysis does not consider the safety risk posed by the
rail movement of hazardous materials it does not cover--but, as noted
above, this is a legitimate concern when deciding where to put PTC.
---------------------------------------------------------------------------
\3\ At least one Class I railroad consolidated some of its PIH
traffic on signalized lines prior to adoption of the Rail Route
Analysis Rule. This reflects a recognition that method of operations
matters, but that is not the same thing as having completed a fully
mature routing analysis against the 27 factors--something that will
occur only over time in the face of great complexity.
---------------------------------------------------------------------------
The Rail Route Analysis Rule considers both safety and security,
and PHMSA and FRA have worked with TSA to ensure that the inherently
[[Page 2619]]
speculative risk of a security incident does not overwhelm known safety
risks in the decision making. At the same time, the structure is very
responsive to known threats and special circumstances. However, FRA is
aware of at least one railroad that has balanced its evaluation of
safety and security risks under the rule affording equal weight to each
across the board. FRA will be working with that railroad to determine
the basis for this action and may later require the railroad to revise
its analysis and possibly reroute traffic. See Railroad Safety
Enforcement Procedures; Enforcement, Appeal and Hearing Procedures for
Rail Routing Decisions, 73 FR 72,194 (Nov. 26, 2008).
Since any given railroad may have thousands of origin-destination
pairs for its PIH traffic, and since railroads are just at the
threshold of cooperation to evaluate interline re-routing options, this
new program will settle out over a period of several years during which
lessons are learned. As custodian of this program, FRA is best situated
to conclude that using the products of initial analysis within a
framework that confers significant discretion to utilize judgment
should not control where PTC is built--particularly given the strong
incentives that carriers perceive to reduce the wayside mileage
equipped with PTC and the fact that installation of PTC might overwhelm
other considerations with respect to PIH routing.
In the proposed rule, FRA said that changes from the 2008 base
could be granted if ``consistent with safety.'' Even though this is a
familiar phrase drawn from FRA's basic safety statute, concern was
expressed regarding how this term might be applied. The final rule
further defines that standard by adding a rule for FRA decision making,
i.e., if the remaining safety risk on the line exceeds the average
safety risk per route mile on lines carrying PIH traffic, as determined
in accordance with Appendix B to 49 CFR part 236, FRA denies the
request. The provision leaves open the possibility of granting the
request if the railroad making application offers a compensating
further build out on another line where the resources would be better
spent because they would enhance safety to a greater degree. FRA has
available to it adequate data to construct a simple risk model for use
in this context and expects to do so when reviewing such requests. This
provision treats similarly risky rail lines similarly in carrying out
the perceived congressional intent for PTC to be installed on the
portion of the rail system Congress described, and it is an appropriate
exercise of FRA's statutory discretion because it is rationally related
to the reduction in risk Congress sought to achieve across the national
rail system.
The structure of paragraph (b) of Sec. 236.1005 is as follows:
Paragraph (b)(1) brings together the policy of the statute
requiring a phased, risk-based roll out of PTC with the types of lines
required to be equipped. FRA has included the additional language
``progressively equip'' to remind the industry that the law does not
expect a risk-based implementation in which no safety benefits are
achieved until December 31, 2015. To the contrary, the law and FRA
evidence a strong expectation that PTC safety benefits will be
increasingly achieved as lines and locomotives are equipped. See Sec.
236.1006. FRA was distressed to hear claims in the Class I railroad
testimonies and filings to the effect that, not only are the railroads
under no legal obligations to deploy incrementally and take advantage
of safety technology required by the law, FRA is without authority to
require PTC system operation until December 31, 2015. We consider both
claims to be without merit on the face of the law, including FRA's pre-
existing authority over signal and train control systems.
Paragraph (b)(2) describes the operation of the 2008 baseline as
the initial point of PTC implementation. The section is clear that if
any track segment mandated for PTC exclusively on the basis of PIH
traffic falls below 5 million gross tons for two consecutive years, the
line would be eligible for removal. The paragraph also identifies the
presence of PIH traffic in 2008 (or prior to filing the PTCIP) as
initially identifying the track segment in the PTCIP for PTC
implementation, but refers to paragraph (b)(4) as a means of removing
it.
Paragraph (b)(3) refers to changed conditions after the filing of
the PTCIP that might require a line or track segment to be added. This
could occur, inter alia, because overall freight volume increases, a
shipper requests PIH service on the line, or PIH traffic is (actually
or prospectively) rerouted over the line to satisfy the Rail Route
Analysis Rule. The provision requires ``prompt'' filing when conditions
change. It makes clear that the railroad will have at least 24 months
after approval of its RFA to install the PTC system on the line.
In the NPRM, FRA proposed that, in order to have a line segment no
longer carrying the PIH traffic be excepted from the requirement that
it be initially equipped, the railroad would need to provide estimated
traffic projections for the next 5 years (e.g., as a result of planned
rerouting, coordinations, location of new business on the line). In
addition, where the request involves prior or planned rerouting of PIH
traffic, the railroad would be required to provide a supporting
analysis that takes into consideration the rail security provisions of
the PHMSA rail routing rule, including any railroad-specific and
interline routing impacts. FRA proposed that it could approve an
exception if FRA finds that it would be consistent with safety and in
the public interest.
The AAR acknowledged in its comments that ``FRA does offer
railroads the ability to apply to FRA for approval to not install PTC
on a route which, in 2015, is no longer used for PIH traffic or which
no longer meets the definition of a main line.'' However, asserted AAR,
``FRA approval is predicated on the nebulous criteria of ``consistent
with safety and in the public interest.''
In this final rule, paragraph (b)(4) provides the methods by which
a railroad may seek the exclusion or removal of track segments from its
PTCIP. Paragraph (b)(4)(i) deals with the evaluation of track segments
that no longer carry 5 million gross tons or PIH traffic that the
railroad seeks to remove from the PTCIP, either at the time of initial
filing or through an RFA thereafter. A request to remove a line would
need to be accompanied by future traffic projections. FRA understands
that, in some cases, railroads will not be able to state with certainty
whether total tonnage or PIH traffic will return to a line; and
certainty is not required. However, in other cases a railroad may in
fact be able to make reasonable projections (because of control over a
parallel main line that is approaching capacity, planned coordination
with another railroad, etc.).
In the case of cessation of passenger service or a decline of
tonnage on a PIH line, FRA anticipates that approval of such requests
will normally be routine. However, in light of AAR's comments, the
final rule provides that, where PIH traffic has been removed (or is
projected to be removed), three conditions must be met in order for FRA
to approve such requests. First, it is not expected that there will be
any local PIH traffic on the subject track segment. Second, to the
extent overhead traffic has been (or will be) removed from the line,
the request must be supported by routing analysis justifying the
alternative routing of any traffic formerly traversing the line or
which might traverse the line as an alternative routing. This is not
the same routing analysis required under part 49 CFR part 172, but it
may be presented
[[Page 2620]]
in the same format. The difference is that, under the Rail Route
Analysis Rule, the current best route for the movement of security
sensitive materials (which included PIH materials) must be determined,
taking into consideration both safety and security and assuming the
existing method of operation, any changes that a carrier may reasonably
be anticipated to occur in the upcoming year, and any mitigation
measures that the carrier intends to implement. That is a tactical
question, which focuses on a particular geographical or logistical
area. The question that needs to be addressed for PTC planning is the
future best route, taking into consideration the fact that any route
used for PIH will need to be equipped within the schedule contained in
the approved PTCIP (but not later than December 31, 2015, for the least
risky lines that need to be equipped). This is a strategic question,
which applies to the carrier's entire network. Accordingly, this
analysis would need to show that, even by equipping the subject line
with PTC, it would not have an advantage over the route proposed to be
selected.
As noted in section VI of this preamble, FRA seeks comments on how
elements of a route analysis should be weighed by FRA when determining
whether rerouting under this paragraph is sufficiently justified.
FRA includes one additional requirement that invokes its
discretionary authority under the law. Even if a line has not or will
not carry PIH traffic after the 2008 base year or later time period
prior to filing of the PTCIP (i.e., for those filing a PTCIP for new
service initiated after the statutory deadlines), the final rule
requires an additional test that fleshes out the ``consistent with
safety'' notion contained in the proposed rule with the desired
objective of providing greater predictability, transparency, and
consistency in decision making. This test requires that, in order for a
track segment to be excluded, the remaining risk on the line not exceed
the average risk extant on lines required to be equipped with PTC
because they meet the threshold for tonnage of 5 million gross tons and
carry PIH traffic. The effect of this test should be to allow a
majority of lines that formerly carried PIH, which has been removed for
legitimate reasons, to be removed from the PTCIP. With no intercity/
commuter passenger traffic and no PIH, these will mostly be lines with
moderate traffic involving commodities such as coal or grain and
minimal quantities of other hazardous materials. However, with respect
to lines with higher risk, PTC may be required despite the
consolidation of PIH traffic on other lines. For instance, FRA does not
believe that consolidation of PIH traffic due to security reasons
should unduly influence PTC deployment. Train crews, roadway workers,
and communities along the routes have a strong interest in seeing PTC
provided for their benefit. Examples of lines that could be captured by
this requirement are very high density lines to coal fields or between
major terminals where collision risk is significant and other very
dangerous or environmentally sensitive hazardous materials are
transported in significant quantities (e.g., flammable compressed gas,
halogenated organic compounds). Non-signaled lines with traffic nearing
capacity and many manually operated switches, together with significant
hazardous materials, would also be candidates for retention.
As previously noted in the Introduction and section VI to this
preamble, FRA seeks further comments on paragraph (b)(4)(i). This
provision describes the specific considerations FRA will take into
account in determining whether a deviation from the baseline is
``consistent with safety.'' FRA believes that this final rule could
still benefit from input concerning this application of the
``consistent with safety'' standard FRA has applied for decades in
considering waivers under 49 U.S.C. 20103(d) and whether FRA should
interpret that standard differently or in greater detail here.
Accordingly, FRA continues to seek comments on this issue with the
desired objective of providing greater predictability, transparency,
and consistency in decision making. More specifically, FRA seeks
comments that would help clarify what issues, facts, standards, and
methodologies it should consider when determining whether to approve a
request for amendment made pursuant to paragraph (b)(4)(i). FRA also
seeks comments on how it should compare the levels of risk between
lines with PIH and lines without PIH for the purposes of paragraph
(b)(4)(i).
Paragraph (b)(4)(ii) contains a new provision that provides a basis
for a railroad to request removal of a track segment from a PTCIP
either at the time of initial filing or through an RFA thereafter. The
provision is being added in an effort to respond to comments submitted
on the NPRM requesting a de minimis exception for low density track
segments with minimal PIH traffic. The AAR noted that, under the
proposed regulations, even one car containing PIH on a main line would
require installation of PTC. AAR believes that this position is
untenable in light of the cost-benefit concerns (e.g., the 15-to-1 cost
to benefit ratio under FRA's economic analysis), especially on routes
with minimal PIH traffic. The AAR takes the position that it would
therefore be arbitrary and capricious for FRA to not employ a de
minimis exception. According to AAR, its preliminary analysis shows
that a meaningful de minimis exception could save the industry hundreds
of millions of dollars without significantly changing the safety
benefit calculation.
The AAR and some of its member railroads assert that FRA has the
authority to include a de minimis exception in the final rule. In
separate comments, CSXT also recommends that FRA recognize a de minimis
exception for PIH transport. CSXT asserts that, in cases where a
limited quantity of PIH materials are transported on a particular
route--or where a segment of track happens to carry PIH materials on a
single occasion because of mere happenstance--there are no safety
benefits that would justify costly PTC implementation. In addition, in
the absence of specific language in the RSIA08 that would preclude FRA
from recognizing a de minimis exception, CSXT asserts that FRA
possesses the requisite authority to do so. In support of this
assertion, CSXT points to three cases from the DC Circuit (Shays v.
FEC, 414 F.3d 76 (DC Cir. 2005); Environmental Def. Fund, Inc. v. EPA,
82 F.3d 451 (D.C. Cir. 1996); and State of Ohio v. EPA, 997 F.2d 1520
(DC Cir. 1993)), in which the DC Circuit acknowledged the inherent
authority conferred upon agencies, in the absence of an express
prohibition, to promulgate a de minimis exception as a tool for
implementing legislative design and avoiding pointless expenditures of
effort.
FRA has reviewed the suggestion of the Class I railroads that FRA
possesses an inherent, or at least reasonably inferred, authority to
withhold any requirement for deployment of PTC on lines with very low
risk. FRA agrees that, as a general matter, it has an inherent
authority to create de minimis exceptions in its regulations to
statutes FRA administers. In fact, FRA has utilized this inherent
authority in this final rule in the following areas: Providing limited
exceptions for yard operations; addressing the movement of equipment
with inoperative PTC systems; and providing for limited movements by
non-equipped trains operated by Class II and Class III
[[Page 2621]]
railroads over PTC equipped main line.\4\ FRA believes these are all
appropriate uses of its discretionary authority. Based on existing case
law, as well as its review of the comments provided in this proceeding,
FRA believes that a de minimis exception to the statutory mandate
requiring the installation of PTC systems on any and all main lines
transporting any quantity of PIH hazardous materials should also be
provided to low density main lines with minimal safety hazards that
carry a truly minimal quantity of PIH hazardous materials.
---------------------------------------------------------------------------
\4\ This is not to say that there are independent justifications
for each of these decisions. Yard operations involve a mix of
switching movements and train movements and have never been within
public expectations for PTC because of issues of impracticability
and inapplicability, as well as greatly reduced safety concerns.
Movement of trains with inoperative PTC equipment has historically
been allowed for and governed within Interstate Commerce Commission
and FRA regulations, and proceeding otherwise would be a virtual
impossibility. FRA does not understand RSIA08 to specify whether all
trains operating on PTC lines must be PTC equipped, and accordingly
FRA believes that it is required to make discretionary decisions in
that regard. That said, the de minimis concept clearly offers an
alternative justification for each of these decisions.
---------------------------------------------------------------------------
With this said, however, and as explained below, that discretionary
authority will not sustain the creation of the broad-brush exception
sought by the Class I railroads in this proceeding. United States
Circuit Court decisions recognize that federal agencies may promulgate
de minimis exemptions to statutes they administer. See, e.g., Shays v.
FEC, 414 F.3d 76, 113 (DC Cir. 2005); Ass'n of Admin. Law Judges v.
FLRA, 397 F.3d 957, 961-62 (DC Cir. 2005) (``[T]he Congress is always
presumed to intend that pointless expenditures of effort be avoided''
and that such authority ``is inherent in most statutory schemes, by
implication.''); Environmental Defense Fund, Inc. v. EPA, 82 F.3d 451,
466 (DC Cir. 1996) (``[C]ategorical exemptions from the requirements of
a statute may be permissible as an exercise of agency power, inherent
in most statutory schemes, to overlook circumstances that in context
may fairly be considered de minimis.'') (inner quotations and citation
omitted); Alabama Power Co. v. Costle, 636 F.2d 323, 360 (DC Cir. 1979)
(the ability to create a de minimis exemption ``is not an ability to
depart from the statute, but rather a tool to be used in implementing
the legislative design.''); New York v. EPA, 443 F.3d 880, 888 (DC Cir.
2006) (noting the maxim de minimis non curat lex--``the law cares not
for trifles.'').
However, ``a de minimis exemption cannot stand if it is contrary to
the express terms of the statute.'' Environmental Defense Fund, 82 F.3d
at 466 (citing Public Citizen v. Young, 831 F.2d 1108, 1122 (DC Cir.
1987)). In other words, agency authority to promulgate de minimis
exemptions does not extend to ``extraordinarily rigid'' statutes. See
Shays, 414 F.3d at 114 (``By promulgating a rigid regime, Congress
signals that the strict letter of its law applies in all
circumstances.''); Ass'n of ALJs, 397 F.3d at 962; Alabama Power, 636
F.2d at 360-61 (As long as the Congress has not been ``extraordinarily
rigid'' in drafting the statute, however, ``there is likely a basis for
an implication of de minimis authority.''). Furthermore, such authority
does not extend to situations ``where the regulatory function does
provide benefits, in the sense of furthering regulatory objectives, but
the agency concludes that the acknowledged benefits are exceeded by the
costs.'' Public Citizen v. FTC, 869 F.2d 1541, 1557 (DC Cir. 1989)
(quoting Alabama Power, 636 F.2d at 360-61) (emphasis removed); see
also Shays, 414 F.3d at 114; Kentucky Waterways Alliance v. Johnson,
540 F.3d 466, 483 (6th Cir. 2008). ``Instead, situations covered by a
de minimis exemption must be truly de minimis.'' Shays, 414 F.3d at
114. That is, they must cover only situations where ``the burdens of
regulation yield a gain of trivial or no value.'' Environmental Defense
Fund at 466 (inner quotations omitted) (citing Alabama Power, 636 F.2d
at 360-61).
In this case, where release of the contents of one PIH tank car can
have catastrophic consequences (e.g., the 2005 Graniteville accident),
FRA must determine whether the gain yielded by installing PTC on any
rail line that carries a minimal amount of PIH materials is ``of
trivial or no value.'' During the RSAC Working Group discussions
conducted on August 31-September 2, 2009, the major freight railroads
suggested that any track segment carrying fewer than 100 PIH cars
annually should be considered to present a de minimis risk and be
subject to an exception. (Their representatives were very clear that
the request did not extend to lines carrying intercity or commuter
passenger trains.) During the Working Group discussion, AAR was asked
to describe additional safety limitations that might apply to these
types of track segments (e.g., tonnage, track class, population
densities). The AAR elected not to do so, adhering to the simple less
than 100 car exception. Subsequently, in an October 7, 2009, docket
filing, AAR suggested that safety mitigations could be applied where
necessary to bring risk down to de minimis levels.
FRA has considered AAR's proposed exception and has noted that,
although the number of cars appears small, in fact only about 100,000
loaded PIH cars are offered for transportation in the United States
each year (approximately 200,000 loads and residue cars). Accordingly,
FRA would expect that such an exception might have a significant impact
on the number of miles of railroad subject to the PTC mandate. None of
the filings in this docket, and none of the discussion in the PTC
Working Group, shed light on the relevant facts despite an express
request from FRA to Class I railroads to supply facts bearing on their
requested exception. Based on the limited information available to FRA,
FRA believes that such an exception would excuse installation of PTC on
roughly 10,000 miles of railroad out of the almost 70,000 route miles
FRA has projected would need to be equipped based on the proposed
requirements. Based on the limited information available, it appears
that some of the lines within the AAR request carry very heavy tonnages
(with many train movements raising the risk for a collision) at freight
speeds up to 60 or 70 miles per hour (predicting severe outcomes when
accidents do occur). Putting trains with PIH bulk cargoes into this mix
in the absence of effective train control would not be a de minimis
risk as to those cars of PIH actually transported. Further, any public
policy decision to excuse PTC installation under these circumstances
would have to ignore other risk on those track segments. Creating a de
minimis exception for less than 100 PIH cars on a very busy and risk-
laden track segment simply on the basis of the number of PIH cars
would, accordingly, ignore the separate charge that the Congress gave
to the agency in 1970 to adopt regulations ``as necessary'' for ``every
area of railroad safety'' (49 U.S.C. 20103(a)) and the value that the
Congress has obviously placed on PTC as a means of reducing risk within
the reach of the four PTC core functions under the RSIA08. Further, it
would stand on its head the structure of 49 U.S.C. 20157, as added by
the RSIA08, which mandates completion by the end of 2015 of PTC on (1)
lines of intercity and commuter passenger trains, (2) lines of Class I
railroads carrying 5 million gross tons and PIH, and (3) ``such other
tracks as the Secretary may prescribe by regulation or order.''
FRA believes that the broad-based type of de minimis exception
sought by the AAR and its member railroads based
[[Page 2622]]
solely on the number of PIH cars transported annually is not supported
either legally or on a safety basis. However, FRA believes a limited
exception is necessary and justified for those main lines that
transport a truly limited quantity of PIH materials and that pose
little safety hazard to the general public by not being equipped with
an operational PTC system. Thus, FRA is including paragraph (b)(4)(ii)
in this final rule to permit railroads exclude these types of main
track segments from the statutory requirement to install a PTC system.
The initial qualifying criterion is that of less than 100 PIH cars per
year (loaded or residue), as suggested by the AAR.
In order to foster as much clarity as possible regarding the
exceptions provided, FRA has broken the concept into two separate
divisions. The first creates a presumption that a requested exception
will be provided based on existing circumstances on the line, plus an
operating restriction. The second involves more challenging
circumstances and involves no presumption, but the railroad may proffer
safety mitigations in order to drive down risk to demonstrably
negligible levels (subject to FRA review). Both are limited to lines
that carry less than 15 million gross tons of traffic annually, a
figure three times the threshold in the law. FRA has no confidence that
a railroad could assure ``negligible risk'' in a busier and therefore
more complex operation, and allowing for consideration of lines with
more traffic could lead to neglect of other risk of concern (e.g., harm
to train crews in collisions, casualties to roadway workers, release of
other hazardous materials).
Paragraph (b)(4)(ii)(B) specifies additional tests that apply to
the first exception:
The line segment must consist exclusively of Class 1 or 2
track under the Track Safety Standards (maximum authorized speed 25
mph);
The line segment must have a ruling grade of less than 1
percent; and
Any train transporting a car containing PIH materials
(including a residue car) must be operated under conditions of temporal
separation, as explained in Sec. 236.1019(e) and in Appendix A to part
211 of this title, from other trains using the line segment, as
documented by a temporal separation plan submitted with the request and
approved by FRA.
Limiting maximum authorized train speed reduces the kinetic energy
available in any accident, and the forces impinging on the tank should
be sustainable.\5\ Placing a limit on ruling grade helps to avoid any
situation in which a train ``gets away'' as a result of a failure to
invoke a brake application until momentum is such that no stop is
possible (as the surface between the brake shoe and wheel ``goes
liquid''). (PTC can prevent the initial overspeed and intervene early.)
Requiring that a train carrying PIH and other trains be ``temporally
separated'' can help prevent a collision in which a PIH car is struck
directly by the locomotive of another train while traversing a turnout
(potentially exceeding the force levels the tank can withstand). Given
these combinations of circumstances, a de minimis exception should
ordinarily be warranted. FRA would withhold approval only upon a
showing of special circumstances, such as where there might be a need
to protect movements over a moveable bridge. Should FRA identify such a
circumstance, the railroad might elect to proceed under the additional
exception.
---------------------------------------------------------------------------
\5\ See Engineering Studies on Structural Integrity of Railroad
Tank Cars Under Accident Conditions (DOT/FRA/ORD-9/18; October
2009); see also 78 FR 17,818, 17,821 (Apr. 1, 2008) (discussion of
proposed limitation on PIH train speeds in non-signaled territory
prior to introduction of fully crashworthy tank cars, which was
later withdrawn for other reasons).
---------------------------------------------------------------------------
Paragraph (b)(4)(ii)(C) provides an alternative path to a de
minimis exception by opening the door for proposed risk mitigations
that could drive risk down to negligible levels. The railroad could
offer any combination of operating procedures, technology, or other
means of risk reduction. Basically, the paragraph requires the railroad
to ``make its case'' to FRA as to why a limited exception should be
provided for the identified main line. The railroad must provide FRA
sufficient information to justify the application of a de minimis
exception to the identified track segment, including current and future
traffic predictions, detailed information regarding the safety hazards
present on the involved track segment, and an explanation of how the
proposed mitigations would reduce the risk to a negligible level. FRA
believes that, beyond the relatively narrow categorical exception
provided in (B), a separate case-by-case analysis of each request is
necessary to properly apply its inherent discretionary authority to
grant de minimis exceptions in this area. Approaching the issue in this
manner also permits full consideration of mitigations tailored to the
particular circumstances. FRA would evaluate the submittal and, if
satisfied that the proffered mitigations would be successful, approve
the exception of the line segment. FRA wishes to note that elements of
PTC technology may in some cases provide the means for accomplishing
this. Developing a track database for a line segment, installing an
intermittent data radio capability, and utilizing PTC-equipped
locomotives on the line could be used to enforce temporary speed
restrictions and enforce track warrants without the major expense on
the wayside. Where necessary, based on somewhat higher train speeds,
key switches could be monitored; or, alternately, only those trains
containing PIH cars could be speed restricted (with speed enforced on
board). The notion here is to leverage investments already made with
modest additional expenditures that capture the bulk of the safety
benefits while specially protecting trains with PIH cars.
FRA believes that the savings from these provisions should be
substantial. Most of the line segments falling within the criteria set
forth for de minimis risk will be non-signaled lines with limited
freight traffic. The ability to omit equipping these routes with full
data radio infrastructure and with switch position monitoring at all
switches should constitute a significant savings. In fact, based on
available information, FRA believes that as much as 3,500 miles of
railroad could be included in one of the exceptions provided. FRA
estimates that the gross savings from omitting PTC from these lines
might amount to about $175 million and that mitigations might offset
roughly $32 million of those savings, for net savings still exceeding
$140 million. Of that amount, approximately $15 million could come from
the first exception, which deals with very low risk lines left in their
current state and operated under temporal separation of trains
containing PIH traffic.
This provision was developed in the absence of a robust record. On
October 7, 2009, the AAR filed supplementary comments offering to work
with FRA on a more flexible process for de minimis exceptions that
would consider safety mitigations designed expressly to drive risk down
to de minimis levels on candidate line segments. FRA attempted to
respond to this late-filed comment in full recognition that the final
rule will impose substantial costs and that avoiding unnecessary cost
is desirable. However none of the parties has had an opportunity to
comment on the exception provided in this final rule. Accordingly, FRA
seeks comments on the extent of the de minimis exception. Such comments
should be supported by sufficient and applicable safety data. FRA notes
that the time required for
[[Page 2623]]
refinement of this provision should fit within the existing PTC system
implementation timetable, since any lines where risk is low will be
slated for PTC system installation relatively late in the
implementation period that ends on December 31, 2015.
Paragraph (b)(5) addresses an additional reason for proposing to
use 2008 data as a baseline for PTC installation, rather than de facto
conditions in 2015: i.e., the prospect that Class I railroads will
divest lines in order to avoid the PTC mandate. Based on past practice
at the Interstate Commerce Commission and STB, lines sales can occur
under circumstances where the new operator of the line is to a large
extent the alter ego of the seller. The seller may retain overhead
trackage rights or merely lease the line; or circumstances may be such
that the seller is the only available interchange partner and thus
continues to enjoy the ``long haul'' portion of the rate. Typically the
buyer will have a lower cost structure, and to the extent the sale is
merely a recognition that the line has declined in traffic and will
need to be redeveloped as a source of carload traffic, that may be the
best way to preserve rail service. However, to the extent that the
seller sheds costs while retaining significant practical control and
depriving the buyer of adequate revenues, safety issues can arise. FRA
has historically been reluctant to allow discontinuance of signal
systems in some of these cases, particularly where it remained within
the seller's ability to rebuild overhead traffic on the line
downstream, where the seller retained the right to repossess the
property at a later time, or where the line carried passenger traffic.
This background may help explain why FRA made reference to the
issue of whether omitting PTC on a line that carried PIH traffic in
2008 might be ``in the public interest'' in the proposed rule. In
references during the subsequent RSAC working group deliberations, some
question was raised about what that could mean. In light of that
confusion, FRA has omitted the phrase from the final rule but has added
language addressing the issue of line sales that expresses more
directly how FRA would handle line sales and modifications to a PTCIP.
FRA's purpose is to ensure that decisions regarding where PTC is
deployed are made in light of all the relevant circumstances. To the
extent that this approach represents an exercise of discretionary
authority (and should any such exercise in fact occur), FRA would
expect to make the decision based upon safety criteria after the STB
had determined the public interest with respect to rail service. Again,
FRA would expect to recognize the value that the Congress placed on PTC
as a means of risk reduction while not rewarding transactions designed
to avoid installation of PTC on the line in question.
Paragraph (b)(6) states that no new intercity or commuter passenger
service shall commence after December 31, 2015, until a PTC system
certified under this subpart has been installed and made operative. FRA
believes this is a clearly necessary requirement to satisfy the
statute. In response to the comments, FRA has removed the reference to
``continuing'' of previous passenger service. FRA agrees that the
remedy associated with any delays in completing PTC system installation
should be determined based upon circumstances at the time and without
disfavoring passenger service in relation to freight service.
General objections to a 2008 baseline. FRA is aware that the
approach embodied in the final rule may not play out as an elegantly
optimized risk reduction strategy. If FRA were writing on a blank
slate, the agency may have considered factors that drive risk and
thresholds for those factors, taking into consideration more than PIH
and intercity or commuter passenger traffic. Some lines that the
Congress has required to be equipped by the end of 2015 because of PIH
traffic would be left for deployment well downstream. Under such a
hypothetical scenario, others with heavy train counts or without signal
systems (and with robust traffic) may have been in theory added to the
list for deployment of PTC by the end of 2015. But FRA is not writing
on a clean slate. Rather, FRA is endeavoring to implement the statute
with fidelity both to its terms and its intent, utilizing the
discretion underscored by the law to get the job done.
Part of the complexity of this task is the schedule. FRA has
labored to publish this final rule as soon as humanly possible so that
the industry could be ready to file PTC Implementation Plans by the
statutory deadline of April 16, 2010. FRA will then be required, again
by the statute, to approve or disapprove each plan within a period of
90 days. Accordingly, establishing some degree of order in framing the
Implementation Plan requirements is clearly necessary. Taking the 2008
traffic base as a known starting point, and evaluating any deviations
from that base, will permit FRA to identify any potentially
inappropriate traffic consolidations and focus on those areas as
matters for review. FRA could, of course, take a different approach and
order a categorically broader implementation. However, that has been
understandably opposed by the railroads; and crafting any such approach
would likely not have been feasible during the time available for this
rulemaking. Accordingly, what we have done in Sec. 236.1011(b) is to
require the PTCIP to include a statement of criteria that the Class I
railroad will apply in planning future deployment of PTC and a
requirement that the railroad's Risk Reduction Program Plan (required
by the RSIA08 to be filed in 2013) contain a specification of
additional lines that will be equipped in full (meeting all of the
requirements of subpart I) or as a partial implementation (subset of
functionalities). Approaching the end of the initial deployment period,
therefore, FRA should be in a position to consider whether requiring
additional PTC deployments will be appropriate to address remaining
risk or whether elective actions by the railroads will meet that need.
Over time, then, any rough edges that remain should be smoothed over.
Another objection to the 2008 baseline is that more may need to be
accomplished (i.e., the need to capture more lines) in the period
between enactment and December 31, 2015. FRA responds as follows:
First, no more will need to be done than the Congress likely expected.
If FRA, an expert agency, did not foresee the ``dramatic''
consolidation of PIH traffic resulting from the TSA rule, it is fairly
unlikely that the Congress did. Second, the Class I freight industry
has had it within its control to get this done, and one of FRA's major
objectives in conducting this rulemaking has been to ensure success by
keeping the technology bar at a reasonable height and deferring as much
as possible to work already accomplished. During the September 10,
2009, RSAC meeting, the leaders of the Interoperable Train Control
project--an effort led by BNSF, CSXT, NS, and UP to develop
interoperability standards for the general freight system--advised that
those standards will not be available until the end of 2010 to the many
commuter railroads and Amtrak working in concert with a major freight
carrier. But the industry developed Advanced Train Control Standards in
the 1980s, standards that FRA pronounced mature in its 1994 Report,
after which the industry abandoned the project. PTC interoperability
standards were identified as a need in the consensus report of the
original PTC
[[Page 2624]]
Working Group to the FRA Administrator in 1999, and creation of such
standards was a major deliverable of the North American PTC Program
(funded jointly by the FRA, industry, and the State of Illinois). That
delivery was never made. In the interim, the major signal suppliers,
working through the American Railway Engineering and Maintenance
Association managed to produce interoperability standards (again with
FRA support), but these are not standards that the freight railroads
have elected to employ. Accordingly, FRA concludes that the principal
obstacle to completion of PTC is the perfection of technology,
including interoperability standards, by an industry that has had two
decades to work. Any further delays in that quadrant should not deprive
the Nation of a reasonably scaled PTC deployment.
Other comments. FRA received generally favorable comments on the
base year issue from Friends of the Earth\6\ and the Rail Labor
Organizations. The Chlorine Institute also urged the broadest
application of PTC to the national rail network, and the American
Chemistry Council submitted generally favorable comments without
lingering on this specific issue. The Fertilizer Institute commented
that limiting lines to the 2008 PIH network could restrict shipping
options in the future and also advocated a broader mandate.
---------------------------------------------------------------------------
\6\ Friends of the Earth also made detailed comments regarding
administration of the Rail Route Analysis Rule that are beyond the
scope of this proceeding.
---------------------------------------------------------------------------
Final rule adjustments. FRA has further considered the need to
optimize the risk reduction strategy captured in this final rule with
respect to lines that may no longer carry PIH traffic as of some point
(whether at filing of the PTCIP or thereafter). FRA has included a
requirement that the subject line from which PIH has been removed would
be required to be equipped with PTC only if the line's remaining
traffic involves a level of risk that is above the average for lines
that carry PIH traffic. As noted above, FRA would expect most lines
from which PIH traffic might be legitimately removed, exclusive of
those that carry intercity or commuter passenger traffic (which will
need to be equipped in any event), to fall below the average risk level
and be removed from the PTCIP. These will be primarily what are
referred to as branch lines or secondary main lines, carrying moderate
traffic volumes. However, if a line such as a very busy coal line with
intermixed general freight (including, e.g., flammable compressed gas
or halogenated organic compounds) were in question, FRA would expect
that line to remain equipped. Further optimization of this approach is
offered in the form of compensating risk reduction. That is, a railroad
could offer up a line that was not included in 2008 traffic base for
PTC implementation if it carries traffic that involves very substantial
risk. Although this option is offered, FRA does not expect any such
situation to arise. Based on FRA's review of known traffic flows and
densities, FRA expects that most lines omitted from those reported in
the PTCIP based on 2008 data will fall into a very low range of risk in
relation to lines carrying PIH traffic. Further, FRA believes it is
very unlikely that any legitimate consolidation of PIH traffic after
2008 would have utilized a line that was not previously carrying at
least some PIH traffic. In short, although the agency may not have
taken the same approach, there is wisdom behind the congressional
formulation based on conditions when the Congress acted.
In summary, FRA has fashioned an approach to review of candidate
track segments for PTC Implementation that seeks to uphold the letter
and the intent of the RSIA08, that utilizes FRA discretionary authority
sparingly but in a risk-informed manner, that it is administrable
within the time allowed by law to review PTCIPs, that offers the best
chance of creating some stability in deployment strategy by permitting
the agency to focus on areas of greatest sensitivity early in the
process (including, as necessary, a threshold evaluation of whether
Rail Route Analysis Rule decisions require further evaluation), and
that will ensure, to the extent possible, that safety alone is the
governing criterion in determining where PTC will be required to be
deployed.
Paragraph (c) provides amplifying information regarding the
installation and integration of hazard detectors into PTC systems.
Paragraph (c)(1) reiterates FRA's position that any hazard detectors
that are currently integrated into an existing signal and train control
system must be integrated into mandatory PTC systems and that the PTC
system will enforce as appropriate on receipt of a warning from the
detector. Paragraph (c)(2) states that each PTCSP submitted by a
railroad must identify any additional hazard detectors that will be
used to provide warnings to the crew which a railroad may elect to
install. If the PTCSP so provides, the PTCSP must clearly define the
actions required by the crew upon receipt of the alarm or other warning
or alert. FRA does not expect a railroad to install hazard detectors at
every location where a hazard might possibly exist.
Paragraph (c)(3) requires, in the case of high-speed service (as
described in Sec. 236.1007 as any service operating at speeds greater
than 90 miles per hour), that the hazard analysis address any hazards
on the route and provide a reason why additional hazard detectors are
not required to provide warning and enforcement for hazards not already
protected by an existing hazard detector. The hazard analysis must
clearly identify the risk associated with the hazard, and the
mitigations taken if a hazard detector is not installed and interfacing
with a PTC system. For instance, in the past, large motor vehicles with
parallel or overhead structures have been left fouling active passenger
rail lines. Depending upon the circumstances, such events can cause
catastrophic train accidents. Although not every such event can be
prevented, detection of such obstacles may make it more likely that the
accident could be prevented.
In its comments, Amtrak assumes that on those lines where FRA has
previously approved such speeds (e.g., portions of Amtrak's Northeast
Corridor (NEC) and Michigan line), a new hazard analysis, which would
serve only to allow that which is already allowed, will not be
required. If so, it asserts that the rule should make that explicit.
FRA has done so in the final rule. No further changes were indicated by
the comments.
Under paragraph (d), the final rule requires that each lead
locomotive operating with a PTC system be equipped with an operative
event recorder that captures safety-critical data routed to the
engineer's display that the engineer must obey, including all mandatory
directives that have been electronically delivered to the train,
maximum authorized speeds, warnings presented to the crew, including
countdowns to braking enforcement and warnings indicating that braking
enforcement is in effect, and the current system state (``ACTIVE'',
``FAILED'', ``CUTIN'', ``CUTOUT'', etc.)
FRA intends that this information be available in the event of an
accident with a PTC-equipped system to determine root causes and the
necessary actions that must be taken to prevent reoccurrence. Although
FRA expects implemented PTC systems will prevent PTC-preventable
accidents, in the event of system failure FRA believes it is necessary
to capture available data relating to the event. Further, FRA sees
value in capturing information regarding any accident that may occur
outside of the control of a PTC system
[[Page 2625]]
as it is currently designed--including the prevention of collisions
with trains not equipped with PTC systems--and accidents that could
otherwise have been prevented by PTC technology, but were unanticipated
by the system developers, the employing railroad, or FRA.
The data may be captured in the locomotive event recorder, or a
separate memory module. If the locomotive is placed in service on or
after October 1, 2009, the event recorder and memory module, if used,
shall be crashworthy, otherwise known as crash-hardened, in accordance
with Sec. 229.135. For locomotives built prior to that period, the
data shall be protected to the maximum extent possible within the
limits of the technology being used in the event recorder and memory
module.
One commenter stated that paragraph (d) was not clear. The
commenter is unsure if FRA is requiring that all of the operator's
display be recorded and replicated upon playback. FRA only requires
that the railroad capture the safety-critical data routed to the
display which the engineer must obey. The choice of format to play back
this data has been left to the railroad, keeping in mind that whatever
format used for data playback needs to be available to FRA for accident
investigations and other investigation activities.
As required by the RSIA08 and by paragraph (a)(1)(iv), as noted
above, a PTC system required by subpart I must be designed to prevent
the movement of a train through a main line switch in the wrong
position. Paragraph (e) provides amplifying information on switch point
monitoring, indication, warning of misalignment, and associated
enforcement. According to the statute, each PTC system must be designed
to prevent ``the movement of a train through a switch left in the wrong
position.'' FRA understands ``wrong position'' to mean not in the
position for the intended movement of the train. FRA believes that
Congress' use of the phrase ``left in the wrong position'' was
primarily directed at switches in non-signaled (dark) territory such as
the switch involved in the aforementioned accident at Graniteville,
South Carolina. FRA also believes that, in order to prevent potential
derailment or divergence to an unintended route, it is critical that
all associated switches be monitored by a PTC system in some manner to
detect whether they are in their proper position for train movements.
If a switch is misaligned, the PTC system must provide an acceptable
level of safety for train operations.
Prior to the statute, PTC provided for positive train separation,
speed enforcement, and work zone protection. The addition of switch
point monitoring and run through prevention would have eliminated the
Graniteville accident where a misaligned switch resulted in the
unintended divergence of a train operating on the main track onto a
siding track and the collision of that train with another parked train
on the siding. The resulting release of chlorine gas caused nine deaths
and required the evacuation of the entire town while remediation
efforts were in progress.
As discussed above, FRA considered requiring PTC systems to be
interconnected with each main line switch and to individually monitor
each switch's point position in such a manner as to provide for a
positive stop short of any misalignment condition. However, after
further consideration and discussion with the PTC Working Group, FRA
believes that such an approach may be overly aggressive and terribly
expensive in signaled territory.
Under paragraph (e), FRA instead provides to treat switches
differently, depending upon whether they are within a wayside or cab
signal system--or are provided other similar safeguards (i.e., distant
switch indicators and associated locking circuitry) required to meet
the applicable switch position standards and requirements of subparts A
through G--within non-signaled (dark) territory.
While a PTC system in dark territory would be required to enforce a
positive stop--as discussed in more detail below--a PTC system in
signaled territory would require a train to operate at no more than the
upper limit of restricted speed between the associated signal, over any
switch in the block governed by the signal, and until reaching the next
subsequent signal that is displaying a signal indication more
permissive than proceed at restricted speed.
Signaled territory includes various types of switches, including
power-operated switches, hand-operated switches, spring switches,
electrically-locked switches, electro-pneumatic switches, and hydra
switches, to name the majority. Each type of switch poses different
issues as it relates to PTC system enforcement. We will look at power-
and hand-operated switches as examples.
On a territory without a PTC system, if a power-operated switch at
an interlocking or control point were in a condition resulting in the
display of a stop indication by the signal system, an approaching train
would generally have to stop only a few feet from the switch, and in
the large majority of cases no more than several hundred feet away from
it. In contrast, in PTC territory adhering to the aforementioned overly
aggressive requirement, a train would have to stop at the signal, which
may be in close proximity to its associated switch, and operate at no
more than the upper limit of restricted speed to that switch, where it
would have to stop again. FRA believes that, since the train would be
required to stop at the signal, and must operate at no more than the
upper limit of restricted speed until it completely passes the switch
(with the crew by rule watching for and prepared to stop short of,
among other concerns, an improperly lined switch), a secondary enforced
stop at the switch would be unnecessarily redundant.
Operations using hand-operated switches would provide different,
and arguably greater, difficulties and potential risks. Generally, in
between each successive interlocking and control point, signal spacing
along the right of way can approximately be 1 to 3 miles or more apart,
determined by the usual length of track circuits and the sufficient
number of indications that would provide optimal use for train
operations. Each signal governs the movement through the entire
associated block up to the next signal. Thus, a train approaching a
hand-operated switch may encounter further difficulties since its
governing signal may be much further away than the governing signal for
a power-operated switch. If within signaled territory a hand-operated
switch outside of an interlocking or control point were in a condition
resulting in the display of a restricted speed signal indication by the
signal system, an approaching train may be required to stop before
entering the block governed by the signal and proceed at restricted
speed, or otherwise reduce its speed to restricted speed as it enters
the block governed by the signal. The train must then be operated at
restricted speed until the train reaches the next signal displaying an
indication more permissive than proceed at restricted speed, while
passing over any switch within the block. The governing signal,
however, may be anywhere from a few feet to more than a mile from the
hand-operated switch. For instance, if a signal governs a 3 mile long
block, and there is a switch located 1.8 miles after passing the
governing signal (stated in advance of the signal), and that switch is
misaligned, the train would have to travel that 1.8 miles at restricted
speed. Even if the train crew members were able to correct the
misaligned switch,
[[Page 2626]]
they would need to remain at restricted speed at least until the next
signal (absent an upgrade of a cab signal indication).
In signaled territory, to require a PTC system to enforce a
positive stop of an approaching train at each individual misaligned
switch would be an unnecessary burden on the industry, particularly
since movement beyond the governing signal would be enforced by the PTC
system to a speed no more than the upper limit of restricted speed.
Accordingly, in signaled territory, paragraph (e)(1) requires a PTC
system to enforce the upper limit of restricted speed through the
block. By definition, at restricted speed, the locomotive engineer must
be prepared to stop within one-half the range of vision short of any
misaligned switch or broken rail, etc., not to exceed 15 or 20 miles
per hour depending on the operating rule of the railroad. Accordingly,
if a PTC system is integrated with the signal system, and a train is
enforced by the PTC system to move at restricted speed past a signal
displaying a restricted speed indication, FRA feels comfortable that
the PTC system will meet the statutory mandate of preventing the
movement of the train through the switch left in the wrong position by
continuously displaying the speed to be maintained (i.e., restricted
speed) and by enforcing the upper limit of the railroads' restricted
speed rule (but not to exceed 20 mph). While this solution would not
completely eliminate human factors associated with movement through a
misaligned switch, it would significantly mitigate the risk of a train
moving through such a switch and would be much more cost effective.
Moreover, it would be cost prohibitive to require the industry to
individually equip each of the many thousands of hand-operated switches
with a wayside interface unit (WIU) necessary to interconnect with a
PTC system in order to provide a positive stop short of any such switch
that may be misaligned. Currently each switch in signaled territory has
its position monitored by a switch circuit controller (SCC). When a
switch is not in its normal position, the SCC opens a signal control
circuit to cause the signal governing movement over the switch location
to display its most restrictive aspect (usually red). A train
encountering a red signal at the entrance to a block will be required
to operate at restricted speed through the entire block, which can be
several miles in length depending on signal spacing. The signal system
is not capable of informing the train crew which switch, if any, in the
block may be in an improper position since none of switches are
equipped with an independent WIU. There could be many switches within
the same block in a city or other congested area. Thus, there is a
possibility that one or more switches may be not in its proper position
and the signal system would be unable to transmit which switch or
switches are not in normal position. The governing signal could also be
displaying a red aspect on account of a broken rail, broken bond wire,
broken or wrapped line wire, bad insulated joint, bad insulated switch
or gage rods, or other defective condition.
FRA believes that requiring a PTC system to enforce the upper limit
of restricted speed in the aforementioned situations is statutorily
acceptable. The statute requires each PTC system to prevent ``the
movement of a train through a switch left in the wrong position.''
Under this statutory language, the railroad's intended route must
factor into the question of whether a switch is in the ``wrong''
position. In other words, in order to determine whether a switch is in
the ``wrong position,'' we must know the switch's ``right position.''
The ``right position'' is determined by the intended route of the
railroad. Thus, when determining whether a switch is in the wrong
position, it is necessary to know the railroad's intended route and
whether the switch is properly positioned to provide for the train to
move through the switch to continue on that route. The intended route
is normally determined by the dispatcher.
Under the final rule, when a switch is in the wrong position, the
PTC system must have knowledge of that information, must communicate
that information to the railroad (e.g., the locomotive engineer or
dispatcher), and must control the train accordingly. Once the PTC
system or railroad has knowledge of the switch's position, FRA expects
the position to be corrected in accordance with part 218 before the
train operates through the switch. See, e.g., Sec. Sec. 218.93,
218.103, 218.105, 218.107.
If the PTC system forces the train to move at no more than the
upper limit of restricted speed, the railroad will have knowledge that
a misaligned switch may be within the subject block, and the railroad,
by rule or dispatcher permission, will then make the decision to move
through the switch (i.e., the railroad's intent has changed as
indicated by rule or dispatcher instructions), so the switch will no
longer be in the ``wrong position.'' The RSAC PTC Working Group was
unanimous in concluding that these arrangements satisfy the safety
objectives of RSIA08. Utilization of the signal system to detect
misaligned switches and facilitate safe movements also provides an
incentive to retain existing signal systems, with substantial
additional benefits in the form of broken rail detection and detection
of equipment fouling the main line.
Paragraph (e)(2) addresses movements over switches in dark
territory and under conditions of excessive risk, even within block
signal territory. In dark territory, by definition, there are no
signals available to provide any signal indication or to interconnect
with the switches or PTC system. Without the benefit of a wayside or
cab signal system, or other similar system of equivalent safety, the
PTC system will have no signals to obey. In such a case, the PTC system
may be designed to allow for virtual signals, which are waypoints in
the track database that would correspond to the physical location of
the signals had they existed without a switch point monitoring system.
Accordingly, paragraph (e)(2)(i) requires that in dark territory where
PTC systems are implemented and governed by this subpart, the PTC
system must enforce a positive stop for each misaligned switch whereas
the lead locomotive must be stopped short of the switch to preclude any
fouling of the switch. Once the train stops, the railroad will have an
opportunity to correct the switch's positioning and then continue its
route as intended.
Unlike in signaled territory, FRA expects that on lines requiring
PTC in dark territory, each switch will be equipped with a WIU to
monitor the switch's position. A WIU is a device that aggregates
control and status information from one or more trackside devices for
transmission to a central office and/or an approaching train's onboard
PTC equipment, as well as disaggregating received requests for
information, and promulgates that request to the appropriate wayside
device. Most of the switches in dark territory are hand-operated with a
much smaller number of them being spring and hydra switches. In dark
territory, usually none of the switches have their position monitored
by a SCC and railroads have relied on the proper handling of these
switches by railroad personnel. When it is necessary to throw a main
line switch from normal to reverse, an obligation arises under the
railroad's rules to restore the switch upon completion of the
authorized activity. Switch targets or banners are intended to provide
minimal visual indication of the switch's position, but in the typical
case trains are not required to operate at a speed permitting them to
stop short of open switches. As
[[Page 2627]]
evidenced by the issuance of Emergency Order No. 24 and the subsequent
Railroad Operating Rules Final Rule (73 FR 8,442 (Feb. 13, 2008)),
proper handling of main line switches cannot be guaranteed in every
case. However, now with the implementation and operation of PTC
technology, if a switch is not in the normal position, that information
will be transmitted to the locomotive. The PTC system will then know
which switch is not in the normal position and require a positive stop
at that switch location only.
In the event that movement through a misaligned switch would result
in an unacceptable risk, whether in dark or signaled territory,
paragraph (e)(2)(ii) requires the PTC system to enforce a positive stop
on each train before it crosses the switch in the same manner as
described above for trains operating in dark, PTC territory. FRA
acknowledges that regardless of a switch's position, and regardless of
whether the switch is in dark or signaled territory, movement through
certain misaligned switches--even at low speeds--may still create an
unacceptable risk of collision with another train.
FRA understands the term ``unacceptable risk'' to mean risk that
cannot be tolerated by the railroad's management (and in this case FRA
plays the role of ensuring consistency). It is a type of identified
risk that must be eliminated or controlled. For instance, such an
unacceptable risk may exist with a hand-operated crossover between two
main tracks, between a main track and a siding or auxiliary track, or
with a hand-operated switch providing access to another subdivision or
branch line. The switches mentioned in paragraph (e)(2)(ii) are in
locations where, if the switch is left lined in the wrong position, a
train would be allowed to traverse through the crossover or turnout and
potentially into the path of another train operating on an adjoining
main track, siding, or other route. Even if such switches were located
within a signaled territory, the signal governing movements over the
switch locations, for both tracks as may be applicable, would be
displaying their most restrictive aspect (usually red). This
restrictive signal indication would in turn allow both trains to
approach the location at restricted speed where one or both of the
crossover switches are lined in the reverse position. Since the PTC
system is not capable of actually enforcing restricted speed other than
its upper limits, the PTC system would enforce a 15 or 20 mile per hour
speed limit dependent upon the operating rules of the railroad.
However, there is normally up to as much as a 5 mile per hour tolerance
allowed for each speed limit before the PTC system will actually
enforce the applicable required speed. Thus, in reality, the PTC system
would not enforce the restricted speed condition until each train
obtained a speed of up to 25 miles per hour. In this scenario, it is
conceivable that two trains both operating at a speed of up to 25 miles
per hour could collide with each other at a combined impact speed
(closing speed) of up to 50 miles per hour. While these examples are
provided in the rule text, they are merely illustrative and do not
limit the universe of what FRA may consider an unacceptable risk for
the purpose of paragraph (e). FRA emphasizes that FRA maintains the
final determination as to what constitutes acceptable or unacceptable
risk in accordance with paragraph (e)(2)(ii).
Caltrain submitted a comment recommending the removal of the
following text from this section: ``Unacceptable risk includes
conditions when traversing the switch, even at low speeds, could result
in direct conflict with the movement of another train (including a
hand-operated crossover between main track, a hand-operated crossover
between main track and an adjoining siding or auxiliary track, or a
hand-operated switch providing access to another subdivision or branch
line, etc.)'' Caltrain asserted that the PTC Safety Plan is required
to, and will address, whether a particular configuration is an
acceptable risk. The examples cited can include a non-signaled siding
or auxiliary track several feet below the grade of the mainline track.
The possibility of the equipment on the auxiliary track conflicting
with movement on the main line track is no greater at a crossover than
if it is a single switch and turnout. Main to main crossovers are
another topic that will be addressed in the risk analysis.
FRA believes it to be important to identify the requirement that a
PTC system must enforce a positive stop short of any main line switch,
and any switch on a siding where the allowable speed is in excess of 20
miles per hour, if movement of a train over such a switch not in its
proper position could create an unacceptable risk. FRA is providing
within the language of the rule example of movements through an
improperly lined switch that FRA believes would result in unacceptable
risk. This unacceptable risk is not related to the potential ``roll-
out'' of equipment from another track onto the main track, which was
referenced in the comment submitted by Caltrain, but constitutes any
situation where a movement may diverge from one track onto an adjacent
track potentially directly in front of a proceeding movement of a
separate train on that track.
Furthermore, FRA provides in paragraph (e)(3) that a railroad may
submit, with justification, alternative PTC system enforcement
associated with unacceptable risk of train movements through improperly
aligned switches in their applicable PTCDP or PTCSP for FRA approval.
FRA therefore elects to leave the rule text of paragraph (e)(2)(ii) as
it was written in the proposed rule.
The PTC system must also enforce a positive stop short of any
misaligned switch on a PTC controlled siding in dark territory where
the allowable track speed is in excess of 20 miles per hour. Sidings
are used for meeting and passing trains and where those siding
movements are governed by the PTC system, safety necessitates the
position of the switches located on sidings to be monitored in order to
protect train movements operating on them. Conversely, on signaled
sidings, train movements are governed and protected by the associated
signal indications, track circuits, and monitored switches, none of
which are present in dark territory.
Paragraph (e)(3) notes that while switch position detection and
enforcement must be accomplished, the PTCSP may include a safety
analysis for alternative means of PTC system enforcement associated
with switch position. Moreover, an identification and justification of
any alternate means of protection other than that provided in this
section shall be identified and justified. FRA recognizes that, in
certain circumstances, this flexibility may allow the reasonable use of
a track circuit in lieu of individually monitored switches (addressing
rail integrity as well as identification of open switches).
Paragraph (e)(4) provides amplifying information regarding existing
standards of subparts A through G of this part related to switches,
movable-point frogs, and derails in the route governed that are equally
applicable to PTC systems unless otherwise provided in a PTCSP approved
under this subpart. This paragraph explains that the FRA required and
accepted railroad industry standard types of components used to
monitored switch point position and how those devices are required to
function. This paragraph allows for some alternative method to be used
to accomplish the same level of protection if it is identified and
justified in a PTCSP approved under this subpart.
[[Page 2628]]
The AAR submitted comment that the language within paragraph
(e)(4), which was presumably derived from subpart C of this part,
prescribes conditions under which ``movement authorities can only be
provided.'' (emphasis added). The AAR contends that, in the context of
PTC design, this paragraph seems to prescribe a specific method (the
withholding of movement authorities) to provide switch position
protection per the requirements identified by paragraphs (e)(1) through
(e)(3). The AAR asserts that paragraph (e)(4) should be clarified or
revised to allow for PTC systems that may meet these requirements by
methods other than, or in addition to, those methods prescribed by
paragraph (e)(4). Thus, the AAR suggests rewording paragraph (e)(4) to
include the language: ``unrestricted movement authorities can only be
provided''.
FRA agrees with the principle of the AAR's comment. The intention
appears to be that the permissiveness of all movement authorities over
any switches, movable-point frogs, or derails must be determined by
control circuits or their electronic equivalent selected through a
circuit controller or functionally equivalent device that is operated
directly by the switch points, derail, or switch locking mechanism, or
through relay or electronic device controlled by such circuit
controller or functionally equivalent device. Unrestricted movement
authorities can only be provided when each switch, movable-point frog,
or derail in the route governed is in proper position. FRA has
therefore revised paragraph (e)(4) to read as follows: ``The control
circuit or electronic equivalent for all movement authorities over any
switches, movable-point frogs, or derails shall be selected through
circuit controller or functionally equivalent device operated directly
by switch points, derail, or by switch locking mechanism, or through
relay or electronic device controlled by such circuit controller or
functionally equivalent device, for each switch, movable-point frog, or
derail in the route governed. Circuits or electronic equivalents shall
be arranged so that any movement authorities less restrictive than
those prescribed in paragraphs (e)(1) and (e)(2) of this section can
only be provided when each switch, movable-point frog, or derail in the
route governed is in proper position, and shall be in accordance with
subparts A through G of this part, unless it is otherwise provided in a
PTCSP approved under this subpart.''
Paragraph (f) provides amplifying information for determining
whether a PTC system is considered to be configured to prevent train-
to-train collisions, as required under paragraph (a). FRA will consider
the PTC system as providing the required protection if the PTC system
enforces the upper limits of restricted speed. These criteria will
allow following trains to pass intermediate signals displaying a
restricting aspect and will allow for the issuance of joint mandatory
directives.
Where a wayside signal displays a ``Stop,'' ``Stop and Proceed,''
or ``Restricted Proceed'' indication, paragraph (f)(1)(i) requires the
PTC system to enforce the signal indication accordingly. In the case of
a ``Stop'' or ``Stop and Proceed'' indication, operating rules require
that the train will be brought to a stop prior to passing the signal
displaying the indication. The train may then proceed at 15 or 20 miles
per hour, as applicable according to the host railroad's operating
rule(s) for restricted speed. In the case of a ``Restricted Proceed''
indication, the train would be allowed to pass the signal at 15 or 20
miles per hour. Some existing PTC systems do not enforce the stop
indication under these circumstances, and FRA believes that this is
acceptable. However, in either event, the speed restriction would be
enforced until the train passes a more favorable signal indication. NJ
Transit asserted, and FRA agrees, that in dark territory where trains
operate by mandatory directive, the PTC system would be expected to
enforce the upper limit of restricted speed on a train when the train
was allowed into a block already occupied by another preceding train
traveling in the same direction. In freight operations, there may be
situations where, in order to accomplish local switching, further
latitude would be necessary, so long as the upper limit of restricted
speed is enforced.
NJ Transit suggests that the FRA consider modifying the verbiage to
more clearly define the expectation of the operating rules and
enforcement requirements associated with the Stop and Proceed
indication.
FRA fully understands the concern presented by NJ Transit, but
suggests that the recommended modification to verbiage is already
provided for in the language of paragraph (f)(1)(ii). FRA has therefore
elected to retain the language of paragraph (f) in the final rule.
Paragraphs (g) through (k) all concern situations where temporary
rerouting may be necessary and would affect application of the
operational rules under subpart I. While the final rule attempts to
reduce the opportunity for PTC and non-PTC trains to co-exist on the
same track, FRA recognizes that this may not always be possible,
especially when a track segment is out of service and a train must be
rerouted in order to continue to destination. Accordingly, paragraph
(g) allows for temporary rerouting of traffic between PTC equipped
lines and lines not equipped with PTC systems. FRA anticipates two
situations--emergencies and planned maintenance--that would justify
such rerouting.
Paragraph (g) provides the preconditions and procedural rules to
allow or otherwise effectuate a temporary rerouting in the event of an
emergency or planned maintenance that would prevent usage of the
regularly used track. Historically, FRA has dealt with temporary
rerouting on an ad hoc basis. For instance, on November 12, 1996, FRA
granted UP, under its application RS&I-AP-No. 1099, conditional
approval for relief from the requirements of Sec. 236.566, which
required equipping controlling locomotives with an operative apparatus
responsive to all automatic train stop, train control, or cab signal
territory equipment. The conditional approval provided for ``detour
train movements necessitated by catastrophic occurrence such as
derailment, flood, fire, or hurricane'' on certain listed UP
territories configured with automatic cab signals (ACS) or automatic
train stop (ATS). Ultimately, the relief would allow trains not
equipped with the apparatus required under Sec. 236.566 to enter those
ACS and ATS territories. However, the relief was conditional upon
establishing an absolute block in advance of each train movement--as
prescribed by General Code of Operating Rules (GCOR) 11.1 and 11.2--and
notifying the applicable FRA Regional Headquarters. The detour would
only be permissible for up to seven days and FRA could modify or
rescind the relief for railroad non-compliance.
On February 7, 2006, that relief was temporarily extended to
include defined territory where approximately two months of extensive
track improvements were necessary. Additional conditions for this
relief included a maximum train speed of 65 miles per hour and
notification to the FRA Region 8 Headquarters within 24 hours of the
beginning of the non-equipped detour train movements and immediately
upon any accident or incident. On February 27, 2007, FRA provided
similar temporary relief for another three months on the same
territory.
While the aforementioned conditional relief was provided on an ad
hoc basis, FRA feels that codifying rules regulating temporary
rerouting involving PTC system track or locomotive equipment is
[[Page 2629]]
necessary due to the potential dangers of allowing mixed PTC and non-
PTC traffic on the same track and the inevitable increased presence of
PTC and PTC-like technologies. Moreover, FRA believes that the subject
railroads and FRA would benefit from more regulatory flexibility to
work more quickly and efficiently to provide for temporary rerouting to
mitigate the problems associated with emergency situations and
infrastructure maintenance.
Under the final rule, FRA is providing for temporary rerouting of
non-PTC trains onto PTC track and PTC trains onto non-PTC track. A
train will not be considered rerouted for purposes of the conditions
set forth in this section if it operates on a PTC line that is other
than its ``normal route,'' which is equipped and functionally
responsive to the PTC system over which it is subsequently operated, or
if it is a non-PTC train (not a passenger train or a freight train
having any PIH materials) operating on a non-PTC line that is other
than its ``normal route.''
Paragraph (g) effectively provides temporary civil penalty immunity
from various applicable requirements of this subpart, including
provisions under subpart I relating to controlling locomotives, similar
to how waivers from FRA have provided certain railroads immunity from
Sec. 236.566.
FRA expects that emergency rerouting will require some flexibility
in order to respond to circumstances outside of the railroad's
control--most notably changes in the weather, vandalism, and other
unexpected occurrences--that would result in potential loss of life or
property or prevent the train from continuing on its normal route.
While paragraph (g) lists a number of possible emergency circumstances,
they are primarily included for illustrative purposes and are not a
limiting factor in determining whether an event rises to an emergency.
For instance, FRA would also consider allowing rerouting in the event
use of the track is prevented by vandalism or terrorism. While these
events are not the primary reasons for which paragraph (g) would allow
rerouting, FRA recognizes that they may fall outside of the railroad's
control.
In the event of an emergency that would prevent usage of the track,
temporary rerouting may occur instantly by the railroad without
immediate FRA notice or approval. By contrast, the vast majority of
maintenance activities can be predicted by railroad operators. While
the final rule provides for temporary rerouting for such activities,
the lack of exigent circumstances does not require the allowance of
instantaneous rerouting without an appropriate request and, in cases
where the request is for rerouting to exceed 30 days, FRA approval.
Accordingly, under paragraph (g), procedurally speaking, temporary
rerouting for emergency circumstances will be treated differently than
temporary rerouting for planned maintenance. While FRA continues to
have an interest in monitoring all temporary rerouting to ensure that
it is occurring as contemplated by FRA and within the confines of the
rule, the timing of FRA notification, and the approval procedures,
reflects the aforementioned differences.
When an emergency circumstance occurs that would prevent usage of
the regularly used track, and would require temporary rerouting, the
subject railroad must notify FRA within one business day after the
rerouting commences. To provide for communicative flexibility in
emergency situations, the final rule provides for such notification to
be made in writing or by telephone. FRA provides that written
notification may be accomplished via overnight mail, e-mail, or
facsimile. In any event, the railroad should take the steps necessary
for the method of notification selected to include confirmation that an
appropriate person actually on duty with FRA receives the notification
and FRA is duly aware of the situation.
While telephone notification may provide for easy communications by
the railroad, a mere phone call would not provide for documentation of
information required under paragraph (g). Moreover, if for some reason
the phone call is made at a time when the designated telephone operator
is not on duty or if the caller is only able to leave a message with
the FRA voice mail system, the possibility exists that the applicable
FRA personnel would not be timely notified of the communication and its
contents.
Emergency rerouting can only occur without FRA approval for
fourteen (14) consecutive calendar days. If the railroad requires more
time, it must make a request to the Associate Administrator. The
request must be made directly to the Associate Administrator and
separately from the initial notification sometime before the 14-day
emergency rerouting period expires. Unless the Associate Administrator
notifies the railroad of his or her approval before the end of the
allowable emergency rerouting timeframe, the relief provided by
paragraph (g) will expire at the end of that timeframe.
While a mere notification is necessary to commence emergency
rerouting, a request must be made, with subsequent FRA approval, to
perform planned maintenance rerouting. The relative predictability of
planned maintenance activities allows railroads to provide FRA with
much more advanced request of any necessary rerouting and allows FRA to
review that request. FRA requires that the request be made at least 10
calendar days before the planned maintenance rerouting commences.
To ensure a retrievable record, the request must be made in
writing. It may be submitted to FRA by fax, e-mail, or courier. Because
of security protocols placed in effect after the terrorist attacks of
September 11, 2001, regular mail undergoes irradiation to ensure that
any pathogens have been destroyed prior to delivery. The irradiation
process adds significant delay to FRA's receipt of the document, and
the submitted document may be damaged due to the irradiation process.
Thus, FRA implores those making a rerouting request in writing to
deliver the request through other, more acceptable, means.
The lack of emergency circumstances makes telephonic communication
less necessary, since the communication need not be immediate, and less
preferable, since it may not be accurately documented for subsequent
reference and review. Like notifications for emergency rerouting, the
request for planned rerouting must include the number of days that the
rerouting should occur. If the planned maintenance will require
rerouting up to 30 days, then the request must be made with the
Regional Administrator. If it will require rerouting for more than 30
days, then the request must be made with the Associate Administrator.
These longer time periods reflects FRA's opportunity to review and
approve the request. In other words, since FRA expects that the review
and approval process will provide more confidence that a higher level
of safety will be maintained, the rerouting period for planned
maintenance activities may be more than the 14 days allotted for
emergency rerouting.
Regardless of whether the temporary rerouting is the result of an
emergency situation or planned maintenance, the communication to FRA
required under paragraph (g) must include the information listed under
paragraph (i). This information is necessary to provide FRA with
context and details of the rerouting. To attempt to provide railroads
with the flexibility intended under paragraph (g), and to attempt to
prevent enforcement of the rules from which the railroad should be
receiving relief, FRA must be able to coordinate with its inspectors
and other personnel.
[[Page 2630]]
This information may also eventually be important to FRA in developing
statistical analyses and models, reevaluating its rules, and
determining the actual level of danger inherent in mixing PTC and non-
PTC traffic on the same tracks.
For emergency rerouting purposes, the information is also necessary
for FRA to determine whether it should order the railroad or railroads
to cease rerouting or provide additional conditions that differ from
the standard conditions specified in paragraph (i). FRA recognizes the
importance of allowing temporary rerouting to occur automatically in
emergency circumstances. However, FRA must also maintain its
responsibility of ensuring that such rerouting occurs lawfully and as
intended by the rules. Accordingly, the final rule provides the
opportunity for FRA to review the information required by paragraph (g)
to be submitted in accordance with paragraph (i) and order the railroad
or railroads to cease rerouting if FRA finds that such rerouting is not
appropriate or permissible in accordance with the requirements of
paragraphs (g) through (i), and as may be so directed in accordance
with paragraph (k), as discussed further below.
For rerouting due to planned maintenance, the information required
under paragraph (i) is equally applicable and will be used to determine
whether the railroad should not reroute at all. If the request for
planned maintenance is for a period of up to 30 days, then the request
and information must be sent in writing to the Regional Administrator
of the region in which the temporary rerouting will occur. While such a
request is self-executing--meaning that it will automatically be
considered permissible if not otherwise responded to--the Regional
Administrator may prevent the temporary rerouting from starting by
simply notifying the railroad or railroads that its request is not
approved. The Regional Administrator may otherwise provide conditional
approval, request that further information be supplied to the Regional
Administrator or Associate Administrator, or disapprove the request
altogether. If the railroad still seeks to reroute due to planned
maintenance activities, it must provide the Regional Administrator or
Associate Administrator, as applicable, the requested information. If
the Regional Administrator requests further information, no planned
maintenance rerouting may occur until the information is received and
reviewed and the Regional Administrator provides his or her approval.
Likewise, no planned maintenance rerouting may occur if the Regional
Administrator disapproves of the request. If the Regional Administrator
does not provide notice preventing the temporary rerouting, then the
planned maintenance rerouting may begin and occur as requested.
However, once the planned maintenance rerouting begins, the Regional
Administrator may at any time order the railroad or railroads to cease
the rerouting in accordance with paragraph (k).
Requests for planned maintenance rerouting exceeding 30 days,
however, must be made to the Associate Administrator and are not self-
executing. No such rerouting may occur without Associate Administrator
approval, even if the date passes on which the planned maintenance was
scheduled to commence. Under paragraph (h), like the Regional
Administrator, the Associate Administrator may provide conditional
approval, request further information, or disapprove of the request to
reroute. Once approved rerouting commences, the Associate Administrator
may also order the rerouting to cease in accordance with paragraph (k).
Where a train rerouted onto a track equipped with a PTC system is,
for whatever reason, not compatible and functionally responsive to that
PTC system (e.g., an unequipped controlling locomotive, or one equipped
but not compatible with the associated wayside, office, or
communications system), such train must be operated in accordance with
Sec. 236.1029. Where any train is rerouted onto a track segment that
is not equipped with a PTC system, such train must be operated in
accordance with the operating rules applicable to the track segment on
which the train is being rerouted.
Moreover, as referenced in paragraph (g) as it applies to both
emergency and planned maintenance circumstances, the track upon which
FRA expects the rerouting to occur would require certain mitigating
protections listed under paragraph (j) in light of the mixed PTC and
non-PTC traffic. While FRA purposefully intends paragraph (j) to apply
similarly to Sec. 236.567, FRA recognizes that Sec. 236.567 does not
account for the statutory mandates of interoperability and the core PTC
safety functions. Accordingly, paragraph (j) must be more restrictive.
Section 236.567, which applies to territories where ``an automatic
train stop, train control, or cab signal device fails and/or is cut out
en route,'' requires trains to proceed at either restricted speed or,
if an automatic block signal system is in operation according to signal
indication, at no more than 40 miles per hour to the next available
point of communication where report must be made to a designated
officer. Where no automatic block signal system is in use, the train
shall be permitted to proceed at restricted speed or where an automatic
block signal system is in operation according to signal indication but
not to exceed medium speed to a point where absolute block can be
established. Where an absolute block is established in advance of the
train on which the device is inoperative, the train may proceed at not
to exceed 79 miles per hour. Paragraph (j) utilizes that absolute block
condition, which more actively engages the train dispatcher in managing
movement of the train over the territory (in both signaled and non-
signaled territory). Recognizing that re-routes under this section will
occur in non-signaled territory, the maximum authorized speeds
associated with such territory are used as limitations on the speed of
re-routed trains. FRA agrees with the comments of labor representatives
in the PTC Working Group who contend that the statutory mandate alters
to some extent what would otherwise be considered reasonable for these
circumstances.
It should be noted that this paragraph (j) was added by FRA after
further consideration of this issue and was not part of the PTC Working
Group consensus. FRA received several comments associated with the
temporary rerouting requirements and the restrictive operational
conditions imposed by paragraphs (j)(1) and (j)(2) as being overly
burdensome, unsupported and inappropriate. Specifically, the idea that
a train rerouted from a PTC line to a non-PTC line should be treated
differently than the existing traffic on the non-PTC line is
unjustified. The commenters suggest current FRA operational
requirements contained in Sec. Sec. 236.0(c) and (d) providing for
speeds greater than 49 miles per hour for freight and 59 miles per hour
for passenger trains where a block signal system and/or an automatic
cab signal, automatic train stop, or automatic train control system is
in place, is applied safely today and should continue as the applicable
regulation for this reroute scenario. Thus, the commenters suggest
rewording paragraph (j)(2) to read as follows: ``Each rerouted train
movement shall operate in accordance with Sec. 236.0.''
When the PTC Working Group was reconvened following the public
hearing and the NPRM comment period, the PTC Working Group formed three
[[Page 2631]]
separate task forces for the purpose of discussing and resolving
several specific issues. One such task force, deemed the Operational
Conditions Task Force, was assigned the task of resolving the issues
associated with operational limitations presented in the proposed rule
associated with temporary rerouting within Sec. 236.1005, unequipped
trains operating within a PTC system within Sec. 236.1006, and en
route failures within Sec. 236.1029.
Following significant discussion of these issues, a PTC Working
Group task force recommended rule text changes that would maintain the
intended level of safety in an acceptable manner while recognizing the
impractical nature and perhaps even resultant increase in risk
associated with restricting the operation of a rerouted train from a
PTC-equipped line onto a non-PTC equipped line more than other
similarly equipped trains that normally operated on the non-PTC
equipped line. Therefore, the task force recommended that paragraph (j)
be revised to read as follows: ``(j) Rerouting conditions. Rerouting of
operations under paragraph (g) of this section may occur according to
the following: (1) Where a train not equipped with a PTC system is
rerouted onto a track equipped with a PTC system, it shall be operated
in accordance with Sec. 236.1029; (2) Where any train is rerouted onto
a track not equipped with a PTC system, it shall be operated in
accordance with the operating rules applicable to the line on which it
is routed.''
This recommended revision to paragraph (j) was presented to the PTC
Working Group and gained consensus from the group. However, upon
further consideration, FRA has decided to adopt a slight variation of
the recommended revised rule text in order to provide additional
clarification regarding the applicability of paragraph (j)(1) to either
a train not equipped with a PTC system, or one not equipped with a PTC
system that is compatible and functionally responsive to the PTC system
utilized on the line on which the train is rerouted. Therefore,
paragraph (j) has been revised in the final rule to read as follows:
``(j) Rerouting conditions. Rerouting of operations under paragraph (g)
of this section may occur under the following conditions: (1) Where a
train not equipped with a PTC system is rerouted onto a track equipped
with a PTC system, or a train not equipped with a PTC system that is
compatible and functionally responsive to the PTC system utilized on
the line to which the train is being rerouted, the train shall be
operated in accordance with Sec. 236.1029; or (2) Where any train is
rerouted onto a track not equipped with a PTC system, the train shall
be operated in accordance with the operating rules applicable to the
line on which the train is rerouted.''
Paragraph (k), as previously noted, provides the Regional
Administrator with the ability to order the railroad or railroads to
cease rerouting operations that were requested for up to 30 days. The
Associate Administrator may order a railroad or railroads to cease
rerouting operations regardless of the length of planned maintenance
rerouting requested. FRA believes this is an important measure
necessary to prevent rerouting performed not in accordance with the
rules and FRA's expectations based on the railroad's communications and
to ensure the protection of train crews and the public. However, FRA is
confident that in the vast majority of cases railroads will utilize the
afforded latitude reasonably and only under necessary circumstances.
FRA expects each host railroad to develop a plan to govern
operations in the event temporary rerouting is performed in accordance
with this section. Thus, as noted further below in Sec. 236.1015, this
final rule requires that each PTCSP include a plan accounting for such
rerouted operations.
Section 236.1006 Equipping Locomotives Operating in PTC Territory
As reflected by Sec. 236.566, the basic rule for train control
operations is that all trains will be equipped with responsive onboard
apparatus. Paragraph (a) so provided in the NPRM, and the language is
continued in the final rule. Paragraph (a) requires that, as a general
rule, all trains operating over PTC territory must be PTC-equipped. In
other words, paragraph (a) requires that each controlling locomotive be
operated with a PTC onboard apparatus if it is controlling a train
operating on a track equipped with a PTC system in accordance with
subpart I. The PTC onboard apparatus should operate and function in
accordance with the PTCSP governing the particular territory.
Accordingly, it must successfully and sufficiently interoperate with
the host railroad's PTC system.
In the NPRM, FRA recognized the possibility of controlling
locomotives not necessarily being placed in a train's lead position and
sought comments on this issue. Comments were filed indicating that the
lead locomotive is not always necessarily the controlling locomotive.
In light of this information, the final rule reflects a change from
``lead locomotive'' to ``controlling locomotive'' as necessary. FRA's
understanding of a ``controlling locomotive'' is the same understanding
as it is used in part 232 and as defined in Sec. 232.5. Hence, a
definition has been added to Sec. 236.1003 merely cross-referencing to
Sec. 232.5.
First, it is understood that during the time PTC technology is
being deployed to meet the statutory deadline of December 31, 2015,
there will be movements over PTC lines by trains with controlling
locomotives not equipped with a PTC onboard apparatus. In general,
Class I railroad locomotives are used throughout the owning railroad's
system and, under shared power agreements, on other railroads
nationally. FRA anticipates that the gradual equipping of locomotives--
which will occur at a relatively small number of specialized facilities
and which will require a day or two of out of service time as well as
time in transit--will extend well into the implementation period that
ends on December 31, 2015. It will not be feasible to tie locomotives
down to PTC lines, and the RSAC stakeholders fully understood that
point. The RLO did urge that railroads make every effort to use
equipped locomotives as controlling units, and FRA believes that, in
general, railroads will do so in order to obtain the benefits of their
investment.
The debate on this point has dealt with the possibility of
exceptions, which was addressed in paragraph (b) in the NPRM. The
discussion below pertains to the issue of temporary and permanent
exceptions to the rule.
The first issue arose under proposed paragraphs (b)(1) and (b)(2),
which endeavored to set out the rules for the transitional period
during which PTC will be deployed. It is well understood and accepted
that it is not feasible to require all trains operating on a PTC line
to be PTC-equipped and operative from the first day the system is
turned on. Locomotive fleets will be equipped over a multi-year period,
and deployment of locomotives will be driven by many factors, of which
PTC status is only one. Efficient use of locomotives requires them to
be available for use on multiple routes and even under ``shared power''
agreements with other railroads. In some cases, even when a PTC-
equipped locomotive is placed in a consist destined for a PTC line
there may be legitimate reasons why it is not placed in the controlling
position.
Accordingly, the NPRM provided what FRA thought was a very modest
proposal that equipped locomotives placed in the lead on trains bound
for PTC territory have their PTC equipment turned on. FRA even made
allowance for a declining percentage of such locomotives being
dispatched into PTC
[[Page 2632]]
territory after having failed ``initialization.'' The reaction from
Class I railroad commenters was startling, to say the least.
The AAR stated that the proposal was beyond FRA's authority and
that FRA has no ability to require use of PTC before December 31, 2015.
According to AAR, railroads will be required to use PTC-equipped
locomotives on PTC routes come December 31, 2015, and AAR does not
understand how this obligation could be addressed in the implementation
plan other than to state PTC-equipped locomotives would be used on PTC
routes. In the AAR's view, requiring PTC-equipped locomotives to be
turned on would create a disincentive to equip locomotives early.
Limiting the ability of railroads to operate trains with locomotives
that fail initialization could result in railroads attempting to avoid
rail system congestion by delaying the equipping of locomotives. To
avoid such a disincentive for equipping locomotives, AAR believes that
FRA should permit, without limitation, the operation of locomotives
that fail initialization before December 31, 2015.
CSXT asserted that the requirements contained in paragraph
(b)(2)(iii) with respect to the allowable percentage of controlling
locomotives operating out of each railroad's initial terminals with
failed systems over track segments equipped with PTC will deter early
implementation efforts and unfairly punish railroads that are
diligently working to implement PTC on designated tracks. In addition,
CSXT questioned the usefulness of such a provision, as CSXT argued that
there is no meaningful difference between a locomotive that is not
equipped with PTC and a locomotive that is equipped with a PTC system
that is not fully functioning.
Recognizing that matching PTC lines with PTC-equipped controlling
locomotives will be a key factor in obtaining the benefits of this
technology in the period up to December 31, 2015, FRA requested
comments on whether PTCIPs should be required to include power
management elements describing how this will be accomplished to the
degree feasible. In response, NJ Transit asserted that the PTCIP does
require both the lines risk assessment (to establish the track segment
order of PTC commissioning) and the schedule to equip rolling stock and
suggests that these schedules can and should indicate the effort of a
railroad to assure that vehicles are equipped and available for the PTC
equipped lines. According to NJ Transit, inclusion of a power
management plan as well within the PTCIP provides an additional effort
that has a high probability of requiring updates during the PTC
implementation period, while the schedules and a good faith effort
alone may serve the purpose most efficiently, especially for the short
time period anticipated (this should be recognized as 2012 through 2015
at worst). NJ Transit suggests that FRA should not include this plan as
a PTCIP requirement, but require the best good faith effort by each
railroad for providing equipped vehicles during the short interim
period subject to this concern.
The AAR also stated that, for trains in long-haul service, the
train's point of origin or location where the locomotive was added to
the train may be many crew districts or hundreds or thousands of miles
prior to the location where the locomotive's onboard PTC apparatus is
initialized for operation in PTC-equipped territory. In this case, the
paragraph is overly restrictive and should be modified to be predicated
on the location prior to entering PTC-equipped territory where
initialization failed. Accordingly, AAR suggests that paragraph
(b)(2)(i) be revised to read: ``The subject locomotive failed
initialization at the point of crew origin for the train or at the
location where the locomotive was added to the PTC initialized train.''
The RLO also urges FRA to adopt a requirement that railroads place
equipped engines in the lead or controlling position whenever such
equipped engines are in the engine consist during the implementation
period. The RLO states that implementing such consist management
initiatives will help identify any problems in the interface of the
onboard and wayside systems. In the future, states the RLO, railroad
operations will come to rely heavily upon the proper function of these
PTC systems. According to the RLO, requiring railroads to adopt this
approach would require the minor operational maneuver of switching a
trailing unit to the train's lead position. Since technical anomalies
that go undetected can be catastrophic, the RLO asserts that FRA should
not squander the opportunity for discovering them during the
implementation period.
During the public hearing conducted on August 13, 2009, FRA
specifically asked how the RLO expected a railroad to handle the
situation where an engine that is PTC-equipped may be positioned with
long hood forward or may have a broken air conditioning system. In its
comments dated August 20, 2009, the RLO responded by stating that it is
broadly accepted industry practice to operate trains with the short
hood in the direction of movement. Operating trains with the long hood
forward presents safety concerns because the engineer has a limited
view of the track with that configuration. However, if any safety
feature or safe practice is impaired, altered, or compromised in any
locomotive, it should not be in the lead or operating position of the
train. Therefore, if the engine is not equipped with air conditioning
or if the long hood is facing forward, the railroad would have three
choices: grant the crew the right to switch a fully-compliant
locomotive to the lead at the first location where this can be
accomplished, do not operate at all, or remove the engine from the
engine consist entirely. The RLO asserts that this approach would
create the safest possible working environment, as the safest
locomotive is the one with PTC, AC, and the short hood forward.
GE asserts that, by using emerging technology, it is possible to
operate a PTC system from the lead controlling locomotive using at
least some parts of a PTC system on trailing locomotives in the consist
if the onboard network is extended through the locomotive consist.
According to GE, this can provide a useful contingent operation if some
component fails in the locomotive and a backup component on a trailing
unit is linked over the network, providing higher overall PTC
availability. For example, should the data radio fail on the lead
locomotive, PTC could continue to operate through a working radio on
the second or third locomotive unit.
FRA agrees that PTC-equipped locomotives should be utilized when
available on PTC territory during the implementation period, and it is
recognized that it is possible for a unit to serve as the controlling
locomotive when not positioned first in the consist. FRA believes that
railroads have strong incentives to take advantage of their investments
in PTC, but also includes in the final rule a requirement that the
PTCIP include goals for PTC-equipped locomotives in PTC territory.
This issue was discussed further in the PTC Working Group during
the review of the comments, but no formal resolution was achieved. FRA
is not obligated to provide any exception here whatsoever, and the
contention that FRA may not require use of PTC prior to December 31,
2015, is utterly without merit. Nevertheless, FRA does not wish to
proceed in such a manner as to create even a temporary disincentive to
deploy PTC locomotives on PTC-equipped lines. However, clearly leaving
the carriers to their own devices without
[[Page 2633]]
accountability or oversight appears unwarranted given the tenor of
their comments and the known conflicts among departments of the
railroad that can arise during any implementation of new technology.
Leaving the use of available PTC technology wholly unregulated until
December 31, 2015, would not only open the possibility that safety
gains would not be made during the period, it would also increase the
possibility that PTC systems would not be sufficiently stable and
reliable as of the statutory completion date.
Accordingly, FRA has included in the final rule, in lieu of the
language initially proposed, a requirement that each railroad include
in its PTCIP specific goals for progressively effective use of its
equipped locomotives on PTC lines that have been made operational. FRA
would review the goals and stated justification as part of its review
of the PTCIP. The railroad would then be required to report annually
its progress toward achieving its goals, including any adjustments
required to remedy shortfalls. Although FRA does not intend to second
guess details of power management, FRA does believe it is reasonable to
expect results in the form of steadily declining PTC-preventable
accidents during the implementation period. The only way to accomplish
that is to ensure that PTC onboard apparatus is deployed on PTC lines
in reasonable proportion to its deployment elsewhere and that, when so
deployed, it is utilized as intended.
The second major issue arose under paragraph (b)(4), which proposed
limited exceptions for movements of Class II and III trains over PTC
lines of the Class I railroads. The disagreements attendant to that
proposal warrant more detailed treatment.
New PTC systems will be like existing train control systems in the
sense that they are comprised of onboard and wayside components. They
will also involve a more substantial centralized ``office'' function.
The railroad that has the right to control movements over a line of
railroad (generally the entity providing or contracting for the
dispatching function) will provide for equipping of the wayside and
appropriate links to and interface with the office. In preparing the
recommendations that led to the NPRM, the PTC Working Group discussed
at great length the issues related to operation of PTC-equipped
locomotives, and locomotives not equipped with PTC onboard apparatus,
over lines equipped with PTC. As explained above, the PTC Working Group
recognized that the typical rule with respect to train control
territory is that all controlling locomotives must be equipped and
operative (see Sec. 236.566). It was also noted in the discussion that
the Interstate Commerce Commission (FRA's predecessor agency in the
regulation of this subject matter) and FRA have provided some relief
from this requirement in discrete circumstances where safety exposure
was considered relatively low and the hardship associated with
equipping additional locomotives was considered substantial. (For
instance, in the case of intermittent automatic train stop installed
many years ago on the former Atchison, Topeka and Santa Fe Railroad
(now BNSF Railway), only passenger trains were subject to the
requirement for onboard apparatus. That arrangement continues to the
present day, and it is particularly unusual since none of the host
railroad's locomotives are equipped, while all Amtrak locomotives
operating over the territory must be equipped.)
The ASLRRA noted that its member railroads conduct limited
operations over Class I railroad lines that will be required to be
equipped with PTC systems in a substantial number of locations. These
operations are principally related to the receipt and delivery of
carload traffic in interchange. The small railroad service extends onto
the Class I railroad track in order to hold down costs and permit both
the small railroad and the Class I railroad to retain traffic that
might be priced off the railroad if the Class I had to dispatch a crew
to pick up or place the cars. This, in turn, supports competitive
transportation options for small businesses, including marginal small
businesses in rural areas.
The ASLRRA advocated an exception that would permit the trains of
its members and other small railroads to continue use of existing
trackage rights and agreements without the necessity for equipping
their locomotives with PTC technology. They suggested that any
incremental risk be mitigated by requiring that such trains proceed
subject to the requirement for an absolute block in advance (similar to
operating rules consistent with Sec. 236.567 applicable to trains with
failed onboard train control systems). This position was consistently
opposed both by the rail labor organizations and the Class I railroads.
These organizations took the position that all trains should be
equipped with PTC in order to gain the benefits sought by the
congressional mandate and to provide the host railroad the full benefit
of its investment in safety. Informal discussions suggested that Class
I railroads might offer technical or financial assistance to certain
small railroads in equipping their locomotives, but that this would, of
course, be done based on the corporate interest of the Class I
railroad. Although, in general, market forces and the public interest
can be expected to correspond over time, this is not always the case.
So, for instance, there is a risk that requiring all Class II and Class
III railroads operating on Class I PTC lines to be equipped with PTC
could be financially unsustainable absent a more generous division of
the rate or other assistance (technical or otherwise) from the Class I
interchange partner. A Class I railroad might respond to such
situations based exclusively on the value of the traffic interchanged
with respect to the transportation charge recovered for the long haul
less costs. Although that might be a good market decision for the Class
I railroad, the result could be loss of rail service for a rural
community and diversion of the traffic to the highway--a result that
might not be in the public interest. Over the past several decades the
federal government and many of the states have made investments in
light density rail service (through grants, loans, or tax concessions)
that could be undermined should this occur.
In the PTC Working Group and in informal discussions around its
activities, Class I railroads indicated that they intended to take a
strong position against non-equipped trains operating on their PTC
lines, and that in order to enforce this restriction fairly, they
understood that they would need to equip their own locomotives,
including older road switchers that might venture onto PTC-equipped
lines only occasionally. However, during these discussions, FRA was not
able to develop a clear understanding regarding the extent to which the
Class I railroads, under previously executed private agreements or
because of a senior position derived from a prior transaction, enjoy
the effective ability to enforce a requirement that all trains be
equipped.
Proposed rule. On this question of non-equipped trains on PTC
lines, the proposed rule represented a compromise position between the
requests of the Class II and III railroads and the Class I railroads
and labor organizations. It proposed to permit the practice only on
territory where there was no scheduled intercity or commuter passenger
service. On any given subject track segment, a particular Class II or
III railroad could operate up to 4 trains per day (2 round trips) for
up to 20 miles in perpetuity. For hauls in excess of 20
[[Page 2634]]
miles, the practice could continue until the end of 2020.
FRA offered this proposal in order to limit the burden on small
entities and to avoid costs that were both avoidable and more greatly
disproportionate to anticipated benefits than the basic requirements of
the congressional mandate. FRA noted that the exceptions would
constitute a small portion of the movements over the PTC-equipped line.
FRA asserted that the accident/incident data show that the risk
attendant upon these movements is small. As reflected in the NPRM, a
review of the last seven years of accident data covering 3,312
accidents that were potentially preventable by PTC showed that there
were only two of those accidents that involved a Class I railroad's
train and a Class II or III railroad's train. (Left unstated in the
NPRM was the fact that the presence of PTC would have prevented one of
the accidents even absent equipping of the tenant train, while the
other would not be prevented due to limitations of PTC architectures
with respect to low-speed rear-end collisions.) FRA believed that the
low level of risk revealed by these statistics justified an exception
for Class II and III railroad trains traversing a PTC-equipped line for
a relatively short distance. FRA noted that the cost of equipping those
trains would be high when viewed in the context of the financial
strength of the Class II or III railroad and the marginal safety
benefits would be relatively low in those cases where a small volume of
traffic is moved over the PTC-equipped line.
Comments on the NPRM exceptions; FRA response. None of the
commenters responded directly to FRA's safety analysis, but they did
take strong and disparate stands. The RLO filed joint comments that
protested allowing an unequipped train owned by a Class II or III
railroad to move on PTC-required track with only minor restrictions.
The RLO believed that there are alternatives that are consistent with
safety and the intent of RSIA08, including temporal separation or using
the host railroad's equipped locomotives. According to the RLO, simply
limiting the number of moves and miles of unequipped locomotives on
PTC-required track would not eliminate the risk associated with the
hazard or provide compliance with the intent of RSIA08.
The AAR has also expressed concerns with the proposal, stating that
``[s]urely Congress did not enact a requirement for the Class I
railroads to spend billions of dollars on PTC systems only to permit
Class II and III railroads to operate trains unequipped with PTC
technology on the PTC routes. AAR asserts that FRA has not shown that
there would actually be a financial strain on Class II and III
railroads. According to AAR, a Class II or III railroad would not have
to equip a locomotive with PTC technology until December 31, 2015. In
any event, states AAR, the statute makes no distinction among Class I,
II, or III operations on a PTC route.
CSXT disagreed with FRA's interpretation of RSIA08, stating that
the statute, on its face, does not exempt Class II and III railroads
from the PTC requirements. To the contrary, asserted CSXT, the statute
appears to contemplate that Class II and III railroads traveling on PTC
lines would be subject to the PTC requirements since each PTCIP for
those lines ``must provide for interoperability of the system with
movements of trains of other railroad carriers,'' (emphasis original)
which presumably includes Class II and III railroads. CSXT also
questioned whether entities that carry a wide variety of commodities,
including PIH traffic, but without the financial wherewithal to adopt
PTC technologies, should be permitted to impose an arguably increased
safety risk on the public and other railroads. In any event, stated
CSXT, the Class II and III railroads would only be responsible for
outfitting their locomotives, and not wayside units, with PTC
technologies.
Moreover, according to CSXT, the exemption under proposed paragraph
(b)(4)(B)(ii) was unclear as to its application This section allowed
Class II and III railroads to operate on PTC operated track segments to
the extent that any single railroad is allowed ``less than four such
unequipped trains'' over any given track segment. CSXT questions
whether the number of trains is limited per a common holding company or
each railroad subsidiary. (The intent is that the limit will be applied
to each separate railroad company, regardless of common ownership.)
Recognizing FRA's concerns with imposing the costs of PTC
implementation on Class II and III railroads, AAR believes FRA is
mixing up Congress' concern about the ability of Class II and III
railroads to finance installation of PTC on their own routes with the
ability of Class II and III railroads to operate locomotives equipped
with PTC technology over Class I track. The AAR notes that FRA's own
analysis shows that the cost of equipping locomotives with PTC
technology amounts to less than a third of total PTC development and
installation costs. According to AAR, a Class II or III railroad
qualifying for the proposed exception likely would only need to equip
only one or two locomotives with PTC technology by sometime after 2015.
In any event, AAR asserts that this proposed exemption for Class II
and III railroads is inconsistent with the plain language of the
statute, which does not distinguish between Class I, II, or III
operations on a main line with PIH materials. Congress determined that
PTC should be required on Class I routes meeting the statutory criteria
regardless of any cost-benefit analysis. The AAR believes that it is
inconceivable that Congress intended unequipped locomotives be
permitted to operate routinely where PTC is required, thus undercutting
the benefit of equipping a PTC route with PTC technology.
The AAR also challenges FRA's conclusion about the ``marginal
safety benefit,'' which seems premised on its analysis of train-to-
train collisions, questioning whether FRA has concluded that a train
operated by a Class II or III railroad poses less of a risk with
respect to each of the core PTC functions than a train operated by a
Class I railroad. Leaving aside AAR's objection to any exception
permitting Class II and III railroads to conduct routine operations
over PTC routes with unequipped locomotives, AAR does not agree with
the proposal to wait until December 31, 2020, to impose the twenty-mile
limitation. According to AAR, FRA has no factual basis for its concern
that Class II and III railroads will be unable to obtain the technology
as suppliers seek to equip their bigger Class I customers first. In
fact, states AAR, it is more likely that Class I railroads will work
with their Class II and III partners to prepare for the 2015
implementation deadline.
The Canadian Pacific Railway does not support the operation of
unequipped locomotives on PTC equipped lines after December 31, 2015.
It is CP's position that all trains operating on PTC territory after
December 31, 2015, must be controlled by a locomotive equipped for PTC
operation, regardless of whether or not the locomotive in the
controlling position is considered ``historic.''
NYSMTA, the parent organization for the Long Island Rail Road and
Metro-North Railroad, asserted that subpart I of this part should
require all operators on the same trackage as commuter railroads to be
fully equipped, as is the case in the existing FRA regulation, and that
all trains (including those of all Class II and Class III tenant
railroads) operating in cab signal/train control territory must have
operative cab signal and ATC. Thus, NYSMTA suggested that subpart
[[Page 2635]]
I should not permit any trains to enter or operate in PTC territory
that are not equipped with operative PTC systems except where en route
failures occur within PTC territory. NYSMTA suggested that the
definition of ``equipped'' for paragraphs (a) through (b)(3) be
clarified to mean the onboard PTC system equipment has been fully
commissioned, has passed all acceptance tests and has met reliability
and availability demonstration tests. In the final rule, FRA continues
to make clear that all trains operating on intercity/commuter passenger
territory must be equipped.
FRA received a number of comments regarding the operation of
historic locomotives over rail lines that will need to be equipped with
a PTC system, from commenters such as the San Bernardino Railway
Historical Society, the Pacific Southwest Railway Museum, the Railroad
Passenger Car Alliance, and J.L. Patterson & Associates. These
commenters requested that FRA provide clarification that a historic
locomotive, as defined in 49 CFR 229.125(h), which is not equipped with
PTC may be operated over rail lines equipped with PTC systems in
limited excursion service, provided an excursion operating management
plan is included in the PTC railroad's PTCIP that is consistent with
the provisions of Sec. 236.1029(b) of this part.
These locomotives might include steam locomotives many decades old.
FRA notes that these operations are relatively infrequent, and they
normally receive additional oversight by host railroads as a matter of
course.
Final rule. The final rule provides exceptions for trains operated
by Class II and III railroads, including tourist or excursion
railroads. The exceptions are limited to lines not carrying intercity
or commuter passenger service, except where the host railroad and the
passenger railroad (if different entities) have requested an exception
in the PTC Implementation Plan, as further discussed below, and FRA has
approved that element of the plan. Examples of potentially acceptable
instances concerning non-equipped operations on an intercity/commuter
route might include a weekend excursion operation during periods
scheduled passenger service is very light or in terminal areas under
circumstances where all trains will be operated at reduced speed and
risk is otherwise very limited.
FRA presumes for purposes of this final rule that there will be
circumstances rooted in previously executed private agreements under
which the Class I railroad would be entitled to require the small
railroad to use a controlling locomotive equipped with PTC as a
condition of operating onto the property. FRA wishes to emphasize that,
in issuing this final rule, FRA does not intend to influence the
exercise of private rights or to suggest that public policy would
disfavor an otherwise legitimate restriction on the use of unequipped
locomotives on PTC lines. FRA also notes that, in the absence of clear
guidance on this issue, a substantial number of waiver requests could
be expected that would have to be resolved without the benefit of
decisional criteria previously examined and refined through the
rulemaking process.
With respect to limited operations of Class II or III railroads on
Class I PTC lines, FRA continues to believe that the risk in question
is very small in relation to the direct and indirect costs of equipping
locomotives with PTC and maintaining those locomotives over time
(including configuration management). FRA has also considered the
issues required applicable statutes concerning the affect of
regulations on small entities. (See also discussion of de minimis
exceptions in the preamble to Sec. 236.1005.) Although FRA does expect
that over time Class II and III railroads will participate more fully
in the use of PTC technologies, both as tenants and hosts, the initial
costs and logistical challenges of PTC system operation will be
significantly greater than the costs and challenges after interoperable
PTC systems have been demonstrated to be reliable and after the market
for PTC equipment and services settles. Mandating that every locomotive
leading a Class II or III train be PTC equipped during the initial roll
out would create significant incentives to shed marginally profitable
traffic with unpredictable societal effects. FRA does believe that, as
the end of the initial implementation approaches, smaller railroads can
begin the process of joining the PTC community by equipping locomotives
used for longer hauls on PTC lines. FRA will also review the experience
of Class I railroads as of that general time period (end of 2015,
beginning of 2016) to evaluate what additional requirements might be
appropriate and sustainable.
FRA has adopted final language sufficiently flexible to permit
occasional tourist, historic and excursion service on PTC lines. Much
of the subject equipment is used very lightly and in fact may spend the
great majority of its time on static display. Ending the educational
and recreational role of occasional excursion service is no part of
what the Congress was addressing through the mandate underlying this
rule.
Paragraph (b)(3) references the fact that operation of trains with
failed onboard PTC apparatus is governed by the safeguards of Sec.
236.1029, where applicable; and paragraph (c) applies the same
principle to non-equipped trains operating on PTC territory.
Section 236.1007 Additional Requirements for High-Speed Service
Since the early 1990's, there has been an interest centered around
designated high-speed corridors for the introduction of high-speed
rail, and a number of states have made progress in preparing rail
corridors through safety improvements at highway-rail grade crossings,
investments in track structure, and other areas. FRA has administered
limited programs of assistance using appropriated funds. With the
passage of ARRA, which provides $8 billion in capital assistance for
high-speed rail corridors and intercity passenger rail service, and the
President's announcement in April 2009 of a Vision for High-Speed Rail
in America, FRA expects those efforts to increase considerably. FRA
believes that railroads conducting high-speed operations in the United
States can provide a world class service as safe as, or better than,
any high-speed operations conducted elsewhere. In anticipation of such
service, and to ensure public safety, FRA proposed three tiers of
requirements for PTC systems operating in high-speed service. The
proposed performance thresholds were intended to increase safety
performance targets as the maximum speed limits increase to compensate
for increased risks, including the potential frequency and adverse
consequences of a collision or derailment. These thresholds were
supported by AASHTO and are adopted as proposed.
Section 236.1007 sets the intervals for the high-speed safety
performance targets for operations with: maximum speeds at or greater
than 60 and 50 miles per hour for passenger service and freight
operations, respectively, under paragraph (a); maximum speeds greater
than 90 miles per hour under paragraph (b); maximum speeds greater than
125 miles per hour under paragraph (c); and maximum speeds greater than
150 mph under paragraph (d). The reader should note that the
requirements increase as speed rises. Thus, for instance, operations
with trains moving above 125 miles per hour must, in addition to the
requirements under paragraph (c), adhere to the requirements under
paragraphs (a) and (b).
[[Page 2636]]
Paragraph (a) addresses the PTC system requirements for territories
where speeds are greater than 59 miles per hour for passenger service
and 49 miles per hour for freight service. Under 49 CFR 236.0 as it
existed directly previous to the issuance of this final rule, block
signal systems were required at these speeds (unless a manual block
system was in place, an option that this final rule phases out). The
final rule expects covered operations moving at these speeds to have
implemented a PTC system that provides, either directly or with another
technology, all of the statutory PTC system functions along with the
safety-critical functions of a block signal system as defined in the
existing standards of subparts A through F of part 236. The safety-
critical functions of a block signal system include track circuits,
which assist in broken rail detection and unintended track occupancies
(equipment rolling out), and fouling circuits, which can identify
equipment that is intruding on the clearance envelope and may prevent
raking collisions. FRA recognizes that advances in technology may
render current block signal, fouling, and broken rail detection systems
obsolete and FRA does not want to preclude the introduction of suitable
and appropriate advanced technologies. Accordingly, FRA believes that
alternative mechanisms providing the same functionality are entirely
acceptable and FRA encourages their development and use to the extent
they do not have an adverse impact on the level of safety.
Paragraph (b) addresses system requirements for territories where
operating speeds are greater than 90 miles per hour, which is currently
the maximum allowable operating speed for passenger trains on Class 5
track. At these higher speeds, the implemented PTC system must not only
comply with paragraph (a), but also be shown to be fail-safe (as
defined in Appendix C) and at all times prevent unauthorized intrusion
of rail traffic onto the higher speed line operating with a PTC system.
FRA intends this concept of fail-safe application to be understood in
its commonplace meaning; i.e., that insofar as feasible the system is
designed to fail to a safe state, which normally means that each
subject train will be brought to a stop. Further, FRA understands that
there are aspects of current system design and operation that may
create a remote opportunity for a ``wrong-side'' or unsafe failure and
that these issues would be described in the PTCSP and mitigations would
be provided. FRA recognizes that, as applied in the general freight
system, this final rule could create a significant challenge related to
interoperability of freight equipment operating over the same
territory. Accordingly, FRA requested comment on whether, where
operations do not exceed 125 miles per hour or some other value, the
requirement for compliance with Appendix C safety assurance principles
might be limited to the passenger trains involved, with ``non-vital''
onboard processing permitted for the intermingled freight trains. No
comments were received on this issue, apart from the general concern of
the RLO that very safe technology be employed in all PTC systems, and
the restriction is adopted as proposed.
As speed increases, it also becomes more important that inadvertent
incursions on the PTC-equipped track be prevented at switch locations.
In this final rule, FRA expects that this be done by effective means
that might include use of split-point derails properly placed,
equipping of tracks providing entry with PTC, or arrangement of tracks
and switches in such a way as to divert an approaching movement which
is not authorized to enter onto the PTC line. The protection mechanism
on the slower speed line must be integrated with the PTC system on the
higher speed line in a manner to provide appropriate control of trains
operating on the higher speed line if a violation is not prevented for
whatever reason.
Paragraph (c) addresses high-speed rail operations exceeding 125
miles per hour, which is the maximum speed for Class 7 track under
Sec. 213.307. At these higher speeds, the consequences of a derailment
or collision are significantly greater than at lower speeds due to the
involved vehicle's increased kinetic energy. In such circumstances, in
addition to meeting the requirements under paragraphs (a) and (b),
including having a fail-safe PTC system, the entity operating above 125
miles per hour must provide an additional safety analysis (the HSR-125)
providing suitable evidence to the Associate Administrator that the PTC
system can support a level of safety equivalent to, or better than, the
best level of safety of comparable rail service in either the United
States or a foreign country over the 5 year period preceding the
submission of the PTCSP. Additionally, PTC systems on these high-speed
lines must provide the capability, as appropriate, to detect incursion
from outside the right of way and provide warnings to trains. Each
subject railroad is free to suggest in its HSR-125 any method to the
Associate Administrator that ensures that the subject high-speed lines
are corridors effectively sealed and protected from such incursions
(see Sec. 213.347 of this title), including such hazards as motor
vehicles falling on the track structure from highway bridges.
Paragraph (d) addresses the highest speeds existing or currently
contemplated for rail operations exceeding 150 miles per hour. FRA
expects these operations to be governed by a Rule of Particular
Applicability and the HSR-125 required by paragraph (c) shall be
developed as part of an overall system safety plan approved by the
Associate Administrator. The quantitative risk showing required for
operations above 125 miles per hour is not required to include
consideration of acts of deliberate violence. The reason for this
exclusion is simply to remove speculative or extraordinary
considerations from the analysis. However, FRA and the Department of
Homeland Security will certainly expect that security considerations
are taken into account in system planning.
AASHTO believed that the proposed rule appropriately addressed the
PTC related safety levels for high-speed rail. According to AASHTO, the
proposed rule text provided a clear position for the levels of safety
required for high-speed rail at speeds that are achieved today, and for
speeds that may be achieved in the future, allowing for benchmarking
against precedent levels achieved in the U.S. and internationally.
AASHTO also commented that, in PTC systems running over federally
designated high-speed rail corridors, highway-rail grade crossings
should either be eliminated or protected by hazard warning detection
systems.
Amtrak notes that it currently operates safely above 90 miles per
hour on the Northeast Corridor and on its Michigan line, with the full
knowledge, approval, and authorization of the FRA, based on past and
remaining safety procedures and equipment. Amtrak also states that it
currently operates above 125 mph on portions of the Northeast Corridor.
Accordingly, Amtrak asserts that services above 90 and 125 miles per
hour that existed as of October 16, 2008, the date of RSIA08, should be
exempted or ``grandfathered'' from the requirements of this section.
FRA agrees that Amtrak has been providing safe passenger service at
speeds between 90 and 150 miles per hour on the Northeast Corridor as
well as its Michigan line, and that the train control systems in use
(ACSES with Cab Signals, and ITCS) have records of safe operations.
Given the value of service experience and the extraordinary burden of
review and decision making associated with this rule, FRA intends to
give full credit to established safety
[[Page 2637]]
records in conducting these reviews, simplifying the task for all
concerned.
Section 236.1009 Procedural Requirements
Section 236.1009 establishes the regulatory procedures that must be
followed by each Class I railroad carrier and each entity providing
regularly scheduled intercity or commuter rail passenger transportation
to obtain the required FRA certification of PTC systems prior to
operating the system or component in revenue service. FRA is
implementing these requirements to support more rapid FRA review and
decision making, while reducing the administrative burden on the
railroads.
While the current subpart H of this part provides a technically
sound procedure for obtaining FRA approval of various processor-based
signal and train control systems, it was crafted with the presumption
that PTC implementation was a strictly voluntary action on the part of
railroads. Arguably FRA could have simply amended subpart H to include
requirements relating to implementation plans and to modify the
language to equate ``approval'' under subpart H with ``certification''
under the statute. However, FRA believes that such a resultant amended
subpart H would still remain unsuitable to support the RSIA08
implementation schedule. Accordingly FRA has developed the new
procedures of this section to avoid redundancy, provide sufficient
flexibility to accompany the varying needs of those seeking
certification, and to mitigate the financial risk associated with
technological investment necessary to comply with the regulatory
requirements.
Generally speaking, there are three documents associated with the
new procedures of this section: the PTCIP, PTCDP, and PTCSP. The
details of each document are set forth in Sec. Sec. 236.1011,
236.1013, and 236.1015, respectively. To summarize these sections, the
PTCIP is the written plan that defines the specific details of how and
when the railroad will implement the PTC system. The PTCDP provides a
detailed discussion of the proposed technology and product that will be
implemented according to the PTCIP. The PTCSP provides the railroad-
specific information demonstrating that the PTC system, as implemented
by the railroad, meets the required safety performance objectives.
Certification of a PTC system by FRA for revenue operations is based on
the review and approval of the information provided in these documents.
Paragraph (a) requires that a PTCIP be filed by ``host'' railroads
as defined in Sec. 236.1003 that are required to install a PTC system
on one or more main lines in accordance with Sec. 236.1005(b). This
generally is each Class I railroad and each entity providing regularly
scheduled intercity or commuter rail passenger transportation as
defined by statute. However, Class II and III railroads that host
intercity or commuter rail service will also need to file
implementation plans, whether or not they directly procure or manage
installation of the PTC system.
Intercity and commuter railroads that are tenants on Class I, II,
or III freight lines must also join with their host railroad in filing
these plans. FRA believes that the railroad that maintains operational
control over a particular track segment is generally in the best
position to develop and submit the PTCIP, since that railroad is more
knowledgeable of the conditions of, and operations over, its track. FRA
recognizes that, in cases where a tenant passenger railroad operates
over a Class II or III railroad, the passenger railroad may be required
to take a more active role in planning the PTC system deployment by
working with the host railroad. In the case of an intercity or commuter
railroad providing service over a Class I railroad, it may be
sufficient for the passenger railroad to file a letter associating
itself with the Class I railroad's plan to the extent it impacts the
passenger service. AAR also expressed some confusion whether the
requirement to file joint plans was only required when freight and
passenger railroads conduct operations over the same route. The final
rule does not levy any requirement for joint filing in the case where
another railroad has freight trackage rights over a Class I railroad's
PTC line. FRA expects that the host Class I railroad will address these
types of operations and discuss the issue of interoperability in its
PTCIP as required by law.
The Class I railroads generally opposed the requirement for a host
railroad and tenant passenger railroad to file a joint PTCIP as being
excessively burdensome and unnecessary because it merely appears to be
intended to address interoperability issues. Beyond possibly addressing
the interoperability issue, the AAR maintained that nothing further
would be gained by requiring the joint filing of a PTCIP.
FRA has taken note of these objections. However, FRA believes that
the joint filing requirement provides motivation for the proactive
involvement by both parties in the decision-making process, especially
with regards to interoperable equipment requirements and operating
procedures. This joint filing requirement reflects FRA's position that
communication between all parties involved in establishing
interoperability is absolutely essential to ensure the implementation
of timely, cost effective solutions.
Some railroads have also expressed concern that they will be
required to support installation of PTC over Class II and III railroads
that would otherwise not be required to implement PTC, were it not for
the passenger/commuter railroad presence. Amtrak noted that the
requirement for joint filings would, as a practical manner, require
Amtrak to take a dominant role in the development and preparation of
the required documentation.
While FRA appreciates the difficulties that both the passenger/
commuter railroad, as well as the Class II or III railroad may
experience, FRA believes that this is essentially a commercial matter
between the parties involved, which would be best resolved with
government participation only as a last resort. This position is
consistent with the underlying philosophy of sections 151 through 188
of title 45 of the United States Code.
Although FRA believes that the resolution of differences between
host and tenant railroads is a commercial issue, provisions have been
made if a host freight railroad and tenant passenger railroad cannot
come to an agreement to jointly file a PTCIP by April 16, 2010. In this
situation, each railroad must file an individual PTCIP, together with a
notification to the Associate Administrator, indicating that a joint
filing was not possible and an explanation of why the subject railroads
could not agree upon a final PTCIP for joint filing.
Both the freight and passenger/commuter railroads have strenuously
objected to the assessment of civil penalties in the event that
agreement cannot be reached. Amtrak claimed that failure to come to
agreement did not rise to the level of an act that warranted penalty.
AAR asserted that imposition of penalties would not be an appropriate
way to resolve good faith disputes over the implementation of PTC.
Concern has also been raised that, in the event of a dispute, the
resolution process does not appear to have any established milestones.
NYSMTA expressed concern related to the ability of railroads to fairly
and quickly resolve disputes related to the development of host/tenant
interoperability agreements required by RSIA08. NYSMTA asserted that,
even though FRA provides for dispute resolution in Sec. 236.1009,
there are no time limits or standards to ensure
[[Page 2638]]
that disputes are resolved fairly and in a manner that does not affect
railroads' ability to comply with the statutory/mandatory
implementation of PTC by December 31, 2015.
FRA has taken note of these objections and concerns. FRA believes
that the milestones are self-evident. Railroads are required to file
implementation plans by April 16, 2010. Thus, failure to file an
implementation plan (either jointly or individually) by April 16, 2010,
constitutes a violation of the RSIA08. Railroads are also required to
complete implementation by December 31, 2015. FRA does not intend to
set any specific deadline for completion of mediation or arbitration
other than to state that the mediation or arbitration must be resolved
in time to allow both parties to complete the timely submission of
their PTCIP by April 16, 2010, and to complete PTC installation by
December 31, 2015.
FRA will exercise its prosecutorial discretion if railroads have
unresolved conflicts, but have filed individual implementation plans in
accordance with paragraph (a)(4) of this section and are engaged in
good faith mediation or arbitration.
Caltrain requested clarification of the meaning of the term
``confer,'' as used in paragraph (a)(4)(iv) of this section. During the
conference process, FRA will request that all parties to the dispute
advise FRA of where their differences arise, so that FRA can evaluate
the potential impact on completion of the statutorily-required build
out and understand the nature and extent of their disagreement. FRA may
propose alternative solutions for consideration by both parties in the
dispute. FRA is not, however, obligated to act as either a mediator or
arbitrator of essentially commercial disputes. FRA expects that the
disputing parties will submit such issues to a mutually acceptable
mediator or arbitrator. If the disputing parties are unable to find a
mutually agreeable private mediator or arbitrator, FRA may agree to
mediate the dispute as a last resort. Otherwise, the disputing parties
will need to seek judicial resolution of their issues.
It was also commented that if a PTCIP or request for amendment
(RFA), as provided in Sec. 236.1021, is submitted after April 16,
2010, in accordance with this rule, paragraph (a) does not provide the
subject railroads with an opportunity to file separately. FRA intends,
in such a situation, that if a railroad wishes to use track that would
require the installation of a PTC system, and the parties have
difficulty reaching agreement, then such usage would be delayed until
the parties jointly file a mutually acceptable PTCIP and the jointly-
filed PTCIP is approved by FRA.
FRA notes that new passenger railroads are likely to begin
operations during the period between issuance of this final rule and
the end of the implementation period for PTC (December 31, 2015).
Railroads that are required to install PTC, who intend to commence
operations after April 16, 2010, but before December 31, 2015, would be
expected to file a PTCIP that meets the requirements of paragraph (a)
as soon as possible after the decision is made to commence operations.
Any railroad commencing operations after December 31, 2015, that is
required to install PTC, will not be authorized to commence revenue
operations until the PTC installation is complete.
During review of the NPRM, AAR noted that paragraph (a)(2)(i) had
not been updated to reflect an RSAC agreement. FRA agrees and has
updated paragraph (a)(2)(i) to include the language, ``[a] PTCIP if it
becomes a host railroad of a main line track segment for which it is
required to implement and operate a PTC system in accordance with Sec.
236.1005(b).''
Paragraph (b) in the proposed rule required the submission of a
PTCDP when the PTCIP is submitted to FRA for approval. Some railroads,
primarily those owned or operated by government agencies, who submitted
comments on this issue indicated that, while they would be able to
identify the general functional requirements of the PTC system, they
expected public procurement regulations would preclude contract award
and identification of a particular vendor or supplier and the
associated product details in time to meet the statutory submission
deadline. They requested that FRA not require submission of the PTCDP
at the same time (or before) the PTCIP.
NYSMTA submitted comments asserting that simultaneous submissions
would be problematic for LIRR. In view of the complexities and unknown
factors associated with developing PTC solutions for LIRR's dark and
ABS territories, and in light of its unique signaling applications and
operating rules, LIRR was identified as being at high risk of non-
compliance with the April 16, 2010, PTCDP submission deadline, despite
its best efforts. Inasmuch as the RSIA08 does not explicitly stipulate
a timeframe for a PTCDP, NYSMTA requested that the regulation be
modified to allow for submission of a PTCDP after the April 16, 2010,
deadline, at least with regard to dark territory and ABS territories.
APTA submitted similar comments stating that the inclusion of the
PTCDP or PTCSP in the April 2010 submission is problematic. Noting that
submittal of these plans implies the selection of specific hardware and
systems, APTA asserted that such submission is not possible given the
current state of development of industry standards by the Railroad
Electronics Standards Committee (RESC). Without available industry
standards, APTA asserted that it would be impossible for the vast
majority of public agencies that operate passenger rail systems to
identify and contract with vendors or suppliers by the April 2010
deadline. Even though the freight railroads may have selected a
proprietary technology as a basis for their PTC implementation, the
competition standards for publicly funded contracts limit the ability
of public agencies to follow a similar procurement strategy.
Additionally, the lack of specific hardware and system standards to
support interoperability further limits the ability of public agencies
to enter into contracts by April 2010. Thus, if required to submit
PTCDP and PTCSP documents by April 16, 2010, the documents would, of
necessity, be incomplete and unacceptable.
APTA further claimed that the sole legislative requirement tied to
April 2010 is for submission of the PTCIP. Thus, APTA believes FRA
should allow submission of the PTCIP in a ``product neutral'' fashion
to meet the statutory deadline and should defer submission of the PTCDP
and PTCSP to allow flexibility and avoid incomplete submissions and the
compilation and review of documents that cannot be approved.
Amtrak similarly expressed concern with the inadequate amount of
time necessary to prepare the PTCIPs for its own NEC and Michigan Line
and for the Class II and III railroads over which Amtrak operates (to
the extent that those lines are not found to constitute other than
``main lines'') and to review those PTCIPs submitted by the Class I
railroads and develop full PTCDPs. Because of the severe burden on
Amtrak's resources, Amtrak recommended that the filing deadline for
PTCDPs be extended at least 9 months beyond April 16, 2010.
As a government agency, FRA clearly understands the position faced
by these railroads. However, FRA believes that a meaningful
implementation plan cannot be created if a railroad has not identified
and does not understand the technology it proposes to implement.
Without this knowledge, it is not possible to have any informed
discourse on system
[[Page 2639]]
interoperability and implementation scheduling between railroads,
vendors or suppliers, and FRA. Therefore, in this final rule, FRA has
provided several mechanisms that eliminate the need for each railroad
to submit a PTCDP for a proposed PTC system, while still providing FRA
sufficient information to carry out its regulatory responsibilities.
One such mechanism, as specified in paragraph (b) is through the
use of a Type Approval. The Type Approval is a number assigned to a
particular off-the-shelf or modified PTC system product--described in a
PTCDP in accordance with Sec. 236.1013--indicating FRA's belief that
the product could fulfill the requirements of subpart I. FRA's issuance
of a Type Approval does not mean that the product will meet the
requirements of subpart I. The Type Approval applies to the technology
designed and developed, but not yet implemented, and does not bestow
any ownership or other similar interests or rights to any railroad.
Each Type Approval number remains under the control of the FRA, and can
be issued or revoked in accordance with this subpart.
FRA expects the Type Approval process to provide a variety of
benefits to FRA and the industry. If a railroad submits a PTCDP
describing a PTC system, and the PTC system receives a Type Approval,
then other railroads intending to use the same PTC system without
variances may, in accordance with paragraph (b)(1), simply rely on the
Type Approval number without having to file a separate PTCDP. While the
railroad filing the PTCDP must expend resources to develop and submit
the PTCDP, all other railroads using the same PTC system would not.
This should not only provide significant cost and time savings for a
number of railroads, but should remove a significant level of
redundancy from the approval process that is currently inherent in
subpart H.
If, however, a railroad intends to use a modified version of a PTC
system that has already received a Type Approval number, and the
variances between the two systems are of a safety-critical nature, the
railroad must submit a new PTCDP. The railroad may submit a new PTCDP
that fully complies with the content requirements under Sec. 236.1013
or supply a Type Approval number for the other PTC system upon which
the modified PTC system will rely and a document that fulfills the
content requirements under Sec. 236.1013 with respect to the safety-
critical variances between the system described within the original
PTCDP and the system as modified.
This final rule does not preclude a railroad from submitting its
PTCDP before its PTCIP for FRA review and approval. FRA encourages an
earlier submission of the PTCDP to further reduce the required
regulatory effort necessary to review the PTCIP and PTCDP if submitted
together. More importantly, it would present an opportunity for FRA to
issue a Type Approval for the proposed PTC system before April 16,
2010, thus providing other railroads intending to use the same or
similar PTC system the opportunity to leverage off of the work already
performed by simply submitting the Type Approval and--in the event of
any variances--a much less burdensome PTCDP. FRA also believes this
regulatory procedure may incentivize railroads using the same or
similar PTC system to jointly develop and submit a PTCDP, thus further
reducing the paperwork burden on FRA and the industry as a whole and
increasing confidence in the interoperability between systems.
Vendors believe that FRA should type approve specific components,
so the vendor may sell the type approved products. FRA believes that
such a request may be based on the mistaken belief that FRA has adopted
the FAA aviation model of type certifying aircraft frames, aircraft
engines, and propellers (see 14 CFR part 21, subparts B-G). This is
not, however, the case. FRA has adopted some elements of the FAA
Airworthiness Certificate process (see 14 CFR part 21, subpart H),
which addresses the suitability of an entire aircraft for a particular
purpose. FRA will apply a similar standard and certify only complete
PTC systems.
Another mechanism FRA is adding that will enable railroads to meet
their statutory obligations in preparing and submitting a PTCIP, while
providing enough information to FRA to facilitate FRA's evaluation of
the technical feasibility of the PTCIP, can be found in the provisions
of paragraph (c).
Paragraph (c) allows a railroad to file an abbreviated PTCDP,
called a Notice of Product Intent (NPI), with their PTCIP. The NPI,
detailed in Sec. 236.1013(e), is handled in a manner similar to a full
PTCDP, with certain key exceptions. First, a PTCIP may be submitted
with a NPI in lieu of either a complete PTCDP (or reference to an
approved Type Approval). Any PTCIP submitted with an NPI and approved
by FRA will only receive ``Provisional Approval.'' The Provisional
Approval will only be valid for a maximum period of 270 days
(approximately 9 months), by which time a railroad must resubmit its
PTCIP with a complete PTCDP or reference to an approved Type Approval.
If the railroad submits the updated PTCIP within that period, FRA will
treat the updated filing in the same manner as FRA would have treated
the original PTCIP submission. If the railroad fails to update the
PTCIP before the end of that period, the Provisional Approval will
automatically be revoked, and the revocation will be considered as
retroactive to the original due date. FRA has no intention of extending
any Provisional Approval beyond the 270 day period and will not
entertain requests to that effect. Each railroad is expected to be
capable of fully defining the product they intend to use within the 270
day period. Use of an NPI by a railroad allows for incremental, albeit
limited, submission of the PTCDP.
Railroads would still be required to fully describe their plans for
the use and completion of the PTCDP in their PTCIPs. Having the PTCDP
development extend beyond the PTCIP due date may be beneficial to the
entire industry, since it allows for practical development of PTC
systems for railroads with unique technical requirements or financing
restrictions while potentially increasing the number of viable
suppliers, products, and systems. In addition to being practical, this
approach would further the industry interests of having a more even
distribution of the workload for commuter rail agencies and for FRA
staff. Additionally, it enhances the ability of railroads to provide
sufficient detail in the PTCDP, due to greater confidence in the
overall design solution, thereby reducing the need for revision and the
associated burden on FRA and railroad staff.
FRA clearly recognizes, regardless of the approach taken, that a
vendor or supplier to the railroad may prepare part, if not all, of the
required documentation. Notwithstanding that fact, the railroad remains
responsible for the completeness and accuracy of any documentation
submitted. For instance, FRA may find that the PTCDP does not
adequately conform to this subpart or otherwise has insufficient
information to justify approval. FRA may also determine that there are
issues raised by the PTCDP that would adversely affect the ability of
FRA to eventually certify the system. If such a situation were to
arise, the railroad would need to address the issues and resubmit the
documentation for FRA approval.
The third mechanism available to railroads is described in
paragraph (d). This paragraph allows railroads the opportunity to file
a Request for Expedited Certification (REC) in lieu of an approved
PTCDP or a Type
[[Page 2640]]
Approval, and the subsequent PTCSP developed in accordance with Sec.
236.1015 in order to receive PTC System Certification. A REC applies
only to PTC systems that have already been in revenue service and meet
the criteria of Sec. 236.1031(a). If a PTC system is not eligible for
expedited certification, the railroad will be limited to the options
presented in paragraphs (b) and (c).
Paragraph (e) requires that each PTCIP, PTCDP, and PTCSP must
comply with the content requirements in Sec. Sec. 236.1011, 236.1013,
and 236.1015, respectively. If the submissions do not comply with their
respective regulatory requirements, then they may not be approved.
Without approval, a PTC system may not receive a Type Approval or PTC
System Certification. Ultimately, PTC System Certification is FRA's
formal recognition that the PTC system, as described and implemented,
meets the statutory requirements and the provisions of subpart I. It
does not imply FRA endorsement or approval of the PTC system itself.
In the interest of an open market, FRA does not want to preclude
the ability of PTC system suppliers outside of the United States from
manufacturing PTC systems or selling them to the regulated railroads.
However, in order to ensure the safety and reliability of those
systems, FRA needs to be able to conduct an adequate review of the
submitted plans. Accordingly, paragraph (e) requires that all materials
submitted in accordance with this subpart be in the English language,
or be translated into the English language and attested as true and
correct.
Under subpart H of this part, a railroad may seek confidential
treatment for what it deems to be trade secrets, commercial, or
financial information that is privileged or confidential under
Exemption 4 of the Freedom of Information Act (FOIA), 5 U.S.C.
552(b)(4), or the Trade Secrets Act, 18 U.S.C. 1905, and submit such
requests in accordance with Sec. 209.11. A railroad may request
similar confidential treatment under subpart I. As with subpart H,
should a FOIA request be made for information submitted under this rule
for which the submitting party has requested confidential treatment,
the submitting company will be notified of the request in accordance
with the submitter consultation provisions of the Department's FOIA
regulations (Sec. 7.17) and will be afforded the opportunity to submit
detailed written objections to the release of information as provided
for in Sec. 7.17(a). FRA strongly encourages submitting parties to
request confidential treatment only for those portions of documents
that truly justify such treatment (i.e., trade secrets and security
sensitive information).
While FRA continues to believe that there is no need at this time
to substantially revise Sec. 209.11, FRA will require an additional
document to assist FRA in efficiently and correctly reviewing requests
for confidentiality. Under Sec. 209.11, a redacted and an unredacted
copy of the same document must be submitted. When FRA review is
required to determine whether confidentiality should be afforded, FRA
personnel must painstakingly compare side-by-side the two versions to
determine what information has been redacted. This process may result
in information for which exemption from disclosure is being requested
to be misidentified. To reduce this burden, and ensure that the
intellectual property of the railroad and their suppliers is
appropriately guarded, FRA requires that any material submitted for
confidential treatment under subpart I and Sec. 209.11 include a third
version that would indicate, without fully obscuring, the redacted
portions for which protection is requested. For instance, in order to
indicate without obscuring the plan's redacted portions, the railroad
may use the highlighting, underlining, or strikethrough functions of
its word processing program. This document will also be treated as
confidential under Sec. 209.11. FRA could amend Sec. 209.11 to
include this requirement. However, FRA does not believe it to be
necessary at this time.
FRA is allowing the submission of an adequate GIS shapefile to
fulfill some of the PTCIP content requirements under Sec. 236.1011.
However, with respect to requesting confidential treatment of specific
information contained in a GIS shapefile, which includes primarily map
data, FRA recognizes that visually blocking out the information would
defeat the purpose. For instance, a black dot over a particular map
location, or a black line over a particular route, would actually
reveal the location. Thus, FRA expects that a railroad seeking
confidential treatment for portions of a GIS shapefile will submit
three versions of the shapefile to comply with paragraph (e).
Alternatively, a single shapefile can include three separate layers
each representing the three levels of confidentiality, with specific
instructions indicating which elements are being displayed and how to
handle the file for confidentiality purposes. FRA also expects that the
version for public consumption would not include the information for
which the railroad is seeking confidential treatment.
NICTD strongly urged FRA to only accept PTCIPs that provided full
public disclosure of all the information needed to obtain components
from multiple suppliers, including message interface standards,
functional allocation for each subsystem, and safety allocation for
each subsystem (e.g., identifying which hazards and safety-critical
assumptions are made for each subsystem). NICTD asserted that it was
not requesting proprietary information for any subsystems, but merely
the ability to utilize alternative sources to fulfill the subsystem
requirements within the overall PTC system. According to NICTD, this
would substantially improve the likelihood of commuter railroads being
able to obtain components from the multiple suppliers that are
currently more than willing to develop components that will safely
operate with other systems. Moreover, NICTD stated that this would
facilitate compliance with interoperability requirements, as the
knowledge gained would simplify development of interoperable systems
and reduce procurement delays. Amtrak agrees on the need for full
public disclosure and asserts that it should be able to review and
comment on the PTCIPs of the Class I railroads. FRA understands these
positions, but FRA will not make any flat pronouncements about the
confidentiality of information it has not yet received.
FRA expects that FRA-monitored laboratory or field testing or an
independent third party assessment may be necessary to support
conclusions made and included in a railroad's submitted PTCDP or PTCSP.
This issue is addressed in paragraph (f). The procedural requirements
to effectuate either of those requirements can be found in Sec. Sec.
236.1035 and Sec. 236.1017, respectively.
Paragraph (g) makes clear that FRA approval of a plan submitted
under subpart I may be contingent upon any number of factors and that,
once the plan is approved, FRA maintains the authority to modify or
revoke the resulting Type Approval or PTC System Certification. Under
paragraph (g)(1), FRA reserves the right to attach additional
requirements as a condition for approval of a PTCIP, or issuance of a
Type Approval or PTC System Certification. In the preparation of any of
these plans, railroads may have inadvertently failed to fully address
hazards and risks associated with all of these components.
FRA believes that paragraph (g)(1) will make the regulatory process
more efficient and stable. Rather than reject a railroad's plan
completely, and
[[Page 2641]]
consequently delay the railroad's implementation of its PTC system, FRA
would prefer to add additional conditions during the approval process
to address these oversights. When determining whether to attach
conditions to plan approval, FRA will consider whether: (1) The plan
includes a well-defined and discrete technical or security issue that
affects system safety; (2) the risk or safety significance of an issue
can be adequately determined; (3) the issue affects public health and
safety; (4) the issue is not already being processed under an existing
program or process; and (5) the issue cannot be readily addressed
through other regulatory programs and processes, existing regulations,
policies, guidance, or voluntary industry initiatives.
Paragraph (g)(2) provides FRA the right to reconsider an issued
Type Approval or PTC System Certification as a consequence of the
discovery of potential error, fraud or new information regarding system
safety that was not previously identified. FRA issuance of each Type
Approval or PTC System Certification under performance-based
regulations assumes that the model of the train control system and its
associated probabilistic data adequately accounts for the behavior of
all design features of the system that could contribute to system risk.
Different system design approaches may result in different levels of
detail introducing different approximations or errors associated with
the safety performance. There are some characteristics for which
modeling methods may not fully capture the behavior of the system, or
there may be elements of the system for which historical performance
data may not be currently available. These potential inconsistencies in
the failure analysis could introduce significant variations between the
predicted and actual performances. Because of the design complexity
associated with train control systems, FRA recognizes that these
inconsistencies may not be the result of deliberate acts by any
individuals or organizations, but simply reflect the level of
analytical detail, the availability of comprehensive information, the
qualification and experience of the analyst team, and the railroad's
and FRA's resource limitations.
In paragraph (g)(3), FRA indicates that the railroad may be allowed
to continue operations using the system, although such continued
operations may have special conditions attached to mitigate any adverse
consequences. It is FRA's intent, to the maximum extent possible and
when consistent with safety, to assist railroads in keeping the systems
in operation. FRA expects that, if it places a condition on PTC system
operations, each railroad will have a predefined process and procedure
in place that would allow continued railroad operations, albeit under
reduced capability, until appropriate mitigations are in place, and the
system can be restored to full operation. In certain dire situations,
FRA may actually order the suspension or discontinuation of operations
until the root cause of the situation is understood and adequate
mitigations are in place. FRA believes that suspending a Type Approval
or a PTC System Certification pending a more detailed analysis of the
situation may be appropriate, and that any such suspension must be done
without prejudice. FRA expects to take such an action only in the most
extreme circumstances and after consultation with the affected parties.
After reconsidering its issuance of a Type Approval or PTC System
Certification, under paragraph (g)(4), FRA may either dismiss its
reconsideration and continue to recognize the existing FRA approved
Type Approval or PTC System Certification, allow continued operations
with certain conditions attached, or order the railroad to cease
applicable operations by revoking its Type Approval or PTC System
Certification. If FRA dismisses its reconsideration and continues to
recognize the Type Approval, any conditions required during the
reconsideration period would no longer be applicable. If FRA will allow
continued operations, FRA may order the continuation of conditions that
were required during the reconsideration period or impose additional
conditions. FRA expects that revocation of a Type Approval or PTC
System Certification would occur in very narrow circumstances, where
the risks to safety appear insurmountable. Regrettably, there may be a
few situations in which the inconsistencies are the result of
deliberate fraudulent representations. In such situations, FRA may also
seek criminal or civil penalties against the entities involved.
APTA submitted comments asserting that the NPRM offered minimal
guidance on what criteria FRA will use in accepting or rejecting a
railroad's plan. Therefore, APTA asserted that FRA should draft and vet
criteria that accomplishes the basic purposes of PTC, while allowing
for innovation in meeting the performance requirements envisioned in
the proposed regulation. FRA believes that this concern arises from the
fact that this regulation, like subpart H of this part, is a
performance-based rule. While performance-based rules provide maximum
flexibility to railroads and vendors or suppliers, they also introduce
a degree of ambiguity.
FRA, in consultation with the RSAC PTC Working Group, has developed
and vetted model templates for both the PTCIP and the risk
prioritization scheme to provide some degree of specificity without
unnecessary constraints. It should be carefully noted that these
templates are, by necessity, general in nature and must be customized
by the individual railroad to reflect its individual operations. What
may be applicable for one railroad may not be applicable to another.
FRA has also provided vetted guidance as to acceptable design,
verification and validation, and human factors in the appendices to
this part. Again, given the wide variety of potential solutions that
may be adopted by various railroads, FRA is reluctant to provide more
detailed guidance. However, if a PTCIP content requirement under Sec.
236.1011 is fulfilled in a submitted GIS shapefile, then the written
PTCIP should simply cross-reference appropriately.
Paragraph (h) relates to FRA's authority to conduct inspections to
ensure that a railroad is in compliance with subpart I. FRA inspections
may be required to determine whether a particular railroad has
implemented a PTC system where necessary. For instance, FRA may need to
confirm whether a track segment is subject to five million gross tons
or more of annual railroad traffic, PIH materials, or passenger
traffic. FRA may also need to inspect locomotives to determine whether
they are equipped with a PTC onboard apparatus or to review locomotive
logs to determine whether the locomotive has entered PTC territory.
Paragraph (h) simply reiterates FRA's statutory authority to inspect
the railroads and gather information necessary to enforce its
regulations.
In order to maintain an open marketplace, this final rule has been
drafted to allow domestic railroads to purchase PTC systems from
outside of the United States. FRA recognizes that PTC systems have been
used in revenue service across the globe and that acceptable products
may be available in other countries. FRA also recognizes that such use
may fall under the jurisdiction of a foreign regulatory entity much
like FRA. Accordingly, under paragraph (i), in the event information
relating to a particular PTC system has been certified under the
auspices of a regulatory entity in a foreign government, FRA is willing
to consider that information as independently Verified and Validated to
support the
[[Page 2642]]
railroad's PTCSP development. The phrase ``under the auspices'' intends
to reflect the possibility of certification contractually performed by
a private entity on behalf of a foreign government agency. However, the
foreign regulatory entity must be recognized by the Associate
Administrator. A railroad seeking to enjoy the benefits of paragraph
(i) must communicate that interest in its PTCSP, and is strongly
encouraged to communicate such a desire well before submission of the
PTCSP for approval.
Finally, the AAR noted that, unlike the precedent set by subpart H
and the RSIA08, FRA did not include time frames for the agency to
respond to the submissions of the PTCDP or PTCSP. The AAR urged FRA to
include specific deadlines for these filings to ensure a common
understanding of the time allotted to carry out the regulatory
responsibilities. Accordingly, AAR proposed that FRA agree to respond
within 60 and 120 days of the submission of a PTCDP and PTCSP,
respectively. This 180-day approval period for both the development and
safety plans is consistent with existing subpart H, which allows 180
days for approval of a product safety plan.
FRA agrees that the railroads need, for their planning purposes, an
estimated amount of time within which FRA will provide a response
regarding the acceptability of their PTCSP submission. FRA also
believes that this information would be appropriately placed in Sec.
236.1009. Accordingly, FRA is adding paragraph (j) to this section,
which contains target deadlines for FRA review. FRA will acknowledge
receipt of a PTCDP or PTCSP submission within 30 days. Depending upon
the complexity of the system and the amount of participation by FRA in
the PTCDP or PTCSP development process, FRA will endeavor to approve,
approve with conditions, or deny approval of the PTCDP and PTCSP within
60 and 180 days, respectively. If FRA is unable to complete its review
of the PTCDP or PTCSP within these estimated time periods, FRA will
advise the submitter accordingly.
When reviewing the procedural requirements contained in the
proposed rule, the RLO expressed concern that this streamlined process
may result in degradation of safety and significant concern with the
ability of FRA to adequately staff the oversight process with a
sufficient number of people with the requisite skill sets. FRA
appreciates these concerns, and is undertaking plans to ensure that
this new process does not result in any degradation of safety. FRA will
continue to apply the same technical standards as used in earlier PTC
system approvals. FRA has also taken steps to ensure that it has
sufficient people, with the appropriate skills, to ensure proper safety
oversight of this new process. A task analysis to determine the desired
skills, as well as appropriate placement within the agency of
additional staff members has been completed The RSIA08 authorizes an
additional 200 full time positions to FRA, and FRA is ready to recruit
the necessary technical staff as appropriations permit.
Section 236.1011 PTC Implementation Plan Content Requirements
This section describes the minimum required contents of a PTC
Implementation Plan. A PTCIP is a railroad's plan for complying with
the installation of mandatory PTC systems required by RSIA08. The PTCIP
consists of implementation schedules, narratives, rules, technical
documentation, and relevant excerpts of agreements that an individual
railroad will use to complete mandatory PTC implementation. FRA will
measure the railroad's progress in meeting the required implementation
date based on the schedule and other information in the PTCIP. While
the final rule does not specify or mandate any specific organization
for the PTCIP, it must at least clearly indicate which portions intend
to address compliance with the various plan requirements under this
section. The PTCIP must also clearly identify each referenced document
and either include a copy of each document (or its applicable excerpt)
or indicate where FRA and the public may view that document. Should FRA
not be able to readily determine adequate response to the required
information, FRA will assume that the information has not been
submitted, and will handle the document accordingly. The lack of the
required information may result in FRA's disapproval of a PTCIP. To
facilitate timely and successful submittals, FRA, through assistance
from a PTCIP Task Force drawn from the PTC Working Group, developed a
template that can be used to format the documents that must be
submitted. FRA, however, wishes to emphasize that the use of such a
template is strictly voluntary, and encourages railroads to prepare and
submit the documents in the structure most economical for the railroad.
FRA does not believe it is necessary to require that the railroads
expend their limited resources in reformatting documents when such an
activity adds no real value. However, while the template may be a
useful tool, in light of the various forms a PTCIP may be required to
take and the type of system the railroad intends to implement, complete
adherence to the template will not guarantee FRA approval of the
submitted PTCIP.
FRA expects each PTCIP to include various highly specific and
descriptive elements relating to each railroad's infrastructure and
operations. FRA recognizes manual assembly of each piece of data into a
PTCIP may be exceptionally onerous and time consuming and may make the
PTCIP prone to errors. In light of the foregoing, and due to the
statutory requirement that Congress be apprised on the progress of the
railroad carriers in implementing their PTC systems, FRA believes that
electronic submission of much of this information may be warranted and
preferred. To facilitate collection of this data, FRA will accept the
submission of this data in electronic format.
FRA believes that the preferred, least costly, and least error-
prone method to comply with this section is for railroads to submit an
electronic geographic digital system map containing the aforementioned
segment attribute information in shapefile format, which is a data
format structure compatible with most Geographic Information System
(GIS) software packages. Using GIS provides an efficient means for
organizing basic transportation-related geographic data to facilitate
the input, analysis, and display of transport networks. Railways around
the world rely on GIS to manage key information for rail operations,
maintenance, asset management, and decision support systems. FRA
believes that the railroads may have already identified track segments,
and their physical and operational characteristics, in shapefile
format. Accordingly, each shapefile document must provide the following
identifiable information for each track segment: Owning railroad(s);
distance; signal system; track class; subdivision; number and location
of sidings; maximum allowable speed; number and location of mainline
tracks; annual volume of gross tonnage; annual number of cars carrying
hazmat; annual number of cars carrying PIH; passenger traffic volume;
average daily through trains; WIUs; switches; and at-grade rail-to-rail
crossings.
Paragraph (a) cites the minimum requirements that must be addressed
in the PTCIP. However, given the wide diversity of railroads and their
operating environments, FRA recognizes that additional factors may
arise that reflect the unique operational characteristics of a
particular railroad. It is beholden to each railroad to carefully
analyze the
[[Page 2643]]
circumstances associated with its operations and address any of these
elements that may affect implementation planning. During its review of
a PTCIP, FRA will carefully evaluate the plan to determine if the
submitting railroad(s) have indeed addressed unique railroad issues.
FRA wishes to make clear that in those situations, where additional
factors that are unique to a railroad have not been addressed, FRA will
return the PTCIP unapproved.
Paragraph (a)(1) requires that the railroad describe the functional
requirements that the technology will employ in its PTC system. Here,
FRA broadly defines the term ``technology'' to include all applicable
tools, machines, methods, and techniques.
Paragraph (a)(2) requires that the railroad describe how it will
address fulfilling the requirements associated with the submittal of an
NPI (see 49 CFR 236.1009(c)) temporarily in lieu of a PTCDP and the
requirements associated with a PTCSP (see 49 CFR 236.1009(d)).
In RSIA08, Sec. 20157(a)(2) requires that a railroad describe how
it will ``provide for interoperability of the system with movements of
trains of other railroad carriers over its lines.''
Practically speaking, this means that each locomotive operating
within PTC territory must be able to communicate with, and respond to,
the PTC systems installed on each PTC territory's track and signal
system, except in those limited situations established elsewhere in
this final rule. For this reason, paragraph (a)(3) requires that the
PTCIP describe how the PTC system will provide for interoperability of
the system between the host and all tenant railroads on the lines
required to be equipped with PTC systems under this subpart.
Interoperability means the ability of diverse systems and
organizations to work together (inter-operate), taking into account the
technical, operational, and organizational factors that may impact
system-to-system performance. FRA expects each PTC system required by
subpart I to exhibit syntactic interoperability--so that it may
successfully communicate and exchange data with other PTC systems--and
semantic interoperability--so that it may automatically, accurately,
and meaningfully interpret the exchanged information to prove useful to
the end user of each communicating PTC system. To achieve semantic
interoperability, both sides must defer to a common information
exchange reference model. In other words, the content of the
information sent must be the same as what is received and understood.
Taking syntactic and semantic interoperability together, FRA expects
each PTC system to provide services to, and accept services from, other
PTC systems and to use those services exchanged to enable the PTC
systems to operate effectively together and to provide the intended
results. The degree of interoperability should be defined in the PTCIP
when referring to specific cases.
Interoperability is achieved through four interrelated means:
Product testing, industry and community partnership, common technology
and intellectual property, and standard implementation.
Product testing includes conformance testing and product
comparison. Conformance testing ensures that the product complies with
an appropriate standard. FRA recognizes that certain standards attempt
to create a framework that would result in the development of the same
end product. However, many standards apply only to core elements and
allow developers to enhance or otherwise modify products as long as
they adhere to those core elements. Thus, if an end product is
developed in different ways to conform to the same standard, there may
still be discrepancies between each instantiation of the end product
due to the existence of variables outside of the core elements.
Accordingly, FRA believes that comparison testing must also occur to
ensure that each instantiation of the same product, regardless of the
means upon which it is created to meet the same standard, is ultimately
identical. In regards to PTC systems, such comparison testing must
occur on all portions that relate to each system's interoperability
with other systems. Thus, it is also important that the PTC system be
formally tested in a production scenario--as they will be finally
implemented--to ensure that it will actually intercommunicate and
interoperate with other PTC systems as advertised and intended.
To reach interoperability between the various applicable PTC
systems, each PTCDP must also show that the systems share common
product engineering. Product engineering refers to the common standard,
or a sub-profile thereof, as defined by the industry and community
partnerships, specifically intended to achieve interoperability.
Without common product engineering, the systems will be unable to
intercommunicate or otherwise interact as necessary to comply with the
proposed rule.
FRA expects that each interoperability standard for PTC systems
will be developed by a partnership between various industry
participants. Industry and community partnerships, either domestic or
international, usually sponsor standard workgroups to define a common
standard to provide system intercommunications for a specific purpose.
At times, an industry or community will sub-profile an existing
standard produced by another organization to reduce options and thus
making interoperability more achievable. Thus, in each PTCDP, the
railroad must discuss how it developed or adopted a standard commonly
accepted by that partnership.
In the proposed rule, FRA noted that means of achieving
interoperability include having the various entities involved using the
same PTC system product or obtaining its components from the same
developer. In its comments, NICTD expressed its belief that this
conclusion does not meet RSIA08's interoperability requirements.
According to NICTD, while the freight railroads are free to choose
their own supplier, their essential monopoly power has the potential to
force commuter railroads to use the same supplier and thereby prevent
commuter railroads from meeting the requirement to use open competitive
bids from multiple suppliers for a system. Since the quantity of units
required from the commuter railroads is substantially less than those
required for the freight railroads, NICTD asserts this greatly reduces
the ability of the commuter railroads to obtain system components that
meet their specific operating needs, as the single supplier will not
have the resources available to support those needs. NICTD also
believes that this is in direct contrast with the FRA statement
relating to performance standards: ``FRA intends the proposed rule to
accelerate the promotion of, and not hinder, cost effective
technological innovation by encouraging an efficient utilization of
resources, an increased level of competition, and more innovative user
applications and technological developments.''
Safetran also believes that each railroad should be free to choose
a supplier. According to Safetran, the freight railroads through their
implementation and development plans could specify a specific product
or supplier preventing other railroads from using open competitive bids
from multiple suppliers for a system and achieving the cost savings of
competitive bidding. Safetran urges FRA to accept PTCIPs and PTCDPs
that require public disclosure of all information needed to enable
development of PTC components from multiple suppliers. This does not
require disclosure of proprietary
[[Page 2644]]
information, but does require disclosure of interface specifications as
well as required functional attributes, assigned safety attributes and
stimulus/response attributes.
While FRA does not necessarily require this approach--since the
agency seeks to maintain an open and competitive marketplace--FRA
believes that this is a suitable means to achieve interoperability.
This technique may provide similar technical results when using PTC
system products from different vendors or suppliers relying on the same
intellectual property. FRA recognizes that certain developers with an
intellectual property interest in a particular technology may provide a
non-exclusive license of its intellectual property to another entity so
that the licensee may introduce into the marketplace a substantially
similar product reliant on that intellectual property. In such a case,
FRA foresees that the use of a common PTC system technology--even if it
is proprietary to a single or multiple entities and licensed to
railroads--could reduce the variability between components, thus
providing for a more efficient means to achieve interoperability.
In order for interoperability to actually occur between multiple
entities' PTC systems, there must be some standard to which they all
adhere. Thus, FRA also expects that each PTCDP will provide assurances
of a common interoperability standard agreed to between all entities
using PTC systems that must interoperate.
Since each of these interrelated means has an important role in
reducing variability in intercommunication, each railroad's PTCIP must
clearly describe the elements required under paragraph (a)(1)-(3).
During review of the NPRM, AAR noted paragraph (a)(3)(i) had not
been updated to reflect an RSAC agreement. FRA agrees and has revised
paragraph (a)(3)(i) to include the language: ``include relevant
provisions of agreements, executed by all applicable railroads, in
place to achieve interoperability.''
Much of the remaining information required in a PTCIP under this
final rule relies on the location, length, and characteristics of each
track segment. Therefore, a common understanding of a track segment is
necessary. A track is the main designation for describing a physical
linear portion of the network. Each line of railroad has a station
location referencing system, which serves to locate inventory features
and defects along the length of the track. Because some tracks can be
very long, track or line segments are established to divide the track
into smaller ``management units.'' Typically, segment's boundaries are
established at point of switch (POS) locations, but may also be located
at mile markers, grade crossings, or other readily identifiable
locations. Inspection, condition assessment, and maintenance planning
is performed individually on each segment. After the track network
hierarchy is established, the attribute information associated with
each track is defined. This attribute information describes the track
layout (e.g., curves and grades), the track structure (e.g., rail
weights and tie specifications), track clearance issues, and other
track related items such as turnouts, rail-to-rail at-grade crossings,
highway-rail grade crossings, drainage culverts, and bridges. Inventory
information about these track attributes can be quite detailed. The
benefits of a complete and accurate track inventory provides a record
of the track network's properties and information about the existing
track materials at the specific locations when maintenance or repair is
necessary.
Paragraphs (a)(4) and (a)(5) require the railroad to put its entire
implementation plan into an understandable context, primarily as it
relates to the sequence and schedule of track segment implementation
events. Under RSIA08, 49 U.S.C. 20157(a)(2), Congress requires each
subject railroad to describe in its PTCIP how it shall, to the extent
practical, implement the PTC system in a manner that addresses areas of
greater risk before areas of lesser risk. Accordingly, under paragraph
(a)(4), the PTCIP must discuss the railroad's areas of risk and the
criteria by which these risks were evaluated and prioritized for PTC
system implementation. To this end, the railroad must clearly identify
all track segments that must be equipped, the basis for that decision
for each segment (which might be done by categories of segments), and,
as provided in paragraph (a)(5), the dates that implementation of each
segment will be completed, taking into account the time necessary to
fulfill the procedural requirements related to PTCSP submission,
review, and approval. At a minimum, the deployment decisions must be
based on segment traffic characteristics such as passenger and freight
traffic volumes, the quantity of PIH and other hazardous materials,
current methods of operations, existence of block signals and other
traditional train control technologies, the number and class of tracks,
authorized and allowable speeds for each segment, and other unusual
characteristics that may adversely impact safety, such as unusual
ruling grades and other track geometries. In cases where deployment of
the PTC system cannot be accomplished in order of areas with the
greatest risk to areas with the least risk, paragraph (a)(9) requires
that the railroad explain why such a deployment was not practical and
the steps that will be taken to minimize adverse consequences to the
public until the track segment can be equipped.
Paragraphs (a)(6) and (a)(7) require the PTCIP to include
information regarding the rolling stock and wayside devices that will
be equipped with the appropriate PTC technology. For a PTC system to
work as intended, PTC system components must be installed and operated
in all applicable offices and on all applicable onboard and wayside
subsystems. Accordingly, the PTCIP must identify which technologies
will be installed on each subsystem and when they are scheduled to be
installed.
Under paragraph (a)(6), each host railroad filing the PTCIP must
include a comprehensive list of all rolling stock upon which a PTC
onboard apparatus must be operative. FRA understands that, in most
situations, the rolling stock referenced in paragraph (a)(6) may only
apply to controlling locomotives. However, in the interest of not
hindering creative technological innovations, FRA presumes the
possibility that PTC system technology may also be attached to
additional rolling stock to provide other functions, including
determining train capacity and length or providing certain acceptable
and novel train controls. To be kept apprised of these possibilities,
FRA is requiring in paragraph (a)(6) that each PTCIP include a list of
all rolling stock equipped with PTC technology. FRA believes that the
PTCIP should also identify any risks associated with trains operated by
tenant railroads and not equipped with PTC system technology and the
efforts that the host railroad has made to establish the extent of that
risk. FRA understands that a host railroad may not receive cooperation
from a tenant railroad in collecting the necessary rolling stock
information. Nevertheless, FRA expects each host railroad to make a
good faith effort. Identification of those tenant railroads from whom
the host railroad attempted to obtain the requisite and applicable
information from, but failed to address a host railroad's written
request, may establish a good faith effort by the host railroad.
One railroad has requested that FRA eliminate the requirement for a
power (locomotive) equipage plan in the PTCIP to avoid the need for
updates to the
[[Page 2645]]
PTCIP. Instead of requiring such a plan, the railroad recommends that
FRA rely on railroad scheduling and good faith effort to drive
installations during the period 2012 through 2015. FRA carefully
considered this proposal, but has rejected it. Without an understanding
of what portion of the locomotive fleet has been equipped and what
portion remains to be equipped, FRA cannot accurately assess the extent
to which PTC could be used in revenue service. FRA is required to make
regular reports to Congress on the status of industry compliance and
the operational capability of existing PTC systems. Since PTC is an
integrated system, which requires both wayside and onboard equipment to
be installed and operational, evaluation of the state of system
deployment requires knowledge of the state of both subsystems.
Furthermore, the elimination of the equipage plan does not appear
to provide any significant advantages to the railroad. Regardless of
whether the railroad is required to maintain an equipage schedule for
the PTCIP, or rely on railroad scheduling and good faith efforts, the
railroad will still need to maintain some type of schedule to ensure
the completion of required PTC installations by 2015. FRA believes that
formalizing the schedule provides a planning tool that should
facilitate completion of the installation process. If the equipage plan
were unalterable, FRA could understand the railroad's concerns about
being locked into an unrealistic and unobtainable schedule. However,
FRA believes these concerns are unfounded because any plan in the
PTCIP, including the equipage plan, can be adjusted to reflect changing
circumstances.
Paragraph (a)(7) requires the railroad to provide the number of
wayside devices required for each track segment in its PTCIP and an
installation schedule for the completion of wayside equipment
installation by December 31, 2015. The selection and identification of
a technology discussed in the PTCIP will also, to a great extent,
determine the distribution of the functional behaviors of each of the
PTC subsystems (e.g., office, wayside, communications, and back
office). The WIU is a type of remote terminal unit (RTU) that is part
of a larger PTC system, which is a type of SCADA. As a whole, the safe
and efficient operation of a SCADA--a centralized system that covers
large areas, monitors and control systems, and passes status
information from, and operational commands to, RTUs--is largely
dependent on the ability of each of its RTUs to accurately receive and
distribute the required information. As such, a PTC system cannot
properly operate without properly functioning WIUs to provide and
receive status information and react appropriately to control
information.
It is commonly understood that a WIU device is capable of
communicating directly to the office, train, or other wayside unit. FRA
recognizes that there may not be the same number of WIUs and devices
that they monitor. Depending on the architecture and technology used, a
single WIU may communicate the necessary information as it relates to
multiple devices. FRA is comfortable with this type of consolidation
provided that, in the event of a failure of any one of the devices
being monitored, the most restrictive condition will be transmitted to
the train or office, except where the system may uniquely identify the
failed device in a manner that will provide safe movement of the train
when it reaches the subject location.
Because of the critical role that WIU's play in the proper and safe
operation of PTC systems, paragraph (a)(7) requires that the railroad
identify the number of WIU's required to be installed on any given
track segment and the schedule for installing the WIU's associated with
that segment. This information is necessary to fully and meaningfully
fulfill the RSIA08 requirement that by December 31, 2012, Congress
shall receive a report on the progress of the railroad carriers in
implementing PTC systems. See 49 U.S.C. 20157(d). To comply with this
statutory requirement, each railroad must determine the number of WIUs
it will need to procure and the location--as defined by the applicable
subdivision--where each WIU will be installed. FRA believes that, if a
railroad does not perform these traditional engineering tasks, it will
risk exceeding the statutory implementation deadline of December 31,
2015. FRA considers this information an integral part of the PTCIP that
must be submitted to FRA for approval.
NYSMTA asserts that the requirement in paragraph (a)(7) to include
the quantities of devices for each track segment in the PTCIP requires
prior completion of the full design of the PTC system. However, NYSMTA
asserts that it is not feasible to complete all of the survey and
design necessary to meet this requirement by April 2010. Therefore,
NYSMTA suggested that the requirement be reworded to read as follows:
``Identification of each PTC subsystem and major assembly, and an
estimated number of each required for each line segment.''
FRA recognizes the potential for technological improvements that
may modify the number and types of WIUs required. FRA also recognizes
that during testing and installation, it may be discovered that
additional WIU installations may be necessary. In either case, the
railroad will be required to submit an RFA in accordance with Sec.
236.1021 indicating how the railroad intends to appropriately revise
its schedule to reflect the resulting necessary changes. Nevertheless,
regardless of whether FRA approves or disapproves the RFA, if a
railroad is required to submit its PTCIP by April 16, 2010,
implementation must still be completed by the statutory deadline of
December 31, 2015.
One railroad recommended that paragraph (a)(7) should be revised to
require railroads to identify each PTC subsystem and assembly and the
estimated number of each subsystem required for each track segment.
However, FRA does not believe that this change is required. First, FRA
believes that the discussion of WIU requirements in paragraph (a)(7) is
already generalized and implementation independent. Second, this final
rule already provides for corrections in inventory count by submission
of an RFA with the revised count. Therefore, FRA has not adopted this
recommendation.
Under paragraph (a)(8), each railroad must also identify in its
PTCIP which of its track segments are either main line or not main
line. This list must be made based solely on the statutory and
regulatory definitions regardless of whether FRA may later deem a track
segment as other than main line. If a railroad has a main line that it
believes should be considered not main line, it may file with the PTCIP
a main line track exception addendum (MTEA) in accordance with Sec.
236.1019, as further discussed below. Each track segment included in
the MTEA should be indicated on the list required under paragraph
(a)(8), so that the PTCIP accounts for each track segment with an
appropriate cross-reference to the subject MTEA.
Paragraph (a)(9) requires that the plan call out the basis for a
railroad's determination that risk-based prioritization required by
paragraph (a)(4) of this section is not practical. FRA recognizes that
there may be situations where risk is somewhat evenly distributed and
where other factors related to practical considerations--such as the
need to establish reliable operation of the system in less complex
environments before installation in more complex
[[Page 2646]]
environments--may be the prudent course. However, the burden of
establishing the reasonableness of this approach would be on the
railroad, starting with a showing that risk does not vary substantially
among the track segments in question.
As mentioned elsewhere in this document, various railroads
incorrectly asserted that they would not have to ``turn on'' their
respective PTC systems until December 31, 2015. FRA recognizes that,
although an approved PTCIP will include a progressive roll-out
schedule, a PTC system cannot be operated in revenue service until it
receives PTC System Certification. To avoid the possibility of a
delayed plan submission that would frustrate the schedule, FRA has
added paragraph (a)(10), which requires the railroad(s) to set its own
due dates for such submissions. The ultimate due date, of course, is
subject to FRA's approval of the PTCIP.
Paragraph (b) of Sec. 236.1011 contains provisions related to
further PTC deployment by the Class I railroads. As noted in the NPRM,
the specific characteristics of the PTC route structure, with the focus
on PIH traffic as an indicator of risk, was a late addition to the bill
that would become RSIA08, not having appeared in either the House or
Senate bills until the final package was assembled using consultations
between the committee staffs in lieu of a formal committee of
conference. Although the statutory construct (Class I rail line with 5
million gross tons and some PIH materials) adequately defines most of
the core of the national freight rail system, it is a construct that
will introduce distortions at both ends of the spectrum of risk.
On one hand, a line with a maximum speed limit of 25 miles per hour
ending at a grain elevator that receives a few cars of anhydrous
ammonia per year is a ``main line'' if it has at least 5 million gross
tons of traffic (a very low threshold for a Class I railroad). This is
not a line without risk, particularly if it lacks wayside signals, but
FRA analysis shows that the potential for a catastrophic release from a
pressure tank car is very low at an operating speed of 25 miles per
hour, and the low tonnage is likely associated with relatively
infrequent train movements--limiting the chance of a collision.
On the other end of the spectrum, lines with greater risk may go
unaddressed. For instance, a line carrying perhaps a much higher level
of train traffic and significant volumes of other hazardous materials
at higher speeds, without any PIH or passenger traffic, would not be
equipped. This example is not likely to be present to any significant
extent under current conditions. However, should the Class I railroads
raise freight rates making rail transportation prohibitively expensive
and accordingly eliminating PIH traffic, the issue would be presented
as a substantial one. Most of the transportation risk--including
hazards to train crews and roadway workers and exposure to other
hazardous materials if released--would remain, but not the few carloads
of PIH. FRA believes that the intent of Congress with respect to
deployment of PTC might be defeated, even though the minimum
requirements related to passenger and PIH traffic would be satisfied.
Other lines carrying very heavy volumes of bulk commodities such as
coal and intermodal traffic may or may not include PIH traffic. Putting
aside the risk associated with PIH materials, significant risk exists
to train crews and persons in the immediate vicinity of the right-of-
way if a collision or other PTC-preventable accident occurs. Any place
on the national rail system is a potential roadway work zone, but
special challenges are presented in providing for on-track safety where
train movements are very frequent or operations are conducted on
adjacent tracks.
Risk on the larger Class II and III railroads' lines is also a
matter of concern, and the presence of significant numbers of Class I
railroad trains on some of those properties presents the opportunity
for further risk reduction, since over the coming years virtually all
Class I railroad locomotives will be equipped with PTC onboard
apparatus'. Examples include trackage and haulage rights retained over
Class II and III railroads following asset sales in which the Class I
railroads divested the subject lines. Other prominent examples involve
switching and terminal railroads, the largest of which are owned and
controlled by two or more Class I railroads and function, in effect, as
extensions of their systems. Conrail Shared Assets, a large regional
switching railroad that is owned by NS and CSXT and is comprised of
major segments of the former Conrail, then a Class I railroad, is
perhaps the classic example.
FRA notes that there has also been a trend, only recently and
temporarily abated by the downturn in the economy, toward higher train
counts on some non-signaled lines of the Class I railroads. On a train-
mile basis, these operations present about twice the risk as similar
operations on signalized lines. These safety gaps need to be filled;
and, while most will be filled due to the presence of PIH traffic, FRA
cannot verify that this is the case in every instance.
FRA concludes that the mandated deployment of PTC will leave some
substantial gaps in the Class I route structure, including gaps in some
major urban areas. FRA believes that these gaps will, over time, be
``filled in'' by voluntary actions of the Class I railroads as they
establish the reliability of their PTC systems, verify effective
interoperability, and begin to enjoy the safety and other business
benefits from use of these systems. FRA fully understands both the
desire of the labor stakeholders in the PTC Working Group to see a
broader build-out of PTC systems than that ``minimally'' required by
RSIA08 and the concerns of the Class I railroads' representatives who
noted the extreme challenge associated with equipping tends of
thousands of wayside units, some 20,000 locomotives, and their
dispatching centers' back offices within the statutory implementation
period.
The Congress recognized that all of these issues are legitimate
concerns and so mandated the establishment of Risk Reduction Programs
under the same legislation. Section 103 of RSIA08 specifically
requires, within the Risk Reduction Program, a Technology
Implementation Plan to address technology alternatives, including PTC.
Accordingly, the PTC and Risk Reduction provisions in RSIA08 are
clearly aligned in purpose; and there are also references in the
technology plan elements of the Risk Reduction language that address
installation of PTC by other railroads. Further, FRA has been charged
with a separate rulemaking under section 406 of RSIA08 regarding risk
in non-signaled (dark) territory that significantly overlaps the issue
set in this rulemaking and the Risk Reduction section. Use of
technologies that are integral to PTC systems constitute the best
response to hazards associated with non-signaled lines. Switch position
monitoring systems, track integrity circuits, digital data links and
other technology used to address dark territory issues should be and,
as presently conceived, are forward-compatible with PTC. In paragraph
(b), FRA intends to dovetail these requirements by requiring that each
Class I railroad include in its PTCIP deployment strategies indicating
how it will approach the further build-out of full PTC, or partial
implementation of PTC (e.g., using PTC technology to prevent train-to-
train collisions but perhaps not monitoring all switches in the
territory; or using PTC to protect movements of the Class I over a
[[Page 2647]]
switching or terminal railroad without initially requiring all
controlling locomotives of the switching or terminal railroad to be
equipped). These railroads would then be required to include in the
technology elements of their initial Risk Reduction plans a
specification of which lines will be equipped and with what PTC system
elements. Paragraph (b) makes clear that there would be no expectation
regarding additional lines being equipped until those mandated by
subpart I have been addressed. FRA shares the view of the Class I
railroads and the passenger railroads that the December 31, 2015,
deadline already presents a substantial challenge for railroads,
suppliers, and the employees affected.
One railroad objected to the requirement to describe the strategy
and plan for complete build out and characterized it as premature,
unwarranted, and inconsistent with the RSIA08. FRA strongly disagrees
for the reasons previously set forth and has retained the requirement
specified in paragraph (b).
Paragraph (c) codifies in regulation the statutory mandate that FRA
review the PTCIP and determine, within 90 days upon receipt of the
plan, whether to provide its approval or disapproval. FRA believes that
it is also important to provide procedural rules to communicate
approval or disapproval. Thus, under paragraph (c), any approval or
disapproval of a PTCIP by FRA will be communicated by written notice.
In the event that FRA disapproves of the PTCIP, the notice will also
include a narrative explaining the reasons for disapproval. Once the
railroad receives notification that its PTCIP has been disapproved by
FRA, it will have 30 days to resubmit its PTCIP for review and
approval. While FRA may provide assistance to remedy a faulty PTCIP, it
is ultimately the railroad's responsibility and burden to develop and
submit a PTCIP worthy of FRA approval. FRA understands the railroads'
desire to extend the period of time for corrections of any issues in
the PTCIP, especially in circumstances that the railroad believes are
out of its control. However, the 30-day period is a statutory
requirement. FRA has little leeway in this regard. FRA will try to
work, within the limits of available FRA resources, with railroads in
reviewing draft versions of the PTCIP before April 16, 2010. Early
identification of potential issues should reduce, and possibly
eliminate, rework that a railroad might need to address during the 30-
day correction period. However, regardless of any early FRA
participation in the document review cycle, the railroad is expected to
submit a plan that requires little to no rework.
A number of comments were submitted objecting to the potential
assessment of civil penalties based on a railroad's failure to timely
file a PTCIP. While FRA is unwilling to revise its position on this
issue, FRA will exercise prosecutorial discretion in the assessment of
civil penalties.
APTA submitted comments suggesting that the language in paragraph
(c) of this section be amended to allow at least 90 days--the time
allotted for FRA plan review--for railroads to correct deficiencies and
re-submit their plans. In a similar vein, NYSMTA submitted comments
asserting that the amount of time allotted to correct deficiencies
should be based on to the extent of the needed correction. On the other
hand, NYSMTA proposed that penalties could be involved if railroads
submit plans deemed to be superfluous. Again, the law requires that
both the railroads and FRA work quickly to get plans in place. As the
entity at the receiving end of multiple filings, FRA will no doubt have
every reason to handle these matters with a spirit of cooperation where
best efforts have been made to fulfill the statutory requirements.
As noted previously, subpart I applies to each railroad that has
been mandated by Congress and FRA to install a PTC system. A railroad
that is not required to install a PTC system may still do so under its
own volition. In such a case, it may either seek approval of its system
under either subpart H or I. Paragraph (d) intends to make this choice
clear.
Paragraph (e) responds to comments by labor organizations in the
PTC Working Group. These employee representatives sought the
opportunity to comment on major PTC filings. Paragraph (e) provides
that, upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA will post on
its public Web site notice of receipt and reference to the public
docket in which a copy of the filing has been placed. FRA may consider
any public comment on these documents to the extent practicable within
the time allowed by law and without delaying implementation of PTC
systems. The version of any filing initially placed in the public
docket, for which confidential treatment has been requested in
accordance with Sec. 209.11, would be the redacted copy as filed by
the railroad. If FRA later determined that additional material was not
deserving of confidential treatment, that material would be
subsequently added to the docket.
Paragraph (f) has been added to this section in the final rule to
require railroads to maintain their most recent PTC deployment plans in
their PTCIPs until all PTC system deployments required under the RSIA08
have been completed.
Section 236.1013 PTC Development Plan Content Requirements and Type
Approval
As noted in the discussion above regarding Sec. 236.1009, each
PTCSP must be submitted with a Type Approval number identifying a PTC
system that FRA believes could fulfill the requirements of subpart I.
Under Sec. 236.1009, a railroad may submit an existing Type Approval
number in lieu of a PTCDP if the PTC system it intends to implement and
operate is identical to the one described in that Type Approval's
associated PTCDP. In the event, however, that a railroad intends to
install a system for which a Type Approval number has not yet been
assigned, or to use a system with an assigned Type Approval number that
may have certain variances to its safety-critical functions, then the
railroad must submit a PTCDP to obtain a new Type Approval number.
The PTCDP is the core document that provides the Associate
Administrator sufficient information to determine whether the PTC
system proposed for installation by the railroad could meet the
statutory requirements for PTC systems specified by RSIA08 and the
regulatory requirements under subpart I. Issuance of a system Type
Approval number is contingent upon the approval of the PTCDP by the
Associate Administrator. While filing of a PTCDP is optional in the
sense that the railroad may proceed directly to submission of the PTCSP
by the April 16, 2010, deadline (see Sec. 236.1009), FRA encourages
railroads engaged in joint operations to file a PTCDP. Approval of the
PTCDP, and issuance of a Type Approval, presents the opportunity for
other railroads to reduce the effort required to obtain a PTC System
Certification. If a Type Approval for a PTC system exists, another
railroad may also use that Type Approval provided there are no
variances in the system as described in the Type Approval's PTCDP. In
such cases, the other railroad may avoid submitting its own PTCDP by
simply incorporating by reference the supporting information in the
Type Approval's PTCDP and certifying that no variances in the PTC
system have been made.
This section describes the contents of the PTCDP required to obtain
FRA approval in the form of issuance of a Type Approval number. This
section requires each PTCDP to include all the
[[Page 2648]]
elements and practices listed in this section to provide reasonable
assurance that the subject PTC system will meet the statutory
requirements and are developed consistent with generally-accepted
principles and risk-oriented proof of safety methods surrounding this
technology. FRA believes that it is necessary to include the provisions
contained in this section in order to provide reasonable assurance that
the PTC system, when developed and deployed, will have no adverse
impact on the safety of railroad employees, the public, and the
movement of trains.
FRA recognizes that much of the information required by Sec.
236.1013 normally resides with the PTC system's developer or supplier
and not the client railroad. While FRA expects that each railroad and
its PTC system supplier may jointly draft a PTCDP, the railroad has the
primary responsibility for the safety of its operations and for
submitting to FRA the information required under this section.
Accordingly, each railroad required to submit a PTCDP under subpart I
should make the necessary arrangements to ensure that the requisite
information is readily available from the supplier for submission to
the agency. FRA believes that suppliers and railroads will develop a
PTCDP for most products that adequately address the requirements of the
new subpart without substantial additional expense. As part of the
design and evaluation process, it is essential to ensure that an
adequate analysis of the features and capabilities is made to minimize
the possibility of conflicts resulting from any use or feature,
including a software fault. Since this analysis is a normal cost of
software engineering development, FRA does not believe this requirement
imposes any additional significant costs beyond what should already be
done when developing safety-critical software.
The passenger and public commuter railroads who submitted comments
expressed significant concern that the Class I railroads' choice of a
single vendor or supplier for the onboard components of the PTC
systems, coupled with the RSIA08 requirement for interoperability,
creates a de-facto monopoly, with associated adverse impacts on costs
and schedule. These commenters recommended that FRA take positive steps
to ensure that sufficient information is made available to allow the
railroads to source components from multiple vendors or suppliers. The
suggested actions ranged from disapproving any PTCIP/PTCDP that is not
based on open standards to expediting Interoperable Train Control (ITC)
specification documentation.
FRA appreciates the concerns expressed regarding a de-facto
monopoly and the possible adverse consequences on system deployments.
FRA, however, must defer to the Departments of Justice and Commerce
regarding issues of alleged monopolistic behavior.
In subparts H and I, FRA has encouraged the use of publicly
available standards in the design, implementation, and testing of PTC
systems. FRA does not mandate the use of any particular standard by a
railroad, vendor, or supplier, but rather has adopted a policy of
allowing the marketplace to decide what standard(s) should be used,
provided the end result--a suitable safe product--is obtained.
Specification of government standards is only appropriate where there
has been a failure of the marketplace. It has not yet been established
that such marketplace failure has occurred. Even if such a marketplace
failure were deemed to have occurred, it is extremely unlikely that FRA
would be able to complete the development of appropriate standards
before current industry efforts with the ITC specifications are
finalized and made publicly available. FRA understands the railroads'
concerns and will monitor the situation.
FRA hastens to add that, since the publication of the NPRM, it has
become clear that ITC standards may not be completed and validated
prior to the end of 2010. FRA has requested that the ITC railroads
accelerate this process in the interest of compliance with the law, and
has added the Notice of Product Intent as a means of bridging to the
point where standards are available. Looking forward to mid-2010, FRA
will assess the situation with respect to delivery of open standards
and their adoption by the AAR. Should it appear that a timely delivery
will not be made, FRA reserves the right to take further regulatory
action. That action could include a proposal for adoption of mandatory
interoperability standards, likely in the form of existing American
Railway Engineering and Maintenance Association standards that have
already been developed through the leadership of the major
international signal suppliers. FRA believes that such action should
not be necessary and looks forward to the timely completion of ITC
standards.
One vendor pointed out that a significant portion of the work
associated with PTC system is commercially sensitive. FRA is committed
to appropriate protection of both railroad and vendor intellectual
property. Its development is recognized as representing the expenditure
of significant resources by the vendor, the railroad, or both. However,
interoperability requirements between railroads require some disclosure
of information between railroads and vendors or suppliers. This should
not require disclosure of proprietary information, but does require
disclosure of interface specifications, as well as required functional
attributes, assigned safety attributes and stimulus/response
attributes. FRA believes such disclosure of the latter is in the best
interest of the railroad, vendor, and supplier communities and strongly
encourages the free exchange of this information.
In Sec. Sec. 236.1013 and 236.1015, various adjectives precede
several of the requirements. For instance, certain paragraphs require
``a complete description,'' ``a detailed description,'' or simply a
``description.'' These phrases are inherited from subpart H of this
part. Their inclusion in subpart I are similarly not to imply that any
description should be more or less detailed or complete than any other
description required. By contrast, they are included merely for the
purposes of emphasis.
Paragraph (a)(1) requires that the PTCDP include system
specifications that describe the overall product and identify each
component and its physical relationship in the system. FRA will not
dictate specific product architectures, but will examine each PTC
system to fully understand how its various parts interrelate. Safety-
critical functions in particular will be reviewed to determine whether
they are designed to be fail-safe. FRA would like to emphasize that the
PTCDP information provided in accordance with the requirements of this
paragraph should be as railroad independent as possible. This will
allow the product's PTCDP, and any associated Type Approval, to be
shared by multiple railroads to the maximum extent possible. FRA
believes that the PTCDP information provided in accordance with this
provision will play an important role in FRA's determination as to
whether safety will be maximized and if regulatory compliance of the
system is obtainable.
Paragraph (a)(2) requires a description of the operation where the
product will be used. Upon receipt of this information within a PTCDP,
FRA will have better contextual knowledge of the product as it applies
to the type of operation on which it is designed to be used. Where
operational behaviors are not applicable to a particular railroad, or
the product design is not intended to address a particular operational
behavior, FRA would expect a short
[[Page 2649]]
statement indicating which operational characteristics do not apply and
why they are not applicable.
Paragraph (a)(3) requires that the PTCDP include a concept of
operations, a list of the product's functional characteristics, and a
description explaining how various components within the system are
controlled. FRA expects that the information provided under paragraphs
(a)(2) and (a)(3) will together provide a thorough understanding of the
PTC system. FRA will review this information--primarily by comparing
the subject PTC system's functionalities with those underlying
principles contained in standards for existing signal and train control
systems--to determine whether the PTC system is designed to account for
all relevant safety issues. While FRA does not intend to prescribe PTC
system design standards, FRA does expect that each applicant will
compare the concepts contained in existing standards to the operational
concepts, functionalities, and controls contemplated for the PTC system
in order to determine whether a sufficient level of safety will be
achieved. For example, existing requirements prescribe that where a
track relay is de-energized, a switch or derail is improperly lined, a
rail is removed, or a control circuit is opened, each signal governing
movements into the subject block occupied by a train, locomotive, or
car must display its most restrictive aspect for the safety of train
operations. The principle behind the requirement is that, when a
condition exists in the operating environment, or with respect to the
functioning of the system, that entails a potential hazard, the system
will assume its most restrictive state to protect the safety of train
operations.
Paragraph (a)(4) requires that each PTCDP include a document that
identifies and describes each safety-critical function of the subject
PTC system. The product architecture includes both hardware and
software aspects that identify the protection developed against random
hardware faults and systematic errors. Further, the document should
identify the extent to which the architecture is fault tolerant. FRA
intends to use this information to determine whether appropriate safety
concepts have been incorporated into the proposed PTC system. For
example, existing regulations require that when a route has been
cleared for a train movement, it cannot be changed until the governing
signal has been caused to display its most restrictive indication and a
predetermined time interval has expired, in those scenarios where time
locking is used or where a train is in approach to the location where
approach locking is used. FRA intends to use this information to
determine whether all the safety-critical functions have been included.
Where such functionalities are not clearly determined to exist as a
result of technology development, FRA will expect the reasoning to be
stated and a justification provided describing how that technology
provides the required level of safety. Where FRA identifies a void in
safety-critical functions, FRA may not approve the PTCDP until remedial
action is taken to rectify the concern.
FRA recognizes that the information required under paragraph (a)(4)
may have already been provided pursuant to paragraph (a)(1). In such a
case, the railroad shall cross reference where both paragraphs (a)(1)
and (a)(4) have been jointly satisfied in the PTCDP.
Paragraph (a)(4) requires that each PTCDP address the minimum
requirements under Sec. 236.1005 for development of safety-critical
PTC systems. FRA expects the information provided under paragraph
(a)(4) to cover: identification of all safety requirements that govern
the operation of a system; evaluation of the total system to identify
known or potential safety hazards that may arise over the life-cycle of
the system; identification of all safety issues during the design phase
of the process; elimination or reduction of the risks posed by the
hazards identified; resolution of safety issues presented; development
of a process to track progress; and development of a program of testing
and analysis to demonstrate that safety requirements are met.
FRA has considered the railroads' concerns, and agrees that the
selection of the safety assurance concepts that any particular railroad
may impose on its vendor or supplier might possibly differ, based on
the railroad's operational philosophy and tolerance for risk.
Accordingly, FRA removed proposed paragraph (a)(5) from the final rule
as an element of the PTCDP, and has made the requirement to describe
the safety assurance concepts an element of the PTCSP (see Sec.
236.1015(d)(2)).
Paragraph (a)(5) requires a submission of a preliminary human
factors analysis that addresses each applicable human-machine interface
(HMI) and all proposed product functions to be performed by humans to
enhance or preserve safety. FRA expects this analysis to place special
emphasis on proposed human factors responses--and the result of any
failure to perform such a response--to safety-critical hazards,
including the consequences of human failure to perform. For each HMI,
the PTCDP should address the proposed basis of assumptions used for
selecting each such interface, its potential effect upon safety, and
all potential hazards associated with each interface. Where more than
one employee is expected to perform duties dependent upon HMI input or
output, the analysis must address the consequences of failure by one or
multiple employees. FRA intends to use this information to determine
the proposed HMI's effect upon the safety of railroad operations. The
preliminary human factors analysis must propose how the railroad or its
PTC system supplier plans to address the HMI criteria listed in
Appendix E to this part or any alternatives proposed by the railroad
and deemed acceptable by the Associate Administrator. The design
criteria for Appendix E were first developed and subsequently adopted
by FRA as an element of subpart H of this part. As the criteria in
Appendix E are generally technology neutral, FRA has adopted them with
minor changes, for use with both subpart H of this part and these
proceedings.
Paragraph (a)(5) also requires that the PTCDP explain how the
proposed HMI will affect interoperability. RSIA08 requires that each
subject railroad explain how it intends to obtain system
interoperability. The ability of a train crew member to operate another
railroad's PTC system significantly depends upon a commonly understood
HMI. The HMI provides the end user with a method of interacting with
the underlying system and accessing the PTC functionality. FRA expects
that each railroad will adopt an HMI standard that will ensure ease of
use of the PTC system both within, and between, railroads.
Paragraph (a)(6) requires an analysis regarding how subparts A
through G of part 236 apply, or no longer apply, to the subject PTC
system. FRA recognizes that, while a PTC system may be designed in
accordance with the underlying safety concepts of subparts A through G,
the specific existing requirements contained in those subparts are not
necessarily applicable. In any event, the PTCDP must identify each
pertinent requirement considered to be inapplicable, fully describe the
alternative method used to fulfill that underlying safety concept, and
explain how the proposed PTC system supports the underlying safety
principle. FRA notes that certain sections in subparts A though G of
this part may always be applicable to PTC systems certified under
subpart I.
FRA is concerned about all dimensions of system security. Thus,
[[Page 2650]]
paragraph (a)(7) requires the PTCDP to include a description of the
security measures necessary to meet the specifications for each PTC
system and the prioritized restoration and mitigation plan as required
under Sec. 236.1033. Security is an important element in the design
and development of PTC systems and covers issues such as developing
measures to prevent hackers from gaining access to software and to
preclude sudden system shutdown, mechanisms to provide message
integrity, and means to authenticate the communicating parties. Safety
and security are two closely related topics. Both are elements for
ensuring that a subject is protected and without risk of harm. In the
industrial marketplace, the goals of safety and security are to create
an environment protecting assets from hazards or harm. While activities
to ensure safety usually relate to the possibility of accidental harm,
activities to ensure security usually relate to protecting a subject
from intentional malicious acts such as espionage, theft, or attack.
Since system performance may be affected by either inadvertent or
deliberate hazards or harms, the safety and security involved in the
implementation and operation of a PTC system must both be considered.
Integrated security recognizes that optimum protection comes from
three mutually supporting elements: Physical security measures,
operational procedures, and procedural security measures. Today, the
convergence of information and physical security is being driven by
several powerful forces, including: interdependency, efficiency and
organizational simplification, security awareness, regulations,
directives, standards, and the evolving global communications
infrastructure. Physical security describes measures that prevent or
deter attackers from accessing a facility, resource, or information
stored on physical media and guidance on how to design structures to
resist various hostile acts. Communications security describes measures
and controls taken to deny unauthorized persons information derived
from telecommunications and ensure the authenticity of such
telecommunications. Because of the integrated nature of security, FRA
expects that each PTCDP will address security as a holistic concept,
and not be restricted to limited or specific aspects.
Paragraph (a)(8) requires documentation of assumptions concerning
reliability and availability targets of mechanical, electrical, and
electronic components. When building a PTC system, designers may make
numerous assumptions that will directly impact specific implementation
decisions. These fundamental assumptions usually come in the form of
data (e.g., facts collected as the result of experience, observation or
experiment, or processes, or premises) that can be randomly sampled.
FRA does not expect to audit all of the fundamental assumptions on
which a PTC system has been developed. Instead, FRA envisions sampling
and reviewing fundamental assumptions prior to product implementation
and after operation for some time. FRA expects that the data sampled
may vary, depending upon the PTC system. It is not possible to provide
a single set of quantitative numbers applicable to all systems,
especially when systems have yet to be designed and for which the
fundamental assumptions are yet to be determined. Quantification is
part of the risk management process for each project. FRA believes that
the actual performance of the system observed during the pre-
operational testing and post-implementation phases will provide
indications of the validity of the fundamental assumptions. FRA
requires that this review process occur for the life of the PTC system
(i.e., as long as the product is kept in operation). The depth of
details required will depend upon what FRA observes. The range of
difference between a PTC system's predicted and actual performance may
indicate to FRA the validity of the underlying fundamental assumptions.
Generally, if the actual performance matches the predicted performance,
FRA believes that it will not have to extensively review the
fundamental assumptions. If the actual performance does not match
predicted performance, FRA may need to more extensively review the
fundamental assumptions.
FRA expects each subject railroad to confirm the validity of
initial assumptions by comparing them to actual in-service data. FRA is
aware that mechanical and electronic component failure rates and times
to repair are easily quantified data, and usually are kept as part of
the logistical tracking and maintenance management of a railroad. FRA
believes that this criterion will enhance the quality of risk
assessments conducted pursuant to this subpart by forcing PTC system
designers and users to consider the long-term effects of operation over
the course of the PTC system's projected life-cycle. If a PTC system
can be used beyond its design life-cycle, FRA expects that any
continued use would only occur pursuant to a waiver provided in
accordance with 49 CFR part 211 or a PTCDP or PTCSP amended in
accordance with Sec. 236.1021. In its request for waiver or request
for amendment, the railroad should address any new risks associated
with the life-cycle extension.
Paragraph (a)(8) also requires specification of the target safety
levels. This includes the identity of each potential hazard and how the
events leading to a hazard will be identified for each safety-critical
subsystem; the proposed safety integrity level of each safety-critical
subsystem, and the proposed means that accomplishment of these targets
will be evaluated. This paragraph also requires identification of the
proposed backup methods of operation and safety-critical assumptions
regarding availability of the product. FRA believes this information is
essential for making determinations about the safety of a product and
both the immediate and long-term effect of its failure. FRA contends
that availability is directly related to safety to the extent the
backup means of controlling operations involves greater risk (either
inherently or because it is infrequently practiced).
Paragraph (a)(9) requires a complete description of how the PTC
system will enforce all pertinent authorities and block signal, cab
signal, or other signal related indications. FRA appreciates that not
all PTC system architectures will seek to enforce the speed
restrictions associated with intermediate signals directly, but
nevertheless a clear description of these functions is necessary for
clarity and evaluation.
Paragraph (a)(10) requires that, if the railroad is seeking to
deviate from the requirements of section 236.1029 with respect to
movement of trains with onboard equipment that has failed en route
using the flexibility provided by paragraph (c) of that section, a
justification must be provided in the PTCDP. As proposed, paragraph (c)
of Sec. 236.1029 provided that, in order for a PTC train that operates
at a speed above 90 miles per hour to deviate from the operating
limitations contained in paragraph (b) of that section, the deviation
must be described and justified in the FRA approved PTCDP or PTCSP, or
by reference to an Order of Particular Applicability, as applicable.
For instance, if Amtrak wished to continue to operate at up to 125
miles per hour with cab signals and automatic train control in the case
of failure of onboard ACSES equipment, Amtrak would request to do so
based on the applicable language of the Order of Particular
Applicability that required installation of that system on portions of
the Northeast Corridor. Similarly, a railroad wishing more liberal
[[Page 2651]]
requirements for a high-speed rail system on a dedicated right-of-way
could request that latitude by explaining how the safety of all
affected train movements would be maintained. During the comment period
and PTC Working Group discussion, Amtrak continued to press its case
for greater flexibility, noting the long routes prevalent on its
intercity network and the trip time penalty that could be incurred with
failed equipment. Paragraph (a)(10) has been revised in the final rule
to reflect the fact that the development plan would contain
justification for any requested deviation from the requirements of
Sec. 236.1029, and that section has been further revised to permit the
agency to receive and consider specific requests and supporting
information regarding latitude such as that sought by Amtrak without
regard to speed. Instead, paragraph (a)(10) requires the railroad to
include a justification in its PTCDP, if the railroad is seeking to
deviate from the requirements of Sec. 236.1029 with respect to
movement of trains with onboard equipment that has failed en route.
Paragraph (a)(11) requires a complete description of how the PTC
system will appropriately and timely enforce all hazard detectors that
are interconnected with the PTC system in accordance with Sec.
236.1005(c)(3), as may be applicable.
Paragraph (b) specifies the approval standard that will be employed
by the Associate Administrator. APTA asserted that the NPRM offered
minimal guidance on the criteria FRA will use to accept or reject a
system. Thus, APTA suggested that FRA should draft and vet criteria
that accomplishes the basic purposes of PTC while allowing for
innovation in meeting the performance requirements envisioned in the
regulation.
The PTCDP is not expected to provide absolute assurance to the
Associate Administrator that every potential hazard will be eliminated
with complete certainty. It only needs to establish that the PTC system
meets the appropriate statutory and regulatory requirements for a PTC
system required under this subpart, and that there is a reasonable
chance that once built, it will meet the required safety standards for
its intended use. FRA emphasizes that approval of a PTCDP and issuance
of a Type Approval does not constitute final approval to operate the
product in revenue service. Such approval only comes when the Associate
Administrator issues an applicable PTC System Certification.
Paragraph (c) establishes a time limit on the validity of a Type
Approval. Provided that at least one product is certified within the 5
year period after issuance of the Type Approval, the Type Approval
remains valid until final retirement of the system. The main purpose of
this requirement is to incentivize installation, not just creation, of
a PTC system. This paragraph would also allow FRA to periodically clean
out its records relating to Type Approvals and PTCDPs for obsolete PTC
systems.
Former paragraphs (d) and (e) in this section have been moved to
Sec. 236.1015 in the final rule. Therefore, former paragraph (f) has
been redesignated as paragraph (d) in the final rule. Paragraph (d)
discusses the Associate Administrator's ability to impose any
conditions necessary to ensure the safety of the public, train crews,
and train operations when approving the PTCDP and issuing a Type
Approval. While FRA expects that adherence to the remainder of this
section's requirements should justify issuance of a Type Approval, FRA
also recognizes that there may be situations where other unaccounted
for variables may reduce the Associate Administrator's confidence in
the PTC system, its manufacturer, supplier, vendor, or operator.
The required contents of the NPI are specified in paragraph (e). As
stated earlier, FRA expects submission of an NPI temporarily in lieu of
a PTCDP only when the railroad is unable to obtain all of the
information required for a PTCDP. This will enable railroads to submit
a PTCIP on or before the statutory deadline of April 16, 2010. FRA
believes that, given the various options available to the railroads,
there are few, if any, valid reasons for not meeting the April 16,
2010, deadline for submission.
The elements that make up the NPI were carefully chosen to strike a
balance between the ability of a railroad that is unable to complete a
full PTCDP and FRA's need to fully understand the railroad's proposed
system and the reasonableness of the PTCIP contents. FRA believes that
the NPI information would be required to have been identified by the
railroad in order to develop requests for proposal from the vendor or
supplier community. Paragraph (e)(1) requires a description of the
proposed operating environment. Paragraph (e)(2) requires a description
of the concept of operations for any PTC system that will be procured
by the railroad. Paragraph (e)(3) requires a description of the target
safety levels that the railroad expects the PTC system to meet, while
paragraphs (e)(4) and (e)(5) require an explanation of how the proposed
system will integrate with the existing signal and train control
system.
Section 236.1015 PTC Safety Plan Content Requirements and PTC System
Certification
The PTCSP is the core document that provides the Associate
Administrator the information necessary to certify that the as-built
PTC system fulfills the required statutory PTC functions and is in
compliance with the requirements of this subpart. Issuance of a PTC
System Certification is contingent upon the approval of the PTCSP by
the Associate Administrator. Under this final rule, the filing and
approval of the PTCSP and issuance of a PTC System Certification is a
mandatory prerequisite for PTC system operation in revenue service.
Each PTCSP is unique to each railroad and must addresses railroad-
specific implementation issues associated with the PTC system
identified by the submitted Type Approval. Paragraph (a) provides
language explaining these meanings and limits.
Paragraph (b), which reflects the contents of proposed paragraphs
(d) and (e) in proposed Sec. 236.1013, establishes the conditions
under which a Type Approval may be used by another railroad. Paragraph
(b)(1) requires the railroad to maintain a continually updated PTC
Product Vendor List (PTCPVL) pursuant to Sec. 236.1023 to enable the
railroad and FRA to determine the appropriate vendor to contact in the
unlikely event of a safety critical failure.
The safety critical nature of PTC systems imposes strict quality
control requirements on the design and manufacturer of the system.
While FRA believes that in the vast majority of cases, the vendor or
supplier community from whom the railroads will procure PTC system
components have established the appropriate quality control systems,
there will be a very small minority who have not. Paragraph (b)(2) is
intended to mitigate against any such occurrence, to ensure that PTC
system components meet the same, uniformly high, standards. FRA is
requiring that the railroad ensure that any vendor from whom they
purchase PTC system or components has an acceptable quality assurance
program for both design and manufacturing processes.
FRA has considered comments submitted by GE, in which GE suggested
language to further clarify paragraph (b)(2) that the vendor quality
control processes for PTC systems must include the process for the
product supplier to promptly report any safety relevant failure and
previously unidentified
[[Page 2652]]
hazards to each railroad using the product. FRA believes that this
suggested language clearly specifies the importance of this requirement
to suppliers who may not already have the appropriate quality control
processes in place. Accordingly, FRA has added the recommended
language.
Paragraph (b)(3) requires the railroad to provide licensing
information. The list should include all applicable vendors or
suppliers. Through the requirements set forth in paragraph (b)(3), FRA
intends to ensure implementation of the proper technology, as opposed
to implementation of an orphan product that uses similar, yet
different, technology. When a railroad submits a previously approved
Type Approval for its PTC system, FRA expects that all the proper
licensing agreements will provide for continued use and maintenance of
the PTC system in place. To bolster FRA's confidence in this area, FRA
will require each Type Approval submission to include the relevant
licensing information. FRA recognizes that there may be various
licensing arrangements available relating to the exclusivity and
sublicensing of manufacturing or vending of a particular PTC system.
There may be other intellectual property variables that may make
arrangements even more complex. To adequately capture all applicable
arrangements, FRA is requiring the submission of ``licensing
information.'' A more specific request may preclude FRA's ability to
collect information necessary to fulfill its intent. If any of this
information were to change, either through any type of sale, transfer,
or sublicense of any right or ownership, then FRA would expect the
railroad to submit a request for amendment of its PTCDP in accordance
with Sec. 236.1021. FRA recognizes that this may be difficult for a
railroad to accomplish, given the fact that the railroad may not be
privy to any intellectual property transactions that may occur outside
its control. In any event, FRA would expect that a railroad will
ensure, either through contractual obligation or otherwise, that its
vendor or supplier will provide it with updated licensing information
on a continuing basis.
When filing a PTCSP, paragraph (c) requires each railroad to
include the applicable and approved PTCDP or, if applicable, the FRA
issued Type Approval. In addition, the railroad must describe any
changes subsequently made to the PTC system that would require
amendment of the PTCDP or assure FRA that the PTC system built is the
same PTC system described in the PTCDP and PTCSP. Some elements of the
PTCSP are the same elements as the PTCDP (and are described more fully
in the section-by-section analysis of Sec. 236.1013). If the railroad
has already submitted, and FRA has already approved, the PTCDP, then
attachment of the PTCDP to the PTCSP should fulfill this requirement.
FRA recognizes the possibility that between PTCIP or PTCDP
approval, and prior to PTCSP submission, there may be changes to the
former two documents. While such changes may only be made in accordance
with Sec. 236.1021, documentation of those changes may not be readily
apparent to the reader of the PTCSP. Further, changes in the PTCIP may
impact the contents of the PTCDP and vice versa. Accordingly, paragraph
(c)(1) requires the railroad to submit the approved PTCDP (or Type
Approval) with the corresponding PTCSP.
AAR asserted that the main purpose of the PTCIP is to document the
deployment plan and that the PTCIP will be of little value once the
implementation is complete. Accordingly, AAR asserts that there is no
need to include the PTCIP when filing either a PTCDP or PTCSP. The AAR
also asserted that since the PTCSP justifies that the PTC system was
built in accordance with the PTCDP, submission of the PTCIP information
should not be required.
FRA agrees with AAR that the main purpose of the PTCIP is to
document the deployment plan and that the PTCIP will essentially become
a historical document when the railroad has completed its PTC
implementation. Therefore, until all PTC system installations have been
completed, FRA will require the PTCIP to be kept current with the
railroad's deployment plan. However, in response to the AAR's comments,
FRA has revised paragraph (c) by removing the proposed requirement to
submit the PTCIP with the PTCDP and PTCSP.
FRA expects that each PTCSP shall include a clear and complete
description of any such changes by specifically and rigorously
documenting each variance. Paragraph (c)(2) also requires that the
PTCSP include an explanation of each variance's significance. To ensure
that there are no other existing variances not documented in the PTCSP,
the railroad must attest that there are no further variances. For the
same reason, paragraph (c)(3) requires that, if there have been no
changes to the plans or to the PTC system as intended, the railroad
must attest that there are no such variances.
The additional required railroad specific elements are as follows:
Paragraph (d)(1) requires that the PTCSP include a hazard log
comprehensively describing all hazards to be addressed during the life-
cycle of the product, including maximum threshold limits for each
hazard. For unidentified hazards, the threshold shall be exceeded at
one occurrence. In other words, if the hazard has not been predicted,
then any single occurrence of that hazard is unacceptable. The hazard
log addresses safety-relevant hazards, or incidents or failures that
affect the safety and risk assumptions of the PTC system. Safety
relevant hazards include events such as false proceed signal
indications and false restrictive signal indications. If false
restrictive signal indications occur with any type of frequency, they
could influence train crew members, roadway workers, dispatchers, or
other users to develop an apathetic attitude towards complying with
signal indications or instructions from the PTC system, creating human
factors problems.
Incidents in which stop indications are inappropriately displayed
may also necessitate sudden brake applications that may involve risk of
derailment due to in-train forces. Other unsafe or wrong-side failures
that affect the safety of the product will be recorded on the hazard
log. The intent of this paragraph is to identify all possible safety-
relevant hazards that would have a negative effect on the safety of the
product. Right-side failures, or product failures that have no adverse
effect on the safety of the product (i.e., do not result in a hazard)
would not be required to be recorded on the hazard log.
Paragraph (d)(2), which has been added to the final rule, requires
that each railroad identify the PTC system's safety assurance concepts.
When identifying the safety assurance concepts used, FRA expects the
information provided pursuant to paragraph (d)(2) will reflect the
safety requirements that govern the operation of a system; the identify
of known or potential safety hazards that may arise over the life-cycle
of the system; safety issues that may arise during the design phase of
the process; elimination or reduction of the risks posed by the hazards
identified; resolution of safety issues presented; development of a
process to track progress; and development of a program of testing and
analysis to demonstrate that safety requirements are being met.
In the proposed rule, this information was required as part of the
PTCDP. One railroad recommended that this information requirement be
completely eliminated as redundant because it is covered as part of the
product safety
[[Page 2653]]
requirements. FRA agrees that this information should not be a required
element of the PTCDP; this information should be provided as an element
of the railroad specific PTCSP, since individual railroads may elect to
require different safety assurance concepts from their vendors or
suppliers. This very same information is an integral element of the
railroad specific Product Safety Plan required by subpart H of this
part. Accordingly, FRA has revised this requirement. However, FRA does
not believe that this information is redundant. The safety assurance
concepts imposed on the vendor or supplier are procedural requirements
that drive vendor or supplier system design and mitigation strategies.
FRA believes that the importance of the safety assurance concepts
merits clear identification.
Paragraph (d)(3) requires that a risk assessment be included in the
PTCSP. FRA will use this information as a basis to confirm compliance
with the appropriate performance standard. A performance standard
specifies the outcome required, but leaves the specific measures to
achieve that outcome up to the discretion of the regulated entity. In
contrast to a design standard or a technology-based standard that
specifies exactly how to achieve compliance, a performance standard
sets a goal and lets each regulated entity decide how to meet that
goal. An appropriate performance standard should provide reasonable
assurance of safe and effective performance by making provision for:
(1) Considering the construction, components, ingredients, and
properties of the device and its compatibility with other systems and
connections to such systems; (2) testing of the product on a sample
basis or, if necessary, on an individual basis; (3) measurement of the
performance characteristics; and (4) requiring that the results of each
or of certain of the tests required show that the device is in
conformity with the portions of the standard for which the test or
tests were required. Typically, the specific process used to design,
verify and validate the product is specified in a private or public
standard. The Associate Administrator may recognize all or part of an
appropriate standard established by a nationally or internationally
recognized standard development organization.
Labor expressed concern during this rulemaking regarding FRA's
position on the treatment of wrong side failures. Wrong side failures,
which occur when a PTC system fails to properly identify the track
occupied by a train, should not be considered an acceptable risk. Such
failures, which are completely avoidable using current technology, can
result in unnecessary and risky penalty brake applications.
FRA agrees that wrong side failures introduce an element of risk in
the operation of a system. Therefore, the extent of that risk and the
consequences of the failure must be identified and carefully analyzed.
It is for that very reason that FRA is requiring that the hazard log
identify all such potential failures. The hazard mitigation analysis
required in paragraph (d)(4) must identify how each hazard in the
hazard log will be mitigated. While FRA agrees the majority of wrong
side failures can be eliminated through the application of technology,
FRA believes that the generalization that all wrong side failures can
be eliminated is not valid.
Paragraph (d)(4) requires that the PTCSP include a hazard
mitigation analysis. The hazard mitigation analysis must identify the
techniques used to investigate the consequences of various hazards and
list all hazards addressed in the system hardware and software
including failure mode, possible cause, effect of failure, and remedial
actions. A safety-critical system must satisfy certain specific safety
requirements specified by the system designer or procuring entity. To
determine whether these requirements are satisfied, the safety assessor
must determine that: (1) Hazards associated with the system have been
comprehensively identified; (2) hazards have been appropriately
categorized according to risk (likelihood and severity); (3)
appropriate techniques for mitigating the hazards have been identified;
and (4) hazard mitigation techniques have been effectively applied. See
Leveson, Nancy G., Safeware: System Safety and Computers, (Addison-
Wesley Publishing Company, 1995).
FRA does not expect that the safety assessment will prove that a
product is absolutely safe. However, the safety assessment should
provide evidence that risks associated with the product have been
carefully considered and that steps have been taken to eliminate or
mitigate them. Hazards associated with product use need to be
identified, with particular focus on those hazards found to have
significant safety effects. The risk assessment provided under
paragraph (d)(4) must include each hazard that cannot be mitigated by
system designs (e.g., human over-reliance of the automated systems) no
matter how low its probability may be. After the risk assessment, the
designer must take steps to remove them or mitigate their effects.
Hazard analysis methods are employed to identify, eliminate, and
mitigate hazards. Under certain circumstances, FRA may require an
independent third party assessment in accordance with proposed Sec.
236.1017 to review these methods as a prerequisite to FRA approval.
Paragraph (d)(5) also requires that the PTCSP address safety
Verification and Validation procedures as defined under part 236. FRA
believes that Verification and Validation for safety are vital parts of
the PTC system development process. Verification and Validation require
forward planning. Consequently, the PTCSP should identify the testing
to be performed at each stage of development and the levels of rigor
applied during the testing process. FRA will use this information to
ensure that the adequacy and coverage of the tests are appropriate.
Paragraph (d)(6) requires the railroad to include in its PTCSP the
training, qualification, and designation program for workers regardless
of whether those railroad employees will perform inspection, testing,
and maintenance tasks involving the PTC system. FRA believes many
benefits accrue from the investment in comprehensive training programs
and are fundamental to creating a safe workforce. Effective training
programs can result in fewer instances of human casualties and
defective equipment, leading to increased operating efficiencies, less
troubleshooting, and decreased costs. FRA expects any training program
will include employees, supervisors, and contractors engaged in
railroad operations, installation, repair, modification, testing, or
maintenance of equipment and structures associated with the product.
Paragraph (d)(7) requires the railroad to identify specific
procedures and test equipment necessary to ensure the safe operation,
installation, repair, modification and testing of the product in its
PTCSP. Requirements for operation of the system must be succinct in
every respect. The procedures must be specific about the methodology to
be employed for each test to be performed that is required for
installation, repair, or modification and the results thereof must be
documented. FRA will review and compare the repair and test procedures
for adequacy against existing similar requirements prescribed for
signal and train control systems. FRA intends to use this information
to ascertain whether the product will be properly installed,
maintained, tested, and repaired.
Paragraph (d)(8) requires that each railroad develop a manual
covering the requirements for the installation, periodic maintenance
and testing,
[[Page 2654]]
modification, and repair for its PTC system. The railroad's Operations
and Maintenance Manual must address the issuance of warnings and
describe the warning labels to be placed on each piece of PTC system
equipment as necessary. Such warnings include, but are not limited to:
Means to prevent unauthorized access to the system; warnings of
electrical shock hazards; cautionary notices about improper usage,
testing, or operation; and configuration management of memory and
databases. The PTCSP should provide an explanation justifying each such
warning and an explanation of why there are no alternatives that would
mitigate or eliminate the hazard for which the warning will be given.
Paragraph (d)(9) requires that the PTCSP identify the various
configurable applications of the product, since this rule mandates use
of the product only in the manner described in its PTCDP. Given the
importance of proper configuration management in safety-critical
systems, FRA believes it is essential that railroads learn of and take
appropriate configuration control of hardware and software. FRA
believes that a requirement for configuration management control will
enhance the safety of these systems and ultimately provide other
benefits to the railroad as well. Pursuant to this paragraph, railroads
will be responsible--through its applicable Operations and Maintenance
Plan and other supporting documentation maintained throughout the
system's life-cycle--for all changes to configuration of their products
in use, including both changes resulting from maintenance and
engineering control changes, which result from manufacturer
modifications to the product. Since not all railroads may experience
the same software faults or hardware failures, the configuration
management and fault reporting tracking system play a crucial role in
the ability of the railroad and the FRA to determine and fully
understand the risks and their implications. Without an effective
configuration management tracking system in place, it is difficult, if
not impossible, to fairly evaluate risks associated with a product over
its life-cycle.
Paragraph (d)(10) requires the railroad to develop comprehensive
plans and procedures for product implementation. Implementation (field
validation or cutover) procedures must be prepared in detail and
identify the processes necessary to verify that the PTC system is
properly installed and documented, including measures to provide for
the safety of train operations during installation. FRA will use this
information to ascertain whether the product will be properly
installed, maintained, and tested. FRA also believes that configuration
management should reduce disarrangement issues. Further, configuration
management will reduce the cost of troubleshooting by reducing the
number of variables and will be more effective in promoting safety.
Paragraph (d)(11) requires the railroad to provide a complete
description of the particulars concerning measures required to assure
that the PTC system, once implemented, continues to provide the
expected safety level without degradation or variation over its life-
cycle. The measures specifically provide the prescribed intervals and
criteria for the following: testing; scheduled preventive maintenance
requirements; procedures for configuration management; and procedures
for modifications, repair, replacement and adjustment of equipment. FRA
intends to use this information, among other data, to monitor the PTC
system to assure it continually functions as intended.
Paragraph (d)(12) requires that each PTCSP include a description of
each record concerning safe operation. Recordkeeping requirements for
each product are discussed in Sec. 236.1037 of this part.
Paragraph (d)(13) requires a safety analysis of unintended
incursions into a work zone. Measuring incursion risks is a key safety
risk assumption. Failing to identify incursion risk can have the effect
of making a system seem safer on paper than it actually is. The
requirements set forth in this paragraph attempt to mandate design
consideration of incursion protection at an early stage in the system
development process. The totality of the arrangements made to prevent
unintended incursions or operation at higher than authorized speed
within the work zone must be analyzed. That is, in addition to the
functions of the PTC system, the required actions for dispatchers,
train crews, and roadway workers in charge must be evaluated.
Regardless of whether a PTC system has been previously approved or
recognized, FRA will not accept a system that allows a single point
human failure to defeat the essential protection intended by the
Congress. See NTSB Recommendations R-08-05 and R-08-06. FRA believes
that exposure should be identified because increases in risk due to
increased exposure could be easily distinguished from increases in risk
due solely to implementation and use of the proposed PTC system.
In the past, little attention was given to formalizing incursion
protection procedures. Training for crews has also not been uniform
among organizations, and has frequently received inadequate attention.
As a result, a variety of procedures and techniques evolved based on
what has been observed or what just seemed correct at the time. This
lack of structure, standardization, and formal training is inconsistent
with the goal of increasing safety and regulatory efficiency.
As proposed, paragraph (d)(14) would have required a more detailed
description of any alternative arrangements provided under Sec.
236.1011(a)(10), pertaining to at grade rail-to-rail crossings. APTA
noted that the reference in this paragraph should be revised, as
section 236.1011(a)(10) does not exist. The correct reference is Sec.
236.1005(a)(1)(i).
As previously mentioned, Sec. 236.1005(a) requires each applicable
PTC system to be designed to prevent train-to-train collisions. Under
that section, FRA has established various requirements that would apply
to at-grade rail-to-rail crossings, also known as diamond crossings.
While the final rule text includes certain specific technical
requirements, it also provides the opportunity for each subject
railroad to submit an alternative arrangement providing an equivalent
level of safety as specified in an FRA approved PTCSP. Accordingly,
under paragraph (d)(14), if the railroad intends to utilize alternative
arrangements providing an equivalent level of safety to that of the
table provided under Sec. 236.1005(a)(1)(i), each PTCSP must identify
those alternative arrangements and methods, with any associated risk
reduction measures, in its PTCSP.
Paragraph (d)(15) requires a complete description of how the PTC
system will enforce mandatory directives and signal indications, unless
already addressed in the PTCDP. Paragraph (d)(16) refers to the
requirement of Sec. 236.1019(f) that the PTCSP is aligned with the
PTCIP, including any amendments.
Under Sec. 236.1007, FRA requires certain limitations on PTC
trains operating over 90 miles per hour, including compliance with
Sec. 236.1029(c). Under Sec. 236.1029(c), FRA provides railroads with
an opportunity to deviate from those limitations if the railroad
describes and justifies the deviation in its PTCDP, PTCSP, or by
reference to an Order of Particular Applicability, as applicable. Thus,
paragraph (d)(17) reminds railroads that this is one of the optional
elements that may be included in a PTCSP. This need
[[Page 2655]]
may also be addressed through review of the PTCDP.
Railroads are required under Sec. 236.1005(c) to submit a complete
description of their compliance regarding hazard detector integration
and under Sec. Sec. 236.1005(g)-(k) to submit a temporary rerouting
plan in the event of emergencies and planned maintenance. Sections
236.1007 and 236.1033 also require the submission of certain documents
and information. Paragraphs (d)(18), (d)(19), and (d)(20) remind
railroads that such requirements must be fulfilled with the submission
of the PTCSP. For example, under paragraph (d)(19), FRA expects each
temporary rerouting plan to explain the host railroad's procedure
relating to detouring the applicable traffic. In other words, FRA
expects that each temporary rerouting plan address how the host
railroad will choose the track that traffic will be rerouted onto. The
plan should explain the factors that will be considered in determining
whether and how the railroad should take advantage of temporary
rerouting. FRA remains concerned about the unnecessary commingling of
PTC and non-PTC traffic on the same track and expects each temporary
rerouting plan to address this possibility. More specifically, each
plan should describe how the railroad expects to make decisions to
reroute non-PTC train traffic onto a PTC line, especially where another
non-PTC line may be available. While FRA recognizes each railroad may
seek to use the most cost effective route, FRA expects the railroad to
also consider the level of risk associated with that route.
In paragraph (e), FRA states the criteria to which FRA will refer
when evaluating the PTCSP, depending upon the underlying technical
approach. Whereas in subpart H of this part, the safety case is
evaluated to determine whether it demonstrates, with a high degree of
confidence, that relevant risk will be no greater under the new product
than previously, the statutory mandate for PTC calls for a different
approach. In crafting this approach, FRA has attempted to limit
requirements for quantitative risk assessment to those situations where
the technique is truly needed. Regardless of the type of PTC system,
the safety case for the system must demonstrate that it will reliably
execute all of the functions required by this subpart (particularly
those provided under proposed Sec. Sec. 236.1005 and 236.1007). With
this foundation, the additional criteria that must be met depend upon
the type of PTC technology to be employed.
It is FRA's understanding that PTC systems may be categorized as
one of the following four system types: non-vital overlay; vital
overlay; stand-alone; and mixed. Initially, however, all PTC systems
will have some features that are not fully fail-safe in nature, even if
onboard processing and certain wayside functions are fully fail-safe.
Common causes include surveying errors of the track database, errors in
consist weight or makeup from the railroad information technology
systems, and the crew input errors of critical operational data. To the
extent computer-aided dispatching systems are the only check on
potential dispatcher error in the creation or inappropriate
cancellation of mandatory directives, some room for undetected wrong-
side failure will continue to exist in this function as well.
Paragraph (e)(1) specifies the required behavior for non-vital
overlay systems. Based on previous experience with non-vital systems,
FRA believes it is well within the technical capability of the
railroads to reduce the level of risk on any particular track segment
to a level of risk 80% lower than the level of risk prior to
installation of PTC on that segment. For subsequent PTC system
installations on the same track segment, FRA recognizes that requiring
an additional 80% improvement may not be technically or economically
practical. Therefore, FRA is only requiring that an entity installing
or a modifying an existing PTC system demonstrate that the level of
safety is equal to, and preferably greater than, the level of safety of
the prior PTC system. The risk that must be reduced is the risk against
which the PTC functionalities are directed, assuming a high level of
availability. Note that the required functionalities themselves do not
call for elimination of all risk of mishaps. It is scope of risk
reduction that the functionalities describe that becomes the 100%
universe which is the basis of comparison. Although it is understood
that the system will endeavor to eliminate 100% of this risk--meaning
that if the system worked as intended every time and was always
available, 100% of the target risk would be eliminated--the analysis
will need to account for cases where wrong side failure of the
technology is coincident with a human failure potentially induced by
reliance on the technology. Since, within an appropriate conservative
engineering analysis (i.e., pro forma analysis), non-vital processing
has the theoretical potential to result in more failures than will
typically be experienced, a 20% margin is provided. In preparing the
PTCSP, the railroad should affirmatively address how training and
oversight--including programs of operational testing under 49 CFR
217.9--will reduce the potential for inappropriate reliance by those
charged with functioning in accordance with the underlying method of
operation.
The 80% reduction in risk for PTC preventable accidents must be
demonstrated by an appropriate risk analysis acceptable to the
Associate Administrator and must address all intended track segments
upon which the system will be installed. Again, FRA does not expect, or
require, that these types of systems will prevent all wrong side
failures. However, FRA expects that the systems will be designed to be
robust, all pertinent risk factors (including human factors) will be
fully addressed, and that no corners will be cut to ``take advantage''
of the nominal allowance provided for non-vital approaches. FRA also
encourages those using non-vital approaches to preserve as much as
possible the potential for a transition to vital processing.
The Rail Labor Organizations believe that FRA's position is
inconsistent with safety. Wrong side failures occur when a PTC system
fails to properly identify the track occupied by a train. According to
the RLO, such failures, which are completely avoidable using current
technology, can result in unnecessary penalty braking applications that
risk causing train handling derailments due to in-train forces and may
also cause a PTC system to fail to enforce a necessary stop. As such,
the RLO believe that wrong side failures should not be considered an
acceptable risk. Again, FRA is sympathetic in principle to the RLO
concern. However, no signal or train control system is wholly without
the potential for a wrong side failure; and the key to limiting their
occurrence is identifying the potential and crafting mitigations where
possible. Built on the foundation of existing methods of operation, PTC
systems will drastically reduce unsafe events by providing a safety net
for occasional human errors. It would be unwise to defer the promise of
PTC technologies by demanding perfection and thereby permit accidents
and casualties to continue.
Paragraph (e)(2) addresses vital overlays. Unlike a non-vital
system, the vital system must be designed to address, at a minimum, the
factors delineated in Appendix C. The railroad and their vendors or
suppliers are encouraged to carry out a more thorough design analysis
addressing any other potential product specific hazards. FRA cannot
overemphasize that vital overlay system designs must be fully designed
to address the factors contained in
[[Page 2656]]
Appendix C. The associated risk analysis supporting this design
analysis demonstrating compliance may be accomplished using any of the
risk analysis approaches in subpart H, including abbreviated risk
analysis.
Paragraph (e)(3) addresses stand-alone PTC systems that are used to
replace existing methods of operations. The PTCSP design and risk
analysis submitted to the Associate Administrator must show that the
system does not introduce any new hazards that have not been acceptably
mitigated, based upon all proposed changes in railroad operation. GE
proffered the suggestion that when the stand-alone system is created
using proven principles of vital signaling, assessing the system risk
is straightforward and not significantly different than with the vital
overlay system. The importance of system availability and risk under
operations in contingent mode become more significant factors. FRA
agrees, but believes that the one of the fundamental issues that the
agency must reconcile is the value of appropriately capturing these
principles in new systems and with new technologies without
artificially restricting their use. FRA must accordingly exercise great
care when evaluating the safety cases presented to it, regardless of
the type (overlay, stand-alone, or mixed).
While FRA believes that a comprehensive safety analysis will be
required for all systems, since it must provide sufficient information
to the Associate Administrator to make a decision with a high degree of
confidence, the required analysis for stand-alone systems is much more
comprehensive than that required for vital overlay systems because it
must provide sufficient information to the Associate Administrator to
make a decision with a high degree of confidence. FRA will therefore
exercise greater oversight when it uniquely and separately considers
each request for stand-alone operations, and will render decisions in
the context of the proposed operation and the associated risks. FRA
recognizes that application of this standard to a new rail system for
which there is no clear North American antecedent could present a
conceptual challenge.
Paragraph (e)(4) addresses mixed systems (i.e., systems that
include a combination of the systems identified in paragraphs (e)(1)
through (e)(3). Because of the inherent complexity of these systems,
FRA will determine an appropriate approach for demonstrating compliance
after consultation with the railroad. Any approach will, of course,
require that the system perform the PTC requirements set forth in
Sec. Sec. 236.1005 and 236.1007.
Paragraph (f) discusses the factors that the Associate
Administrator will consider in reviewing the PTCSP. In general, PTC
systems will have some features that are not fail-safe in nature.
Examples include surveys of the track database, errors in consist data
from the railroad such as weight and makeup, and crew input errors. FRA
participation in the design and testing of the PTC system product helps
FRA to better understand the strengths and weaknesses of the product
for which approval is requested, and facilitates the approval process.
The railroad must establish through safety analysis that its
assertions are true. This standard places the burden on the railroad to
demonstrate that the safety analysis is accurate and sufficiently
supports certification of the PTC system. The FRA Associate
Administrator will determine whether the railroad's case has been made.
As provided in subpart H, FRA believes that final agency determinations
under this new subpart I should also be made at the technical level,
rather than the policy level, due to the complex and sometimes esoteric
subject matters associated with risk analysis and evaluation. This is
particularly appropriate in light of the RSIA08's designation of the
Associate Administrator for Railroad Safety as the Chief Safety Officer
of FRA. When considering the PTC system's compliance with recognized
standards in product development, FRA will weigh appropriate factors,
including: the use of recognized standards in system design and safety
analyses; the acceptable methods in risk estimates; the proven safety
records for proposed components; and the overall complexity and novelty
of the product design. In those cases where the submission lacks
information the Associate Administrator deems necessary to make an
informed safety decision, FRA will solicit the data from the railroad.
If the railroad does not provide the requested information, FRA may
determine that a safety hazard exists. Depending upon the amount and
scope of the missing data, PTCSP approval, and the subsequent system
certification, may be denied.
While paragraph (f) summarizes how FRA intends to evaluate the risk
analysis, paragraph (g) applies specifically to cases where a PTC
system has already been installed and the railroad subsequently wants
to install in a new PTC system. Paragraph (g) re-emphasizes that FRA
policy regarding the safety of PTC systems is not, and cannot expect to
be, static. Rather, FRA policy may evolve as railroad operations
evolve, operating rules are refined, related hazards are addressed
(e.g., broken rails), and other readily available options for risk
reduction emerge and become more affordable. FRA embraces the concept
of progressive improvement and expects that when new systems are
installed to replace existing systems that actual safety outcomes equal
or exceed those for the existing systems.
Finally, paragraph (h) emphasizes the need for the PTCSP to
carefully document all potential sources of error that can be
introduced into the system and their corresponding mitigation
strategies. FRA reserves the right to require quantitative, as opposed
to qualitative risk assessments, especially in cases where there is
significant residual risk or changes to the method of operations.
Section 236.1017 Independent Third Party Review of Verification and
Validation
As previously noted in the discussion regarding Sec. 236.1009(e),
FRA may require a railroad to engage in an independent assessment of
its PTC system. In the event an independent assessment is required,
this section describes the applicable rules and procedures.
Paragraph (a) establishes factors considered by FRA when requiring
a third-party assessment. FRA will attempt to make a determination of
the necessary level of third party assessment as early as possible in
the approval process. However, based on issues that may arise during
the development and testing processes, or during the detailed technical
reviews of the PTCDP and PTCSP, FRA may deem it necessary to require a
third party assessment at any time during the review process.
Paragraph (b) is intended to make it clear that it is FRA that will
make the determination of the acceptability of the independence of the
third party to avoid any potential issues downstream regarding the
acceptability of the assessor's independence. If a third party
assessment is required, then each railroad is encouraged to identify in
writing what entity it proposes to utilize as its third party assessor.
Compliance with paragraph (b) is not mandatory. However, if FRA
determines that the railroad's choice of a third party does not meet
the level of independence contemplated under paragraph (c), then the
railroad will be obligated to have the assessment repeated, at its
expense, until it has been completed by a third party suitable to FRA.
[[Page 2657]]
Paragraph (c) provides a definition of the term ``independent third
party'' as used in this section. It limits independent third parties to
those that are compensated by the railroad or an association on behalf
of one or more railroads that is independent of the PTC system
supplier. FRA believes that requiring the railroad to compensate a
third party will heighten the railroad's interest in obtaining a
quality analysis and will avoid ambiguous relationships between
suppliers and third parties that could indicate possible conflicts of
interest.
Paragraph (d) explains that the minimum requirements of a third
party audit are outlined in Appendix F and that FRA has discretion to
the limit the extent of the third party assessment. As the criteria in
Appendix F are, for the most part, technology neutral, FRA has adopted
them with minor changes, for use with both subparts H and I of this
part. FRA intends to limit the scope of the assessment to areas of the
safety Verification and Validation as much as possible, within the
bounds of FRA's regulatory obligations. This will allow reviewers to
focus on areas of greatest safety concern and eliminate any unnecessary
expense to the railroad. In order to limit the number of third-party
assessments, FRA first strives to inform the railroad as to what
portions of a submittal could be amended to avoid the necessity and
expense of a third-party assessment altogether. However, FRA wishes to
make it clear that Appendix F represents minimum requirements and that,
if circumstances warrant, FRA may expand upon the Appendix F
requirements as necessary to enable FRA to render a decision that is in
the public interest (i.e., if FRA is unable to certify the system
without the additional information).
Section 236.1019 Main Line Track Exceptions
The RSIA08 generally defines ``main line'' as ``a segment of
railroad tracks over which 5,000,000 or more gross tons of railroad
traffic is transported annually. See 49 U.S.C. 20157(i)(2). However,
FRA may also define ``main line'' by regulation ``for intercity rail
passenger transportation or commuter rail passenger transportation
routes or segments over which limited or no freight railroad operations
occur.'' See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes
that there may be circumstances where certain statutory PTC system
implementation and operation requirements are not practical and provide
no significant safety benefits. In those circumstances, FRA will
exercise its statutory discretion provided under 49 U.S.C.
20157(i)(2)(B).
In accordance with the authority provided by the statute and with
carefully considered recommendations from the RSAC, FRA will consider
requests for designation of track over which rail operations are
conducted as ``other than main line track'' for passenger and commuter
railroads, or freight railroads operating jointly with passenger or
commuter railroads. Such relief may be granted only after request by
the railroad or railroads filing a PTCIP and approval by the Associate
Administrator.
Paragraph (a), therefore, requires the submittal of a main line
track exclusion addendum (MTEA) to any PTCIP filed by a railroad that
seeks to have any particular track segment deemed as other than main
line. Since the statute only provides for such regulatory flexibility
as it applies to passenger transportation routes or segments where
limited or no freight railroad operations occur, only a passenger
railroad may file an MTEA as part of its PTCIP. This may include a
PTCIP jointly filed by freight and passenger railroads. In fact, FRA
expects that in the case of joint operations, only one MTEA should be
agreed upon and submitted by the railroads filing the PTCIP. After
reviewing a submitted MTEA, FRA may provide full or conditional
approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries,
use, and characterization of the trackage for which exclusion is
requested. When describing each track's use and characterization, FRA
expects the requesting railroad or railroads to include copies of the
applicable track and signal charts. Ultimately, FRA expects each MTEA
to include information sufficiently specific to enable easy segregation
between main line track and non-main line track. In the event the
railroad subsequently requests additional track to be considered for
exclusion, a well-defined MTEA should reduce the amount of future
information required to be submitted to FRA. Moreover, if FRA decides
to grant only certain requests in an MTEA, the portions of track for
which FRA has determined should remain considered as main line track
can be easily severed from the MTEA. Otherwise, the entire MTEA, and
thus its concomitant PTCIP, may be entirely disapproved by FRA,
increasing the risk of the railroad or railroads not meeting its
statutory deadline for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a
justification for such designation in accordance with paragraphs (b) or
(c) of this section.
Paragraph (b) specifically addresses the conditions for relief for
passenger and commuter railroads with respect to passenger-only
terminal areas. As noted previously in the analysis of Sec.
236.1005(b), any track within a yard used exclusively by freight
operations moving at restricted speed is excepted from the definition
of main line. In those situations, operations are usually limited to
preparing trains for transportation and do not usually include actual
transportation. This automatic exclusion does not extend to yard or
terminal tracks that include passenger operations. Such operations may
also include the boarding and disembarking of passengers, heightening
FRA's sensitivity to safety. Moreover, while FRA could not expend its
limited resources to review whether a freight-only yard should be
deemed other than main line track, FRA believes that the relatively
lower number of passenger yards and terminals would allow for such
review. Accordingly, FRA believes that it is appropriate to review
these circumstances on a case-by-case basis.
During the PTC Working Group discussions, the major passenger
railroads requested an exception for tracks in passenger terminal areas
because of the impracticability of installing PTC. These are locations
where signal systems govern movements over very complex special track
work divided into short signal blocks. Operating speeds are low (not to
exceed 20 miles per hour), and locomotive engineers moving in this
environment expect conflicting traffic and restrictive signals.
Although low-speed collisions do occasionally occur in these
environments, the consequences are low; and the rate of occurrence is
very low in relation to the exposure. It is the nature of current-
generation PTC systems to use conservative braking algorithms.
Requiring PTC to govern short blocks in congested terminals would add
to congestion and frustrate efficient passenger service, in the
judgment of those who operate these railroads. The density of wayside
infrastructure required to effect PTC functions in these terminal areas
would also be exceptionally costly in relation to the benefits
obtained. FRA agrees that technical solutions to address these concerns
are not presently available. FRA does believe that the appropriate role
for PTC in this context is to enforce the maximum allowable speed
(which is presently accomplished in cab signal territory through use of
automatic speed control, a practice which could continue where already
in place).
[[Page 2658]]
If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2),
or (b)(3), as applicable, as well as conditions attached to the
approval, must be strictly adhered to.
Under paragraph (b)(1), relief under paragraph (b) is limited to
operations that do not exceed 20 miles per hour. The PTC Working Group
agreed upon the 20 miles per hour limitation, instead of requiring
restricted speed, because the operations in question will be by signal
indication in congested and complex terminals with short block lengths
and numerous turnouts. FRA agrees with the PTC Working Group that the
use of restricted speed in this environment would unnecessarily
exacerbate congestion, delay trains, and diminish the quality of rail
passenger service.
Moreover, when trains on the excluded track are controlled by a
locomotive with an operative PTC onboard apparatus that PTC system
component must enforce the regulatory speed limit or actual maximum
authorized speed, whichever is less. While the actual track may not be
outfitted with a PTC system in light of an MTEA approval, FRA believes
it is nevertheless prudent to require such enforcement when the
technology is available on the operating locomotives. This can be
accomplished in cab signal territory using existing automatic train
stop technology and outside of cab signal territory by mapping the
terminal and causing the onboard computer to enforce the maximum speed
allowed.
FRA also limits relief under paragraph (b)(2) to operations that
enforce interlocking rules. Under interlocking rules, trains are
prohibited from moving in reverse directions without dispatcher
permission on track where there are no signal indications. FRA believes
that such a restriction will minimize the potential for a head-on
impact.
Also, under paragraph (b)(3), such operations are only allowed in
yard or terminal areas where no freight operations are permitted. While
the definition of main line may not include yard tracks used solely by
freight operations, FRA is not extending any relief or exception to
tracks within yards or terminals shared by freight and passenger
operations. The collision of a passenger train with a freight consist
is typically a more severe condition because of the greater mass of the
freight equipment. However, FRA did receive a comment suggesting some
latitude within terminals when passenger trains are moving without
passengers (e.g., to access repair and servicing areas). FRA agrees
that low-speed operations under those conditions should be acceptable
as trains are prepared for transportation. FRA has not included a
request by Amtrak (discussed below) to allow movements within major
terminals at up to 30 miles per hour in mixed passenger and freight
service, which appears in FRA's judgment to fall outside of the
authority to provide exclusions conferred on FRA by the law.
Paragraph (c) provides the conditions under which joint limited
passenger and freight operations may occur on defined track segments
without the requirement for installation of PTC. Under Sec. 236.1003
(Definitions), ``limited operations'' is defined as ``operations on
main line track that have limited or no freight operations and are
approved to be excepted from this subpart's PTC system implementation
and operation requirements in accordance with Sec. 236.1019(c). This
paragraph provides five alternative paths to the main line exception,
three of which were contained in the proposed rule and a fourth and
fifth that responds to comments on the proposed rule.
The three alternatives derived from the NPRM are set forth in
paragraph (c)(1). First, under paragraph (c)(1), an exception may be
available where both the freight and passenger trains are limited to
restricted speed. Such operations are feasible only for short
distances, and FRA will examine the circumstances involved to ensure
that the exposure is limited and that appropriate operating rules and
training are in place.
Second, under paragraph (c)(1)(ii), FRA will consider an exception
where temporal separation of the freight and passenger operations can
be ensured. A more complete definition of temporal separation is
provided in paragraph (e). Temporal separation of passenger and freight
services reduces risk because the likelihood of a collision is reduced
(e.g., due to freight cars engaged in switching that are not properly
secured) and the possibility of a relatively more severe collision
between a passenger train and much heavier freight consist is obviated.
Third, under paragraph (c)(1)(iii), FRA will consider commingled
freight and passenger operations provided that a jointly agreed risk
analysis is provided by the passenger and freight railroads, and the
level of safety is the same as that which would be provided under one
of the two prior options selected as the base case. FRA requested
comments on whether FRA or the subject railroad should determine the
appropriate base case, but received none. FRA recognizes that there may
be situations where temporal separation may not be possible. In such
situations, FRA may allow commingled operations provided the risk to
the passenger operation is no greater than if the passenger and freight
trains were operating under temporal separation or with all trains
limited to restricted speed. For an exception to be made under
paragraph (c)(3), FRA requires a risk analysis jointly agreed to and
submitted by the applicable freight and passenger services. This
ensures that the risks and consequences to both parties have been fully
analyzed, understood, and mitigated to the extent practical. FRA would
expect that the moving party would elect a base case offering the
greatest clarity and justify the selection.
Comments on the proposed rule generally supported the
aforementioned exclusions or were silent.
In its comments on the NPRM, Amtrak requested further relief
relating to lines requiring the implementation and operation of a PTC
system due solely to the presence of light-density passenger traffic.
According to Amtrak, the defining characteristic of light-density lines
is the nature of the train traffic; light-density patterns on these
lines lead to a correspondingly low risk of collision. Amtrak also
asserted that, due to relatively limited wear and tear from lower
traffic densities, these lines often have fewer track workers on site,
further reducing the chance of collisions and incursions into work
zones. Thus, states Amtrak, one of the principal reasons for installing
PTC--collision avoidance--is a relatively low risk on many light
density lines. With only marginal safety benefits anticipated from PTC
use in such applications, Amtrak believed that there may be minimal
justification for installing PTC on certain light-density lines.
Amtrak further noted that FRA itself had concluded that the costs
of PTC generally exceed its benefits, and Amtrak urged that this may be
even more so on light-density lines. Amtrak believed that Congress
understood this issue and thus created the regulatory flexibility for
the definition of ``main line'' for passenger routes found at 49 U.S.C.
20157(i)(2)(B) as a means to allow the Secretary to exempt certain
routes from the PTC mandate. According to Amtrak, this provision
essentially allows the Secretary to define certain passenger routes
with limited or no freight traffic as other than ``main line,'' thereby
effectively exempting such lines from the reach of the PTC mandate
because the mandate only applies to railroad operations over ``main
line[s].'' Said another way, urged Amtrak, the provision allows the
Secretary the freedom to decide in what circumstances such routes
should be considered ``main lines'' and thus be
[[Page 2659]]
required to install PTC-pursuant to whatever factors the Secretary
deems appropriate through the rulemaking process.
Amtrak urged that the Secretary should use this flexibility to
limit which passenger routes it defines as ``main lines'' to those
deemed to warrant the use of PTC using the FRA's usual risk-based
approach to safety regulation and traditional measures of
reasonableness, costs, and benefits. Amtrak posited that such a risk-
based analysis by FRA would likely lead to the conclusion that PTC is
simply not needed on many light-density lines over which passenger
trains currently operate. Amtrak therefore asked that FRA exercise this
authority by working with Amtrak and the rail industry to exempt
certain light density freight lines which host passenger traffic from
the obligation to install PTC where operating and safety conditions do
not warrant an advanced signal system.
Should FRA choose not to exempt some of these light density freight
lines over which passenger trains operate, Amtrak felt that the high
costs of full PTC systems will be passed on to the passenger and
freight operators of these routes. According to Amtrak, this obligation
could threaten the continuation of intercity passenger rail service on
several routes, including lines in California, Colorado, Kansas, Maine,
Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North
Dakota, Vermont, and Virginia, on what are potentially light density
lines. Additionally, states Amtrak, this obligation, where it can be
financed, could force the diversion of significant capital dollars away
from essential safety investments in track and other infrastructure
improvements, which are typically the leading safety risks for such
light-density operations. According to Amtrak, the cost of PTC
installation on these lines may be so out of proportion to the benefit
that Amtrak's service will need to be rerouted onto a different line
(e.g., to a Class I line with PIH materials) if a reroute option
exists, or eliminated entirely because there is no feasible alternate
route and no party is willing or able to bear the cost of installing
PTC on the existing route. The defining characteristic of light-density
lines is the nature of the train traffic: Low density patterns on these
lines lead to a correspondingly low risk of collision.
According to the Amtrak testimony, the ``limited operations
exception'' in subsection 236.1019(c) of the NPRM did not provide a
practical solution to the problem created by defining all light-density
routes and terminal areas with passenger service as ``main lines.''
Amtrak stated that this subsection would arguably require installation
of PTC on most of the trackage and locomotives of the Terminal Railroad
Association of St. Louis (TRRA) unless: (1) The entire terminal
operates at restricted speed (which TRRA is unlikely to agree to); (2)
passenger and freight trains are temporally separated (which would not
be practical on TRRA, and is unlikely to be practical on any of the
light-density lines over which Amtrak operates, due to the 24/7 nature
of railroad operations); or (3) a risk mitigation plan can be effected
that would achieve a level of safety not less than would pertain if all
operations on TRRA were at restricted speed or subject to temporal
separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a
risk analysis-based definition of ``main line'' passenger routes that
excludes light-density lines on which the installation of PTC is not
warranted; and (b) with respect to freight terminal areas in which
passenger trains operate, that the FRA modify the limited operations
exception in subsection 236.1019(c) to require that all trains be
limited to 30 miles per hour rather than to restricted speed, or that
non-PTC equipped freight terminals be deemed as other than ``main
lines'' so long as all passenger operations are pursuant to signal
indication and at speeds not greater than 30 miles per hour (with
speeds reduced to not greater than restricted speed on unsignaled
trackage or if the signals should fail).
FRA believes that Amtrak's request is much broader than
contemplated by the law. FRA notes that TRRA is a very busy terminal
operation. FRA does not believe that the ``limited freight operations''
concept is in any way applicable under those circumstances. Nor is
there any indication in law that FRA was expected to fall back to
traditional cost-benefit principles in relation to PTC and scheduled
passenger service. However, there are a number of Amtrak routes with
limited freight operations that will not otherwise be equipped with PTC
because they are operated by other than Class I railroads. Further,
there are some Class I lines with less than 5 million gross tons, or no
PIH, that also warrant individualized review to the extent Amtrak and
the host railroad might elect to propose it.
Accordingly, in response to the Amtrak comments, paragraphs (c)(2)
and (c)(3) have been added to the final rule to provide an option by
which certain additional types of limited passenger train operations
may qualify for a main line track exception where freight operations
are also suitably limited and the circumstances could lead to
significant hardship and cost that might overwhelm the value of the
passenger service provided. Paragraph (c)(2) deals with lines where the
host is not a Class I freight railroad, describing characteristics of
track segments that might warrant relief from the requirement to
install PTC. Paragraph (c)(2)(i) pertains to passenger service
involving up to four regularly scheduled passenger trains during a
calendar day over a segment of unsignaled track on which less than 15
million gross tons of freight traffic is transported annually.
Paragraph (c)(2)(ii) pertains to passenger service involving up to
twelve regularly scheduled passenger trains during a calendar day over
a segment of signaled track on which less than 15 million gross tons of
freight traffic is transported annually. In FRA's experience, four
trains per day in unsignaled territory and twelve trains per day in
signaled territory can be expected to be handled safely in combination
with 15 million gross tons of freight traffic if the operations are
carefully scrutinized and appropriate mitigation measures are taken to
accommodate the particular operating environment in question. Paragraph
(c)(2) derived indirectly from discussions in the RSAC in response to
comments by Amtrak set forth above. The PTC Working Group proposed an
exception that might have been available anywhere an intercity or
commuter railroad operated over a line with 5 million gross tons of
freight traffic, including Class I lines and the lines of the intercity
or commuter railroad. This would have opened the potential for a
considerable exception for lines with very light freight density under
circumstances not thoroughly explored in the short time available to
the working group (e.g., on commuter rail branch lines, low density
track segments on Class I railroads, etc.).
Subsequent to the RSAC activities, Amtrak notified FRA that its
conversations with Class II and III railroads, whose lines have been at
the root of the Amtrak comments, revealed that some of the situations
involved freight traffic exceeding 5 million gross tons, potentially
rendering the exception ineffective for this purpose. At the same time,
FRA noted that the policy rationale behind the proposed additional
exception was related as much to the inherent difficulty associated
with PTC installation during the initial period defined by law, given
that the railroads identified by Amtrak were for the most part very
small operations with limited technical
[[Page 2660]]
capacity and limited safety exposure. It was clear that in these cases
care would need to be taken to analyze collision risk and potentially
require mitigations.\7\ Accordingly, FRA has endeavored to address the
concern brought forward by Amtrak with a provision that is broad enough
to permit consideration of actual circumstances, limit this particular
exception to operations over railroads that would not otherwise need to
install PTC (e.g., Class II and III freight railroads), provide for a
thorough review process, and make explicit reference to the potential
requirement for safety mitigations. In this regard, FRA has chosen 15
million gross tons as a threshold that should accommodate situations
where Amtrak trains will, in actuality, face few conflicts with freight
movements (i.e., requiring trains to clear the main line for meets and
passes or to wait at junctions) and where mitigations are in place or
could be put in place to establish a high sense of confidence that
operations will continue to be conducted safely. FRA believes that less
than 15 million gross tons represents a fair test of ``limited freight
operations'' for these purposes, with the further caveat that specific
operating arrangements will be examined in each case. FRA emphasizes
that this is not an entitlement, but an exclusion for which the
affected railroads will need to make a suitable case.
---------------------------------------------------------------------------
\7\ An example of an existing mitigation, which is provided to
support service quality but also supports safety, is the practice of
one Class III Amtrak host and its connecting freight partner to hold
out fleeted empty coal trains off the Class III property during the
period that Amtrak is running. While not constituting strict
``temporal separation,'' it does significantly reduce collision risk
over the route.
---------------------------------------------------------------------------
Amtrak also provided to FRA a spreadsheet identifying each of its
route segments with attributes such as route length, freight tonnage,
number of Amtrak trains, and numbers of commuter trains. FRA further
reviewed this information in light of Amtrak's request for main track
exceptions. FRA noted a number of segments of the Amtrak system on
Class I railroads where the number of Amtrak trains was low and the
freight tonnage was also low (less than 15 million gross tons). Each of
these lines, with the exception of one 33-mile segment, is signalized.
FRA further noted that, with both Amtrak and Class I railroad
locomotives equipped for PTC, use of partial PTC technology (e.g.,
monitoring of switches where trains frequently clear) should be
available as a mitigation for collision risk. Accordingly, in paragraph
(c)(3), FRA has provided a further narrow exception for Class I lines
carrying no more than four intercity or commuter passenger trains per
day and cumulative annual tonnage of less than 15 million gross tons,
subject to FRA review. The limit of four trains takes into
consideration that it is much less burdensome to equip the wayside of a
Class I rail line than to install a full PTC system on a railroad that
would not otherwise require one. Again, the exception is not automatic,
and FRA's approval of a particular line segment would be discretionary.
Any Class I line carrying both 5 million gross tons and PIH traffic
would, of course, not be eligible for consideration.\8\
---------------------------------------------------------------------------
\8\ Freight tonnage on Amtrak lines varies from zero on two
segments to over 150 million gross tons. On a per-mile basis, 15
million gross tons falls into the twenty-first percentile of Amtrak
track miles. The candidate lines on the Class I system comprise
about 6% of Amtrak's route structure.
---------------------------------------------------------------------------
The new paragraph (d) makes clear that FRA will carefully review
each proposed main track exception and may require that it be supported
by appropriate hazard analysis and mitigations. FRA has previously
vetted through the RSAC a Collision Hazard Analysis Guide that can be
useful for this purpose. If FRA determines that freight operations are
not ``limited'' as a matter of safety exposure or that proposed safety
mitigations are inadequate, FRA will deny the exception.
Paragraph (e) (formerly paragraph (d) in the proposed rule)
provides the definition of temporal separation with respect to
paragraph (c)(2). The temporal separation approach is currently used
under the FRA-Federal Transit Administration Joint Policy on Shared
Use, which permits co-existence of light rail passenger services
(during the day) and local freight service (during the nighttime). See
Joint Statement of Agency Policy Concerning Shared Use of the Tracks of
the General Railroad System by Conventional Railroads and Light Rail
Transit Systems, 65 FR 42,526 (July 10, 2000); FRA Statement of Agency
Policy Concerning Jurisdiction Over the Safety of Railroad Passenger
Operations and Waivers Related to Shared Use of the Tracks of the
General Railroad System by Light Rail and Conventional Equipment, 65 FR
42,529 (July 10, 2000). Conventional rail technology and secure
procedures are used to ensure that these services do not commingle.
Amtrak representatives in the PTC Working Group were confident that
more refined temporal separation strategies could be employed on
smaller railroads that carry light freight volumes and few Amtrak
trains (e.g., one train per day or one train per day in each
direction). The Passenger Task Force agreed. The UTA also supported the
temporal separation exception under former paragraph (d), having stated
that temporal separation is important in the operations of many
commuter and intercity passenger railroad carriers.
Paragraph (f) (paragraph (e) in the proposed rule) ensures that by
the time the railroad submits its PTCSP, no unapproved changes have
been made to the MTEA and that the PTC system, as implemented, reflects
the PTCIP and its MTEA. Under this final rule, the PTCSP must reflect
the PTCIP, including its MTEA, as it was approved or how it has been
modified in accordance with Sec. 236.1021. FRA believes that it is
also important that the railroad attest that no other changes to the
documents or to the PTC system, as implemented, have been made.
FRA understands that, as a railroad implements its PTC system in
accordance with its PTCIP or even after it receives PTC System
Certification, the railroad may decide to modify the scope of which
tracks it believes to be other than main line. To effectuate such
changes, paragraph (g) requires FRA review. In the case that the
railroad believes that such relief is warranted, the railroad may file
in accordance with Sec. 236.1021 a request for amendment of the PTCIP,
which will eventually be incorporated into or referenced by the PTCSP
upon PTCSP submission. Each request, however, must be fully justified
to and approved by the Associate Administrator before the requested
change can be made to the PTCIP. If such a RFA is submitted
simultaneously with the PTCSP, the RFA may not be approved, even if the
PTCSP is otherwise acceptable. A change made to an MTEA subsequent to
FRA approval of its associated PTCIP that involves removal or reduction
in functionality of the PTC system will be treated as a material
modification. In keeping with traditional signaling principles, such
requests must be formally submitted for review and approval by FRA.
Section 236.1021 Discontinuances, Material Modifications, and
Amendments
FRA recognizes that, after submittal of a plan or implementation of
a train control system, the subject railroad may have legitimate
reasons for making changes in the system design and the locations where
the system is installed. In light of the statutory and regulatory
mandates, however, FRA believes that the railroad should be required to
request FRA approval prior to effectuating certain changes. Section
236.1021 provides the scope and
[[Page 2661]]
procedure for requesting and approving those changes. For example, all
requests for covered changes must be made in a request for amendment
(RFA) of the subject PTC system or plan. While Sec. 236.1021 includes
lengthy descriptions of what changes may, or may not, require FRA
approval, there are various places elsewhere in subpart I that also
require the filing of a RFA.
Paragraph (a) requires FRA approval prior to certain PTC system
changes. FRA expects that if a railroad wants to make a PTC system
change covered by subpart I, then any such change would result in
noncompliance with one of the railroad's plans approved under this
subpart. For instance, if a railroad seeks to modify the geographical
limits of its PTC implementation, such changes would not be reflected
in the PTCIP. Accordingly, under paragraph (a), after a plan is
approved by FRA and before any change is made to the PTC system's
development, implementation, or operation, the railroad must file a RFA
to the subject plan.
FRA considers an amendment to be a formal or official change made
to the PTC system or its associated PTCIP, PTCDP, or PTCSP. Amendments
can add, remove, or update parts of these documents, which may reflect
proposed changes to the development, implementation, or operation of
its PTC system. FRA believes that an amending procedure provides a
simpler and cleaner option than requiring the railroad to file an
entirely new plan.
While the railroad may develop a RFA without FRA input or
involvement, FRA believes that it is more advantageous for the railroad
to informally confer with FRA before formally submitting its RFA. If
FRA is not involved in the drafting process, FRA may not have a
complete understanding of the system, making it difficult for FRA to
evaluate the impact of the proposed changes on public safety. After RFA
submission, all applicable correspondence between FRA and the railroad
must be made formally in the associated docket, as further discussed
below. In such a situation, FRA's review may take a significantly
longer time than usual. If FRA continues to not understand the impact,
it may request a third party audit, which would only further delay a
decision on the request. Accordingly, FRA believes it is more
advantageous for the railroad drafting an RFA to informally confer with
FRA before its formal submission of the change request. The railroad
would then be provided an opportunity to discuss the details of the
change and to assure FRA's understanding of what the railroad wishes to
change and of the change's potential impact.
Under paragraph (b), once the RFA is approved, the railroad shall
adopt those changes into the subject plan and immediately ensure that
its PTC complies with the plan, as amended. FRA expects that each PTC
system accurately reflects the information in its associated approved
plans. FRA believes that this requirement will also incentivize
railroads to make approved changes as quickly as possible. Otherwise,
if a railroad delays in implementing the changes reflected in an
approved RFA, FRA may find it difficult to enforce its regulations
until implementation is completed, since the plans and PTC system do
not accurately and adequately reflect each other. In such
circumstances, a railroad may be assessed a civil penalty for violating
its plan or for falsifying records.
Any change to a PTCIP, PTCDP, or PTCSP, which may include removal
or discontinuance of any signal system, may not take effect until after
FRA has approved the corresponding submitted or amended PTCIP, PTCDP,
or PTCSP. FRA may provide partial or conditional approval. Until FRA
has granted appropriate relief or approval, the railroad may not make
the change, and once a requested change has been made, the railroad
must comply with requested change.
FRA recognizes that a railroad may wish to remove an existing train
control system due to new and appropriate PTC system implementation.
For train control systems existing prior to promulgation of subpart I,
any request for a material modification or discontinuance must be made
pursuant to part 235. Paragraph (c), however, provides the railroads
with an opportunity to instead request such changes in accordance with
proposed Sec. 236.1021. FRA believes that this requirement will reduce
the number of required filings and would otherwise simplify the process
requesting material modifications or discontinuances.
Paragraph (d) provides the minimum information required to be
submitted to FRA when requesting an amendment. While the procedural
rules here are different than those in part 235, FRA expects that the
same or similar information be provided. Accordingly, under paragraph
(d)(1), the RFA must contain the information required in 235.10.
Paragraph (d)(1) also requires the railroad to submit, upon FRA
request, certain additional information, including the information
referenced in Sec. 235.12. Paragraphs (d)(2) through (d)(7) provide
further examples of such information. While such information may only
be required upon request, FRA urges each railroad to include this
information in its RFA to help expedite the review process.
FRA believes that paragraphs (d)(2) through (d)(6) are self-
explanatory. However, according to paragraph (d)(7), FRA may require
with each RFA an explanation of whether each change to the PTCSP is
planned or unplanned. Planned changes are those that the system
developer and the railroad have included in the safety analysis
associated with the PTC system, but have not yet implemented. These
changes provide enhanced functionality to the system, and FRA strongly
encourages railroads to include PTC system improvements that further
increase safety. A planned change may require FRA approved regression
testing to demonstrate that its implementation has not had an adverse
affect on the system it is augmenting. Each planned change must be
clearly identified as part of the PTCSP, and the PTCSP safety analysis
must show the affect that its implementation will have on safety.
Unplanned changes are those either not foreseen by the railroad or
developer, but nevertheless necessary to ensure system safety, or are
unplanned functional enhancements from the original core system. The
scope of any additional work necessary to ensure safety may depend upon
when in the development cycle phase the changes are introduced. For
instance, if the PTCDP has not yet been submitted to FRA, no FRA
involvement is required. However, if the PTCDP has been submitted to
FRA, or if the change impacts the safety functionality of the system
once a Type Approval has been issued, and a PTCSP has not yet been
submitted, the railroad must submit a RFA requesting and documenting
that change. Once FRA approves that RFA, FRA expects the subsequently
filed PTCSP to account for the change in analysis.
If the change is made after approval of the PTCSP and the system
has been certified by FRA, a RFA must be submitted to FRA for approval.
Because this requires significant effort by FRA and the railroad, FRA
expects that every effort will be made to eliminate the need for
unplanned changes. If the railroad and the vendor or supplier submit
unplanned safety related changes that FRA believes are a significant
amount or inordinately complex, FRA may revoke any approvals previously
granted and disallow the use of the product until such time the
railroad demonstrates the product is sufficiently mature.
Paragraph (e) provides that if a RFA is submitted for a
discontinuance or a
[[Page 2662]]
material modification to a portion or all of its PTC system, a notice
of its submission shall be published in the Federal Register.
Interested parties will be provided an opportunity to comment on the
RFA, which will be located in an identified docket.
Paragraph (f) makes it clear that FRA will consider all impacts on
public safety prior to approval or disapproval of any request for
discontinuance, modification, or amendment of a PTC system and any
associated changes in the existing signal system that may have been
concurrently submitted. While the economic impact to the affected
parties may be considered by FRA, the primary and final deciding factor
on any FRA decision is safety. FRA will consider not only how safety is
affected by installation of the system, but how safety is impacted by
the failure modes of the system.
The Southern California Regional Rail Authority submitted comments
requesting ``easy streamlined approval'' of incremental changes and
additions to the plans based on procurement and type approval of vendor
or supplier products. However, FRA would like to point out that, where
lines change during or subsequent to the railroad's submission of its
PTCIP, the railroad merely needs to identify its plan for
implementation on such lines in its RFA. This does not appear to be an
overly burdensome task.
The purpose of paragraph (g) is to emphasize the right of FRA to
unilaterally issue a new Type Approval, with whatever conditions are
necessary to ensure safety based on the impact of the proposed changes.
In paragraph (h), FRA makes clear that it considers any implemented
PTC system to be a safety device. Accordingly, the discontinuance,
modification, or other change of the implemented system or its
geographical limits will not be authorized without prior FRA approval.
While this requirement primarily applies to safety critical changes,
FRA believes that they should also apply to all changes that will
affect interoperability. The principles expressed in the paragraph
parallel those embodied in part 235, which implements 49 U.S.C.
20502(a). Railroads may need to review Sec. 236.1005(b)(4) and supply
the required information in an RFA submission.
That said, FRA recognizes that there are a limited number of
situations where changes of the PTC system may not have an adverse
impact upon public safety. Specific situations where prior FRA approval
is required are provided in paragraphs (h)(1) through (h)(4).
Paragraph (i) provides the exceptions from the requirement for
prior approval in cases where the discontinuance of a system or system
element will be treated as pre-approved, as when a line of railroad is
abandoned.
Paragraph (j) provides exceptions for certain lesser changes that
are not expected to materially affect system risk, such as removal of
an electric lock from a switch where speed is low and trains are not
allowed to clear.
The AAR submitted comment that paragraphs (j)(2) and (j)(3) should
be revised to recognize the allowance for removal of a signal used in
lieu of an electric or mechanical lock in the same manner as removal of
the electric or mechanical lock. These two paragraphs are intended to
recognize that where train speed over the switch does not exceed 20
miles per hour, or where trains are not permitted to clear the main
track at the switch, removal of the devices intended to provide the
necessary protection should not require the submission of a filing for
FRA approval.
The regulation requiring the installation of an electric or
mechanical lock identifies the allowance for a signal used in lieu
thereof (see Sec. 236.410). FRA agrees with the AAR that when the
requirement for an electric or mechanical lock, or a signal used in
lieu thereof, are eliminated, the removal of any of these devices in
their entirety without filing for approval is appropriate. FRA has
therefore revised paragraphs (j)(2) and (j)(3) to clarify these
allowances.
Paragraph (k) provides additional exceptions consisting of
modifications associated with changes in the track structure or
temporary construction. FRA notes that only temporary removal of the
PTC system without prior FRA approval is allowed to support highway
rail separation construction or damage to the PTC system by
catastrophic events. In both cases, the PTC system must be restored to
operation no later than 6 months after completion of the event.
Caltrain submitted comments stating that proposed paragraph (k)(6)
and Sec. 236.1009(a)(2)(ii)(B) appear to address the installation of
new track in an inconsistent manner. While proposed paragraph (k)(6)
states that it will not be necessary to file an RFA for the
installation of new track, Sec. 236.1009(a)(2)(ii)(B) states that an
RFA must be filed if railroad intends to add, subtract, or otherwise
materially modify one or more lines of railroad for which installation
of a PTC system is required.
FRA agrees that there appears to have been a conflict between the
provisions contained in paragraph (k)(6) and Sec.
236.1009(a)(2)(ii)(B). In light of the fact that FRA considers it
necessary to file an RFA if the railroad intends to install new track
for which installation of a PTC system is required, FRA has not
included proposed paragraph (k)(6) in the final rule.
Section 236.1023 Errors and Malfunctions
Often it is only after the product has been placed in field service
for an extended period of time before the accuracy of the assumptions
regarding errors and malfunctions can be validated. Accordingly, the
reporting and recording of errors and malfunctions takes on critical
importance. If the number of errors and malfunctions exceeds those
originally anticipated in the design, or errors and malfunctions that
were not predicted are observed to occur, the validity of the system
design assumptions and the accuracy of the performance predictions
becomes suspect. The requirements of this section provide the process
and procedures for tracking, reporting, and correction of errors and
malfunctions. The final rule reflects the requirements of the NPRM, but
has been reorganized for greater clarity.
Paragraph (a) of this section contains the requirement for all
railroads operating a PTC system to establish and maintain a PTCPVL.
The PTCPVL list ensures that the railroad can quickly determine the
vendor of the product that has experienced an error or malfunctioned,
and then be able to report the occurrence of the error or malfunction
in a timely and accurate manner to the appropriate entity responsible
for the design and manufacture of the product. FRA access to the PTCPVL
of each railroad enables FRA to quickly identify all railroads that may
potentially be affected by the error malfunction, thereby allowing FRA
to better understand the implications of the condition on the industry.
Not all railroads using the same product or processes may experience
the same software errors or hardware failures, even if the cause of the
error or failure is systemic to the design, and an individual railroad
may not have the resources to determine if there are any industry-wide
implications. The requirement for creating and maintaining the PTCPVL
was originally proposed in paragraph (c) of the NPRM.
Paragraph (b)(1) establishes a requirement that the railroad
specify in its PTCSP all contractual arrangements with their vendors or
suppliers for immediate notification of safety-critical upgrades made
to the product by the
[[Page 2663]]
vendors or suppliers. FRA is not interested in the commercial terms of
any such contractual arrangement, only that the contractual arrangement
is in place for notification and provision of safety-critical changes
from a vendor or supplier to the railroad. Paragraph (b)(2) levies the
requirement on the vendor or supplier to report to all railroads using
the product any safety-critical failures reported. Paragraph (b)(3)
levies a requirement on the vendor or supplier to provide accurate and
adequate information of the circumstances surrounding the reported
failure to any potentially affected railroad, as well as recommended
mitigating actions that should be taken until the situation is
resolved. The text of paragraph (b) has been modified slightly from
that of the NPRM to more accurately reflect FRA's expectation in this
regard.
Paragraph (c)(1) levies the requirement on the railroad to specify
in its PTCSP the process and procedures the railroad will implement
when a safety-critical upgrade or failure notification is received from
the vendor or supplier. This requirement is necessary regardless of
whether the railroad itself discovers the problem or the vendor or
supplier notifies the railroad of the problem. Paragraph (c)(2)
requires the railroads to identify the associated configuration
management process they will use to identify safety-critical failures
and mitigations. FRA believes it to be essential, given the potential
impact on safety of a safety-critical failure, that the railroads have
the necessary planning and mechanisms in place to promptly address the
situation. Each railroad's and vendor's or supplier's development
processes, configuration management programs, and fault reporting
tracking systems play a crucial role in the ability of both parties and
the FRA to determine and fully understand the risks and implications.
Without an effective configuration management tracking system in place,
it is difficult, if not impossible, to fairly evaluate PTC system risks
during the system's life-cycle.
Paragraph (d) requires that the railroad provide to its vendor or
supplier the railroad's processes and procedures for addressing safety-
critical failure, malfunction, and fault issues. FRA believes that by
providing this information to the vendor or supplier, the vendor or
supplier will be able to more efficiently and effectively provide
notification to the appropriate railroad personnel. The net result FRA
is seeking is that potential delays in identifying or correcting
safety-critical faults will be minimized.
Paragraph (e) requires the railroad to maintain a database of all
safety-relevant hazards identified in its PTCSP, as well as all safety-
relevant hazards that were not previously identified. FRA believes that
the requirement to report any safety-relevant hazard that was not
previously identified in the PTCSP is self evident, in that it clearly
represents an unknown and unplanned failure mode. Without this
database, a railroad will be unable to determine if the number of
particular failures has risen to a level above the thresholds set forth
in the PTCSP. If the frequency of the safety-relevant hazards exceeds
the thresholds set forth in the PTCSP, the railroads shall take the
following specific actions as prescribed in this section: Notify the
applicable vendor or supplier and the FRA; keep the applicable vendor
or supplier and the FRA apprised of the status of any and all
subsequent failures; and, take prompt countermeasures to eliminate or
reduce the frequency below the threshold identified. Until the
corrective action is complete, the railroad is required to take
measures to ensure the safety of train operations, roadway workers, on
track equipment, and the general public.
While the preceding paragraphs dealt with the establishment of a
framework to address errors and malfunctions, paragraphs (f) through
(g) deal with the actual handling and reporting of errors and
malfunctions within that framework. Paragraph (f) establishes time
limits for reporting failures and malfunctions to the product vendor or
supplier and the FRA as well as minimum reporting requirements. The
period for notification has been lengthened from that proposed in the
NPRM to 15 days. FRA wishes to emphasize that it is more interested in
timely notifications, and accordingly, has not established a specific
format for the reports. FRA will accept any report format, provided it
contains at least the minimal information required by this section. FRA
will accept delivery of these reports by commercial courier, fax, and
e-mail. However, with respect to information that is not immediately
available, paragraph (f) has been amended to require railroads to
submit supplemental reports with the previously unavailable
information. FRA requires this information to determine the full impact
of the problem, and to determine if any additional restrictions or
limitations on the use of the PTC system may be warranted to ensure the
safety of the general public and the railroad personnel. If the
correcting or mitigating action were to take a significant amount of
time, FRA would expect the railroad to provide FRA with periodic
frequent progress reports.
Paragraph (g) establishes a reporting requirement for railroads and
vendors or suppliers to provide to the Associate Administrator on
request the results of any investigation of an accident or service
difficulty report that shows the PTC system, subsystem, or component is
unsafe because of a manufacturing or design defect. In addition, the
railroad and its vendor or supplier may be required to report on any
action taken or proposed to correct the defect.
Paragraph (h) imposes a direct obligation on suppliers to report
safety-relevant failures or defective conditions, previously
unidentified hazards, and recommended mitigation actions in their PTC
system, subsystem, or component to each railroad using its product.
Each applicable supplier is also required to notify FRA of the safety-
relevant failure, defective condition, or previously unidentified
hazard discovered by the vendor or supplier and the identity of each
affected and notified railroad. FRA believes that it should be informed
to ensure public safety in any case where a commercial dispute (e.g.,
over liability) might disrupt communication between a railroad and
supplier.
GE submitted a comment on this section, in which it raised an
objection to the direct imposition by FRA of a reporting obligation on
PTC suppliers. GE believes this requirement is unwarranted for three
reasons. First, the railroad is the primary entity having knowledge of
such a failure and already has the obligation to report a failure
within strict guidelines. Second, even if the PTC supplier becomes
aware of a failure, the PTC supplier may not have sufficient
understanding of the failure to determine whether it is truly safety-
related in nature without talking to the railroad. Third, there already
exist sufficient legal incentives for a supplier to quickly resolve any
safety-related failure that might occur. GE believes that railroads'
regulatory compliance responsibilities should not be delegated to
suppliers. Ultimately, GE asserts that this requirement unnecessarily
complicates the task of deploying PTC and is unwarranted.
GE proposed alternative language at the RSAC PTC Working Group
meeting held August 31-September 2, 2009, that removed the supplier's
obligation to directly report to FRA by deleting proposed paragraphs
(a) and (f) of this section and adding language to Sec.
236.1015(b)(2). In this proposed alternative language, GE recommended
[[Page 2664]]
that FRA require suppliers to include a process for promptly reporting
any safety relevant failure and previously unidentified hazard to each
railroad using the product in the quality control systems maintained by
suppliers for PTC system design and manufacturing.
FRA carefully considered GE's recommendation. In Sec. 236.907(d),
FRA has previously established for PTC systems that are voluntarily
implemented by railroads, under the provisions of subpart H of this
part, a requirement that the vendor/supplier and railroads establish
mutual reporting relationships for promptly reporting any safety-
relevant failures and previously unidentified hazards. FRA seeks to
continue this relationship requirement for mandatory PTC system
installations under the provisions of this subpart.
As noted in the preamble discussion of Sec. 236.907(d), FRA
clearly indicated that if there was ``a breakdown in communications
that could adversely affect public safety'', FRA would take appropriate
action as necessary. See 70 FR 11,052, 11,074. FRA also noted that the
language of Sec. 236.907 ``place[d] a direct obligation on suppliers
to report safety-relevant failures, which would include `wrong-side
failures' and failures significantly impacting on availability where
the Product Safety Plan indicates availability to be a material issue
in the safety performance of the larger railroad system.'' 70 FR
11,052, 11,074. This provision was necessary to ensure public safety in
the event where a commercial dispute (e.g., over liability) might
disrupt communications between a railroad and its supplier.
FRA believes that the requirement that a product supplier notify
FRA, in addition to the affected railroads, of safety-relevant failures
of the PTC product discovered by the supplier does not add to the
complexity or cost of PTC system deployment. The addition of FRA to the
list of entities that must be notified in the unlikely event of a
product failure that has been identified by the product supplier adds
only marginally to the level of effort required of the product
supplier. As a condition of providing PTC systems pursuant to subpart H
of this part, the product supplier must already maintain a list of
parties that require such notification. As GE noted, even if there were
no regulatory requirement for a mutual reporting relationship between
product suppliers and railroads, there are already legal incentives for
a supplier to quickly resolve any safety related failure. FRA believes
that these legal incentives should motivate the product supplier to
promptly notify product users of safety-related issues and, therefore,
to maintain a list of product users.
FRA has also considered GE's argument that the railroad is the
primary entity having knowledge of safety-related failures and already
has an obligation to report the failure within strict guidelines. Thus,
even if the PTC supplier becomes aware of the failure, the supplier may
not have sufficient understanding of the failure to determine whether
it is safety-related in nature without talking to the railroad. GE's
assertion that the supplier may not recognize that a failure is safety
related without talking to the railroad also applies equally to the
converse situation. A railroad may report a failure to the vendor or
supplier that the railroad may not recognize as safety critical, and it
is only the vendor's or supplier's detailed knowledge of the product
that enables recognition of the failure as safety critical.
FRA is consequently unmoved by the assertion that the imposition of
a requirement that a vendor or supplier notify FRA upon discovery of a
safety critical problem would be unduly burdensome.
In view of the preceding, FRA has left this paragraph unchanged in
principle. FRA has, however, made editorial changes to more clearly
define the responsibilities of the parties involved and to clearly
indicate the acceptability of incremental reporting as more information
becomes available.
RSI made many statements similar to those of GE and also asserts
that the notification requirement on suppliers would not enhance
safety, but would create the potential for redundant, premature,
potentially misleading, and burdensome reports to FRA. RSI cites
various statutes and regulations, including RSIA08 and the existing
part 236, that apply ``exclusively'' to ``railroads'' and ``railroad
carriers.'' However, according to 49 U.S.C. 20103, which continues to
be referenced in part 236's Authorities section:
(a) Regulations and orders.--The Secretary of Transportation, as
necessary, shall prescribe regulations and issue orders for every
area of railroad safety supplementing laws and regulations in effect
on October 16, 1970. When prescribing a security regulation or
issuing a security order that affects the safety of railroad
operations, the Secretary of Homeland Security shall consult with
the Secretary.
Thus, FRA has jurisdiction ``for every area of railroad safety.''
Subpart I supplements the laws and regulations in effect on October 16,
1970. Moreover, while the U.S.C. provisions cited by RSI apply to
railroads and railroad carriers, there is nothing in those provisions
restricting FRA's jurisdiction over other entities or persons.
FRA has previously applied its jurisdiction over suppliers. Under
Sec. 236.907(d), suppliers must perform certain notification
responsibilities. While that paragraph concerns notification by the
supplier to the railroad, there is nothing preventing FRA from
requiring the supplier to also notify FRA. In fact, as a practical
matter, FRA believes that reporting failures directly to FRA is
necessary here. Under subpart H, the absence of direct and timely
access to product notices has continued to be an issue for FRA. This
concern will only become greater as the subject technology becomes more
complex.
RSI also noted that, ``the scope of the signal and train control
provision at Part 236 explains that this entire part, which will
include the proposed regulations for Sec. 236.1023, applies only to
the railroads.'' Indeed, Sec. 236.0(a) currently states, ``Except as
provided in paragraph (b) of this section, this part applies to all
railroads.'' While that paragraph indicates that the part applies to
all railroads, it does not limit application to ``only'' railroads, as
misstated by RSI. In any event, to avoid confusion, FRA is modifying
Sec. 236.0(a) to apply to all railroads and persons as indicated in
this part. For instance, ``person'' is defined in Sec. 236.0(f) when
referencing 1 U.S.C. 1 (which includes manufacturers and independent
contractors) and railroad is defined in subpart G of part 236.
Paragraph (i) addresses situations which are clearly not the result
of a design or manufacturing issue, and limits unnecessary reporting.
If the failure, malfunction, or defective condition was the result of
improper operation of the PTC system outside of the design parameters
or of non-compliance with the applicable operating instructions, FRA
believes that compliance with paragraph (e) is not necessary. Instead,
FRA expects and requires the railroad to engage in more narrow remedial
measures, including remedial training by the railroad in the proper
operation of the PTC system. Similarly, once a problem has been
identified to all stakeholders, FRA does not believe it is necessary
for a manufacturer to repeatedly submit a formal report in accordance
with paragraph (h). In either situation, however, FRA expects that all
users of the equipment will be proactively and timely notified of the
misuse that occurred and the corrective actions taken.
[[Page 2665]]
Such reports, however, do not have to be made within fifteen days
of occurrence, as required for other notifications under paragraph (f),
but within a reasonable time appropriate to the nature and extent of
the problem.
Paragraph (j) has been added to the final rule to require that,
when any safety-critical PTC system, subsystem, or component fails to
perform its intended function, the railroad is required to determine
the cause and perform necessary adjustment, repair, or replacement of
any faulty product without undue delay. Paragraph (j) also reminds
railroads that, until corrective action has been completed, a railroad
is required to take appropriate action to ensure safety and reliability
as specified within its PTCSP.
In paragraph (k) of the final rule, FRA intends to make it
absolutely clear that the reporting requirements of part 233 are not a
substitute for the reporting requirements of this subpart, nor are the
reporting requirements of this subpart considered to be a substitute
for the reporting requirements of part 233. Both sets of reporting
requirements apply. FRA would like to clarify that both requirements
apply. In the case of a failure meeting the criteria described in Sec.
233.7, FRA would not expect the railroad to wait for the frequency of
such occurrences to exceed the threshold reporting level assigned in
the hazard log of the PTCSP, but will expect the railroad to report the
occurrence as required by Sec. 233.7.
Section 236.1027 PTC System Exclusions
This section retains similarities to, but also establishes
contrasts with, Sec. 236.911, which deals with exclusions from subpart
H. In particular, Sec. 236.911(c) offers reassurance that a stand-
alone computer aided dispatching (CAD) system would not be considered a
safety-critical processor-based system within the purview of subpart H.
CADs have long been used by large and small railroads to assist
dispatchers in managing their workload, tracking information required
to be kept by regulation, and--most importantly--providing a conflict
checking function designed to alert dispatchers to incipient errors
before authorities are delivered. Even Sec. 236.911, however, states
that ``a subsystem or component of an office system must comply with
the requirements of this subpart if it performs safety-critical
functions within, or affects the safety performance of, a new or next-
generation train control system.'' FRA continues to work with a vendor
or supplier on a simple CAD that provides authorities in an automated
fashion, without the direct involvement of a dispatcher.
For subpart I, FRA intends to retain the exception referred to in
Sec. 236.911 for CAD systems not associated with a PTC system. Many
smaller railroads use CAD systems to good effect, and there is no
reason to impose additional regulations where dispatchers
contemporaneously retain the function of issuing mandatory directives.
However, in the present context, it is necessary to recognize that PTC
systems utilize CAD systems as the ``front end'' of the logic chain
that defines authorities enforced by the PTC system, particularly in
non-signaled territory.
Accordingly, paragraph (a) provides for the potential exclusion of
certain office systems technologies from subpart I compliance. These
existing systems have been implemented voluntarily to enhance
productivity and have proven to provide a reasonably high level of
safety, reliability, and functionality. FRA recognizes that full
application of subpart I to these systems would present the rail
industry with a tremendous burden. The burdens of subpart I may
discourage voluntary PTC implementation and operation by the smaller
railroads.
However, subpart I applies to those subsystems or components that
perform safety critical functions or affect the safety performance of
the associated PTC system. The level and extent of safety analysis and
review of the office systems will vary depending upon the type of PTC
system with which the office system interfaces. For example, to prevent
the issuance of overlapping and inconsistent authorities, FRA expects
that each PTC system demonstrate sufficient credible evidence that the
requisite safety-critical, conflict resolution (although not
necessarily vital) hardware and software functions of the system will
work as intended. FRA also expects that the applicable PTCDP's and
PTCSP's risk analysis will identify the associated hazards and describe
how they have been mitigated. Particularly where mandatory directives
and work authorities are evaluated for use in a PTC system without
separate oral transmission from the dispatcher to the train crew or
employee in charge--with the opportunity for receiving personnel to
evaluate and confirm the integrity of the directive or authority
received and the potential for others overhearing the transmission to
note conflicting actions by the dispatching center--FRA will insist on
explanations sufficient to provide reasonable confidence that
additional errors will not be introduced.
Paragraph (b) provides requirements for modifications of excluded
PTC systems. At some point when a change results in degradation of
safety or in a material increase in safety-critical functionality,
changes to excluded PTC systems or subsystems may be significant enough
to require application of subpart I's safety assurance processes. FRA
believes that all modifications caused by unforeseen implementation
factors will not necessarily cause the product to become subject to
subpart I. These types of implementation modifications will be minor in
nature and be the result of site specific physical constraints.
However, FRA expects that implementation modifications that will result
in a degradation of safety or a material increase in safety-critical
functionality, such as a change in executive software, will cause the
PTC system or subsystem to be subject to subpart I and its
requirements. FRA is concerned, however, that a series of incremental
changes, while each individually not meeting the threshold for
compliance with this subpart, may when aggregated result in a product
which differs sufficiently so as to be considered a new product.
Therefore, FRA reserves the right to require products that have been
incrementally changed in this manner to comply with the requirements of
this subpart. Prior to FRA making such a determination, the affected
railroad will be allowed to present detailed technical evidence why
such a determination should not be made. This provision mirrors
paragraph (d) of existing Sec. 236.911.
Paragraph (c) addresses the integration of train control systems
with other locomotive electronic control systems. The earliest train
control systems were electro-mechanical systems that were independent
of the discrete pneumatic and mechanical control systems used by the
locomotive engineer for normal throttle and braking functions. Examples
of these train control systems included cab signals and ACS/ATC
appliances. These systems included a separate antenna for interfacing
with the track circuit or inductive devices on the wayside. Their power
supply and control logic were separate from other locomotive functions,
and the cab signals were displayed from a separate special-purpose
unit. Penalty brake applications by the train control system bypassed
the locomotive pneumatic and mechanical control systems to directly
operate a valve that accomplished a service reduction of brake pipe
pressure and application of the brakes as well as
[[Page 2666]]
reduction in locomotive tractive power. In keeping with this physical
and functional separation, train control equipment on board a
locomotive came under part 236, rather than the locomotive inspection
requirements of part 229.
Advances in hardware and software technology have allowed the
various PTC systems' and components' original equipment manufacturers
(OEMs) to repackage individual components, eliminating parts and system
function control points access. Access to control functions became
increasingly restricted to the processor interfaces using proprietary
software. While this resulted in significant simplification of the
previously complex discrete pneumatic and mechanical control train and
locomotive control systems into fewer, more compact and reliable
devices, it also creates significant challenges with respect to
compatibility of the application programs and configuration management.
FRA encourages such enhancements, and believes that, if properly
done, they can result in significant safety, as well as operational,
improvements. Locomotive manufacturers can certainly provide secure
locomotive and train controls, and it is important that they do so if
locomotives are to function safely in their normal service environment.
FRA highly encourages the long-term goal of common platform
integration. However, when such integration occurs, it must not be done
at the expense of decreasing the safe and reliable operation of the
train control system. Accordingly, FRA expects that the complete
integrated system will be shown to have been designed to fail-safe
principles, and then demonstrated that the system operates in a fail-
safe mode. Any commingled system must have a manual fail-safe fall back
up that allows the engineer to be brought to be a safe stop in the
event of an electronic system failure. This analysis must be provided
to FRA for approval in the PTCDP and PTCSP as appropriate. This
provision mirrors the heightened scrutiny called for by Sec.
236.913(c) of subpart H for commingled systems, but is more explicit
with respect to FRA's expectations. The provision in general accords
with the requirements for locomotive systems that are currently under
development in the RSAC's Locomotive Safety Standards Working Group.
GE generally agreed with the preceding discussion about separate
regulatory treatment of PTC and the locomotive control systems.
However, they strongly disagree with any implication, if the two
systems were interfaced or commingled, that PTC requirements could be
extended into the locomotive control system. They assert non-safety-
critical data can be passed between the systems using appropriate
interfaces without any impact on safety and without triggering a need
to extend PTC requirements into the control system.
FRA agrees that there are implementation techniques that allow for
locomotive control systems to passively receive information from a
train control system, and the train control and locomotive control
systems are not tightly coupled. FRA expects that in such situations
the safety case for the train control system clearly and unequivocally
demonstrates that the train control system is not tightly coupled with
the locomotive control system, and that failures in the locomotive
control system have absolutely no adverse consequences on the safe
operation of the train control system. Likewise, FRA expects that the
safety analysis for the locomotive control system clearly and
unequivocally demonstrates that the train control system is not tightly
coupled with the locomotive control system, and that failures in the
train control system have absolutely no adverse consequences on the
safe operation of the locomotive control system. If the safety analysis
cannot convincingly demonstrate to FRA that the train control and
locomotive control systems are loosely coupled, then FRA will require
that the safety analysis for the PTC system include the applicable
elements of the locomotive control system, and vice versa.
Finally, paragraph (d) clarifies the application of subparts A
through H to products excluded from compliance with subpart I. These
products are excluded from the requirements of subpart I, but FRA
expects that the developing activity demonstrates compliance of
products with subparts A through H. FRA believes that railroads not
mandated to implement PTC, or that are implementing other non-PTC
related processor based products, should be given the option to have
those products approved under subpart H by submitting a PSP and
otherwise complying with subpart H or by voluntarily complying with
subpart I. This provision mirrors Sec. 236.911(e) of subpart H.
Section 236.1029 PTC System Use and En Route Failures
This section provides minimum requirements, in addition to those
found in the PTC system's plans, for each PTC system with a PTC System
Certification. Railroads are allowed, and encouraged, to adopt more
restrictive rules that increase safety.
Paragraph (a) requires that, in the event of the failure of a
component essential to the safety of a PTC system to perform as
intended, the cause be identified and corrective action taken without
undue delay. The paragraph also states that until the corrective action
is completed, the railroad is required, at a minimum, to take
appropriate measures, including those specified in the PTCSP, to ensure
the safety of train movements, roadway workers, and on-track equipment.
This requirement mirrors the current requirements of Sec. 236.11,
which applies to all signal and train control system components. Under
paragraph (a), FRA intends to apply to PTC systems provided PTC System
Certification under subpart I the same standard in current Sec.
236.11.
Paragraph (b) provides the circumstance where a PTC onboard
apparatus on a controlling locomotive that is operating in or is to be
operated within a PTC system fails or is otherwise cut-out while en
route. Under paragraph (b), the subject train may only continue such
operations in accordance with specific limitations. An en route failure
is applicable only in instances after the subject train has departed
its initial terminal, having had a successful initialization, and
subsequently rendering it no longer responsive to the PTC system. For
example, FRA believes that an en route failure may occur when the PTC
onboard apparatus incurs an onboard fault or is otherwise cut out.
Under subpart H, existing Sec. 236.567 provides specific
limitations on each train failing en route in relation to its
applicable automatic cab signal, train stop, and train control system.
FRA believes that it would be desirable to impose somewhat more
restrictive conditions given the statutory mandate and the desire to
have an appropriate incentive to properly maintain the equipment and to
timely respond to en route failures. For instance, FRA recognizes that
the limitations of Sec. 236.567 do not account for the statutory
mandates of the core PTC safety functions.
During the PTC Working Group meetings prior to issuance of the
NPRM, no consensus was reached on how to regulate en route failures on
PTC territory. However, FRA subsequently received several comments that
the en route failure requirements and the restrictive operational
conditions imposed by paragraph (b) are burdensome and overly
restrictive. When the PTC Working Group was
[[Page 2667]]
reconvened following the Public Hearing and the NPRM comment period,
the PTC Working Group formed three separate task forces for the purpose
of discussing and resolving several specific issues. One such task
force, deemed the Operational Conditions Task Force, was assigned the
task of resolving the issues associated with operational limitations
presented in the proposed rule associated with temporary rerouting
within Sec. 236.1005, unequipped trains operating within a PTC system
within Sec. 236.1006, and en route failures within Sec. 236.1029.
The proposed rule provided allowances for deviations from the
restrictions of operations exceeding 90 miles per hour if such
deviations were presented and justified in an FRA approved plan. At the
PTC Working Group meeting, it was recommended that the procedure
allowing for such deviations equally apply to all other operations,
regardless of the speed of the operations.
Upon presentation of these recommended revisions to the PTC Working
Group, Amtrak and NJ Transit withheld consensus, requesting rather to
state on the record that they believed the requirement for the
establishment of an absolute block was overly burdensome and
unnecessary, and the operational limitations were too restrictive in
areas where an underlying block signal system and/or cab signal system
with train stop/train control functions remained in place. They further
suggested that the operational restrictions for en route failures
should be solely presented and described within a railroad's PTCDP and
PTCSP, which would then be applicable to a particular PTC system.
FRA appreciates the concerns presented. However, FRA remains
convinced that the rule text must provide a ``baseline'' for
operational restrictions associated with en route failures within all
PTC systems, with the recognition of the allowance for a railroad to
submit a request for deviation from those requirements, with
justification, within their PTCDP and PTCSP for FRA approval.
Accordingly, FRA has substantially adopted into paragraphs (b) and (c)
the text proposed at the PTC Working Group meeting.
Section 236.1029, and in particular paragraph (b), purposefully
parallels the limitations contained in Sec. 236.567. In other words,
FRA intends that Sec. 236.567 and paragraph (b) of this section will
share the common purpose of maintaining a level of safety generally in
accord with that expected with the train control system fully
functional. This is accomplished by requiring supplementary procedures
to heighten awareness and provide operational control (limiting the
frequency of unsafe events) and by restricting the speed of the failed
train (reducing the potential severity of any unsafe event).
Paragraph (b)(1) allows the subject train to proceed at restricted
speed--or at medium speed if a block signal system is in operation
according to signal indication--to the next available point where
communication of a report can be made to a designated railroad officer
of the host railroad. The intent of this requirement is to ensure that
the occurrence of an en route failure may be appropriately recorded and
that the necessary alternative protection of absolute block is
established.
NYSMTA provided comments recommending that paragraph (b)(1) of this
section cite 40 miles per hour as the maximum permissible speed within
a failed PTC system where a block signal system is in operation because
some railroads, such as the LIRR and Metro-North, have defined medium
speed lower than what the FRA regulation would permit. FRA defines
medium speed in Sec. 236.811 as ``A speed not exceeding 40 miles per
hour.'' Thus, we believe the rule is clear in terms of the applicable
maximum speed limit and consistent with the suggestions made by NYSMTA.
While a particular railroad may internally define ``medium speed''
differently, the definitions contained in part 236 control the meaning
of the terms used therein.
After a report is made in accordance with paragraph (b)(1), or made
electronically and immediately by the PTC system itself, paragraph
(b)(2) allows the train to continue to a point where an absolute block
can be established in advance of the train in accordance with the
limitations that follow in paragraphs (b)(2)(i) and (ii). Paragraph
(b)(2)(i) requires that where no block signal system is in use, the
train may proceed at restricted speed. Alternatively, under paragraph
(b)(2)(ii), the train may proceed at a speed not to exceed medium speed
where a block signal system is in operation according to signal
indication.
Paragraph (b)(3) requires that, upon the subject train reaching the
location where an absolute block has been established in advance of the
train, the train may proceed in accordance with the limitations that
follow in paragraphs (b)(3)(i), (ii), or (iii). Paragraph (b)(3)(i)
requires that where no block signal system is in use, the train may
proceed at medium speed; however, if the involved train is a train
which is that of the criteria requiring the PTC system installation
(i.e., a passenger train or a train hauling any amount of PIH
material), it may only proceed at a speed not to exceed 30 miles per
hour. Paragraph (b)(3)(ii) requires that where a block signal system is
in use, a passenger train may proceed at a speed not to exceed 59 miles
per hour and a freight train may proceed at a speed not to exceed 49
miles per hour. Paragraph (b)(3)(iii) requires that, except as provided
in paragraph (c), where a cab signal system with an automatic train
control system is in operation, the train may proceed at a speed not to
exceed 79 miles per hour.
The Rail Labor Organizations believe that the rule is too
permissive for en route failures of a PTC system where an underlying
signal system is not governing train movements, as they assert that any
train invisible to the PTC system in PTC territory presents an
unacceptable risk. Instead, asserts the RLO, treatment of en route
failures should parallel the restrictions required when a train
experiences a signal failure, such as a switch position that is unknown
or when a route is not known to be clear. While the NPRM proposed to
allow a passenger or PIH PTC train in dark territory to traverse a
switch in an unknown position at medium speed or 30 miles per hour, the
RLO asserts that such trains should be limited to restricted speed or
other methods, such as temporal separation.
FRA appreciates the RLO's concerns. However, FRA believes that the
proposal to limit operations to restricted speed, or employ other
protective methods such as temporal separation, would be too burdensome
and unwarranted. FRA has elected to keep the language of the NPRM in
this final rule for several reasons. First, it is expected that
failures en route addressed by this rule, as well as temporary
rerouting that could result in its application, will not occur on any
frequent basis. Experience and requirements of other portions of this
subpart would preclude this from being the case. Second, the assertion
that ``any train invisible to the PTC system in PTC territory presents
an unacceptable risk'' is inaccurate. Such a train would not in fact be
``invisible'' to the PTC system as there remains in place some type of
authority for the train's movement, and all authorities of other trains
that would be PTC-equipped would be enforced by the system.
Additionally, the maximum speed of 30 miles per hour established by FRA
for these situations is based on extensive analysis of past accident
and incidence data, which has shown that train accidents at or below 30
miles per hour have not resulted in breach or compromise of cars
carrying hazardous
[[Page 2668]]
materials. FRA has elected to keep this language of the NPRM in this
final rule.
Paragraph (c) requires that, in order for a PTC train to deviate
from the operating limitations contained in paragraph (b) of this
section, the deviation must be described and justified in the FRA
approved PTCDP or PTCSP. Amtrak had presented comments regarding the
NPRM, as well as within the PTC Working Group task force assigned to
address comments received regarding this section, asserting that the
operational limitations of failure en route were too restricting and
unwarranted. Directly in response to those comments, FRA may allow for
deviation from the identified limitations of the rule if that deviation
is described and justified in the applicable and FRA approved PTCDP,
PTCSP, or Order of Particular Applicability. Furthermore, the speed
threshold of 90 miles per hour proposed in the NPRM has been removed.
FRA will consider deviation proposals for conventional operations, as
well as high-speed operations. FRA continues to anticipate that
existing operations on the Northeast Corridor will not be adversely
impacted, since failure of one component of the onboard train control
system will permit the remaining portion to function and provide for a
reasonable level of safety.
Paragraph (d) requires that the railroad operate its PTC system
within the design and operational parameters specified in the PTCDP and
PTCSP. Railroads will not exceed maximum volumes, speeds, or any other
parameter provided for in the PTCDP or PTCSP. On the other hand, a
PTCDP or PTCSP could be based upon speed or volume parameters that are
broader than the intended initial application, so long as the full
range of sensitivity analyses is included in the supporting risk
assessment. FRA feels this requirement will help ensure that
comprehensive product risk assessments are performed before products
are implemented.
Paragraph (e) sets forth the requirement that any testing of the
PTC system must not interfere with its normal safety-critical
functioning, unless an exception is obtained pursuant to 49 CFR Sec.
236.1035, where special conditions have been established to protect the
safety of the public and the train crew. Otherwise, paragraph (e)
requires that each railroad ensure that the integrity of the PTC system
not be compromised, by prohibiting the normal functioning of such
system to be interfered with by testing or otherwise without first
taking measures to provide for the safety of train movements, roadway
workers, and on-track equipment that depend on the normal safety-
critical functioning of the system. This provision parallels current
Sec. 236.4, which applies to all systems. By requiring this paragraph,
FRA also intends to clarify that the standard in current Sec. 236.4
also applies to subpart I PTC systems.
Paragraph (f) requires that each member of the operating crew has
appropriate access to the information and functions necessary to
perform his or her job safely when products are implemented and used in
revenue service. FRA expects paragraph (f) to automatically require
each engineer operating the controlling locomotive to have access to
the PTC display providing such information. Paragraph (f) also applies
to other crew members assigned duties in the locomotive cab. The rule
is a performance standard which can be met in several different ways.
Train crews perform as a team and are required by railroad and FRA
rules to do so. The importance of having assigned crew members fully
involved in train operations is also clearly the intent of Congress in
the RSIA. The Congress mandated the certification of the conductor to
work in concert with the already federally-certified locomotive
engineer. For the conductor and engineer to fulfill the expectations of
Congress, it is necessary for both crewmembers to have sufficient
information to perform their duties. For the conductor to be able to
fulfill the assigned obligations, the conductor must have ready access
to certain information, including the authority information being
received from the dispatcher. As described below, FRA believes that
safety would be materially diminished if the conductor in freight
operations were denied access to the same information in the same
format as the engineer.
For instance, under the operating rules or special instructions of
the major freight railroads, each train crew member in the performance
of his or her duties receives copies of a fair amount of paperwork that
includes the train consist, which provides the number, loading,
locations, and hazardous materials contents of cars, the length and
weight of the train, General Orders, which provide loose footing
issues, the safety rules of the day or week, security reminders,
temporary speed restrictions, and the locations of maintenance of way
crews performing track repairs. This paperwork provides the train crew
with the work plan necessary to operate the assigned train during their
tour of duty. Once the crew is underway, the conductor receives from
the dispatcher, via radio, updates to the above information (and
provides acknowledgment back to the dispatcher), transcribes hand
written copies, and provides those copies to the engineer and other
crew members (in lieu of stopping if engineer only). Each crew member
keeps these copies in front of them (usually on a desk) for ready
reference to approaching speed restrictions and working limits of
roadway workers. Upon these documents, crew members make hand written
notes and are required to write ``void'' across superseded or expired
movement authorities. In case any questions pertaining to crew
performance arise later, each crewmember keeps these copies.
Particularly, in a PTC overlay system, which by definition depends upon
continued performance of all of the safety-related functions of the
underlying system of operation, all of these functions must continue to
be performed either as they are now or in an equivalent manner.
Removing or impairing any of those functions will diminish safety.
The conductor is responsible for determining the train consist and
for ensuring compliance with hazardous materials train placement
requirements. The conductor is also responsible for determining whether
one or more cars in the train is restricted (e.g., requirement
regarding appropriate placement in the train or speed restriction
limiting the train's speed to avoid a derailment hazard).\9\ Conductors
are regularly disciplined in certain situations, including when the
limits of authorities are violated or maximum speed limits are
exceeded.
---------------------------------------------------------------------------
\9\ Enforcement of a speed restriction associated with a
particular car is not a mandated PTC function, but is an important
function that will be provided within the Interoperable Train
Control architecture for the general freight system.
---------------------------------------------------------------------------
Moreover, in present cab signal territory, multiple crew members
rely on the information provided by the cab signal display, typically
mounted in the center of the cab or other conspicuous location. ACSES
displays have also been centrally mounted in passenger and freight cabs
for clear visibility.\10\ Under this final rule, cab signals may
continue to operate independently of the PTC display of the locomotive
cab. However, based upon RSAC discussions, FRA is confident that PTC
displays may (and
[[Page 2669]]
probably will) supplant current cab signal displays and utilize the cab
signal code as an input to the PTC display.\11\ Section 236.515 has
long provided that ``The cab signals shall be plainly visible to a
member or members of the locomotive crew from their stations in the
cab.'' Positive train control systems will play a role very similar to,
but in fact even more important than, automatic cab signals have played
in the territories where installed. In addition to providing current
displays (or ``targets'') for signal indications, FRA expects that PTC
will also display in graphic form slow orders and other mandatory
directives.
---------------------------------------------------------------------------
\10\ ITCS displays in freight locomotives have not been mounted
so as to be clearly visible to freight crews. The subject line is
principally used for passenger service, and the number of freight
locomotives involved has been very small. ITCS has been permitted to
operate under waiver, and FRA freely concedes that the issue of
freight crew display visibility had not been clearly joined to this
point.
\11\ In vital applications, reliance on these displays will be
authorized and required. Although initially in-block signal upgrades
may not be permitted to be acted upon, except in cab signal
territory, FRA has no doubt that the ability to upgrade between
wayside signals will be requested as the technology is proven
reliable. According to the major railroads involved in the
Interoperable Train Control effort, most Class I locomotives will
need to be configured to operate essentially in any territory on the
system.
---------------------------------------------------------------------------
FRA recognizes that PTC systems are being designed to move much of
this information into an electronic format. The intent of utilizing
electronic transmission of authorities is to reduce human error
associated with listening, copying, and reading back of updates over
voice channels while the train crew is en route. Regardless if the
information is transmitted digitally or verbally, the goal is to
prevent the train from occupying the main track without authority, to
prevent most over-speed issues, and to stop short of misaligned
switches if the crew fails to follow the rules. While FRA supports this
transition to digital communications, this final rule does not require
it.
In the event that a certified PTC system does use digital
transmissions to provide communications and acknowledgement of
mandatory directives between the dispatcher and conductor, to allow the
conductor to electronically input the train consist into the PTC
system, or otherwise similarly modify a crew member's responsibilities,
FRA expects under paragraph (f) that the subject crew member will be
afforded appropriate access to the PTC system display to fulfill those
responsibilities.
In its comments, the AAR also indicated that railroads have been
planning to put a single display in locomotive cabs for the engineer in
systems which FRA has already approved and that this requirement was
redundant and excessive, referring to the BNSF ETMS system. The AAR
questioned the need for a conductor to have access to a PTC display.
The Class I railroads have attempted to present the case that FRA had
previously blessed the implementation of PTC technology that would
permit electronic delivery of mandatory directives while discontinuing
the delivery of printed or voice transmitted directives. However, that
is not the case.
The system to which AAR refers--BNSF's ETMS I configuration--was
qualified under subpart H, which only requires that the system be at
least as safe as existing systems and the approval was limited in
material ways the AAR failed to mention. Subpart I, however, requires
that non-vital overlay systems reduce the likelihood of PTC preventable
accidents by at least 80%. Subpart H does not address or require
interoperability, but subpart I requires interoperability.
The BNSF ETMS I configuration concept of operations was a pure non-
vital overlay on the existing method of operations. The safety analysis
for that system assumed that the conductor would continue to receive
mandatory directives in the normal manner. BNSF, the only railroad to
obtain authority for use of a first-generation freight PTC system, very
heavily justified its safety case on the assumption that crewmembers
would intervene should the PTC system experience a wrong-side failure
(which could occur due to a software error, hardware malfunction,
database error, or combination of these factors). This system was
justified as an ``overlay'' on the existing method of operations; while
there would be only one PTC display screen, it was contended that most
wrong-side errors would be caught by crewmembers holding mandatory
directives in paper form. This type of existing PTC system, which has
only been deployed by BNSF on a few lines and with very few locomotives
equipped, precludes one-half of the train crew from having any access
to the information for which they are held accountable. This has been
tolerable only because both crew members do have a full set of printed
or written directives.
Note that basic interoperability is potentially a concern with
respect to the human-machine interface and the means by which FRA
addresses it. To the extent a locomotive from a railroad which uses
only voice transmission of mandatory directives were to travel on a
railroad using electronic transmission of mandatory directives, it
would need to be equipped for the other railroad. Yet none of the major
freight railroads has conducted a revenue demonstration of a system
that relies exclusively on electronic transmission of authorities; and,
after more than two decades of development and demonstrations, the
major freight railroads have still not issued interoperability
standards. Even if FRA were able to accept some of the arguments
proffered in regard to the need for access to PTC information,
addressing this issue through review of individual railroad plans would
not be feasible. This issue needs to be settled ``up front'' in order
to support an orderly implementation.
The testimony and written filings in this docket reflected a
serious misunderstanding regard the distinctions noted above and the
posture of the BNSF Product Safety Plan review. The AAR and CSXT both
asserted that FRA has approved use of a single screen in the form of
BNSF ETMS I configuration. More remarkably, BNSF itself testified at
the public hearing that, ``As approved by FRA, our locomotive cab
configuration includes one display screen, which is positioned on the
dashboard of the engineer.'' Comment of BNSF Railway Company, Docket
FRA-2008-0132.0011.1 (Aug. 19, 2009); Positive Train Control Systems:
Hearing Before the Fed. Railroad Admin. (Aug. 13, 2009) (statement of
Mark Schulze, Vice President, BNSF Railway Company).
In fact, FRA's decision letter for that system stated as follows:
7. Prior to any further ETMS Configuration I operations, BNSF must
either comply with 49 CFR Sec. 236.515 (Visibility of cab signals), or
submit a risk-based justification as to why the requirements of this
rule should be waived. The justification shall be submitted in
accordance with the PSP amendment procedures in 49 CFR Sec. 236.913.
(FRA Docket No. 2006-23687, Document No. 0021.)
The subject approval remains contingent as of the date of preparation
of this final rule, since the railroad has not submitted the required
justification.\12\
---------------------------------------------------------------------------
\12\ Prior to enactment of the RSIA08, FRA had taken significant
steps to encourage voluntary PTC deployment, including offering the
inducement of exceptions from traditional train control
requirements. Had BNSF submitted a detailed justification for the
single display visible only to the locomotive engineer, it is
entirely possible that it would have been approved, since the
performance standard under subpart H presents a very low bar for a
reasonably competent train control system when applied in non-
signaled or traffic control territory and since under the ETMS PSP
the conductor would either continue to receive mandatory directives
in writing or would copy mandatory directives transmitted verbally
by the dispatcher via radio. 49 CFR 236.909(a). The point here is
that, if the railroad had indeed conducted adequate human factors
analysis, it had not been submitted to FRA; and no implications
should be drawn with respect to this very different context, wherein
interline operation of locomotives is at stake and several major
railroads clearly wish to abandon traditional means of delivering
authorities.
---------------------------------------------------------------------------
[[Page 2670]]
The AAR also misstates the extent of the Volpe Center's review of
ETMS. From the Volpe Center's review: ``The purpose of the analysis was
to assess the extent to which the ETMS system follows accepted human
factors design guidelines that are likely to catch and correct
potential human performance problems.'' Volpe did not perform a
``thorough human factors analysis'' as posited by AAR. Rather, Volpe
focused on the user interface for locomotive engineers, identifying
issues within the existing design (which was still under development)
and within the concept of operations as defined by the railroad.
Once all of the paperwork is moved into electronic transmissions
(which has been neither formally requested nor in any way justified
under existing regulations), in the absence of an available display
one-half of the train crew would not have the ability to review and
receive updates while en-route, or keep records of the movement
authorities and restrictions for future use. PTC is currently an
imperfect technology fed by databases that can be corrupted. Mandatory
directives will continue to be issued by dispatchers with limited
conflict checking using non-vital computer-aided dispatching systems.
As the point paper orders are no longer provided, and mandatory
directives are issued electronically en route, there would be no
general broadcast on the ``road channel'' that could lead to other
train crews or roadway workers identifying a defective authority (e.g.,
a mandatory directive to traverse a track segment already occupied by
another train). None of the freight railroads has yet demonstrated how
the transition to full electronic delivery of mandatory directives will
be accomplished. FRA believes that the transition will eventually be
made, but in the initial period it is critical that existing provisions
for safety--which work very well a very high percentage of the time--
not be prematurely abandoned; these provisions include appropriate
access to the PTC system display. Although FRA agrees that transmission
of valid authorities should be more secure, and thus the trade-off is
likely to be favorable, FRA sees no reason at this time to take a
second or third crew member out of the loop or to load on the engineer
the responsibility for both receiving mandatory directives and briefing
the second or third crew member who will be expected under the
railroad's rules to comply.
FRA believes it is important to the risk assessment process that
the engineer and conductor perform at a level no less safe than they
would have had there not been a PTC system. The PTC systems proposed
for freight railroads are overlay systems. In an overlay system, the
railroad adds a layer of safety to the existing operation. The risk
assessment then is relatively easy, because it is easy to show that the
new system adds safety, reducing the risk of certain accidents, while
not adding any new risk. The key assumption of the risk assessment is
no degradation of the underlying safety system, and the performance of
crewmembers is a key element of that safety system.
It is impossible at present to quantify the additional risk
associated with adding a task which compromises the safe operation of
the train by the engineer or conductor, even if only for a short time.
Engineers and conductors have an excellent record of avoiding
accidents. PTC seeks to improve upon that excellent record. The
existing human factors literature leads one to believe that entering
complex acknowledgements into a PTC system while the train is in motion
is a very significant risk. To quantify that risk, one would have to
put it into the context of comparative safety using a human factors
model far more complex and accurate than any of which FRA is aware.
Also note that PTC does not address all accident scenarios, many of
which are often avoided by timely locomotive engineer intervention. The
timeliness of such intervention is dependent on situational awareness,
which would be negatively impacted if the engineer were distracted.
Reading text on a PTC screen appears to be as distracting as reading
text on a cell phone or PDA and texting in reply. In order for FRA to
accept the diversion of the engineer's attention which would come from
having the engineer review and accept the mandatory directives while
the train is motion, FRA would need a process different from the
current risk assessment methodology. That in turn would require FRA to
impose a specification standard, instead of a performance standard.
Were FRA issuing only a specification standard, FRA would require the
second display and input unit.
In short, the rule as it stands relies on comparing system risk,
which is easy if the engineer is not distracted by the system, but
impossible if the engineer might be distracted. What we do know with
certainty is that having the engineer read and respond to lengthy
written messages on the PTC screen would be a distraction resulting in
greater risk exposure which would offset to some extent the risk
reduction resulting from PTC systems.
AAR argues that the requirement in Sec. 236.1029(f) pertaining to
distraction of the locomotive engineer should be deleted. The AAR
claims that FRA does not offer any study showing that safety is
jeopardized by assigning the engineer PTC-related duties. FRA has
directly observed engineers exceeding authorities while attempting to
respond to PTC system requirements on tests of existing PTC systems. In
those cases, the engineer was attempting to respond to digitally
transmitted authority while the train was in motion and was plainly
distracted from safety-critical duties. FRA does not need a study to
verify the possibility of that which it has observed directly.
The AAR also raises an issue of accuracy in transmitting and
receiving mandatory directives, and appears to make the argument that
because electronic transmission of mandatory directives is likely to be
much more accurate than voice communication of mandatory directives,
that all will be safer if mandatory directives are transmitted
electronically. FRA agrees that the electronic transmission is likely
to be more accurate, but does not agree that accurate transmission is
the only safety issue. FRA is concerned with procedures which might
distract the engineer from his duties. There is no problem if the
railroad intends to have engineers receive, review, and acknowledge
mandatory directives, unless the railroad wants the engineer to perform
that task with the train in motion, and provided the engineer can take
the time to brief other crew members, who under current railroad
operating rules would need to copy and retain the orders.
All systems of which FRA is aware will require the crew to
acknowledge the mandatory directives. FRA has seen system designs that
would permit acknowledgement by simply pressing a button. There is no
reason to believe that simply pressing a button demonstrates
understanding of a mandatory directive, and FRA does not intend to
approve such systems because they will not provide an adequate level of
safety. Simply pressing a button does not provide the evidence of
comprehension and mutual understanding currently provided by the
practice of reading mandatory directives back to the dispatcher over
the radio. Even if this means of acknowledgment is elected and approved
by FRA, it would be necessary for an engineer receiving such a
directive to read it and consider its relevance to the current
situation. This
[[Page 2671]]
could distract the engineer from actions needed to address other
restrictions or an emerging situation on the railroad (e.g., need to
warn equipment or personnel unexpectedly fouling the track ahead,
requirement to manage a train over undulating terrain to avoid
excessive in-train forces, emergency use of the train horn because of
vehicle storage on the tracks in a quiet zone).
FRA believes that simply referencing the default PTC display screen
will be consistent with good situational awareness and should not
present a problem. However, excessive engagement with the PTC onboard
computer while underway can distract a locomotive engineer from current
duties. While acknowledgment by use of a single soft key may limit the
distraction associated with manipulation of the device, it does not
address whether the directive was understood. It is also possible to
create greater interaction with the onboard computer while causing
distraction and yet still not ensure that the directive is understood.
For instance, a system tested by one railroad required an eight digit
acknowledgment code to confirm receipt of a mandatory directive. In
prototype testing locomotive engineers attempting to enter the code
have exceeded their authority, because entering a code is a distraction
similar to text messaging (a prohibited practice).\13\
---------------------------------------------------------------------------
\13\ The response to this kind of concern is typically that the
PTC system will enforce, which was its purpose to start with.
However, even vital electronics sometimes fail in other than a safe
mode, and in that case the crew performance is relied upon to
backstop the system (rather than the opposite)--assuming that the
crew has information that it needs to do so. Further, if the
engineer is distracted even for relatively few seconds the danger
exists that the engineer will not take other necessary actions
(sounding the horn at a crossing, monitoring the condition of the
brake pipe and setting the train up for an upcoming slow order to
avoid excessive in-train forces, etc.).
---------------------------------------------------------------------------
In those cases where train consist information needs to be adjusted
and confirmed in the PTC system, having that done by the conductor will
eliminate a potential source of error. (Provision of input capability
on the conductor's terminal will also (if so elected) avoid delays in
train starts associated with multiple crews attempting to work out
consist information over the radio or a cell phone link to the central
office.) Having the conductor observe displayed PTC system data should
also provide an additional opportunity for early identification of
problems with mandatory directives and displayed information that may
derive from corrupted databases, computational errors, or erroneous
mandatory directives.
The purpose of paragraph (f) is to ensure that those assigned tasks
in the cab are able to perform those tasks, including constructive
engagement with the PTC system. Furthermore, while the train is moving,
the locomotive engineer would be prohibited from performing functions
related to the PTC system that have the potential to distract the
locomotive engineer from performance of other safety-critical duties.
According to the public comments, that would make it impractical for
certain freight railroads not to equip its locomotives with a second,
interactive, display.
AAR says that FRA cannot point to any computer-related activities
that could result in distraction of the engineer. The 2009 FRA report
entitled Technology Implications of a Cognitive Task Analysis for
Locomotive Engineers touches on this. For example, the report states:
``Sources of new cognitive demands include constraints imposed by the
PTC braking profile that require locomotive engineers to modify train
handling strategies; increases in information and alerts provided by
the in-cab displays that require locomotive engineers to focus more
attention on in-cab displays versus out the window, and requirements
for extensive interaction with the PTC systems (e.g., to initialize
it--to acknowledge messages and alerts) that impose new sources of
workload.'' This suggests that, unless task sequencing is managed
wisely, interaction with PTC can distract the engineer from looking
outside the cab and attending to other duties important in train
operation safety.
Over the years, FRA has conducted significant human factors
research related to supervisory train control systems such as PTC. In
the course of that research, it has been noted that the human-machine
interface (HMI) should be configured to avoid task overload and to
permit the locomotive engineer to attend to the safe movement of the
train during all times when it is in motion. This may require
responding to obstacles on the railroad ahead (e.g., vandalism, cars
stored on grade crossings, unsecured equipment that has rolled out,
personnel in the foul without prior notice to train crews), without
regard to risk of collision with other trains. Further, FRA has noted
from its experience with the initial freight implementations of PTC
systems that having the second crew member, where applicable, directly
interact with the PTC system may offer the best likelihood of its safe
functioning. For instance, train consist information (number of
locomotives and cars, tonnage, length of train) is provided in ETMS
from the company's management information system). That information is
essential to the braking computation onboard. But this is often the
intended consist, and the actual consist may vary. Having the crew
member responsible for the accuracy of the consist enter or confirm the
consist in the PTC system will avoid one opportunity for error each
time this is accomplished (which, in the case of a road switching
assignment, may be several times during a duty tour).
The NPRM proposed, and the final rule requires, that the onboard
apparatus be arranged so that each crew member assigned to perform
duties in the locomotive cab could view a PTC display and execute any
functions necessary to that crew member's duties. This provision does
not require multiple screens, per se, nor does it require that more
than one employee must be assigned to a crew. In fact, the proposed and
final rules are technology neutral.
FRA is aware of multiple ways that paragraph (f) may be satisfied
in the event multiple crew members are in the cab and need access to
the information provided by the PTC system. Each alternative has its
own advantages and difficulties. FRA is ultimately concerned that the
crew members receive the same information displayed in the same manner.
I.e., if an engineer is looking at a graphic on a screen, a conductor
in the same cab should be looking at the same graphic on whatever
device the conductor is using.
For instance, there can be a single large display placed in a
location within the cab making it accessible to all crew members in the
cab (as is done by Amtrak in the ACSES system used on the Northeast
Corridor). A single display (similar to traditional cab signals) could
be used if sufficiently large to provide adequate resolution of
details. If the railroad opts to use a PTC system that includes the
added functionality of digital transmissions for these purposes, a
single screen placed between the crew members may be appropriate.
A configuration may also include two fixed screens; one for the
locomotive engineer and another for other crew members. In providing
cost estimates for this rulemaking, the Class I railroads have assumed
that this approach would be employed and that the display would be
associated with an interactive terminal. FRA does not question the
rationale in this manner and has approached costs estimates in the
Regulatory Impact Analysis with this assumption.
[[Page 2672]]
The railroads have also discussed the possibility that, where the
locomotive engineer may have his or her own fixed screen, the other
crew members could make use of individual ``heads-up'' displays or
personal hand-held or portable wired or wireless devices with train
control software, which could be set up as an interactive terminal.
Through its Office of Research and Development, FRA has developed
personal digital assistant (PDA) software for management of roadway
worker authorities at a reasonable cost (at approximately one-quarter
of the cost of a second dash-mounted display), and doing the same for a
crew remote terminal should be just as practical. The vendor for the
on-board portion of the ITC system already provides a router port, and
routers are inexpensive. FRA assumes that there would be some
additional costs related to replacement of misplaced or damaged devices
and changing of batteries, but those costs should be reasonable. Under
paragraph (f), hand-held or portable devices could be implemented and
would have the same advantages as a fixed terminal. FRA does not
require that the display be permanently affixed to the locomotive. The
advantage of this approach would be a lesser initial cost, likely about
one-fourth of the fixed terminal. Disadvantages include logistics of
handling (loss, damage).
The major freight railroads point to passenger service as evidence
that a ``second display'' is not required, but their arguments are
inapposite. Crew responsibilities and interactions on passenger trains
are historically different than is the case with freight crews, and
thus crew resource management will not be undercut by use of a single
display. For instance, in the case of a passenger train with a single
locomotive engineer, the engineer will have the opportunity to
initialize the system at the point of departure by making a relatively
easy selection for class of train (if this is not done automatically).
Moreover, unlike in freight operations, crew members for passenger
operations do not need to enter or confirm detailed consist information
for a heavy train that may have a wide variety of loaded and empty
cars. If it is necessary for the locomotive engineer to take a
mandatory directive through the PTC terminal, that can be done with the
train stopped at a passenger station, as is the case today using the
voice radio. Passenger railroads will almost certainly elect to use
vital on-board processing, so the relative chance of an on-board
computer error will be less.
For all of the systems proposed thus far, crewmembers must actively
review and acknowledge mandatory directives in order for the system to
provide the required level of safety. Where mandatory directives are
transmitted by voice over the radio, which is the current practice for
freight railroads, the conductor would typically be able to copy and
acknowledge the transmission while the train is in motion. Passenger
train engineers would have to be stopped (e.g., at a station) in order
to copy and acknowledge the mandatory directive. See 49 CFR
220.61(b)(2).
FRA is aware of three ways to receive, safely review, and
acknowledge mandatory directives. First, the engineer could receive,
review, and acknowledge authorities while the train is stopped. Second,
the conductor could receive, review, and acknowledge voice
transmissions of mandatory directives, whether or not the train is
moving. Third, the conductor could receive, review, and acknowledge
authorities through a device which combines display and data entry
capabilities, whether or not the train is moving. The first option is
likely how passenger railroads will comply with the requirements. Such
railroads have only one crewmember in most cabs. This is likely not to
be extremely burdensome on most passenger trains, as the engineer can
receive, review, and acknowledge mandatory directives at passenger
station stops. Thus, FRA is not being illogical, as AAR asserts, by
permitting passenger operations with a single cab occupant. What would
be illogical would be to require a second display where only one
crewmember is present. Freight locomotives with only one crewmember
present would also be likely to use the first option, although the cab
may be equipped with a second display. The second option would only
require a display be within a conductor's view, but would be much lower
cost. The third option, which FRA believes may be the norm for freight
locomotives, may require the aforementioned second fixed screen, heads-
up display, or handheld or portable device. FRA does not believe it
would be practical for one terminal to serve both crewmembers if both
may be required to enter or access data.
It should be noted that employing a fourth option, implied in
railroad testimony, would be problematic on many fronts. That option
would presumably involve a single display in front of the locomotive
engineer. The train would receive electronic authorities exclusively
through that device, and the engineer would acknowledge receipt using a
simple procedure (e.g., pressing a single soft key) that was designed
to hasten the task and limit distraction. The problem with such a
procedure is that (i) there is no assurance that the engineer would
understand what was being received, (ii) there is little chance that
the engineer would identify any authority or slow order that was not
appropriate to the situation, and (iii) there would be no reasonable
way to convey the mandatory directive to the other crew member without
stopping the train and copying it off the screen. This would be a
perfect prescription for exclusive reliance on technology, which is
ill-advised and which the railroads claim will not be done (i.e., these
are said to be ``overlay'' systems that cannot detract from the
underlying methods of operation).
Again, the railroads are perhaps correct that safety might still be
improved under this fourth option, at least as to the operations under
PTC control, but that is not the question here. The question is whether
technology will be employed that primarily protects against human error
on board, or whether technology will be employed that protects most of
the time but induces human error on other occasions. Every day in the
United States there are thousands of train starts and hundreds of
thousands of opportunities for human error in train operations. Yet
well-trained crews rise to these challenges, and as a result each year
there are approximately 50 to 60 train collisions on the main lines, a
small number of overspeed derailments and work zone violations, and a
handful of movements through misaligned main track switches.
Accordingly, a relatively small number of wrong-side errors in the
operation of the PTC system accompanied by any diminishing of vigilance
on the part of train crew members could easily cause results from PTC
implementation to fall short of the risk reduction identified in FRA's
analysis. With time and refinement of technology and databases, there
may be significant adjustments that can be made in current operating
rules and procedures. But existing PTC technology for the general
freight system has not yet been proven at that level, and it will be
some years before that will be the case. In the meantime, it will be
crucial that informed and well coordinated crews maintain engagement in
the management of mandatory directives and compliance with wayside or
cab-displayed signal indications.
Accordingly, FRA remains convinced that each crew member should
have access to, and engagement with, information and requirements
pertinent
[[Page 2673]]
to the operations for which they are responsible. This third option,
combined with electronic transmission of mandatory directives, would
pay for itself in a very short time. Assuming that a train has to be
stopped twice each day for the engineer to acknowledge a directive, and
that such a stop results in a cost of at least, and probably a lot more
than, $80 to account for additional braking and trip time as well as
missed opportunity for meets and passes, the cost of implementing this
option would surpass the cost of installing a second terminal in just
50 days of service as the controlling locomotive. Assuming the
locomotive is in the lead one-fourth of the time it is in service, the
avoided cost of stopping would be $8,000, the cost of an additional
terminal, in 200 days. In other words, the device will return its cost
in much less than a year.
Of course, the business benefits of a second terminal are not as
great if the railroad does not adopt electronic transmission of
mandatory directives. However, FRA believes that railroads will adopt
electronic transmission of mandatory directives as rapidly as possible.
They would benefit from being able to give roadway workers much more
rapid access to track, as well as by being able to reduce the
dispatchers' workload. Further, the business benefits envisioned in
Appendix A require more efficient dispatching, which would rely on
electronic transmission of mandatory directives, as well as managerial
directives related to train pacing and meet-pass planning.
The railroads have made no convincing argument that providing a
second display would be harmful, as such. Rather, they argue that the
cost is excessive in relation to any expected benefits. The AAR and
several Class I freight railroads commented that the cost to install a
second display in the locomotive would be approximately $8,000 per
locomotive. According to AAR estimates, 29,461 locomotives would need
to be equipped. This would translate into an initial installation cost
of $235,688,000. However, AAR overestimated the number of locomotives,
based on the document it cites. In that document, FRA estimated that
27,598 freight locomotives would be equipped with VTMS technology only,
and an additional 100 freight locomotives would be equipped with both
VTMS and ACSES technology, for a total of 27,698 locomotives, which, at
a unit cost of $8,000 per terminal type display, implies a total cost
of $221,584,000. AAR did not include the locomotives which would have
both VTMS and ACSES installed, and included passenger locomotives that
will likely not require additional hardware to meet the requirement due
to the nature of their operations. FRA does not disagree with the AAR
and railroad unit cost estimates, as long as what AAR refers to is the
type of unit that has input capabilities. FRA recognizes that the cost
is actually for an additional ``terminal'' versus simply a display and
that it must be made rugged for the locomotive cab operating
environment. The AAR and other railroads objecting to these
requirements maintain that there will be little safety benefit to the
requirements, and that the benefits would be far less than the costs.
However, in the long run, FRA believes that the additional cost for
installing a second terminal would be justified by the aforementioned
business benefits as well as the safety assurance.
FRA is not altering the cost estimates for PTC from those in the
analysis of the NPRM, because the costs of the second terminal were
already reflected.
FRA notes that estimated cost of the second display will be about
4% of the total initial costs of PTC deployment. FRA has narrowly
construed the PTC mandate to avoid separate monitoring of switches in
signal territory, to avoid significant costs and potential delay
related to following train collisions at low speed, and to provide
generous exceptions where allowed by law (restricted speed in yards and
terminals, passenger exceptions, Class II/III locomotives in limited
operations on PTC lines, etc.)--actions that will save one or more
billions of dollars during this initial implementation. If FRA believed
a deviation from historic train control practice was warranted here to
save 4% of the initial cost, we would happily provide it. We do not.
FRA believes that the PTC systems contemplated today will, at some
point in the future, all accept electronic transmission of mandatory
directives. The cost of providing a terminal to the second crewmember,
where applicable, reflects that reality. Were railroads not planning to
have conductors acknowledge mandatory directives, the railroad could
provide the conductor with a screen without input devices, or a clearer
view of the engineer's screen, which have a much lower unit cost.
FRA has placed in the docket of this rulemaking a document prepared
by FRA's Office of Research and Development, referencing available
human factors literature. Although FRA has addressed this issue from
the point of view of whether the cost is justified, FRA wishes to
emphasize that, at bottom, it is most crucial whether it would be
possible to responsibly implement PTC on the national rail system
without engaging the participation of each assigned crew member. We
conclude that no such possibility has been demonstrated. Further, based
upon FRA's knowledge of railroad operations and experience with
oversight of existing and emerging train control technologies, FRA
determines that it is essential for safety that each assigned crew
member be provided the information and access to system inputs required
to fulfill the crew member's respective duties.
AAR again raises the issue of single occupant cabs as an issue of
``crew resource management'' best left to the railroads. FRA maintains
that these operators will only be authorized to receive, review, and
acknowledge mandatory directives or similarly interact with the PTC
systems when their trains are not in motion.
In the NPRM, FRA noted:
[T]he principles of crew resource management and current crew
briefing practices in the railroad industry require that all members
of a functioning team (e.g., engineer, conductor, dispatcher,
roadway worker in charge) have all relevant information available to
facilitate constructive interactions and permit incipient errors to
be caught and corrected. Retaining and reinforcing this level of
cooperation will be particularly crucial during the early PTC
implementation as errors in train consist information, errors
generated in onboard processing, delays in delivery of safety
warnings due to radio frequency congestion, and occasional errors in
dispatching challenge the integrity of PTC systems even as the
normal reliability of day-to-day functioning supports reductions in
vigilance. Loss of crew cooperation could easily spill over to other
functions, including switching operations and management of
emergency situations.
Commenters generally made scant reference to this point. The AAR
did include an attachment to its testimony captioned with reference to
this point, but it begins with a summary task analysis to the effect
that ``the conductor is responsible for assisting in the operation.''
How the conductor will assist without a copy of the requisite orders
available, when the duty to copy mandatory directives is eliminated (as
the AAR assumes it will be), is left unexplained.
This is a ``far cry'' from section 402 of the RSIA08, which
requires that FRA adopt regulations for the certification of train
conductors. In FRA's experience as the agency responsible for oversight
of railroad operating rules and practices, the conductor plays a key
role in rail freight over-the-road operations by, inter alia,
determining the train consist, ensuring compliance with hazardous
materials placement and documentation
[[Page 2674]]
requirement, calling or acknowledging signals, receiving mandatory
directives, conducting frequent briefings with the locomotive engineer
to ensure compliance with movement restrictions, and intervening
through use of the conductor's brake valve if the engineer is
unresponsive or incapacitated. A conductor may be disciplined with the
locomotive engineer if a signal is violated or if a slow order or other
mandatory directive is disobeyed, and this regularly occurs. The
conductor plays the determinative role in switching operations, issuing
the directions for operation of the locomotive(s) so as to accomplish
safely the placement or pick-up of rail cars at customer locations, the
making up and breaking up of trains, and the conduct of brake tests
when mechanical personnel are not available.
Again, the major freight railroads have said that their PTC systems
will ``overlay'' existing methods of operations. Those existing methods
are defined in their books of rules, timetables and special
instructions. The General Code of Operating Rules, applicable to most
railroad operations in the western U.S., provides at section 1.47 that
``The conductor and engineer are responsible for the safety and
protection of their train and observance of the rules.'' It further
provides that ``The conductor supervises the operation and
administration of the train.'' ``The conductor must remind the engineer
that the train is approaching an area restricted by:
Limits of authority.
Track warrant.
Track bulletin.
or
Radio speed restriction.''
The rule continues: ``To ensure the train is operated safely and rules
are observed, all crew members must act responsibly to prevent
accidents or rule violations. Crew members in the engine control
compartment must communicate to each other any restrictions or other
known conditions that affect the safety operation of their train
sufficiently in advance of such condition to allow the engineer to take
proper action.'' The rule further requires communication of signals and
enjoins crew members to ``take action to ensure safety, using the
emergency brake valve to stop the train, if necessary.''
The NORAC Operating Rules, applicable to a number of eastern U.S.
railroads, provides at Rule 94 for general crew responsibilities
similar to those quoted above. In addition, Rule 941 provides that
``Conductors have general charge of the train to which they are
assigned, and all persons employed thereon are subject to their
instructions.''
Each railroad is free, within the constraints of the Railway Labor
Act as to staffing, and subject to oversight by FRA with respect to
safety, to determine its operating rules and assignment of
responsibilities to its personnel. Nevertheless, FRA remains concerned
that railroad operating crews function as a team, discharging their
responsibilities on the basis of adequate information and using their
knowledge of the operating situation to identify safety concerns and
resolve them. Within this framework, each crew member must remain able
to respectfully and helpfully question a judgment by another crew
member. This general approach is known as ``crew resource management''
(CRM), a concept perfected in aviation and urgently pressed on the
railroad industry by the National Transportation Safety Board and the
FRA. See NTSB Recommendation R-99-13 (July 29, 1999). Major railroads
have included CRM in their training programs.
The fear with respect to a diminution of crew integrity and
efficiency associated with asymmetrical distribution of current
operational data is that, not only may opportunities be lost to correct
errors within PTC operations, but also that the conductor's lack of
engagement will transfer to operations on lines not equipped with PTC.
Further, any reduction in ability to function as a team could transfer,
as well, to road and yard switching operations. Should this occur, the
price paid for PTC would include additional casualties and property
damage where PTC is not available as a safety net. A substantial
portion of the Class I freight network, and much of the switching and
terminal railroad mileage over which Class I crews also operate, will
not be equipped under the current mandate and perhaps not for many
years. How crews are conditioned to function together will influence
their behavior both within and outside of the PTC-equipped network. In
summary, FRA believes that maintaining the involvement of all assigned
crew members in operating and responding to the PTC system is necessary
to achieve the desired risk reduction expected of PTC systems and is
also necessary to avoid degrading crew performance outside of PTC
territory and during switching operations.
NYSMTA requested clarification that in a multiple unit passenger
train consist: (a) A second PTC display in every train operator
compartment is not required inasmuch as only the train operator
occupies the compartment, and; (b) the PTC operator displays in train
operator compartments in a consist, other than those from which the
train is operated from, are not to display PTC information while the
train is en route. The MTA railroads have been repeatedly reassured on
this point, and we are pleased to do so once again here.
As previously noted, on September 25, 2009, FRA entered into the
docket to this rulemaking a compendium of human factors literature
relevant to the HMI regulations and compiled by FRA's Office of
Research and Development. AAR then submitted late-filed supplemental
comments--which posted to the docket on October 20, 2009, approximately
two months after the closing of the comment period and three weeks
after FRA entered the compendium into the docket--addressing various
portions of the compendium. FRA believes that this final rule already
addresses each one of AAR's substantial concerns in its supplemental
comments. AAR also states that it ``has been deprived of the
opportunity to consider its comments in a deliberative fashion.''
Supplemental Comment of the Association of American Railroads, Docket
FRA-2008-0132-0055.1, at 3 (Oct. 20, 2009). However, contrary to AAR's
suggestion, the Administrative Procedure Act (APA) does not require
that FRA provide additional time to comment on the compendium. See,
e.g., Credit Union Nat. Ass'n v. National Credit Union Admin., 57
F.Supp.2d 294, 302 (E.D. Va. 1995) (agency complied with the APA's
notice and comment requirements, despite not disclosing certain data
related to the rulemaking, because the agency had provided a reasonable
opportunity to participate in the rulemaking process); see also
Appalachian Power Co. v. E.P.A., 579 F.2d 846, 853 (4th Cir. 1978)
(despite agency's failure to provide notice of certain data in advance
of public hearings, interested parties were sufficiently advised of the
scope and basis of the rulemaking to enable them to comment
intelligently and meaningfully). Instead, the APA simply states that an
agency must publish ``the terms or substance of the proposed rule or a
description of the subjects or issues involved.'' 5 U.S.C. 553(b)(3).
To meet the requirements of section 553, an agency ``must provide
sufficient factual detail and rationale for the rule to permit
interested parties to comment meaningfully.'' Florida Power & Light Co.
v. United States, 846 F.2d 765, 771 (DC Cir. 1988), cert. denied, 490
U.S. 1045 (1989).
[[Page 2675]]
FRA has provided that opportunity in this proceeding. The research
recited in the compendium simply provided for the benefit of interested
parties additional information that had previously been made public,
FRA's views on the import of the research were aired during RSAC
meetings and are expressed at various points in the NPRM, and the
railroads obviously had sufficient time to prepare 16 pages of comments
on the compendium itself. Clearly, the commenters were not prejudiced
by the inclusion of the compendium in the docket.
Section 236.1031 Previously Approved PTC Systems
FRA recognizes that substantial effort has been voluntarily
undertaken by the railroads to develop, test, and deploy PTC systems
prior to the passage of the RSIA08, and that some of the PTC systems
have accumulated a significant history of safe and reliable operations.
In order to facilitate the ability of the railroads to leverage the
results of PTC design, development, and implementation efforts that
have been previously approved or recognized by FRA prior to the
adoption of this subpart, FRA is proposing an expedited certification
process in this section.
Under paragraph (a), each railroad that has a PTC system that may
qualify for expedited treatment would have to submit a Request for
Expedited Certification (REC) letter. Products that have not received
approval under the subpart H, or have that have not been previously
recognized by FRA, would be ineligible. The REC letter may be jointly
submitted by PTC railroads and suppliers as long as there is at least
one PTC railroad. A PTC system may qualify for expedited certification
if it fulfills at least one of the descriptions proposed in paragraphs
(a)(1) through (a)(3). While these descriptions are objective in
nature, FRA intends them to cover ETMS, ITCS, and ACSES, respectively.
The versions or configurations recognized would depend upon the status
at the time of the request.
Paragraph (a)(1) applies to systems that have been recognized or
approved by FRA after submission of a PSP in accordance with subpart H.
Subpart I generally reflects the same criteria required for a PSP under
subpart H. Thus, FRA believes that most of the PTCDP and PTCSP
requirements in subpart I can be fulfilled with the submission of the
existing and approved PSP. However, FRA notes that the subject railroad
will also need to submit the information required in a PTCDP and PTCSP
that is not in the current PSP.
FRA also recognizes that certain PTC systems may currently operate
in revenue service with FRA approval through the issuance of a waiver
or order. Paragraphs (a)(2) and (a)(3) intend to cover those systems.
If a PTC system complying with paragraph (a)(1) is provided
expedited certification, the system plans should ultimately match the
criteria required for each PTCDP and PTCSP. As previously noted, a
railroad may seek to use a PTC system that has already received a Type
Approval. To extend this benefit as it applies to previously used
systems for which expedited certification is provided, paragraph (b)
gives the Associate Administrator the ability to provide a Type
Approval to systems receiving expedited certification in accordance
with paragraph (a)(1).
FRA recognizes that certain systems eligible for expedited
certification may not entirely comply with the subsequently issued
statutory mandate. Accordingly, under paragraph (c), FRA is compelled
to require that before any Type Approval or expedited certification may
be provided, the PTC system must be shown to reliably execute the same
functionalities of every other PTC system required by subpart I.
Nothing in this abbreviated process should be construed as implying the
automatic granting by FRA of a Type Approval or PTC System
Certification. Each expedited request for a Type Approval or PTC System
Certification must be submitted by the railroad under this abbreviated
process and, as required under subpart I, must demonstrate that the
system reliably enforces positive train separation and prevents
overspeed derailments, incursions into roadway worker zones, and
movements through misaligned switches.
Under paragraph (d), FRA encourages railroads, to the maximum
extent possible, to use proven service history data to support their
requests for Type Approval and PTC System Certification. While proven
service history cannot be considered a complete replacement for an
engineering analysis of the risks and mitigations associated with a PTC
product, it provides great creditability for the accuracy of the
engineering analysis. Testing and operation can only show the absence
or mitigation of a particular failure mode, and FRA believes that there
will always be some failure modes that may only be determined through
analysis. Due to this inherent limitation associated with testing and
operation, FRA also strongly encourages the railroads to also submit
any available analysis or information.
Paragraph (e) requires that, to the extent that the PTC system
proposed for implementation under this subpart is different in
significant detail from the system previously approved or recognized,
the changes shall be fully analyzed in the PTCDP or PTCSP as would be
the case absent prior approval or recognition. FRA understands that the
PTC product for which expedited Type Approval and PTC System
Certification is sought may differ in terms of functionality or
implementation from the PTC product previously approved or recognized
by FRA. In such a case, the service history and analysis may not align
directly with the new variant of the product. Similarly, the available
service history and analysis associated with a PTC product may be
inconclusive about the reliability of a particular function. It is
because of these possible situations that FRA can not unequivocally
promise that all requests for expedited Type Approval and PTC System
Certification submitted by a railroad under this subpart will be
automatically granted. FRA will, however, apply the available service
history and analytical data as credible evidence to the maximum extent
possible. FRA believes that this still greatly simplifies each
railroad's task in making its safety case, since the additional testing
and analysis required need only address those areas for which credible
evidence is insufficient. To reduce the overall level of financial
resources and effort necessary to obtain sufficient credible evidence
to support the claims being made for the safety performance of the
product, FRA also encourages each railroad to share with other
railroads a system's service history and the results of any analysis,
even in the case where the shared information does not fully support a
particular railroad's safety analysis.
Paragraph (f) defines terms used only in this section. ``Approved''
refers to approval of a PSP under subpart H. As this final rule was
being prepared, only BNSF ETMS I configuration had been so approved,
but other systems were under development. ``Recognized'' refers to
official action permitting a system to be implemented for control of
train operations under an order or waiver, after review of safety case
documentation for the implementation. As this NPRM was being prepared,
only ACSES I had been recognized under an order of particular
applicability, and ACSES II was under review for potential approval.
Only one system, the ITCS in place on Amtrak's Michigan line, had been
approved for unrestricted revenue service under waiver.
[[Page 2676]]
FRA was unable to fashion an outright ``grandfathering'' of
equipment previously used in transit and foreign service. FRA does not
have the same degree of direct access to the service history of these
systems. Transit systems--except those that are connected to the
general railroad system--are not directly regulated by FRA. FRA has had
limited positive experience eliciting safety documentation from foreign
authorities, particularly given the influence of national industrial
policies.
However, FRA believes that, while complete exclusion may not be
available in those circumstances, procedural simplification may be
possible. FRA is considering a procedure under which the railroad and
supplier could establish safety performance at the highest level of
analysis for the particular product, relying in part on experience in
the other service environments and showing why similar performance
should be expected in the U.S. environment. Foreign signal suppliers
should be in a good position to marshal service histories for these
products and present them as part of the railroad's PTCSP. For any
change, the applicant must provide additional information that will
enable FRA to make an informed decision regarding the potential impact
of the change on safety. This information must include, but is not
limited to, the following: (1) A detailed description of the change;
(2) a detailed description of the hardware and software impacted by the
change; (3) a detailed description of any new functional data flows
resulting from the change; (4) the results of the analysis used to
verify that the change did not introduce any new safety risks or, if
the change did introduce any new safety risks, a detailed description
of the new safety risks and the associated risk mitigation actions
taken; (5) the results of the tests used to verify and validate the
correct functionality of the product after the change has been made;
(6) a detailed description of any required modifications in the
railroad training plan that are necessary for continued safe operation
of the product after the change; and (7) a detailed description of any
new test equipment and maintenance procedures required for the
continued safe operation of the product.
In the same vein, paragraph (g) encourages re-use of safety case
documentation previously reviewed, whether under subpart H or subpart
I.
Section 236.1033 Communications and Security Requirements
Subpart I provides specific communications security requirements
for PTC system messages. Section 236.1033 originated from the radio and
communications task force within the PTC Working Group. The objectives
of the requirements are to ensure data integrity and authentication for
communications with and within a PTC system.
In data communications, ``cleartext'' is a message or data in a
form that is immediately comprehensible to a human being without
additional processing. In particular, it implies that this message is
transferred or stored without cryptographic protection. It is related
to, but not entirely equivalent to, the term ``plaintext.'' Formally,
plaintext is information that is fed as an input to a cryptographic
process, while ``ciphertext'' is what comes out of that process.
Plaintext might be compressed, encrypted, or otherwise manipulated
before the cryptographic process is applied, so it is quite common to
find plaintext that is not cleartext. Cleartext material is sometimes
in plain text form, meaning a sequence of characters without
formatting, but this is not strictly required. The security
requirements are consistent with the Department of Homeland Security
(DHS) guidance for SCADA systems and the National Institute of
Standards and Technology guidance. FRA has coordinated this final rule
with DHS.
Paragraph (a) establishes the requirement for message integrity and
authentication. Integrity is the assurance that data is consistent and
correct. Generally speaking, in cryptography and information security,
integrity refers to the validity of data. Integrity can be compromised
through malicious altering--such as an attacker altering an account
number in a bank transaction, or forgery of an identity document--or
accidental altering--such as a transmission error, or a hard disk
crash. A level of data integrity can be achieved by mechanisms such as
parity bits and cyclic redundancy codes. Such techniques, however, are
designed only to detect some proportion of accidental bit errors; they
are powerless to thwart deliberate data manipulation by a determined
adversary whose goal is to modify the content of the data for his or
her own gain. To protect data against this sort of attack,
cryptographic techniques are required. Thus, appropriate algorithms and
keys must be employed and commonly understood between the entity
wanting to provide data integrity and the entity wanting to be assured
of data integrity.
Authentication is the act of establishing or confirming something
(or someone) as authentic. Various systems have been invented to
provide a means for readers to reliably authenticate the sender. In any
event, the communication must be properly protected; otherwise, an
eavesdropper can simply copy the relevant data and later replay it,
thereby successfully masquerading as the original, legitimate entity.
Sender authentication typically finds application in two primary
contexts. Entity identification serves simply to identify the specific
entity involved, essentially in isolation from any other activity that
the entity might want to perform. The second context is data origin
identification, which identifies a specific entity as the source or
origin of a given piece of data. This is not entity identification in
isolation, nor is it entity identification for the explicit purpose of
enabling some other activity. Rather, this is identification with the
intent of statically and irrevocably binding the identified entity to
some particular data, regardless of any subsequent activities in which
the entity might engage. Cryptographically based signatures provide
nearly irrefutable evidence that can be used subsequently to prove to a
third party that this entity did originate--or at least possess--the
data.
Paragraph (b)(1) requires that cryptographic algorithms and keys
used to establish integrity and authenticity be approved by either the
National Institute of Standards & Technology (NIST) or a similar
standards organization acceptable to FRA. As a practical matter,
cryptographic algorithms can be believed secure by competent,
experienced, and practicing cryptographers. This requires that the
algorithms be publicly known and have been seriously studied by working
cryptographers. Algorithms that have been approved by NIST (or similar
standards bodies) can be assured of being both publicly known and
seriously studied.
Paragraph (b)(2) allows the use of either manual or automated means
to distribute keys. Key distribution is the most important component in
secure transmissions. The general key distribution problem refers to
the task of distributing keys between communicating parties to provide
the required security properties. Frequent key changes are usually
desirable to limit the amount of data compromised if an attacker learns
the key. Therefore, the strength of any cryptographic system
[[Page 2677]]
results with the key distribution technique, a term that refers to the
means of delivering a key to two parties that wish to exchange data
without allowing others to see the key. Key distribution can be
achieved in a number of ways. There are various combinations by which a
key can be selected manually or in automation amongst one or multiple
parties.
Paragraph (b)(3) establishes the conditions under which
cryptographic keys must be revoked. Paragraph (b)(3)(i) addresses the
situation when a key has actually been found to have been compromised
and when the possibility of key compromise exists. Cryptographic
algorithms are part of the foundations of the security house, and any
house with weak foundations will collapse. Adequate procedures should
be foreseen to take an algorithm out of service or to upgrade an
algorithm which has been used beyond its lifetime.
Paragraph (d) addresses physical protection as applied to
cryptographic equipment. Compliance does not necessitate locking
devices within mechanical safes or enclosing their electronics within
thick steel or concrete shields (i.e., making them tamper-proof).
Compliance does, however, involve using sound design practices to
construct a system capable of attack detection by a comprehensive range
of sensors (i.e., tamper resistant). The level of physical security
suggested should be such that unauthorized attempts at access or use
will either be unsuccessful or will have a high probability of being
detected during or after the event. Additionally, the cryptographic
equipment should be prominently situated in operation so that its
condition (outward appearance, indicators, controls, etc.) is easily
visible to minimize the possibility of undetected penetration. In any
system containing detection and destruction methods as described here,
there is naturally a cost penalty for providing very high levels of
tamper resistance, due to construction and test requirements by the
manufacturer. It is naturally important to analyze the risks of key
disclosure against cost of protection and specify a suitable
implementation.
Confidentiality has been defined by the International Organization
for Standardization (ISO) as ``ensuring that information is accessible
only to those authorized to have access.'' Confidentiality, integrity,
and authentication all rely on the same basic cryptographic
primitives--algorithms with basic cryptographic properties--and their
relationship to other cryptographic problems. These primitives provide
fundamental properties, which guarantee one or more of the high-level
security properties. In paragraph (e)(1), FRA makes it clear that while
providing for confidentiality of message data is not a regulatory
requirement, if confidentiality is elected to be implemented by a
railroad, that the same protection mechanisms applicable to the
cryptographic primitives that support integrity and authentication must
also be provided for the cryptographic primitives that support
confidentiality.
It is only the difficulty of obtaining the key that determines
security of the system, provided that there is no analytic attack
(i.e., a ``structural weakness'' in the algorithms or protocols used),
and assuming that the key is not otherwise available (such as via
theft, extortion, or compromise of computer systems). A key should
therefore be large enough that a brute force attack (possible against
any encryption algorithm) is infeasible, whereas the attack would take
too long to execute. Under information theory, to achieve perfect
secrecy, it is necessary for the key length to be at least as large as
the message to be transmitted and only used once (this algorithm is
called the one-time pad). In light of this, and the practical
difficulty of managing such long keys, modern cryptographic practice
has discarded the notion of perfect secrecy as a requirement for
encryption, and instead focuses on computational security. Under this
definition, the computational requirements of breaking an encrypted
text must be infeasible for an attacker. Paragraph (e)(2) requires that
in the event that a railroad elects to implement confidentiality, the
chosen key length should provide the appropriate level of computational
complexity to protect the information being protected, and that this
information be included in the PTCSP. Both academic and private
organizations provide recommendations and mathematical formulas to
approximate the minimum key size requirement for security based on
mathematic attacks; they generally do not take algorithmic attacks,
hardware flaws, or other such issues into account. Paragraph (e)(2) has
been revised in the final rule to correct an erroneous cross-reference
to the security requirements set forth in Sec. 236.1013(a)(7).
Key management--the process of handling and controlling
cryptographic keys and associated material during their life cycle in a
cryptographic system--includes ordering, generating, distributing,
storing, loading, escrowing, archiving, auditing, and destroying the
different types of material. Paragraph (e) requires that cleartext
stored cryptographic keys be protected from unauthorized disclosure,
modification, or substitution. During key management, however, it may
be necessary to validate the accuracy of the key being entered,
especially in cases where the key management process is being done
manually. During the key entry process, keys not encrypted to protect
against disclosures may be temporarily displayed to allow visual
verification. However, if the key has been encrypted to protect against
disclosure, then the cleartext version of the key may not be displayed.
This does not, however, preclude the display of the encrypted version
of the key.
In paragraph (f), FRA requires that each railroad implement a
service restoration and mitigation plan to address restoral of
communications services in the event of their loss or disruption and to
make this plan available to FRA. Loss of communications services
reduces or eliminates the effectiveness of a PTC system and FRA
requires that these critical safety systems, once implemented, are
restored to operation as soon as practical. FRA believes that the
restoration plan must include testing and validating the plan,
communicating the plan, and validating backup and restoration
operations.
To ensure that these or any other procedures work in the railroad's
operational environment, the railroad must validate each procedure
intended for implementation. The backup and restoration plan should
clearly describe who is to implement procedures and how they are to do
it. The primary information to be communicated includes: The team or
person (specified as an individual or a role) that is responsible for
determining when restoration of service is required and the procedures
to be used to restore service, as well as the team or person
responsible for implementing procedures for each restoration scenario;
the criteria for determining which restoration procedures are most
appropriate for a specific situation; the time estimates for
restoration of service in each restoration scenario; the restoration
procedures to be used, including the tools required to complete each
procedure; and the information required to restore data and settings.
Finally, paragraph (g) makes clear that railroads are permitted to
implement more restrictive security requirements provided the
requirements do not adversely impact the interoperability.
[[Page 2678]]
FRA has received no comments on Sec. 236.1033 and has adopted it
as proposed.
Section 236.1035 Field Testing Requirements
Initial field or subsequent regression testing of a PTC product on
the general rail system is often required before the product has been
certified in order to obtain data to support the safety case presented
in the PTCSP. To ensure the safety of the public and train crews, prior
FRA approval is required to conduct test operations on the general rail
system. This paragraph provides an alternative to the waiver process
when only part 236 regulations are involved. When regulations
concerning track safety grade crossing safety or when operational rules
are involved, however, this process would not be available. Such
testing may also implicate other safety issues, including adequacy of
warning at highway-rail crossings (including part 234 compliance),
qualification of passenger equipment (part 238), sufficiency of the
track structure to support higher speeds or unbalance (part 213), and a
variety of other safety issues, not all of which can be anticipated in
any special approval procedure. Approval under this part for testing
does not grant relief from other parts of this title and the railroads
must still apply for relief from the non-part 236 regulations under the
discrete special approval sections of those regulations, the provisions
of part 211 related to waivers, or both.
The information required for this filing is described in paragraphs
236.1035(a)(1) through (a)(7). This information is necessary in order
for FRA to make informed decisions regarding the safety of testing
operations. FRA would prefer that the informational filings to test
under this part be accompanied by any requests for relief from non-part
236 regulations so that they may be considered as a whole.
Paragraph (b) provides notification that FRA may--based on the
results of the review of the information provided in paragraph (a) and
in order to provide additional oversight to ensure the safety of rail
operations--impose special conditions on the execution of the testing,
including the appointment of an FRA test monitor. When a test monitor
is appointed, he or she has the authority to stop testing if unsafe
conditions arise, require additional tests as necessary to demonstrate
the safe operation of the system, or have tests rerun when the results
are in question.
Paragraph (c) reemphasizes the earlier discussion that either
temporary or permanent requests for relief for other than requirements
of part 236 must be submitted in accordance with the waiver processes
specified by part 211.
FRA has received no comments on Sec. 236.1035 and has adopted it
as proposed.
Sections 236.1037 Through 236.1049
In subpart H, Sec. Sec. 236.917 through 236.929 contain various
requirements that involve PSPs. FRA believes that these requirements
should apply equally to PTC systems governed by subpart I. FRA has
included Sec. Sec. 236.1037 to 236.1049 to inform interested parties
how these elements would apply. FRA intends that the meanings of those
sections in subpart H, as described in the preamble to its proposed and
final rules, would also apply equally in the context of this final
rule. While FRA has considered amending these sections in subpart H to
incorporate references to subpart I, FRA believes such an attempt and
its results would be cumbersome and awkward. Thus, FRA has included the
provisions in subpart I for clarity.
The Rail Labor Organizations have expressed support for the
training and qualification provisions in Sec. Sec. 236.1041, 236.1045,
236.1047, and 236.1049 and support an expansion of PTC personnel
training requirements, as necessary, based upon experience gained and
any training deficiencies identified during operations of these
systems. The RLO states that training on the PTC system is essential
for all employees who will interface with this technology. While the
RLO supports the requirement that employees must maintain the skill
level necessary to safely operate trains, they urge FRA to consider
that the ``4 hour work period'' of manual operation of a train should
be conducted not less often than once in any given tour of duty.
Considering that the maximum workday (except in extreme emergencies) is
12 hours, the locomotive engineer will then be manually operating the
train at least 33% of the time. FRA has considered this suggestion for
a change in the approach from subpart H. However, FRA believes that
this is an issue that should be more specifically addressed in the
PTCSP for the system, should automatic operation ever be proposed.
Appendix A to Part 236--Civil Penalties
Appendix A to part 236 contains a schedule of civil penalties for
use in connection with this part. FRA is revising this schedule of
civil penalties through issuance of the final rule to reflect the
addition of subpart I to this part.
Appendix B to Part 236--Risk Assessment Criteria
FRA hereby modifies Appendix B of part 236 to enhance the language
for risk assessment criteria in light of the experience gained during
the initial stage of PTC system implementation under subpart H and to
accommodate the requirements of subpart I regulating the use of
mandatory PTC systems. As modified, Appendix B includes certain
headings and new language in paragraphs (a) through (h).
Paragraph (a) reflects the change in the required length of time
over which the system's risk must be computed. FRA replaces the
requirement to assess risk for the system ``over the life-cycle of 25
years or greater'' with the requirement to assess risk ``over the
designed life-cycle of the product.'' FRA believes that the language is
consistent with the preamble discussion of the subpart H final rule
inasmuch that they do not specify the length of a system's life cycle,
thereby providing flexibility for new processor-based systems to have a
life cycle other than 25 years.
FRA hereby modifies paragraph (b) only to clarify FRA's intent.
FRA hereby modifies the heading and content of paragraph (c) to
better identify the main purpose of this requirement and to ensure its
consistency with the associated requirements of Sec. Sec. 236.909(c)
and (d). FRA believes that previous paragraph (c) and its heading did
not fully support or clarify the main intent of subpart H, which
requires that the total cost of hazardous events should be the risk
measure for a full risk assessment and that the mean time to hazardous
event (MTTHE) calculations for all hazardous events should be the risk
measure for the abbreviated risk assessment. The existing subpart H
text asks for both the base case and the proposed case to be expressed
in the same metrics. Paragraph (c) of this appendix, as written prior
to the issuance of this final rule, did not fully reflect FRA's intent
that the same risk metric is to be used in the risk assessment for both
the previous and current conditions (see Sec. 236.913(g)(2)(vii)). FRA
believes that the revised title of this paragraph poses the right
question and that its new language provides better guidance on how to
perform risk assessment for previous and current conditions.
FRA hereby modifies the heading and text of paragraph (d) to create
a comprehensive and detailed list of system characteristics that must
be included in the risk assessment for each proposed PTC system subject
to requirements of subpart H or subpart I,
[[Page 2679]]
or both, as applicable. FRA believes that the extended description of
system characteristics better suits the risk assessment requirements of
subpart H and subpart I. For example, the revisions clarify that the
risk assessment must account for the total volume of traffic, the type
of transported freight materials (PIH, TIH), and any additional
requirements for PTC systems with trains operating at certain speeds.
FRA hereby modifies paragraph (e) to clarify its intent and reflect
the industry's experience in risk assessment techniques gained during
the initial stage of PTC system implementation under subpart H. In the
language of paragraph (e), FRA provides more specific guidance on how
to derive the main risk characteristics, MTTHE, and what role
reliability and availability parameters, such as mean time to failure
(MTTF) or mean time between failures (MTBF), for different system
components can play while assessing risk for vital and non-vital
hardware or software components of the system. FRA emphasizes that it
is critical that each railroad and its vendors or suppliers include the
software failure rates into risk assessments for the system. FRA also
finds it necessary to advise each railroad and its vendors or suppliers
to include reliability and availability characteristics, such as MTTF
or MTBF, into its risk assessment to account for potential system
exposure to hazards during system failures or malfunctioning when the
system operates in its fall back mode--the back-up operation, as
described in the PTCSP, when the PTC system fails to operate.
FRA believes that the modifications to paragraph (e) more
accurately address the industry's need for clarity in interpretation
and execution of the requirements related to risk assessment. FRA
received comments from HCRQ/CGI noting that the phrases ``frequency of
hazardous events'' and ``failure frequency'', which were contained in
paragraph (e) of the proposed rule, are equivalent. HCRQ/CGI therefore
recommended that FRA revise the second sentence in paragraph (e) to
read as follows: ``The MTTHE is to be derived for both fail-safe and
non-fail-safe subsystems or components.'' FRA agrees with this
recommendation and has therefore revised the second sentence of
paragraph (e) accordingly.
Several commenters questioned whether additional guidance on
acceptable methods for calculating MTTHE values for processor-based
subsystems and components can be given by FRA. FRA believes it is
inappropriate to provide this guidance in the text of the final rule,
especially counting the fact that FRA is not to be involved in all
aspects of the design and engineering associated with a product. Any
guidance that FRA could provide would not reflect the level of
understanding that the vendor(s) or supplier(s) and system integrators
of the product should have gained throughout the design and
implementation process that would enable them to specify, evaluate and
determine such critical measures as MTTF, MTBF, and MTTHE. There is a
large body of publicly available work from the research and engineering
community that addresses various perspectives on determination of
appropriate methods of determining MTTHE and other related parameters.
Upon receipt of the risk assessment documentation in the PTCSP, FRA
will provide feedback on the appropriateness of a vendor, supplier, or
railroad selected methodology for determining MTTHE and the
acceptability of the results of calculations based on that methodology
with respect to regulatory acceptability. However FRA views the
specification and determination of appropriate MTTHE and other design
parameters as a fundamental responsibility of the system integrator,
vendor, or supplier that neither can nor should be abrogated.
FRA received comments on the last sentence in paragraph (f)(1) from
HCRQ/CGI, in which HCRQ/CGI asserted that ``permanent'' faults would
result in an MTTHE of zero. In addition, HCRQ/CGI asserted that
``transient'' by definition is something that comes and then goes away,
which may never be detected. Thus, HCRQ/CGI questioned how one could
determine the rate of its occurrence. In order to address these
concerns, HCRQ/CGI recommended that FRA revise the last sentence in
paragraph (f)(1) to read as follows: ``The MTTHE calculation must
consider the rates of failures caused by contributory faults accounting
for the fault coverage of the integrated hardware/software subsystem or
component, phased interval maintenance, and restoration of the detected
failures.''
In response to this comment, FRA would like to reiterate that the
main intent of the requirement specified in paragraph (f)(1) was to
request that the statistics on subsystem or component failures
available for MTTHE calculation must be used in its entirety. This
means that all types of failures (faults) observed during subsystem or
component operation should be accounted for, regardless of the types of
failures by their appearance to the observer (permanent, transient or
intermittent), and regardless of whether the failure was caused by the
fault of the subsystem or component itself or by errors of the
operating agent (human factor associated with operation, maintenance or
restoration of the subsystem). FRA feels that replacing the enumerated
in the original text types of faults ``permanent, transient, and
intermittent'' with the term ``contributory faults'' will not assure
that all types of faults will be accounted for. FRA also notes that the
derivation of MTTHE for the operating system, subsystem or component
for which the risk assessment is to be performed is a complex process
which may require the use of Fault Tree Analysis or other relevant
techniques. These techniques will use the probabilities of single point
component failures identified for the system. This process cannot lead
to MTTHE of zero value. Neither can this process result in MTTHE being
equal to infinity. The calculated probability of accidents (the inverse
value of MTTHE) may be infinitely small to the extent that the safety
requirement of this Part is met (i.e., during the entire life time of
the system it is very unlikely for the accident to occur), but rarely
will the probability of such events be zero in a practical world. Based
on this reasoning, FRA retains the text in proposed paragraph (f)(1).
FRA hereby modifies paragraph (f)(2) to reflect FRA's understanding
that a software failure analysis may not necessarily be based on MTTHE
``Verification and Validation'' processes and that MTTHE
characteristics cannot be easily obtained for the system software
components. The modification intends to outline the significance of
detailed software fault/failure analysis and software testing to
demonstrate repeatable predictive results that all software defects are
identified and corrected.
FRA received comments from HCRQ/CGI on paragraph (f)(2), in which
HCRQ/CGI asserted that ``proper'' assessment is open to interpretation,
while Real Time Operating System (RTOS) ``evaluation'' is possible.
HCRQ/CGI also asserted that the assessment of device driver software
would require the source code, which is usually proprietary. Thus,
HCRQ/CGI recommended that the assessment should include Commercial Off-
The-Shelf (COTS) software, if incorporated, other than the operating
system. HCRQ/CGI asserted that FRA could make this change by revising
the first sentence in paragraph (f)(2) to read as follows: ``Software
fault/failure analysis must be based on the assessment of the design
and implementation of the application code, an evaluation of the
operating/
[[Page 2680]]
executive program and other COTS software components.'' HCRQ/CGI also
commented that it is not possible to demonstrate that all software
defects have been identified with a high degree of confidence. HCRQ/CGI
quotes a famous statement made years ago (author unknown): ``It is
common in industry to find a piece of software, which has been
subjected to a thorough and disciplined testing regime, has serious
flaws.'' HCRQ/CGI asserted that it is not clear what ``high degree of
confidence'' implies. Therefore, HCRQ/CGI recommended that the last
sentence in paragraph (f)(2) be revised to read as follows: ``The
software assessment process must demonstrate, through repeatable
predictive results, that the software operates as specified without
error.''
In response to this comment, FRA revises paragraph (f)(2) to
replace the phrase ``proper assessment'' with the word ``assessment,''
and to specify that ``all safety-related software'' should be included
in the software fault/failure analysis including COTS software.
However, FRA disagrees with the commenter that, in the requirement
for the software defects to be identified and corrected with the ``high
degree of confidence,'' the term ``high degree of confidence'' requires
further clarification. The definition of this term is already given in
the preamble discussion for Sec. 236.903 in subpart H of this part.
See 70 FR 11,052, 11,067 (Mar. 7, 2005). This term is widely issued in
sections of this part related to safety and risk assessment. Therefore,
FRA leaves the last sentence of paragraph (f)(2) unchanged.
FRA hereby modifies paragraph (g) to clarify that MMTHE
calculations should account for the restoration time after system or
component failure and that the system design must be assessed for
adequacy through the Verification and Validation process.
HCRQ/CG, in reference to paragraph (g)(1), repeated its comment
given for the last sentence in paragraph (f)(1) that relates to the
types of faults (permanent, transient).
FRA notes that the explanations provided in FRA's response to this
comment for paragraph (f)(1) are also applicable for this paragraph and
therefore includes the text of proposed (g)(1) in the final rule.
FRA hereby modifies paragraph (h) to emphasize the need to document
all assumptions made during the risk assessment process. FRA believes
that the assumptions should be documented while deriving the total cost
of potential accident consequences for full risk assessment or MTTHE
values for abbreviated risk assessment, rather than only documenting
assumptions for other intermediate parameters, such as MTTF and Mean
Time To Repair (MTTR), as currently required. These two referenced
parameters may or may not be relevant for the risk assessment.
FRA received comments from HCRQ/CGI on paragraph (h)(1), in which
HCRQ/CGI asserted that the first sentence should be its own paragraph.
However, HCRQ/CGI also asserted that the proposed rule text was unclear
as to how the railroad would be expected to comply with this
requirement.
FRA disagrees with the commenter that the paragraph (h)(1) should
be restructured and that further clarification is required for the
process of documenting all assumptions made while deriving the risk
metrics that are to be used in the risk assessment for the product. In
order for FRA to assess the validity of risk assessment done by
railroads for their particular products, all assumptions made by the
railroad in regards of deriving chosen risk metrics shall be presented
along with the risk assessment. This is critical for the further
confirmation that the assumptions made were correct based on the
following in-service experience. Documenting assumptions made in the
process of risk analysis is rather common procedure recommended by
various studies in safety and reliability engineering.
In its comments, HCRQ/CGI also asserted that there is no need to
specify an ``automated'' process for comparing risk assessment
assumptions with actual experience. This comment also was made for the
similar text in paragraph (h)(3). Thus, HCRQ/CGI recommended that FRA
revise the last sentence of paragraph (h)(1) to read as follows: ``The
railroad shall document these assumptions in such a form as to permit
later comparisons with in-service experience.'' FRA agrees with this
comment and has therefore revised the last sentences of paragraphs
(h)(1) and (h)(3) accordingly.
HCRQ/CGI also submitted comments on paragraph (h)(4), asserting
that the language in this paragraph seems to imply that a detailed
document, separate from the fault trees themselves, is required, which
would be very costly. Therefore, HCGI/CGI recommended that FRA revise
paragraph (h)(4) to read as follows: ``The railroad shall document all
of the identified safety critical fault paths to a mishap.''
FRA does not see the need to eliminate the clause in the first
sentence ``as predicted by the safety analysis methodology,'' but finds
it necessary to clarify that no additional tool to that chosen by the
railroad for the risk assessment is required by this paragraph.
Appendix C to Part 236--Safety Assurance Criteria and Processes
FRA hereby modifies Appendix C to part 236 to enhance and clarify
its language, reorganize the existing list of safe system design
principles in accordance with the well established models of system
safety engineering, and augment the list of safe system design
principles with the principles related to safe system software design.
A safe state is a system state that the system defaults to in the event
of a fault or failure or when unacceptable or dangerous conditions are
detected. The safe state is a state when the hazardous event cannot
occur. This final rule revises proposed paragraph (a) to reflect the
main purpose of this appendix in clear, accurate, and consistent
language that will be repeatedly used throughout the appendix. It also
outlines that the requirements of this appendix will be applicable to
each railroad's PTCIP and PTCSP, as required by subpart I.
This final rule modifies and restructures paragraph (b) to
consistently present a complete list of safety assurance principles
properly classified or categorized in accordance with well established
system safety engineering principles that need to be followed by the
designer of the system to assure that all system components perform
safely under normal operating conditions and under failures, accounting
for human factor impacts, external influencing, and procedures and
policies related to maintenance, repair, and modification of the
system. FRA also adds language indicating that these principles must
also be applicable to PTC systems designed and implemented under the
requirements of subpart I. FRA's intent in initially promulgating
Appendix C was to ensure that safety principles are followed during the
design stage and that Verification and Validation methods are used to
assure that the product meets the safety criteria established in Sec.
236.909. The heading of this paragraph and its subparagraphs are
changed to more adequately and precisely capture this paragraph's
purpose. For instance, FRA hereby modifies the heading of paragraph
(b)(1) to better suit the chosen base of classification for all safety
principles under paragraph (b).
HCRQ/CGI submitted comments asserting that the third sentence of
paragraph (b)(1) implies that the system will operate safely in the
presence of human error. Questioning whether this
[[Page 2681]]
would be possible, HCRQ/CGI recommended deletion of this sentence.
In order to avoid ambiguity in interpreting the important
requirement spelled out in the third sentence of this paragraph, FRA
revises it to read as follows: ``The system shall operate safely even
in the absence of prescribed operator actions or procedures.''
With respect to the fifth sentence in paragraph (b)(1), HCRQ/CGI
asserted that it is a rare situation when hazards can be
``eliminated.'' Therefore, HCRQ/CGI recommended that FRA revise the
fifth and sixth sentences of proposed paragraph (b)(1) to read as
follows: ``The safety order of precedence is to eliminate hazards
categorized as unacceptable or undesirable. If this is not possible or
practical, these hazards should be mitigated to acceptable levels as
required by this part.''
FRA agrees with the commenter that the last clause in this
paragraph discussing elimination of unacceptable and undesirable
hazards requires modification and revises this clause by adding extra
clarifying sentence in the final rule for the entire clause to read as
follows: ``Hazards categorized as unacceptable, which is determined by
hazard analysis, must be eliminated by design. Best effort must be made
by the designer to also eliminate by design the hazards categorized as
undesirable. Those undesirable hazards that cannot be eliminated should
be mitigated to the acceptable level as required by this part.''
HCRQ/CGI submitted comments on the first and second sentences of
paragraph (b)(2)(ii), asserting that it is not possible to implement a
system that would continue to operate safely in the presence of
multiple hardware failures. Therefore, HCRQ/CGI recommended that FRA
revise the first and second sentences of paragraph (b)(2)(ii) to read
as follows: ``The product must be shown to operate safely under
conditions of random hardware failure. This includes single failures
and multiple hardware failures where one or more failures.''
FRA agrees with the commenter that the paragraph requires
modification and revises the first two sentences to read as follows:
``The product must be shown to operate safely under conditions of
random hardware failures. This includes single hardware failures as
well as multiple hardware failures that may occur at different times
but remain undetected (latent) and react in combination with a
subsequent failure as a later time to cause an unsafe operating
situation.''
HCRQ/CGI asserted that the meaning of each of the last sentences in
paragraphs (b)(2)(iii) and (b)(2)(iv) was unclear. In order to address
this concern, HCRQ/CGI recommended that the last sentence in paragraph
(b)(2)(iii) be revised to read as follows: ``Occurrence of credible
single point failures that can result in hazards must be detected and
the product must achieve a known safe state before inadvertently
activating any physical appliance.'' Similarly, HCRQ/CGI recommended
that the last sentence in paragraph (b)(2)(iv) be revised to read as
follows: ``If one non-self-revealing failure combined with a second
failure can cause a hazard that is categorized as unacceptable or
undesirable, then the second failure must be detected and the product
must achieve a known safe state before inadvertently activating any
physical appliance.''
FRA agrees with the commenter and revises the referenced sentences
in paragraphs (b)(2)(iii) and (b)(2)(iv) for the sentences to end with
the following clause: ``* * * the product must achieve a known safe
state that eliminates the possibility of false activation of any
physical appliance.''
Under paragraph (b)(3), FRA amends the definition of Closed Loop
Principle to reflect its industry accepted definition provided by the
AREMA Manual. FRA believes that the previous definition was too general
and did not reflect the essence of the most significant principles of
safe signaling system design.
HCRQ/CGI submitted comments on the last sentence of paragraph
(b)(3), asserting that the sentence is confusing because all system
operation is a product of actions and decisions. In order to provide
clarification, HCRQ/CGI recommended that FRA revise the last sentence
of paragraph (b)(3) to read as follows: ``In addition, closed loop
design requires that failure to perform a single logical operation, or
absence of a single logical input, output or decision shall not cause
an unsafe condition, i.e. system safety does not depend upon the
occurrence of a single action or logical decision.''
FRA has made an effort to perfect the definition of close loop
principle in the NPRM and found it satisfactory to adopt the definition
given in the 2009 issue of AREMA Communication and Signal Manual of
Recommended Practices. FRA does not see the need for further
enhancement of this definition.
Under paragraph (b)(4), FRA adds a list of Safety Assurance
Concepts that the designer may consider for implementation to assure
sail-safe system design and operation. These principles are
predominantly applicable for the safe system software design and quoted
from the IEEE-1483 standard. Based on this amendment, FRA also
renumbers some of the remaining subparagraphs of paragraph (b) to
follow the chosen scheme for the proper classification and sequence of
safety principles.
GE asserts that more detail is required for the Human Factor
Engineering Principle in paragraph (b)(5), which is part of the section
on ``safety principles during product development.'' There are two
components to applied Human Factor engineering in system safety: The
component of ergonomic design and the system risk contribution of the
human interaction with the system, along with the degree of dependency
on the operator for safety coverage. According to GE, the latter is
missing from the discussion and is most relevant to the safety
principles section.
In response to this comment, FRA would like to emphasize that the
main purpose of Appendix C is to provide safety criteria and processes
for design of safe systems, or fail-safe, or vital signaling systems
that by definition must exclude any hazards associated with human
errors. The ``reliance factor'' or, in other words, the possibility of
hazards arising due to overreliance of the operator on the proper
functioning of the system itself, which the commenter is referring to,
is an issue solely relevant to the non-vital overlays complementing
existing method of operation. For non-vital signaling systems the
designer must adhere to the safety principles of Appendix C only to the
extent necessary to satisfy the safety requirements of this part.
Therefore FRA does not see a need for further modification of paragraph
(b)(5).
This final rule amends paragraph (c) to reflect the changes in
recommended standards. For instance, the standard ``EN50126: 1999,
Railway Applications: Specification and Demonstration of Reliability,
Availability, Maintainability and Safety'' (RAMS) is superseded by the
standard IEC62278: 2002 under the same title. The standard ``EN50128
(May 2001), Railway Applications: Software for Railway Control and
Protection Systems'' is superseded by the Standard IEC62279: 2002 under
the same title.
HCRQ/CGI submitted comments asserting that the U.S. Department of
Defense Military Standard (MIL-STD) 882C, ``System Safety Program
Requirements'' (January 19, 1993) has been superseded by U.S.
Department of Defense Military Standard (MIL-STD) 882C, ``System Safety
Program Requirements'', Notice 1 (January 19, 1996)''.
In the NPRM, FRA suggested that railroads follow recommendations of
MIL-STD-882C of January 19, 1993
[[Page 2682]]
issuance specifically. The notice issued on January 19, 1996 does not
contain material necessary for the risk analysis, verification and
validation processes. Therefore FRA retains the former reference to
MIL-STD-882C of January 19, 1993.
Under paragraph (c)(3)(i), FRA references additional IEEE standards
that have become available and will support the designs of PTC systems
that are widely using communications as their main component. In
addition to existing reference under paragraph (c)(3)(i)(A) for IEEE-
1483 Standard, the following standards are added to paragraph
(c)(3)(i): IEEE 1474.2-2003, Standard for user interface requirements
in communications based train control (CBTC) systems; and IEEE 1474.1-
2004, Standard for Communications-Based Train Control (CBTC)
Performance and Functional Requirements.
After an analysis of the current applicability of ATCS
Specification 130 and 140, FRA believes that they are not being used.
Thus, FRA hereby removes these standards from the list of referenced
standards. However, FRA also adds the ATCS 200, Data Communication
standard that remains relevant for communication segment of PTC system
designs.
FRA also considers it necessary to reference several additional
sections of the current AREMA 2009 Communications and Signal Manual of
Recommended Practices. In addition to Section 17 of this manual
referenced in a previous version of Appendix C, FRA hereby adds to the
list of references Section 16 Vital Circuit and Software Design;
Section 21 Data Transmission; and Section 23 Communication-Based
Signaling.
Appendix D to Part 236--Independent Review of Verification and
Validation
There has been no change in the underlying engineering principles
associated with Appendix D. The changes made in this final rule are
cosmetic, simply updating the Appendix so that it is applicable to both
subpart H and I, and reducing the workload on the vendor or supplier,
the railroad, and FRA. FRA determined that it would have been more
burdensome to refer to different Appendices that are functionally
identical, and whose only practical difference would be that one
referred only to subpart H, and the other to subpart I of this part.
Paragraph (a) discusses the purpose of an independent third-party
assessment of product Verification and Validation. FRA's position that
the requirement for an independent third-party assessment is reasonably
common in the field of safety-critical systems remains unchanged. FRA's
recent experience confirms that this approach can enhance the quality
of decision making by railroads and FRA. The potential for undergoing a
third party audit provides incentives to those who design and produce
safety-critical systems to more rigorously create and maintain safety
documentation for their systems. FRA acknowledges that documentation,
by itself, will not ensure a safe system. However, the absence of
documentation will make it virtually impossible to ensure the safety of
the system throughout its life-cycle. The third party also brings a
level of technical expertise, and a perspective that may not be
available on the staff of the railroad (or FRA)--effectively permitting
the railroad (and thus FRA) to look behind claims of the vendor or
supplier to actual engineering practice. This may be especially
appropriate where the system in question utilizes a novel architecture
or relies heavily on COTS hardware and software.
Paragraph (b) establishes the requirements for independence of the
third-party auditor. The text associated with the underlying principle
of independence has simply been clarified to indicate that there must
be independence at all levels of the product design and manufacture.
This situation has arisen where a third party wished to provide
independent safety assessments of the system, but also provide
technical support for the design of a component that would be used in
the system being reviewed. FRA maintains that such practices, even if
the entity in question attempts to firewall the parts of the
organization doing the respective tasks, represents a conflict of
interest and is unacceptable.
Paragraphs (c) through (f) discuss the substance of the third-party
assessment. This assessment should be performed on the system as it is
finally configured, before revenue operations commence. The assessor
should review the supplier's processes as set forth in the applicable
documentation and provide comments to the supplier. The reviewer should
be able to determine vulnerabilities in the supplier's processes and
the adequacy of the safety analysis (be it in an RSPP and PSP or in a
PTCDP and PTCSP) as they apply to the product. ``Acceptable
methodology'' is intended to mean standard industry practice, for
example, as contained in MIL-STD-882C. FRA is aware of many other
acceptable industry standards, but usage of a less common one in an
analysis would most likely require a higher level of FRA scrutiny. In
addition, the reviewer considers the completeness and adequacy of the
required safety documents.
Paragraph (d) discusses the reviewer's tasks at the functional
level. Here, the reviewer will analyze the supplier's methods to
establish that they are complete and correct. First, a Preliminary
Safety Analysis is performed in the design stage of a product. In
addition to describing system requirements within the context of the
concept of operations, it attempts, in an early stage, to classify the
severity of the hazards and to assign an integrity level requirement to
each major function (in conventional terms, a preliminary hazard
analysis). Again there are many practices widely accepted within
industry such as: Hazard Analysis (HA), Fault Tree Analysis (FTA),
Failure Mode and Effects Analysis (FMEA), and Failure Modes, Effects,
and Criticality Analysis (FMECA). Other simulation methods may also be
used in conjunction with the preceding methods, or by themselves when
appropriate. Commonly practiced techniques and methods include fault
injection, a technique that evaluates performance by injecting known
faults at random times during a simulation period; Markov modeling, a
modeling technique that consists of states and transitions that control
events; Monte Carlo model, a simulation technique based on randomly-
occurring events; and Petri-net, an abstract, formal model of
information flow that shows static and dynamic properties of a system.
Paragraphs (e) and (f) address what must be performed at the
implementation level. At this stage, the product is beginning to take
form. The reviewer typically evaluates the software and, if appropriate
or required, the hardware. In the case of software, the software will
most likely be in modular form, such that software modules are produced
in accordance to a particular function. In the case of hardware, this
may be at the component or line replaceable unit level. The reviewer
must select a significant number of modules to be able to establish
that the product is being developed in a safe manner.
Paragraph (g) discusses the reviewer's tasks at closure. The
reviewer's primary task at this stage is to prepare a final report
where all product deficiencies are noted in detail. This final report
may include material previously presented to the supplier during
earlier development stages.
FRA received several comments on Appendix D related to the proper
documentation to be reviewed by the third-party reviewer according to
[[Page 2683]]
paragraph (d)(1), the scope of hazard analysis required to be reviewed
by paragraph (d)(2), and the methods of software development techniques
to be reviewed according to paragraph (f)(2)(vii). These comments are
the same as those submitted by the commenter on the text of Appendix F.
Due to the wider applicability of these comments to the material
presented in Appendix F, FRA has provided a response to these comments
in the section-by-section analysis for Appendix F.
Appendix E to Part 236--Human-Machine Interface (HMI) Design
Appendix E provides human factors design criteria. Paragraphs (a)
through (f) cover the same material as was previously contained in
Appendix E. See 70 FR 11,107 (March 7, 2005). However, Appendix E has
been reformatted to support its use for subparts H and I of this part
and, with a few exceptions, is textually the same. This Appendix still
addresses the basic human factors principles for the design and
operation of displays, controls, supporting software functions, and
other components in processor-based signal or train control systems and
subsystems regardless if they are voluntarily implemented (as is the
case with systems qualified under subpart H of this part) or
mandatorily implemented (as is the case with systems developed under
subpart I of this part). The HMI requirements in this Appendix attempt
to capture the lessons learned from the research, design, and
implementation of similar technology in other modes of transportation
and other industries. The rationale for each of the requirements
associated with paragraphs (a) through (f) remains the same as was
presented in the former version of Appendix E. See 70 FR 11,107,
11,090-11,091 (Mar. 7, 2005).
FRA has noted that products implemented under the requirements of
subpart H of this part, or proposed products that will be developed
under subpart I of this part, all have been capable of generating
electromagnetic radiation. Such emissions are strictly regulated by the
Federal Communications Commission for public safety and health, as well
as to ensure that the limited electromagnetic spectrum is optimally
utilized. FRA is therefore adding a new paragraph (h) to Appendix E,
which requires that as part of the HMI design process, the designer
must ensure that the product has the appropriate FCC Equipment
Authorization, and that the product meets FCC requirements for Maximum
Permissible Exposure limits for field strength and power density.
Paragraph (g) does not levy any new regulatory requirements. The
requirements cited are mandatory FCC requirements for any device that
emits electromagnetic radiation that the system designer must comply
with. FRA is simply identifying these requirements, as not all railroad
product developers may be aware of them.
Appendix F to Part 236--Minimum Requirements of FRA Directed
Independent Third-Party Assessment of PTC System Safety Verification
and Validation
FRA has revised the title of Appendix F in response to comments
submitted by GE, in which GE noted that, while FRA may require a
railroad to engage in an independent assessment of its PTC system based
on the criteria set forth in Sec. 236.913, FRA is not requiring an
independent assessment of every PTCSP.
FRA received several comments from HCRQ/CGI on paragraphs (d), (e),
(f), and (i) of Appendix F.
The commenter asserted that the term ``acceptable methodology''
used in the second sentence of paragraph (d) is not clear and suggested
that it be replaced with the term ``methodologies typical to safety-
critical systems.'' If revised in accordance with this recommendation,
the second sentence of paragraph (d) would read as follows: ``At a
minimum, the reviewer shall compare the supplier processes with
methodologies typical of safety-critical systems and employ any other
such tests or comparisons if they have been agreed to previously with
FRA.'' In response to this comment, FRA notes that the term
``acceptable methodologies,'' by its very nature, includes
methodologies typical of safety-critical systems. FRA believes that the
proposed modification may artificially limit the use of the atypical
analysis methodologies that may provide an equivalent, or better,
analytical results. Therefore, FRA did not incorporate the proposed
change. However, in the interest of providing clarification to reflect
the main intent of this paragraph, FRA has modified the second and
third sentences in paragraph (d) to read as follows: ``At a minimum,
the reviewer shall evaluate the supplier design and development process
regarding the use of an appropriate design methodology. The reviewer
may use the comparison processes and test procedures that have been
previously agreed to with FRA.''
The commenter also asserted that, with respect to paragraph (e),
the reviewer will be required to analyze a ``Hazard Log,'' as opposed
to a ``Preliminary Hazard Analysis'' document, since the Hazard Log
will supersede the Preliminary Hazard Analysis on the final stage of
the system development process.
FRA agrees with the commenter that the Hazard Log more accurately
reflects the perceived risk in the as-built condition and, therefore,
has modified paragraph (e) to read as follows: ``The reviewer shall
analyze the Hazard Log and/or any other hazard analysis documents for
comprehensiveness and compliance with applicable railroad, vendor,
supplier, industry, national, and international standards.'' The
commenter also suggested that this comment is equally applicable to
former paragraph (d)(1) in the prior version of Appendix D. FRA agrees
and has modified the various applicable phrases in Appendices D and F
accordingly. The commenter further suggested that in paragraph (f) the
reviewer should be required to analyze samples of the hazard analyses
``for completeness, correctness, and compliance with industry,
national, or international standards,'' as opposed to the proposed
requirement to analyze ``all'' hazard analyses such as Fault Tree
Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA).
The commenter asserted that it will be ``difficult and prohibitive''
for both the supplier and the reviewer to analyze ``all'' of these
documents in their entire length. The commenter also noted that these
comments are applicable to existing Appendix D, paragraph (d)(2).
In response to this comment, FRA notes that there does not appear
to be a need for additional clarification on the depth of the quoted
documents analysis by the reviewer. As FRA has already indicated in the
section-by-section analysis of Sec. 236.1017, ``FRA has the discretion
to limit the extent of the third party assessment.'' Moreover, the
section-by-section analysis of Sec. 236.1017 goes on to state that
``Appendix F represents minimum requirements and that if circumstances
warrant, FRA may expand upon the Appendix F requirements as necessary
to render a decision that is in the public interest.'' FRA will, if
appropriate, limit the scope of analysis. FRA notes the comment, and
will execute its regulatory discretion in this matter.
With respect to paragraph (i)(7), HCRQ/CGI points out that the text
of NPRM, while discussing methods of safety-critical software
development by the manufacturer, enumerates examples that, according to
the commenter, are not particular to the safety-critical systems, which
appears to be contrary to the intent of this paragraph. The commenter
recommends that FRA
[[Page 2684]]
include in the text of the final rule an extended list of examples for
methods of software development instead of those cited in NPRM, for
example, such methods as ``system requirement analysis, requirements
traceability to functional and derived safety requirements, design
analysis, documented peer review,'' etc. The commenter also noted that
this comment is equally applicable to Appendix D, paragraph
(f)(2)(vii).
FRA understands the commenter's concern. FRA believes that the
review should include any documentation associated with the software
development that may reflect on, or address, the safety of the system.
To address the commenter's concern and to more accurately reflect FRA's
position, paragraph (i)(7) has been revised by deleting the list of
examples of methods of software development previously proposed in the
NPRM. FRA modifies the text of this paragraph to emphasize that the
review on any documentation that may reflect on the safety of software
design is required. As with the preceding comment, FRA will exercise
its regulatory discretion with regards to the specific documentation
based on the system in question and public safety. FRA has also
modified paragraph (i)(7) in Appendix D that discusses the same issue.
VIII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
This final rule has been evaluated in accordance with existing
policies and procedures, and determined to be significant under both
Executive Order 12866 and DOT policies and procedures. 44 FR 11,034
(Feb. 26, 1979). We have prepared and placed in the docket a regulatory
impact analysis (RIA) addressing the economic impact of this final
rule.
The costs anticipated to accrue from adopting this final rule would
include: (1) Costs associated with developing implementation plans and
administrative functions related to the implementation and operation of
PTC systems, including the information technology and communication
systems that make up the central office; (2) hardware costs for onboard
locomotive system components, including installation; (3) hardware
costs for wayside system components, including installation; and (4)
maintenance costs for all system components.
Two types of benefits are expected to result from the
implementation of this final rule--benefits from railroad accident
reduction and business benefits from efficiency gains. The first type
would include safety benefits or savings expected to accrue from the
reduction in the number and severity of casualties arising from train
accidents that would occur on lines equipped with PTC systems. Casualty
mitigation estimates are based on a value of statistical life of $6
million. In addition, benefits related to accident preventions would
accrue from a decrease in damages to property such as: Locomotives,
railroad cars, and track; equipment cleanup; environmental damage;
train delay resulting from track closures; road closures; emergency
response; and evacuations. Benefits more difficult to monetize--such as
the avoidance of hazmat accident related costs incurred by federal,
state, and local governments and impacts to local businesses--will also
result. FRA also expects that once PTC systems are refined, there would
likely be substantial additional business benefits resulting from more
efficient transportation service; however, such benefits are not
included because of significant uncertainties regarding whether and
when individual elements will be achieved and given the complicating
factor that some benefits might, absent deployment of PTC, be captured
using alternative technologies at lower cost. In the NPRM, FRA
requested comments on whether the proposed regulation exercised the
appropriate level of discretion and flexibility to comply with RSIA08
in the most cost effective and beneficial manner. The FRA received
comments, discussed above in the section-by-section analysis, that FRA
had exceeded its discretion, in general, in not creating a de minimis
exception, in Sec. 236.1005, by designating that the railroad base its
system designation on 2008 base year traffic patterns; in Sec.
236.1029, by requiring that each crewmember assigned to a cab have
access to a display adequate to perform assigned duties safely, which
the railroads claimed meant that they have to install a second display;
and in Sec. 236.1006 (b)(4) in permitting Class II and Class III
railroads to operate locomotives unequipped with PTC on Class I
railroad lines under certain conditions. FRA believes that the agency
interpreted RSIA08 correctly in not granting AAR's very broad request
for a de minimis exception (however, FRA did craft a new de minimis
exception in Sec. 236.1006(b)(4)(ii), discussed above in the section-
by-section analysis), in using the 2008 traffic patterns as a basis for
designating the system and in requiring that each crewmember in the
locomotive cab have access to a display adequate to perform assigned
safety-related duties. FRA also believes that it acted with an
appropriate level of discretion and flexibility in permitting some
operations of unequipped locomotives on PTC equipped routes. All of
these responses are discussed in detail above, in the Section-by-
Section analysis.
The RIA presents a 20-year analysis of the costs and benefits
associated with this rule, using both 7 percent and 3 percent discount
rates, and two types of sensitivity analyses. The first is associated
with varying cost assumptions used for estimating PTC implementation
costs. The second takes into account potential business benefits from
realizing service efficiencies and related additional societal benefits
from attainment of environmental goals and an overall reduction in
transportation risk from modal diversion.
The 20-year total cost estimates are $9.55 billion (PV, 7%) and
$13.21 billion (PV, 3%). Annualized costs are $0.87 billion (PV, 7%)
and $0.88 billion (PV, 3%). Using high-cost assumptions, the 20-year
total cost estimates would be $16.25 billion (PV, 7%) and $22.54
billion (PV, 3%). Using low-cost assumptions, the 20-year cost
estimates would be $6.73 billion (PV, 7%) and $9.34 billion (PV, 3%).
The later the expenditures are made, the lower the discounted cost
impact, which in any event is a very small portion of the total PTC
costs. This estimate is lower than the cost estimate presented in the
NPRM. It reflects the low freight traffic volume exception for
passenger train routes and the de minimis exception for freight
railroads. These exceptions result in lower wayside costs than
estimated in the NPRM RIA. FRA has not revised its locomotive cost
estimates to reflect reduced burden resulting from the additional
flexibility granted because the magnitude of the reduction is very
small relative to the overall system cost.
Twenty-year railroad safety (railroad accident reduction) benefit
estimates associated with implementation of the rule are $440 million
(PV, 7%) and $674 million (PV, 3%). Annualized benefits are $42 million
(PV, 7%), and $45 million (PV, 3%). This estimate is lower than that
estimated at the NPRM stage of the rulemaking. The estimate was lowered
as a result of revisions made to a study performed by Volpe Center
regarding the cost of PTC-preventable accidents. Some forecasts predict
significant growth of both passenger and freight transportation
demands, and it is thus possible that greater activity on the system
could present the potential for
[[Page 2685]]
larger safety benefits than estimated in this analysis. The presence of
a very large PTC-equipped freight locomotive fleet also supports the
opportunity for introduction of new passenger services of higher
quality at less cost to the sponsor of that service. Information is not
currently available to quantify that benefit.
The table below presents cost and benefit estimates by element
using a 3% discount rate as well as a 7% discount rate.
Total 20-Year Discounted Costs and Discounted Benefits
[At 3% and 7%]
------------------------------------------------------------------------
Discount rate 3.00% 7.00%
------------------------------------------------------------------------
Costs by Category:
Central Office and $283,025,904 $263,232,675
Development................
Wayside Equipment........... 2,902, 751,825 2,414,794,033
On-Board Equipment.......... 1,613,568,678 1,390,618,364
Maintenance................. 8,406,267,684 5,478,877,649
---------------------------------------
Total................... 13,205,614,091 9,547,522,721
=======================================
Benefits by Category:
Fatalities.................. 268,999,278 175,541,848
Injuries.................... 203,984,196 133,114,717
Train Delay................. 24,530,630 16,008,043
Property Damage............. 159,149,846 103,857,000
Emergency Response.......... 431,143 281,353
Equipment Clean Up.......... 2,509,576 1,637,683
Road Closure................ 580,664 378,926
Environmental Cleanup....... 6,486,888 4,233,172
Evacuations................. 7,129,699 4,652,654
---------------------------------------
Total Railroad Safety 673,801,919 439,705,397
Benefits...............
------------------------------------------------------------------------
The Port Authority Trans Hudson (PATH), a commuter railroad, is
apparently considering the system used by the New York City Transit
Authority on the Canarsie line. This system, which is known as
Communication-Based Train Control, is not similar in concept to any of
the other PTC systems (including the CSX CBTC, with which its name
might easily be confused), and would not be suitable, as FRA
understands the system, except on a railroad with operating
characteristics similar to a heavy rail mass transit system. FRA
believes that, in absence of the statutory mandate or this rulemaking,
PATH would have adopted PTC for business reasons.
Although costs associated with implementation of the final rule are
significant and such costs would far exceed the benefits, FRA is
constrained by the requirements of RSIA08, which do not provide
latitude for implementing PTC differently. Nevertheless, FRA has taken
several steps to avoid triggering unnecessary costs in the proposed
rule. For instance, FRA is not requiring use of separate monitoring of
switch position in signal territory or that the system be designed to
determine the position of the end of the train. FRA has also minimized
costs, such as by requiring the monitoring of derails protecting the
mainline, but limiting it to derails connected to the signal system;
and by requiring the monitoring of hazard detectors protecting the
mainline, but limiting it to hazard detectors connected to the signal
system. FRA has also minimized costs related to diamond crossings,
where a PTC equipped railroad crosses a non-PTC equipped railroad at
grade; included exceptions to main track for passenger train
operations, and provisions that would permit some Class III railroad
operation of trains not equipped with PTC over Class I railroad freight
lines equipped with PTC. FRA has also added provisions to the final
rule which will permit passenger railroads to exclude up to roughly
1,900 miles of track from the requirements to install PTC. Finally, FRA
has provided for de minimis exceptions for Class I freight lines with
not passenger service and negligible risk, avoiding any expenses for
right-of-way modifications on about 300 miles, saving about $15
million, and reducing costs by about 80% on about 3,200 additional
miles, saving about $127 million.
RSIA08 requires the railroads to have all mandatory PTC systems
operational on or before December 31, 2015. Members of the PTC Working
Group, especially railroad and supplier representatives, said that the
timeframe was very tight, and that the scheduled implementation dates
would be difficult to meet. In general, the faster a government agency
requires a regulated entity to adopt new equipment of procedures, the
more expensive compliance becomes. In part, this is due to supply
elasticity being less over shorter time periods.
FRA is unable to estimate the potential savings if Congress
provided a longer implementation schedule or provided incentives,
rather than mandates, for PTC system installation. In order to estimate
the likely reduction in costs in such situations, FRA would need to
develop some other schedule for implementation. The element least
sensitive to an implementation's schedule appears to be onboard costs.
Each PTC system's onboard equipment seems similar and is not very
different from existing onboard systems. Further, the 2015 deadline is
not so restrictive that it would cause railroads to pull locomotives
out of service just to install on board PTC equipment. Locomotives must
be inspected thoroughly every 90 and more extensively every 360 days.
The inspections can last from one to several days. Railroads usually
bring locomotives into their shops to perform these inspections, during
which time a skilled and experienced team could install the on board
equipment for PTC. System development is much less certain, and more
time would enable vendors or suppliers to develop, test, and implement
the software at a more reasonable cost. Wayside costs are also
sensitive to the installation timetable, as the wayside must be mapped
and
[[Page 2686]]
measured, and then the railroads must install wayside interface units
(WIUs). Wayside mapping and measurement takes a highly skilled
workforce. A larger workforce is necessary to timely implement the
required PTC systems in a shorter amount of time. WIU installation is
likely similar to existing signal or communication systems
installation, and is likely to involve use of existing railroad skilled
workers. The shorter the installation time period, the more work will
be done at overtime rates, which are, of course, higher.
FRA believes that lower costs could result from a longer
installation period, but FRA also believes that the differences in
costs would be within the range of the low costs provided in the main
analysis of the proposed rule. The 2004 report included some lower cost
estimates, but, in light of current discussions with railroads, the
cost estimates in the 1998 report seem more accurate. The lower
estimates FRA received in preparing the 2004 report were both overly
optimistic, and excluded installation costs, as well as higher costs
which stem from meeting the performance standards.
Some of the costs of PTC implementation, operation, and maintenance
may be offset by business benefits, especially in the long run,
although there is uncertainty regarding the timing and level of those
benefits. Economic and technical feasibility of the necessary system
refinements and modifications to yield the potential business benefits
has not yet been demonstrated. FRA analyzed business benefits
associated with PTC system implementation and presented its findings in
the 2004 Report. Due to the aggressive implementation schedule for PTC
and the resulting need to issue a rule promptly, FRA has not formally
updated this study. Nevertheless, FRA believes that there is
opportunity for significant business benefits to accrue several years
after implementation once the systems have been refined to the degree
necessary. Thus, FRA conducted a sensitivity analysis of potential
business benefits based on the 2004 Report.
The 2004 Report included business benefits from improved or
enhanced locomotive diagnostics, fuel savings attributable to train
pacing, precision dispatching, and capacity enhancement. Although
railroads are enhancing locomotive diagnostics using other
technologies, FRA believes that PTC could provide the basis for
significant gains in the other three areas.
In the years since the 2004 Report, developing technology and
rising fuel costs have caused the rail supply industry and the
railroads to focus on additional means of conserving diesel fuel while
minimizing in-train forces that can lead to derailments and delays from
train separations (usually broken coupler knuckles). Software programs
exist that can translate information concerning throttle position and
brake use, together with consist information and route characteristics,
to produce advice for prospective manipulation of the locomotive
controls to limit in-train forces. Programs are also being conceived
that project arrival at meet points and other locations on the
railroad. These types of tools can be consolidated into programs that
either coach the locomotive engineer regarding how to handle the train
or even take over the controls of the locomotive under the engineer's
supervision. The ultimate purpose of integrating this technology is to
conserve fuel use while handling the train properly and arriving at a
designated location ``just in time'' (e.g., to meet or pass a train or
enter a terminal area in sequence ahead of or behind other traffic).
Further integrating this technology with PTC communications platforms
and traffic planning capabilities could permit transmittal of ``train
pacing'' information to the locomotive cab in order to conserve fuel.
Like the communications backbone, survey data concerning route
characteristics can be shared by both systems. The cost of diesel fuel
for road operations to the Class I railroads is approximately $3.5
billion annually and is gradually rising. If PTC technology helps to
spur the growth and effective use of train pacing, fuel savings of 5%
($175,000,000 annually) or greater could very likely be achieved.
Clearly, if the railroads are able to conserve use of fuel, they will
also reduce emissions and contribute to attainment of environmental
goals, even before modal diversion occurs.
The improvements in dispatch and capacity have further
implications. With those improvements, railroads could improve the
reliability of shipment arrival time and, thus, dramatically increase
the value of rail transportation to shippers, who in turn would divert
certain shipments from highway to rail. Such diversion would yield
greater overall transportation safety benefits, since railroads have
much lower accident risk than highways, on a point-to-point ton-mile
basis. The total societal benefits of PTC system implementation and
operation, following the analysis, would be much greater than total
societal costs, although the costs would fall disproportionately more
heavily on the railroads.
At present, the PTC systems contemplated by the railroads, with the
possible exception of PATH, would not increase capacity, at least not
for some time. If the locomotive braking algorithms need to be made
more conservative in order to ensure that each train does not exceed
the limits of its authority, PTC system operation may actually decrease
rail capacity where applied in the early years. Further investment
would be required to bring about the synergy that would result in
capacity gains. A more significant business benefit of PTC system
operation would be derived from precision dispatching, which decreases
the variance of arrival times of delivered freight. To avoid the risk
of running out of stock, shippers often overstock their inventory at an
annual cost of approximately 25% of its inventory value, regardless of
the material being stored. This estimate accounts for shrinkage,
borrowing costs, and storage costs. Of course, freight with more value
per unit of mass or volume tends to have greater storage costs per
unit. At present, no rail precision dispatch system exists. However, if
a shipper would take advantage of precision dispatching, thus
increasing freight arrival time accuracy, then it could reduce its
overstock inventory. Accurate train data is a necessary, but not a
sufficient condition, for precision dispatch. At least two of the Class
I railroads have unsuccessfully attempted to develop precision dispatch
systems. The mandatory installation of PTC systems is likely to divert
any resources that might have been devoted to precision dispatch, so
these benefits are unlikely during the first several years of this
rule.
Applying current factors to the variables used in the 2004 Report
to Congress, the resulting analysis indicates that diversion could
result in highway annual safety benefits of $744 million by 2022, and
$1,148 million by 2032. Of course, these benefits require that the
productivity enhancing systems be added to PTC, and are heavily
dependent on the underlying assumptions of the 2004 model.
Modal diversion would also yield environmental benefits. The 2004
Report estimated that reduced air pollution costs would have been
between $68 million and $132 million in 2010 (assuming PTC would be
implemented by 2010), and between $103 million and $198 million in
2020. This benefit would have accrued to the general public. FRA has
not broken out the pollution cost benefit of the current
[[Page 2687]]
rule, but offers the estimates from the 2004 Report as a guide to the
order of magnitude of such benefits.
While railroads argued that many of the benefits identified in
FRA's 2004 report were exaggerated, shortly after the publication of
the report, several railroads began developing strategies for PTC
system development and implementation. This investment by the railroads
would seem to illustrate that they believe that there is some potential
for PTC to provide a boost to railroad profits, beyond providing any of
the aforementioned societal benefits.
Modal diversion is highly sensitive to service quality. Problems
with terminal congestion and lengthy dwell times might overwhelm the
benefits of PTC or other initiatives which the railroads have been
pursuing (reconfiguration of yards, pre-blocking of trains, shared
power arrangements, car scheduling, Automatic Equipment Identification,
etc.) that might actually work in synergy with PTC. It should also be
noted that, in the years since the 2004 Report was developed, the Class
I railroads have shown an increased ability to retain operating revenue
as profit, rather than surrendering it in the form of reduced rates.
This was particularly true during the period prior to the current
recession, when strained highway capacity favored the growth of rail
traffic. The sensitivity analysis performed by FRA indicates that
realization of business benefits could yield benefits sufficient to
close the gap between PTC implementation costs and rail accident
reduction benefits within the first 18 years of the rule, applying a 3%
discount rate, and by year 24 of the rule, applying a discount rate of
7%. Accordingly, the precise partition of business and societal
benefits cannot be estimated with any certainty.
FRA recognizes that the likelihood of business benefits is
uncertain and that the cost-to-benefit comparison of this rule,
excluding any business benefits, is not favorable. However, FRA has
taken measures to minimize the rule's adverse impacts and to provide as
much flexibility as FRA is authorized to grant under RSIA08.
B. Regulatory Flexibility Act and Executive Order 13272
To ensure potential impacts of rules on small entities are properly
considered, we developed this rule in accordance with Executive Order
13272 (``Proper Consideration of Small Entities in Agency Rulemaking'')
and DOT's procedures and policies to promote compliance with the
Regulatory Flexibility Act (5 U.S.C. 601 et seq.).
The Regulatory Flexibility Act requires an agency to review
regulations to assess their impact on small entities. An agency must
conduct a Final Regulatory Flexibility Analysis (FRFA) unless it
determines and certifies that a rule is not expected to have a
significant impact on a substantial number of small entities.
In the NPRM, we published an Initial Regulatory Flexibility
Assessment (IRFA) to aid the public in commenting on the potential
small business impacts of the proposals. FRA has considered all
comments submitted to the docket and at public hearings in response to
the NPRM. FRA also worked with the PTC Working Group and its task
forces in developing many of the facets of the final rule. We
appreciate the information provided by the various parties. The
proposed rule, and consequently the IRFA, included as part of the NPRM,
have been modified as a result, as described above. Due to the
uncertainties associated with new product development and deployment,
FRA has prepared a FRFA and will issue a Small Entity Guidance document
soon.
In accordance with the Regulatory Flexibility Act, a FRFA must
contain:
(1) A succinct statement of the need for, and objectives of the
rule;
(2) A summary of the significant issues raised by the public
comments in response to the IRFA, a summary of the assessment of the
agency of such issues, and a statement of any changes made in the
proposed rule as a result of such comments.
(3) A description and an estimate of the number of small entities
to which the rule will apply or an explanation of why no such estimate
is available;
(4) A description of the projected reporting, recordkeeping and
other compliance requirements of the final rule, including an estimate
of the classes of small entities that will be subject to the
requirement and the type of professional skills necessary for
preparation of the report or record; and
(5) A description of the steps the agency has taken to minimize the
significant adverse economic impact on small entities consistent with
the stated objectives of applicable statutes, including a statement of
the factual, policy, and legal reasons for selecting the alternative
adopted in the final rule and why each of the other significant
alternatives to the rule considered by the agency was rejected. 5
U.S.C. 604(a)(1)-(5).
1. Need for, and Objectives of the Rule
PTC systems will be designed to prevent train-to-train collisions,
overspeed derailments, incursions into established work zone limits,
and the movement of a train through a switch left in the wrong
position.
As discussed in more detail in section I of the preamble, the
RSIA08 mandates that widespread implementation of PTC across a major
portion of the U.S. rail industry be accomplished by December 31, 2015.
RSIA08 requires each Class I carrier and each entity providing
regularly scheduled intercity or commuter rail passenger transportation
to develop a plan for implementing PTC by April 16, 2010. The Secretary
of Transportation is responsible for reviewing and approving or
disapproving such plans. The Secretary has delegated this
responsibility to FRA. This final rule details the process and
procedure for obtaining FRA approval of the plans.
As discussed earlier in the preamble, FRA is issuing this final
rule to provide regulatory guidance and performance standards for the
development, testing, implementation, and use of Positive Train Control
(PTC) systems for railroads mandated by the Rail Safety Improvement Act
of 2008 Sec. 104, Public Law 110-432, 122 Stat. 4848, 4856, (Oct. 16,
2008) (codified at 49 U.S.C. 20157).
2. Significant Issues Raised by Public Comment in Response to the IRFA
The only comment which directly referred to the IRFA was a comment
from Class I railroad representatives noting that the IRFA implied that
Class I railroads would pay for installation of split point derails at
railroad-railroad crossings where a PTC equipped line crosses a line
not equipped with PTC. FRA agrees with commenters that costs will be
borne according to preexisting agreements and any other laws or
regulations that might affect which party is responsible for the costs
incurred and has modified its analysis accordingly.
Other comments which affect the IRFA related to definition of main
track for intercity and commuter operations where freight densities are
relatively low. These comments, primarily from Amtrak, not a small
entity, directly referred to the proposed rule, and not to the IRFA. In
response, FRA provided significant relief to Amtrak for operations over
Class II and Class III railroads, thus indirectly providing relief to
some of the Class II and III railroads, potentially allowing one or
more to avoid PTC system installation. The RSIA08 generally defines
``main line'' as ``a segment of railroad tracks over which 5,000,000 or
more gross tons of railroad traffic is transported
[[Page 2688]]
annually. See 49 U.S.C. 20157(i)(2). However, FRA may also define
``main line'' by regulation ``for intercity rail passenger
transportation or commuter rail passenger transportation routes or
segments over which limited or no freight railroad operations occur.''
See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes that
there may be circumstances where certain statutory PTC system
implementation and operation requirements are not practical and provide
no significant safety benefits. In those circumstances, FRA will
exercise its statutory discretion provided under 49 U.S.C.
20157(i)(2)(B).
In accordance with the authority provided by the statute and with
carefully considered recommendations from the RSAC, FRA will consider
requests for designation of track over which rail operations are
conducted as ``other than main line track'' for passenger and commuter
railroads, or freight railroads operating jointly with passenger or
commuter railroads. Such relief may be granted only after request by
the railroad or railroads filing a PTCIP and approval by the Associate
Administrator.
In Sec. 236.1019(a), FRA requires the submittal of a main line
track exclusion addendum (MTEA) to any PTCIP filed by a railroad that
seeks to have any particular track segment deemed as other than main
line. Since the statute only provides for such regulatory flexibility
as it applies to passenger transportation routes or segments over which
limited or no freight railroad operations occur, only a passenger
railroad may file an MTEA as part of its PTCIP. This may include a
PTCIP jointly filed by freight and passenger railroads. In fact, FRA
expects that, in the case of joint operations, only one MTEA should be
agreed upon and submitted by the railroads filing the PTCIP. After
reviewing a submitted MTEA, FRA may provide full or conditional
approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries,
use, and characterization of the trackage for which exclusion is
requested. When describing each track's use and characterization, FRA
expects the requesting railroad or railroads to include copies of the
applicable track and signal charts. Ultimately, FRA expects each MTEA
to include information sufficiently specific to enable easy segregation
between main line track and non-main line track. In the event the
railroad subsequently requests additional track to be considered for
exclusion, a well-defined MTEA should reduce the amount of future
information required to be submitted to FRA. Moreover, if FRA decides
to grant only certain requests in an MTEA, the portions of track for
which FRA has determined should remain considered as main line track
can be easily severed from the MTEA. Otherwise, the entire MTEA, and
thus its concomitant PTCIP, may be entirely disapproved by FRA,
increasing the risk of the railroad or railroads not meeting its
statutory deadline for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a
justification for such designation in accordance with paragraphs (b) or
(c) of this section.
In Sec. 236.1019(b), FRA specifically addresses the conditions for
relief for passenger and commuter railroads with respect to passenger-
only terminal areas. As noted previously in the analysis of Sec.
236.1005(b), any track within a yard used exclusively by freight
operations moving at restricted speed is excepted from the definition
of main line. In those situations, operations are usually limited to
preparing trains for transportation and do not usually include actual
transportation. This automatic exclusion does not extend to yard or
terminal tracks that include passenger operations. Such operations may
also include the boarding and disembarking of passengers, heightening
FRA's sensitivity to safety. Moreover, while FRA could not expend its
resources to review whether a freight-only yard should be deemed other
than main line track, FRA believes that the relatively lower number of
passenger yards and terminals would allow for such review. Accordingly,
FRA believes that it is appropriate to review these circumstances on a
case-by-case basis.
During the PTC Working Group discussions, the major passenger
railroads requested an exception for tracks in passenger terminal areas
because of the impracticability of installing PTC. These are locations
where signal systems govern movements over very complex special track
work divided into short signal blocks. Operating speeds are low (not to
exceed 20 miles per hour), and locomotive engineers moving in this
environment expect conflicting traffic and restrictive signals.
Although low-speed collisions do occasionally occur in these
environments, the consequences are low; and the rate of occurrence is
very low in relation to the exposure. It is the nature of current-
generation PTC systems that they use conservative braking algorithms.
Requiring PTC to short blocks in congested terminals would add to
congestion and frustrate efficient passenger service, in the judgment
of those who operate these railroads. The density of wayside
infrastructure required to effect PTC functions in these terminal areas
would also be exceptionally costly in relation to the benefits
obtained. FRA agrees that technical solutions to address these concerns
are not presently available. FRA does believe that the appropriate role
for PTC in this context is to enforce the maximum allowable speed
(which is presently accomplished in cab signal territory through use of
automatic speed control, a practice which could continue where already
in place).
If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2),
or (b)(3), as applicable, as well as conditions attached to the
approval, must be strictly adhered to.
In Sec. 236.1019(b)(1), FRA specifies that relief under paragraph
(b) is limited to operations that do not exceed 20 miles per hour. The
PTC Working Group agreed upon the 20 miles per hour limitation, instead
of requiring restricted speed, because the operations in question will
be by signal indication in congested and complex terminals with short
block lengths and numerous turnouts. FRA agrees with the PTC Working
Group that the use of restricted speed in this environment would
unnecessarily exacerbate congestion, delay trains, and diminish the
quality of rail passenger service.
Moreover, when trains on the excluded track are controlled by a
locomotive with an operative PTC onboard apparatus that PTC system
component must enforce the regulatory speed limit or actual maximum
authorized speed, whichever is less. While the actual track may not be
outfitted with a PTC system in light of a MTEA approval, FRA believes
it is nevertheless prudent to require such enforcement when the
technology is available on the operating locomotives. This can be
accomplished in cab signal territory using existing automatic train
stop technology and outside of cab signal territory by mapping the
terminal and causing the onboard computer to enforce the maximum speed
allowed.
FRA also limits relief under Sec. 236.1019(b)(2) to operations
that enforce interlocking rules. Under interlocking rules, trains are
prohibited from moving in reverse directions without dispatcher
permission on track where there are no signal indications. FRA believes
that such a restriction will minimize the potential for a head-on
impact.
Also, under Sec. 236.1019(b)(3), such operations are only allowed
in yard or terminal areas where no freight
[[Page 2689]]
operations are permitted. While the definition of main line may not
include yard tracks used solely by freight operations, FRA is not
extending any relief or exception to tracks within yards or terminals
shared by freight and passenger operations. The collision of a
passenger train with a freight consist is typically a more severe
condition because of the greater mass of the freight equipment.
However, FRA did receive a comment suggesting some latitude within
terminals when passenger trains are moving without passengers (e.g., to
access repair and servicing areas). FRA agrees that low-speed
operations under those conditions should be acceptable as trains are
prepared for transportation. FRA has not included a request by Amtrak
(discussed below) to allow movements within major terminals at up to 30
miles per hour in mixed passenger and freight service, which appears in
FRA's judgment to fall outside of the authority to provide exclusions
conferred on FRA by the law.
In Sec. 236.1019(c), FRA provides the conditions under which joint
limited passenger and freight operations may occur on defined track
segments without the requirement for installation of PTC. Under Sec.
236.1003 (Definitions), ``limited operations'' is defined as
``operations on main line track that have limited or no freight
operations and are approved to be excepted from this subpart's PTC
system implementation and operation requirements in accordance with
Sec. 236.1019(c).'' This paragraph provides five alternative paths to
the main line exception, three of which were contained in the proposed
rule and a fourth and fifth that respond to comments on the proposed
rule.
The three alternatives derived from the NPRM are set forth in Sec.
236.1019(c)(1). First, an exception may be available where both the
freight and passenger trains are limited to restricted speed. Such
operations are feasible only for short distances, and FRA will examine
the circumstances involved to ensure that the exposure is limited and
that appropriate operating rules and training are in place.
Second, under Sec. 236.1019(c)(1)(ii), FRA notes that it will
consider an exception where temporal separation of the freight and
passenger operations can be ensured. A more complete definition of
temporal separation is provided in Sec. 236.1019(e). Temporal
separation of passenger and freight services reduces risk because the
likelihood of a collision is reduced (e.g., due to freight cars engaged
in switching that are not properly secured) and the possibility of a
relatively more severe collision between a passenger train and much
heavier freight consist is obviated.
Third, under Sec. 236.1019(c)(1)(iii), FRA notes that it will
consider commingled freight and passenger operations provided that a
jointly agreed risk analysis is provided by the passenger and freight
railroads, and the level of safety is the same as that which would be
provided under one of the two prior options selected as the base case.
FRA requested comments on whether FRA or the subject railroad should
determine the appropriate base case, but received none. FRA recognizes
that there may be situations where temporal separation may not be
possible. In such situations, FRA may allow commingled operations
provided the risk to the passenger operation is no greater than if the
passenger and freight trains were operating under temporal separation
or with all trains limited to restricted speed. For an exception to be
made under Sec. 236.1019(c)(3), FRA requires a risk analysis jointly
agreed to and submitted by the applicable freight and passenger
services. This ensures that the risks and consequences to both parties
have been fully analyzed, understood, and mitigated to the extent
practical. FRA would expect that the moving party would elect a base
case offering the greatest clarity and justify the selection.
Comments on the proposed rule generally supported the
aforementioned exclusions or were silent.
In its comments on the NPRM, Amtrak requested further relief
relating to lines requiring the implementation and operation of a PTC
system due solely to the presence of light-density passenger traffic.
According to Amtrak, the defining characteristic of light-density lines
is the nature of the train traffic; low-density patterns on these lines
lead to a correspondingly low risk of collision. Amtrak also asserted
that, due to relatively limited wear and tear from lower traffic
densities, these lines often have fewer track workers on site, further
reducing the chance of collisions and incursions into work zones. Thus,
states Amtrak, one of the principal reasons for installing PTC--
collision avoidance--is a relatively low risk on many light density
lines. With only marginal safety benefits anticipated from PTC use in
such applications, Amtrak believed that there may be minimal
justification for installing PTC on certain light-density lines.
Amtrak further noted that FRA itself had concluded that the costs
of PTC generally exceed its benefits, and Amtrak urged that this may be
even more so on light-density lines. Amtrak believed that Congress
understood this issue and thus created the regulatory flexibility for
the definition of ``main line'' for passenger routes found at 49 U.S.C.
20157(i)(2)(B) as a means to allow the Secretary to exempt certain
routes from the PTC mandate. According to Amtrak, this provision
essentially allows the Secretary to define certain passenger routes
with limited or no freight traffic as other than ``main line,'' thereby
effectively exempting such lines from the reach of the PTC mandate
because the mandate only applies to railroad operations over ``main
line[s].'' Said another way, urged Amtrak, the provision allows the
Secretary the freedom to decide in what circumstances such routes
should be considered ``main lines'' and thus be required to install
PTC--pursuant to whatever factors the Secretary deems appropriate
through the rulemaking process.
Amtrak urged that the Secretary should use this flexibility to
limit which passenger routes it defines as ``main lines'' to those
deemed to warrant the use of PTC using the FRA's usual risk-based
approach to safety regulation and traditional measures of
reasonableness, costs, and benefits. Amtrak posited that such a risk-
based analysis by FRA would likely lead to the conclusion that PTC is
simply not needed on many light-density lines over which passenger
trains currently operate. Amtrak therefore asked that FRA exercise this
authority by working with Amtrak and the rail industry to exempt
certain light density freight lines which host passenger traffic from
the obligation to install PTC where operating and safety conditions do
not warrant an advanced signal system.
Should FRA choose not to exempt some of these light density freight
lines over which passenger trains operate, Amtrak felt that the high
costs of full PTC systems will be passed on to the passenger and
freight operators of these routes. According to Amtrak, this obligation
could threaten the continuation of intercity passenger rail service on
several routes, including lines in California, Colorado, Kansas, Maine,
Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North
Dakota, Vermont, and Virginia, on what are potentially light density
lines. Additionally, states Amtrak, this obligation, where it can be
financed, could force the diversion of significant capital dollars away
from essential safety investments in track and other infrastructure
improvements, which are typically the leading safety risks for such
light-density operations. According to Amtrak, the cost of PTC
installation on these lines may be so out
[[Page 2690]]
of proportion to the benefit that Amtrak's service will need to be
rerouted onto a different line (e.g., to a Class I line with PIH
materials) if a reroute option exists, or eliminated entirely because
there is no feasible alternate route and no party is willing or able to
bear the cost of installing PTC on the existing route. The defining
characteristic of light-density lines is the nature of the train
traffic: low density patterns on these lines lead to a correspondingly
low risk of collision. In its filing, Amtrak noted that it was
currently assembling the details (e.g., annual freight tonnage,
frequency of freight train operations) ``for those lines that it
believes may qualify as light-density, and will submit as a supplement
to these Comments a recommendation as to what criteria the FRA should
adopt in determining what light-density lines are other than `main
lines.' '' Amtrak did subsequently file data referred to below, but did
not propose criteria.
According to the Amtrak testimony, the ``limited operations
exception'' in subsection 236.1019(c) of the NPRM did not provide a
practical solution to the problem created by defining all light-density
routes and terminal areas with passenger service as ``main lines.''
Amtrak stated that this subsection would arguably require installation
of PTC on most of the trackage and locomotives of the Terminal Railroad
Association of St Louis (TRRA) unless: (1) The entire terminal operates
at restricted speed (which TRRA is unlikely to agree to), (2) passenger
and freight trains are temporally separated (which would not be
practical on TRRA, and is unlikely to be practical on any of the light-
density lines over which Amtrak operates, due to the 24/7 nature of
railroad operations), or (3) a risk mitigation plan can be effected
that would achieve a level of safety not less than would pertain if all
operations on TRRA were at restricted speed or subject to temporal
separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a
risk analysis-based definition of ``main line'' passenger routes that
excludes light-density lines on which the installation of PTC is not
warranted; and (b) with respect to freight terminal areas in which
passenger trains operate, that FRA modify the limited operations
exception in subsection 236.1019(c) to require that all trains be
limited to 30 miles per hour rather than to restricted speed, or that
non-PTC equipped freight terminals be deemed as other than ``main
lines'' so long as all passenger operations are pursuant to signal
indication and at speeds not greater than 30 miles per hour (with
speeds reduced to not greater than restricted speed on unsignaled
trackage or if the signals should fail).
FRA believes that Amtrak's request is much broader than
contemplated by the law. FRA notes that TRRA is a very busy terminal
operation. FRA does not believe that the ``limited freight operations''
concept is in any way applicable under those circumstances. Nor is
there any indication in law that FRA was expected to fall back to
traditional cost-benefit principles in relation to PTC and scheduled
passenger service. However, there are a number of Amtrak routes with
limited freight operations that will not otherwise be equipped with PTC
because they are operated by other than Class I railroads. Further,
there are some Class I lines with less than 5 million gross tons, or no
PIH, that also warrant individualized review to the extent Amtrak and
the host railroad might elect to propose it.
Accordingly, in response to the Amtrak comments, Sec. Sec.
236.1019(c)(2) and (c)(3) have been added to the final rule to provide
an option by which certain additional types of limited passenger train
operations may qualify for a main line track exception where freight
operations are also suitably limited and the circumstances could lead
to significant hardship and cost that might overwhelm the value of the
passenger service provided. In Sec. 236.1019(c)(2), FRA addresses
lines where the host is not a Class I freight railroad, describing
characteristics of line segments that might warrant relief from PTC. In
Sec. 236.1019(c)(2)(i), FRA addresses passenger service involving up
to four regularly scheduled passenger trains during a calendar day over
a segment of unsignaled track on which less than 15 million gross tons
of freight traffic is transported annually. In Sec.
236.1019(c)(2)(ii), FRA addresses passenger service involving up to 12
regularly scheduled passenger trains during a calendar day over a
segment of signaled track on which less than 15 million gross tons of
freight traffic is transported annually. FRA derived Sec.
236.1019(c)(2) indirectly from discussions in the RSAC in response to
comments by Amtrak set forth above. The PTC Working Group proposed an
exception that might have been available anywhere an intercity or
commuter railroad operated over a line with 5 million gross tons of
freight traffic, including Class I lines and the lines of the intercity
or commuter railroad. This would have opened the potential for a
considerable exception for lines with very light freight density under
circumstances not thoroughly explored in the short time available to
the working group (e.g., on commuter rail branch lines, low density
track segments on Class I railroads, etc.).
Subsequent to the RSAC activities, Amtrak notified FRA that its
conversations with Class II and III railroads whose lines had been at
the root of the Amtrak comments revealed that some of the situations
involved freight traffic exceeding 5 million gross tons, potentially
rendering the exception ineffective for this purpose. At the same time,
FRA noted that the policy rationale behind the proposed additional
exception was related as much to the inherent difficulty associated
with PTC installation during the initial period defined by law, given
that the railroads identified by Amtrak were for the most part very
small operations with limited technical capacity, as well as limited
safety exposure. It was clear that in these cases care would need to be
taken to analyze collision risk and potentially require
mitigations.\14\ Accordingly, FRA has endeavored to address the concern
brought forward by Amtrak with a provision that is broad enough to
permit consideration of actual circumstances, limit this particular
exception to operations over railroads that would not otherwise need to
install PTC (e.g., Class II and III freight railroads), provide for a
thorough review process, and make explicit reference to the potential
requirement for safety mitigations. In this regard, FRA has chosen 15
million gross tons as a threshold that should accommodate situations
where Amtrak trains will, in actuality, face few conflicts with freight
movements (i.e., requiring trains to clear the main line for meets and
passes or to wait at junctions) and where mitigations are in place or
could be put in place to establish a high sense of confidence that
operations will continue to be conducted safely. FRA believes that less
than 15 million gross tons represents a fair test of ``limited freight
operations'' for these purposes, with the further caveat that specific
operating arrangements will be examined in each case.\15\ FRA
emphasizes that this is not
[[Page 2691]]
an entitlement, but an exclusion for which the affected railroads will
need to make a suitable case.
---------------------------------------------------------------------------
\14\ An example of an existing mitigation, which is provided to
support service quality but also supports safety, is the practice of
one Class III Amtrak host and its connecting freight partner to hold
out fleeted empty coal trains off the Class III property during the
period that Amtrak is running. While not constituting strict
``temporal separation,'' it does significantly reduce collision risk
over the route.
\15\ Freight tonnage on Amtrak lines varies from zero on two
segments to over 150 million gross tons. On a per-mile basis, 15
million gross tons falls into the twenty first percentile of Amtrak
track miles. The candidate lines on the Class I system comprise
about 6.8% of Amtrak's route structure.
---------------------------------------------------------------------------
Amtrak also provided to FRA a spreadsheet identifying each of its
route segments with attributes such as route length, freight tonnage,
number of Amtrak trains, and numbers of commuter trains. FRA further
reviewed this information in light of Amtrak's request for main track
exceptions. FRA noted a number of segments of the Amtrak system on
Class I railroads where the number of Amtrak trains was low and the
freight tonnage was also low (less than 15 million gross tons). Each of
these lines, with the exception of one 33-mile segment, is signalized.
FRA further noted that, with both Amtrak and Class I railroad
locomotives equipped for PTC, use of partial PTC technology (e.g.,
monitoring of switches where trains frequently clear) should be
available as a mitigation for collision risk. Accordingly, in Sec.
236.1019(c)(3) FRA has provided a further narrow exception for Class I
lines carrying no more than four intercity or commuter passenger trains
per day and cumulative annual tonnage of less than 15 million gross
tons, subject to FRA review. The limit of four trains takes into
consideration that it is much less burdensome to equip the wayside of a
Class I rail line than to install a full PTC system on a railroad that
would not otherwise require one. Again, the exception is not automatic,
and FRA's approval of a particular line segment would be discretionary.
The new Sec. 236.1019(d), FRA makes clear that it will carefully
review each proposed main track exception and may require that it be
supported by appropriate hazard analysis and mitigations. FRA has
previously vetted through the RSAC a Collision Hazard Analysis Guide
that can be useful for this purpose. If FRA determines that freight
operations are not ``limited'' as a matter of safety exposure or that
proposed safety mitigations are inadequate, FRA will deny the
exception.
3. Description and Estimate of Small Entities Affected
``Small entity'' is defined in 5 U.S.C. 601. Section 601(3) defines
a ``small entity'' as having the same meaning as ``small business
concern'' under section 3 of the Small Business Act. This includes any
small business concern that is independently owned and operated, and is
not dominant in its field of operation. Section 601(4) includes not-
for-profit enterprises that are independently owned and operated, and
are not dominant in their field of operations within the definition of
``small entities.'' Additionally, section 601(5) defines as ``small
entities'' governments of cities, counties, towns, townships, villages,
school districts, or special districts with populations less than
50,000.
The U.S. Small Business Administration (SBA) stipulates ``size
standards'' for small entities. It provides that the largest a for-
profit railroad business firm may be (and still classify as a ``small
entity'') is 1,500 employees for ``Line-Haul Operating'' railroads, and
500 employees for ``Short-Line Operating'' railroads. See ``Table of
Size Standards,'' U.S. Small Business Administration, January 31, 1996,
13 CFR part 121; see also NAICS Codes 482111 and 482112.
SBA size standards may be altered by Federal agencies in
consultation with SBA, and in conjunction with public comment. Pursuant
to the authority provided to it by SBA, FRA has published a final
policy, which formally establishes small entities as railroads that
meet the line haulage revenue requirements of a Class III railroad. See
68 FR 24,891 (May 9, 2003). Currently, the revenue requirements are $20
million or less in annual operating revenue, adjusted annually for
inflation. The $20 million limit (adjusted annually for inflation) is
based on the Surface Transportation Board's threshold of a Class III
railroad carrier, which is adjusted by applying the railroad revenue
deflator adjustment. See also 49 CFR part 1201. The same dollar limit
on revenues is established to determine whether a railroad shipper or
contractor is a small entity. FRA uses this definition for this
rulemaking.
The FRA's ``universe'' of considered entities generally includes
only those small entities that can reasonably be expected to be
directly regulated by the final rule. One type of small entity is
potentially affected by this final rule: railroads. The level of impact
on small railroads will vary from railroad to railroad. Class III
railroads will be impacted for one or more of the following reasons:
(1) They operate on Class I railroad lines that carry PIH materials and
are required to have PTC, in which case they will need to equip the
portion of their locomotive fleet that operates on such lines; (2) they
operate on Amtrak or commuter rail lines, including freight railroad
lines that host such service; (3) they host regularly scheduled
intercity or commuter rail transportation; or (4) they have at-grade
railroad crossings over lines required by RSIA08 to have PTC.
The final rule will apply to small railroads' tracks over which a
passenger railroad conducts intercity or commuter operations and
locomotives operating on main lines of Class I freight railroads
required to have PTC and on railroads conducting intercity passenger or
commuter operations. The impact on Class III railroads that operate on
Class I railroad lines required to be equipped with PTC will depend on
the nature of such operations. Class III railroads often make short
moves on Class I railroad lines for interchange purposes. To the extent
that their moves do not exceed four per day or 20 miles in length of
haul (one way), Class III railroads will be exempt from the requirement
to equip the locomotives. However, some Class III railroads operate
much more extensively on Class I railroad lines that will be required
to have PTC and will have to equip some of their locomotives. It is
likely that Class III railroads will dedicate certain locomotives to
such service, if they have not done so already. FRA estimates that
approximately 55 small railroads will have to equip locomotives with
PTC system components because they have trackage rights on Class I
freight railroad PIH lines that will be required to have PTC and will
not be able to qualify for any of the operational exceptions discussed.
FRA further estimates that 10 small railroads have trackage rights
on intercity passenger or commuter railroads or other freight railroads
hosting such operations, and will need to equip some locomotives with
PTC systems. Half of these will need to equip locomotives anyway,
because they also have trackage rights on Class I railroads that haul
PIH and would otherwise be required to have PTC.
Thus, a total of 60 railroads will need to equip locomotives. FRA
estimates that the average small railroad will need to equip four
locomotives, at a per railroad cost of $55,000 each, totaling $220,000,
and that the total cost for all 60 small railroads which will need to
equip locomotives will be $13,200,000. FRA further estimates that the
annual maintenance cost will be 15% of that total, equaling $33,000 per
railroad or $1,980,000 total for all small railroads.
In addition, 15 small railroads host commuter or intercity
passenger operations on what might be defined as main line track under
the accompanying rulemaking; however, only five of these railroads are
neither terminal nor port railroads, which tend to be owned and
operated by large railroads or port authorities, or subsidiaries of
large short
[[Page 2692]]
line holding companies with the expertise and resources across the
disciplines comparable to larger railroads. Of those five railroads,
only one has trackage exceeding 3.8 miles. The other four railroads may
request that FRA define such track as other than main line after
ensuring that all trains will be limited to restricted speed. The cost
burden on the remaining railroad will likely be reduced by restricting
speed, temporally separating passenger train operations, or by passing
the cost to the passenger railroad. Thus, the expected burden to small
entities hosting passenger operations is minimal. This impact will
further be reduced by exclusion of track from the main track under
Sec. 236.1019.
At rail-to-rail crossings where at least one of the intersecting
tracks allows operating speeds in excess of 40 miles per hour, the
approaching non-PTC line must have a permanent maximum speed limit of
20 miles per hour and either have some type of positive stop
enforcement or a split-point derail incorporated into the signal system
on the non-PTC route. In the IRFA, FRA incorrectly assumed that the
cost of the derail would be borne by the PTC-equipped railroad, and
that slowing to 20 miles per hour reflects current practice at most
diamond crossings. In response to comments from Class I railroad
representatives, FRA has revised its assumption and estimates that
roughly half of the cost of derails will be borne by small entities.
FRA estimates that five small railroads have rail-to-rail crossings,
with two such crossings each, where the newly burdened small railroad
will be slowing to 20 miles per hour from a higher track speed. FRA
estimates that the average traffic on the newly burdened route is two
trains per day, and that the cost to slow from a higher track speed is
$30 per train, for a total cost of $60 per crossing per day, a per
railroad cost of $120 per day, and a total national cost for all ten
small railroads of $600 per day and an annual cost of $43,800 per
railroad and a total for all small railroads of $219,000 per year. FRA
further estimates that small railroads will pay for derails at five of
the ten impacted crossings, at a price per crossing of $80,000, for two
sets of derails, one on each side of the crossings, and a total cost of
$400,000, with annual maintenance costs of $60,000 (15% of installation
cost) total. The initial investment will therefore be $400,000 and the
total annual cost will be $279,000. FRA estimates that only five Class
III railroads will be affected by this provision, and that they will be
railroads not affected by the requirement to equip locomotives, because
railroads with equipped locomotives could simply use the PTC system and
avoid the requirement to slow down.
This analysis yields a total of 65 affected small entities that may
be impacted by implementation of the final rule. FRA requested comments
regarding this estimate of small entities potentially impacted, and the
only comment was that Class I railroads would not necessarily bear the
cost of equipping rail-to-rail crossings with derails.
4. Description of Reporting, Recordkeeping, and Other Compliance
Requirements and Impacts on Small Entities Resulting From Specific
Requirements
Class III railroads that host intercity or commuter rail service
will need to file implementation plans, whether or not they directly
procure or manage installation of the PTC system. FRA believes that,
although the implementation plan must be jointly filed by the small
host railroad and passenger tenant railroad, the cost of these plans
will be borne by the passenger railroads, because under typical
trackage rights agreements, the passenger railroads are responsible for
any costs that would not exist in the absence of the passenger
operations. Clearly, the Class III railroads would not be required to
install PTC in the absence of passenger traffic, so any costs the Class
III railroads bear initially will eventually be passed on to the
passenger railroads operating on the Class III railroads' lines. FRA
believes that only one small entity, as described above, is likely to
have PTC installed on its lines. The implementation plan is likely to
be an extension of the passenger railroad's plan, and the marginal cost
will be the cost of tailoring the plan to the host railroad, which will
be borne by the passenger railroad, and maintaining copies of the plan
at the host railroad, which FRA estimates to be approximately $1,000
per year.
The total cost to small entities will include the initial cost of
equipping locomotives, $13,200,000, and $400,000 to equip diamond
crossings; annual costs of $1,980,000 for maintenance of locomotive
systems; $219,000 due to operating speed restrictions at diamond
crossings; $60,000 to maintain diamond crossings; and $1,000 to
maintain a copy of the PTC implementation plan. The total annual costs
to small entities after initial acquisition will be $2,260,000
($1,980,000 + $219,000 + $60,000 + $1,000). Individual railroads
affected will either face an initial cost of $220,000 to equip
locomotives, and an annual cost of $33,000 to maintain the PTC systems
on those locomotives, or will face a per railroad cost of $80,000 to
equip a diamond crossing, $12,000 per year to maintain a diamond
crossing, and $43,800 per year to slow at diamond crossings. No
railroad will face both sets of costs, because if its locomotives are
equipped, they will not need to slow down at diamond crossings, nor
would the crossings need to be equipped with derails.
5. Steps the Agency Has Taken To Minimize Adverse Economic Impact on
Small Entities
FRA is unaware of any significant alternatives that would meet the
intent of RSIA08 and that would minimize the economic impact on small
entities. FRA is exercising its discretion to provide the greatest
flexibility for small entities available under RSIA08 by allowing
operations of unequipped trains operated by small entities on the main
lines of Class I railroads, and by defining main track on passenger
railroads to avoid imposing undue burdens on small entities. The
definition of passenger main track was adopted based on PTC Working
Group recommendations that were backed strongly by representatives of
small railroads. FRA added further, more expansive exclusions from main
track for passenger railroads in the final rule. The provisions
permitting operations of unequipped trains of Class I railroads
exceeded the maximum flexibility for which the PTC Working Group could
reach a consensus. FRA requested comments on this finding of no
significant alternative related to small entities, but received no such
comments.
The process by which this final rule was developed provided
outreach to small entities. As noted earlier in the preamble, this
notice was developed in consultation with industry representatives via
the RSAC, which includes small railroad representatives. From January
to April 2009, FRA met with the entire PTC Working Group five times
over the course of twelve days. This PTC Working Group established a
task force to focus on issues specific to short line and regional
railroads. The discussions yielded many insights and this final rule
takes into account the concerns expressed by small railroads during the
deliberations. The PTC Working Group had further discussions after
publication of the NPRM, on August 31, 2009, and September 1 and 2,
2009, related to the impact on small entities and on passenger
railroads
[[Page 2693]]
(small entities may be affected under the final rule by their
operations on passenger railroads or as hosts of passenger operations)
and added new exclusions from main track to the RSAC recommendations.
FRA extended these exclusions further, based on Amtrak comments, to the
benefit of small entities.
C. Paperwork Reduction Act
The information collection requirements in this proposed rule have
been submitted for approval to the Office of Management and Budget
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq.
The sections that contain the new information collection requirements
and the estimated time to fulfill each requirement are as follows:
----------------------------------------------------------------------------------------------------------------
Respondent Total annual Average time per Total annual
CFR section universe responses response burden hours
----------------------------------------------------------------------------------------------------------------
234.275--Processor-Based 20 Railroads...... 25 letters........ 4 hours........... 100 hours.
Systems--Deviations from
Product Safety Plan (PSP)--
Letters.
236.18--Software Mgmt. Control 184 Railroads..... 184 plans......... 2,150 hours....... 395,600 hours.
Plan.
--Updates to Software Mgmt. 90 Railroads...... 20 updates........ 1.50 hours........ 30 hours.
Control Plan.
236.905--Updates to RSPP........ 78 Railroads...... 6 plans........... 135 hours......... 810 hours.
--Response to Request for 78 Railroads...... 1 updated doc..... 400 hours......... 400 hours.
Additional Info.
--Request for FRA Approval 78 Railroads...... 1 request/modified 400 hours......... 400 hours.
of RSPP Modification. RSPP.
236.907--Product Safety Plan 5 Railroads....... 5 plans........... 6,400 hours....... 32,000 hours.
(PSP)--Dev.
236.909--Minimum Performance
Standard
--Petitions for Review and 5 Railroads....... 2 petitions/PSP... 19,200 hours...... 38,400 hours.
Approval.
--Supporting Sensitivity 5 Railroads....... 5 analyses........ 160 hours......... 800 hours.
Analysis.
236.913--Notification/Submission 6 Railroads....... 1 joint plan...... 25,600 hours...... 25,600 hours.
to FRA of Joint Product Safety
Plan (PSP).
--Petitions for Approval/ 6 Railroads....... 6 petitions....... 1,928 hours....... 11,568 hours.
Informational Filings.
--Responses to FRA Request 6 Railroads....... 2 documents....... 800 hours......... 1,600 hours.
for Further Info. After
Informational Filing.
--Responses to FRA Request 6 Railroads....... 6 documents....... 16 hours.......... 96 hours.
for Further Info. After
Agency Receipt of Notice of
Product Development.
--Consultations............. 6 Railroads....... 6 consults........ 120 hours......... 720 hours.
--Petitions for Final 6 Railroads....... 6 petitions....... 16 hours.......... 96 hours.
Approval.
--Comments to FRA by Public/RRs........ 7 comments........ 240 hours......... 1,680 hours.
Interested Parties.
--Third Party Assessments of 6 Railroads....... 1 assessment...... 104,000 hours..... 104,000 hours.
PSP.
--Amendments to PSP......... 6 Railroads....... 15 amendments..... 160 hours......... 2,400 hours.
--Field Testing of Product-- 6 Railroads....... 6 documents....... 3,200 hours....... 19,200 hours.
Info. Filings.
236.917--Retention of Records.
--Results of tests/ 6 Railroads....... 3 documents/ 160,000 hrs.; 360,000 hours.
inspections specified in records. 160,000 hrs.;
PSP. 40,000 hrs.
--Report to FRA of 6 Railroads....... 1 report.......... 104 hours......... 104 hours.
Inconsistencies with
frequency of safety-
relevant hazards in PSP.
236.919--Operations &
Maintenance Man.
--Updates to O & M Manual... 6 Railroads....... 6 updated docs.... 40 hours.......... 240 hours.
--Plans for Proper 6 Railroads....... 6 plans........... 53,335 hours...... 320,010 hours.
Maintenance, Repair,
Inspection of Safety-
Critical Products.
--Hardware/Software/Firmware 6 Railroads....... 6 revisions....... 6,440 hours....... 38,640 hours.
Revisions.
236.921--Training Programs: 6 Railroads....... 6 Tr. Programs.... 400 hours......... 2,400 hours.
Development.
--Training of Signalmen & 6 Railroads....... 300 signalmen; 20 40 hours; 20 hours 12,400 hours.
Dispatchers. dispatchers.
236.923--Task Analysis/Basic 6 Railroads....... 6 documents....... 720 hours......... 4,320 hours.
Requirements: Necessary
Documents.
--Records................... 6 Railroads....... 350 records....... 10 minutes........ 58 hours.
SUBPART I--NEW REQUIREMENTS
236.1001--RR Development of More 30 Railroads...... 3 rules........... 80 hours.......... 240 hours.
Stringent Rules Re: PTC
Performance Stds.
236.1005--Requirements for PTC
Systems.
--Temporary Rerouting: 30 Railroads...... 50 requests....... 8 hours........... 400 hours.
Emergency Requests.
--Written/Telephonic 30 Railroads...... 50 notifications.. 2 hours........... 100 hours.
Notification to FRA
Regional Administrator.
--Temporary Rerouting 30 Railroads...... 760 requests...... 8 hours........... 6,080 hours.
Requests Due to Track
Maintenance.
--Temporary Rerouting 30 Railroads...... 380 requests...... 8 hours........... 3,040 hours.
Requests That Exceed 30
Days.
236.1006--Requirements for
Equipping Locomotives Operating
in PTC Territory.
[[Page 2694]]
--Reports of Movements in 30 Railroads...... 45 reports + 45 8 hours + 170..... 8,010 hours.
Excess of 20 Miles/RR reports.
Progress on PTC Locomotives.
--PTC Progress Reports...... 35 Railroads...... 35 reports........ 16 hours.......... 560 hours.
236.1007--Additional
Requirements for High Speed
Service.
--Required HSR--125 30 Railroads...... 11 documents...... 3,200 hours....... 35,200 hours.
Documents with approved
PTCSP.
--Requests to Use Foreign 30 Railroads...... 2 requests........ 8,000 hours....... 16,000 hours.
Service Data.
--PTC Railroads Conducting 30 Railroads...... 4 documents....... 3,200 hours....... 12,800 hours.
Operations at More than 150
MPH with HSR-125 Documents.
--Requests for PTC Waiver... 30 Railroads...... 1 request......... 1,000 hours....... 1,000 hours.
236.1009--Procedural
Requirements.
--PTC Implementation Plans 30 Railroads...... 25 plans.......... 535 hours......... 13,375 hours.
(PTCIP).
--Host Railroads Filing 30 Railroads...... 1 PCTIP; 15 RFAs.. 535 hours; 320 5,335 hours.
PTCIP or Request for hours.
Amendment (RFAs).
--Jointly Submitted PTCIPs.. 30 Railroads...... 5 PTCIPs.......... 267 hours......... 1,335 hours.
--Notification of Failure to 30 Railroads...... 25 notifications.. 32 hours.......... 800 hours.
File Joint PTCIP.
--Comprehensive List of 30 Railroads...... 25 lists.......... 80 hours.......... 2,000 hours.
Issues Causing Non-
Agreement.
--Conferences to Develop 25 Railroads...... 3 conf. calls..... 60 minutes........ 3 hours.
Mutually Acceptable PCTIP.
--Type Approval............. 30 Railroads...... 10 Type Appr...... 8 hours........... 80 hours.
--PTC Development Plans 30 Railroads...... 20 Ltr. + 20 App; 8 hrs/1,600 hrs.; 96,160 hours.
Requesting Type Approval. 10 Plans. 6,400 hours.
--Notice of Product Intent w/ 30 Railroads...... 24 NPI; 24 IPs.... 1,070 + 535 hrs... 38,520 hours.
PTCIPs (IPs).
--PTCDPs with PTCIPs (DPs + 30 Railroads...... 6 DPs; 6 IPs...... 2,135 + 535 hrs... 16,020 hours.
IPs).
--Updated PTCIPs w/PTCDPs 30 Railroads...... 24 IPs; 24 DPs.... 535 + 2,135 hrs... 64,080 hours.
(IPs + DPs).
--Disapproved/Resubmitted 30 Railroads...... 6 IPs + 6 NPIs.... 135 + 270 hrs..... 2,430 hours.
PTCIPs/NPIs.
--Revoked Approvals-- 30 Railroads...... 6 IPs + 6 DPs..... 135 + 535 hrs..... 4,020 hours.
Provisional IPs/DP.
--PTCIPs/PTCDPs Still 30 Railroads...... 2 IPs + 2 DPs..... 135 + 535 hrs..... 1,340 hours.
Needing Rework.
--PTCIP/PTCDP/PTCSP Plan 30 Railroads...... 1 document........ 8,000 hours....... 8,000 hours.
Contents--Documents
Translated into English.
--Requests for 30 Railroads...... 30 ltrs; 30 docs.. 8 hrs.; 800 hrs... 24,240 hours.
Confidentiality.
--Field Test Plans/ 30 Railroads...... 150 field tests; 2 800 hours......... 121,600 hours.
Independent Assessments-- assessments.
Req. by FRA.
--FRA Access: Interviews 30 Railroads...... 60 interviews..... 30 minutes........ 30 hours.
with PTC Wrkrs.
--FRA Requests for Further 30 Railroads...... 5 documents....... 400 hours......... 2,000 hours.
Information.
236.1011--PTCIP Requirements-- 7 Interested 21 rev.; 60 com... 143 + 8 hrs....... 3,483 hours.
Comment. Groups.
236.1015--PTCSP Content
Requirements & PTC System
Certification.
--Non-Vital Overlay......... 30 Railroads...... 2 PTCSPs.......... 16,000 hours...... 32,000 hours.
--Vital Overlay............. 30 Railroads...... 16 PTCSPs......... 22,400 hours...... 358,400 hours.
--Stand Alone............... 30 Railroads...... 10 PTCSPs......... 32,000 hours...... 320,000 hours.
--Mixed Systems--Conference 30 Railroads...... 3 conferences..... 32 hours.......... 96 hours.
with FRA regarding Case/
Analysis.
--Mixed Sys. PTCSPs (incl. 30 Railroads...... 2 PTCSPs.......... 28,800 hours...... 57,600 hours.
safety case).
--FRA Request for Additional 30 Railroads...... 15 documents...... 3,200 hours....... 48,000 hours.
PTCSP Data.
--PTCSPs Applying to Replace 30 Railroads...... 15 PTCSPs......... 3,200 hours....... 48,000 hours.
Existing Certified PTC
Systems.
--Non-Quantitative Risk 30 Railroads...... 15 assessments.... 3,200 hours....... 48,000 hours.
Assessments Supplied to FRA.
236.1017--PTCSP Supported by 30 Railroads...... 1 assessment...... 8,000 hours....... 8,000 hours.
Independent Third Party
Assessment.
--Written Requests to FRA to 30 Railroads...... 1 request......... 8 hours........... 8 hours.
Confirm Entity Independence.
--Provision of Additional 30 Railroads...... 1 document........ 160 hours......... 160 hours.
Information After FRA
Request.
--Independent Third Party 30 Railroads...... 1 request......... 160 hours......... 160 hours.
Assessment: Waiver Requests.
[[Page 2695]]
--RR Request for FRA to 30 Railroads...... 1 request......... 32 hours.......... 32 hours.
Accept Foreign Railroad
Regulator Certified Info.
236.1019--Main Line Track
Exceptions.
--Submission of Main Line 30 Railroads...... 30 MTEAs.......... 160 hours......... 4,800 hours.
Track Exclusion Addendums
(MTEAs).
--Passenger Terminal 30 Railroads...... 23 MTEAs.......... 160 hours......... 3,680 hours.
Exception--MTEAs.
--Limited Operation 30 Railroads...... 23 plans.......... 160 hours......... 3,680 hours.
Exception--Risk Mit.
--Ltd. Exception--Collision 30 Railroads...... 12 analyses....... 1,600 hours....... 19,200 hours.
Hazard Anal.
--Temporal Separation 30 Railroads...... 11 procedures..... 160 hours......... 1,760 hours.
Procedures.
236.1021--Discontinuances, 30 Railroads...... 15 RFAs........... 160 hours......... 2,400 hours.
Material Modifications,
Amendments--Requests to Amend
(RFA) PTCIP, PTCDP or PTCSP.
--Review and Public Comment 7 Interested 7 reviews + 20 3 hours; 16 hours. 341 hours.
on RFA. Groups. comments.
236.1023--PTC Product Vendor 30 Railroads...... 30 lists.......... 8 hours........... 240 hours.
Lists.
--RR Procedures Upon 30 Railroads...... 30 procedures..... 16 hours.......... 480 hours.
Notification of PTC System
Safety-Critical Upgrades,
Rev., Etc.
--RR Notifications of PTC 30 Railroads...... 150 notifications. 16 hours.......... 2,400 hours.
Safety Hazards.
--RR Notification Updates... 30 Railroads...... 150 updates....... 16 hours.......... 2,400 hours.
--Manufacturer's Report of 5 System Suppliers 5 reports......... 400 hours......... 2,000 hours.
Investigation of PTC Defect.
--PTC Supplier Reports of 5 System Suppliers 150 reports + 150 16 hours + 8 hours 3,600 hours.
Safety Relevant Failures or rpt. copies.
Defective Conditions.
236.1029--Report of On-Board 30 Railroads...... 960 reports....... 96 hours.......... 92,160 hours.
Lead Locomotive PTC Device
Failure.
236.1031--Previously Approved
PTC Systems.
--Request for Expedited 30 Railroads...... 3 REC Letters..... 160 hours......... 480 hours.
Certification (REC) for PTC
System.
--Requests for 30 Railroads...... 3 requests........ 1,600 hours....... 4,800 hours.
Grandfathering on PTCSPs.
236.1035--Field Testing 30 Railroads...... 150 field test 800 hours......... 120,000 hours.
Requirements. plans.
--Relief Requests from 30 Railroads...... 50 requests....... 320 hours......... 16,000 hours.
Regulations Necessary to
Support Field Testing.
236.1037--Records Retention.
--Results of Tests in PTCSP 30 Railroads...... 960 records....... 4 hours........... 3,840 hours.
and PTCDP.
--PTC Service Contractors 30 Railroads...... 9,000 records..... 30 minutes........ 4,500 hours.
Training Records.
--Reports of Safety Relevant 30 Railroads...... 4 reports......... 8 hours........... 32 hours.
Hazards Exceeding Those in
PTCSP and PTCDP.
--Final Report of Resolution 30 Railroads...... 4 final reports... 160 hours......... 640 hours.
of Inconsistency.
236.1039--Operations & 30 Railroads...... 30 manuals........ 250 hours......... 7,500 hours.
Maintenance Manual (OMM):
Development.
--Positive Identification of 30 Railroads...... 75,000 i.d. 1 hour............ 75,000 hours.
Safety-critical components. components.
--Designated RR Officers in 30 Railroads...... 60 designations... 2 hours........... 120 hours.
OMM regarding PTC issues.
236.1041--PTC Training Programs. 30 Railroads...... 30 programs....... 400 hours......... 12,000 hours.
236.1043--Task Analysis/Basic 30 Railroads...... 30 evaluations.... 720 hours......... 21,600 hours.
Requirements: Training
Evaluations.
--Training Records.......... 30 Railroads...... 350 records....... 10 minutes........ 58 hours.
236.1045--Training Specific to 30 Railroads...... 20 trained 20 hours.......... 400 hours.
Office Control Personnel. employees.
236.1047--Training Specific to
Loc. Engineers & Other
Operating Personnel.
--PTC Conductor Training.... 30 Railroads...... 5,000 trained 3 hours........... 15,000 hours.
conductors.
----------------------------------------------------------------------------------------------------------------
All estimates include the time for reviewing instructions;
searching existing data sources; gathering or maintaining the needed
data; and reviewing the information.
Organizations and individuals desiring to submit comments on the
collection of information requirements should direct them to the Office
of Management and Budget, Office of Information and Regulatory Affairs,
Washington, DC 20503, Attention: FRA Desk Officer. Comments may also be
sent via e-mail to the Office of Management and Budget at the following
address: [email protected].
[[Page 2696]]
OMB is required to make a decision concerning the collection of
information requirements contained in this direct final rule between 30
and 60 days after publication of this document in the Federal Register.
Therefore, a comment to OMB is best assured of having its full effect
if OMB receives it within 30 days of publication.
FRA cannot impose a penalty on persons for violating information
collection requirements which do not display a current OMB control
number, if required. FRA intends to obtain current OMB control numbers
for any new information collection requirements resulting from this
rulemaking action prior to the effective date of this direct final
rule. The OMB control number, when assigned, will be announced by
separate notice in the Federal Register.
D. Federalism Implications
This final rule has been analyzed in accordance with the principles
and criteria contained in Executive Order 13132, ``Federalism.'' See 64
FR 43,255 (Aug. 4, 1999).
As discussed earlier in the preamble, this final rule would provide
regulatory guidance and performance standards for the development,
testing, implementation, and use of Positive Train Control (PTC)
systems for railroads mandated by the Rail Safety Improvement Act of
2008.
Executive Order 13132 requires FRA to develop an accountable
process to ensure ``meaningful and timely input by State and local
officials in the development of regulatory policies that have
federalism implications.'' Policies that have ``federalism
implications'' are defined in the Executive Order to include
regulations that have ``substantial direct effects on the States, on
the relationship between the national government and the States, or on
the distribution of power and responsibilities among the various levels
of government.'' Under Executive Order 13132, the agency may not issue
a regulation with Federalism implications that imposes substantial
direct compliance costs and that is not required by statute, unless the
Federal government provides the funds necessary to pay the direct
compliance costs incurred by State and local governments, or the agency
consults with State and local government officials early in the process
of developing the regulation. Where a regulation has Federalism
implications and preempts State law, the agency seeks to consult with
State and local officials in the process of developing the regulation.
FRA has determined that this final rule would not have substantial
direct effects on the states, on the relationship between the national
government and the states, nor on the distribution of power and
responsibilities among the various levels of government. In addition,
FRA has determined that this final rule, which is required by the Rail
Safety Improvement Act of 2008, would not impose any direct compliance
costs on state and local governments. Therefore, the consultation and
funding requirements of Executive Order 13132 do not apply.
However, this final rule will have preemptive effect. Section 20106
of Title 49 of the United States Code provides that States may not
adopt or continue in effect any law, regulation, or order related to
railroad safety or security that covers the subject matter of a
regulation prescribed or order issued by the Secretary of
Transportation (with respect to railroad safety matters) or the
Secretary of Homeland Security (with respect to railroad security
matters), except when the State law, regulation, or order qualifies
under the local safety or security exception to Sec. 20106. The intent
of Sec. 20106 is to promote national uniformity in railroad safety and
security standards. 49 U.S.C. 20106(a)(1). Thus, subject to a limited
exception for essentially local safety or security hazards, this final
rule would establish a uniform federal safety standard that must be
met, and state requirements covering the same subject matter would be
displaced, whether those state requirements are in the form of a state
law, regulation, order, or common law. Part 236 establishes federal
standards of care which preempt state standards of care, but this part
does not preempt an action under state law seeking damages for personal
injury, death, or property damage alleging that a party has failed to
comply with the federal standard of care established by this part,
including a plan or program required by this part. Provisions of a plan
or program which exceed the requirements of this part are not included
in the federal standard of care. The Locomotive Boiler Inspection Act
(49 U.S.C. 20701-20703) has been held by the U.S. Supreme Court to
preempt the entire field of locomotive safety; therefore, this part
preempts any state law, including common law, covering the design,
construction, or material of any part of or appurtenance to a
locomotive.
In sum, FRA has analyzed this final rule in accordance with the
principles and criteria contained in Executive Order 13132. As
explained above, FRA has determined that this final rule has no
federalism implications, other than the preemption of state laws
covering the subject matter of this final rule, which occurs by
operation of law under 49 U.S.C. 20106 whenever FRA issues a rule or
order. Accordingly, FRA has determined that preparation of a federalism
summary impact statement for this proposed rule is not required.
E. Environmental Impact
FRA has evaluated this final rule in accordance with its
``Procedures for Considering Environmental Impacts'' (``FRA's
Procedures'') (64 FR 28,545 (May 26, 1999)) as required by the National
Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental
statutes, Executive Orders, and related regulatory requirements. FRA
has determined that this final rule is not a major FRA action
(requiring the preparation of an environmental impact statement or
environmental assessment) because it is categorically excluded from
detailed environmental review pursuant to section 4(c)(20) of FRA's
Procedures. In accordance with section 4(c) and (e) of FRA's
Procedures, the agency has further concluded that no extraordinary
circumstances exist with respect to this regulation that might trigger
the need for a more detailed environmental review. As a result, FRA
finds that this final rule is not a major federal action significantly
affecting the quality of the human environment.
F. Unfunded Mandates Reform Act of 1995
The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C.
1531) (UMRA) requires agencies to prepare a written assessment of the
costs, benefits, and other effects of proposed or final rules that
include a federal mandate likely to result in the expenditures by
state, local or tribal governments, in the aggregate, or by the private
sector, of $100 million (adjusted annually for inflation with base year
of 1995) or more in any one year. The value equivalent of $100 million
in CY 1995, adjusted annual for inflation to CY 2008 levels by the
Consumer Price Index for All Urban Consumers (CPI-U) is $141.3 million.
The assessment may be included in conjunction with other assessments,
as it is in this rulemaking.
FRA is issuing this final rule to provide regulatory guidance and
performance standards for the development, testing, implementation, and
use of PTC systems for railroads mandated by the Rail Safety
Improvement Act of 2008 Sec. 104, Public Law 110-432, 122 Stat. 4854
(Oct. 16, 2008) (codified at 9 U.S.C. 20157), to
[[Page 2697]]
implement PTC systems. The RIA provides a detailed analysis of the
costs of implementing PTC systems. This analysis is the basis for
determining that, other than to the extent that this regulation
incorporates requirements specifically set forth in RSIA08, this rule
will not result in total expenditures by state, local or tribal
governments, in the aggregate, or by the private sector of $141.3
million or more in any one year. The vast bulk of costs associated with
this final rule are directly attributable to the statutory mandate. The
only unfunded mandate attributable to this final rule that does not
incorporate the requirements specifically set forth in RSIA08 is the
cost pertaining to the filing of paperwork to prove compliance with
RSIA08. The effects are discussed above and in the Regulatory Impact
Analysis, which has been placed in the docket for this rulemaking.
FRA received comments asserting that the rule extends beyond the
congressional mandates communicated in RSIA08. Even if this assertion
was correct, the final rule alone would not create an unfunded mandate
in excess of the threshold amount. For instance, some railroads believe
that Sec. 236.1029(f)--which requires PTC screen access to every
person in the locomotive cab--exceeds the statutory requirements.
Certain freight railroads have said that this provision requires a
second display unit, which will cost $8,000. AAR estimates that
approximately 29,461 second display units would require installation,
resulting in a cost of $235,688,000. FRA, however, believes that only
27,598 screens would require installation, totaling $220,784,000.
Certain railroads have also contested Sec. 236.1005(b)(2), which
governs the baseline information necessary to determine whether a Class
I railroad's track segment shall be equipped with a PTC system. Under
that provision, initial PTC territory shall be determined based on 2008
traffic levels. CSXT asserts that this provision will cause it to
install PTC on 844 miles of track which will no longer meet the PIH
materials threshold or will no longer meet the 5 million gross tons
threshold in 2010. According to CSXT, the installation will cost
$45,000 per mile (the RIA uses an estimate of $50,000 per mile) for a
CSXT estimated cost of almost $38,000,000.
As noted above, FRA believes that these requirements respond
directly to the requirements set forth in RSIA08. For instance, to
effectuate Congress' intent to prevent incursions into roadway worker
zones, it is necessary to require PTC screen access to all crew members
in the locomotive cab so that they may perform their respective duties.
Sometimes, this may require installation of a second display unit. In
its analysis of Sec. 236.1005(b), FRA provides sufficient
justification for the baseline level based on the language in the
statute, the context of the legislative process, and Congress' intent.
If anything, FRA has reduced railroad expenditures by, inter alia,
providing a number of exceptions from the installation requirements and
opportunities for plan amendments.
In any event, the aforementioned costs borne by the railroads will
not exceed $141.3 million or more in any one year. The costs indicated
above--totaling between $258,784,000 and $273,688,000, depending upon
whether one relies on AAR's or FRA's second screen estimates--would be
incurred over a period of several years. Even if FRA were to add the
costs of paperwork filings, which FRA estimates to each have a one time
cost of approximately $20,000, the annual monetary threshold will
likely not be met.
G. Energy Impact
Executive Order 13211 requires Federal agencies to prepare a
Statement of Energy Effects for any ``significant energy action.'' 66
FR 28,355 (May 22, 2001). Under the Executive Order, a ``significant
energy action'' is defined as any action by an agency (normally
published in the Federal Register) that promulgates or is expected to
lead to the promulgation of a final rule or regulation, including
notices of inquiry, advance notices of proposed rulemaking, and notices
of proposed rulemaking: (1)(i) That is a significant regulatory action
under Executive Order 12866 or any successor order, and (ii) is likely
to have a significant adverse effect on the supply, distribution, or
use of energy; or (2) that is designated by the Administrator of the
Office of Information and Regulatory Affairs as a significant energy
action. FRA has evaluated this final rule in accordance with Executive
Order 13211. FRA has determined that this final rule is not likely to
have a significant adverse effect on the supply, distribution, or use
of energy. Consequently, FRA has determined that this regulatory action
is not a ``significant regulatory action'' within the meaning of
Executive Order 13211.
H. Privacy Act
FRA wishes to inform all interested parties that anyone is able to
search the electronic form of any written communications and comments
received into any of our dockets by the name of the individual
submitting the document (or signing the document), if submitted on
behalf of an association, business, labor union, etc.). Interested
parties may also review DOT's complete Privacy Act Statement in the
Federal Register published on April 11, 2000 (65 FR 19,477) or visit
http://www.regulations.gov.
List of Subjects
49 CFR Part 229
Event recorders, Locomotives, Railroad safety.
49 CFR Part 234
Highway safety, Penalties, Railroad safety, Reporting and
recordkeeping requirements.
49 CFR Part 235
Administrative practice and procedure, Penalties, Railroad safety,
Reporting and recordkeeping requirements.
49 CFR Part 236
Penalties, Positive Train Control, Railroad safety, Reporting and
recordkeeping requirements.
IX. The Rule
0
In consideration of the foregoing, FRA amends chapter II, subtitle B of
title 49, Code of Federal Regulations as follows:
PART 229--[AMENDED]
0
1. The authority citation for part 229 continues to read as follows:
Authority: 49 U.S.C. 20103, 20107, 20133, 20137-38, 20143,
20701-03, 21301-02, 21304; 28 U.S.C. 2401, note; and 49 CFR 1.49(c),
(m).
0
2. Section 229.135 is amended by revising paragraphs (b)(3)(xxv) and
(b)(4)(xxi) to read as follows:
Sec. 229.135 Event recorders.
* * * * *
(b) * * *
(3) * * *
(xxv) Safety-critical train control data routed to the locomotive
engineer's display with which the engineer is required to comply,
specifically including text messages conveying mandatory directives and
maximum authorized speed. The format, content, and proposed duration
for retention of such data shall be specified in the Product Safety
Plan or PTC Safety Plan submitted for the train control system under
subparts H or I, respectively, of part 236 of this chapter, subject to
FRA approval under this paragraph. If it can be calibrated against
other data required by this part, such train control data may, at the
election of the railroad, be
[[Page 2698]]
retained in a separate certified crashworthy memory module.
(4) * * *
(xxi) Safety-critical train control data routed to the locomotive
engineer's display with which the engineer is required to comply,
specifically including text messages conveying mandatory directives and
maximum authorized speed. The format, content, and proposed duration
for retention of such data shall be specified in the Product Safety
Plan or PTC Safety Plan submitted for the train control system under
subparts H or I, respectively, of part 236 of this chapter, subject to
FRA approval under this paragraph. If it can be calibrated against
other data required by this part, such train control data may, at the
election of the railroad, be retained in a separate certified
crashworthy memory module.
* * * * *
PART 234--[AMENDED]
0
3. The authority citation for part 234 continues to read as follows:
Authority: 49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49
CFR 1.49.
0
4. In Sec. 234.275 revise paragraphs (b)(1), (b)(2), (c), and (f) to
read as follows:
Sec. 234.275 Processor-based systems.
* * * * *
(b) Use of performance standard authorized or required. (1) In lieu
of compliance with the requirements of this subpart, a railroad may
elect to qualify an existing processor-based product under part 236,
subparts H or I, of this chapter.
(2) Highway-rail grade crossing warning systems, subsystems, or
components that are processor-based and that are first placed in
service after June 6, 2005, which contain new or novel technology, or
which provide safety-critical data to a railroad signal or train
control system that is governed by part 236, subpart H or I, of this
chapter, shall also comply with those requirements. New or novel
technology refers to a technology not previously recognized for use as
of March 7, 2005.
* * * * *
(c) Plan justifications. The Product Safety Plan in accordance with
49 CFR 236.907--or a PTC Development Plan and PTC Safety Plan required
to be filed in accordance with 49 CFR 236.1013 and 236.1015--must
explain how the performance objective sought to be addressed by each of
the particular requirements of this subpart is met by the product, why
the objective is not relevant to the product's design, or how the
safety requirements are satisfied using alternative means. Deviation
from those particular requirements is authorized if an adequate
explanation is provided, making reference to relevant elements of the
applicable plan, and if the product satisfies the performance standard
set forth in Sec. 236.909 of this chapter. (See Sec. 236.907(a)(14)
of this chapter.)
* * * * *
(f) Software management control for certain systems not subject to
a performance standard. Any processor-based system, subsystem, or
component subject to this part, which is not subject to the
requirements of part 236, subpart H or I, of this chapter but which
provides safety-critical data to a signal or train control system shall
be included in the software management control plan requirements as
specified in Sec. 236.18 of this chapter.
PART 235--[AMENDED]
0
5. The authority citation for part 235 continues to read as follows:
Authority: 49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49
CFR 1.49.
0
6. In Sec. 235.7, revise paragraph (a)(4), add paragraph (a)(5), and
revise paragraphs (b)(2), (b)(3), and (c)(25) to read as follows:
Sec. 235.7 Changes not requiring filing of application.
(a) * * *
(4) Removal from service not to exceed 6 months of block signal
system, interlocking, or traffic control system necessitated by
catastrophic occurrence such as derailment, flood, fire, or hurricane;
or
(5) Removal of an intermittent automatic train stop system in
conjunction with the implementation of a positive train control system
approved by FRA under subpart I of part 236 of this chapter.
(b) * * *
(2) Removal of electric or mechanical lock, or signal used in lieu
thereof, from hand-operated switch in automatic block signal or traffic
control territory where train speed over the switch does not exceed 20
miles per hour; or
(3) Removal of electric or mechanical lock, or signal used in lieu
thereof, from hand-operated switch in automatic block signal or traffic
control territory where trains are not permitted to clear the main
track at such switch.
(c) * * *
(25) The temporary or permanent arrangement of existing systems
necessitated by highway-rail grade crossing separation construction.
Temporary arrangements shall be removed within 6 months following
completion of construction.
PART 236--[AMENDED]
0
7. The authority citation for part 236 is revised to read as follows:
Authority: 49 U.S.C. 20102-20103, 20107, 20133, 20141, 20157,
20301-20303, 20306, 20501-20505, 20701-20703, 21301-21302, 21304; 28
U.S.C. 2461, note; and 49 CFR 1.49.
0
8. Section 236.0 is amended by revising paragraphs (a) and (c) through
(e) and by adding paragraph (i) to read as follows:
Sec. 236.0 Applicability, minimum requirements, and penalties.
(a) Except as provided in paragraph (b) of this section, this part
applies to all railroads and any person as defined in paragraph (f) of
this section.
* * * * *
(c)(1) Prior to January 17, 2012, where a passenger train is
operated at a speed of 60 or more miles per hour, or a freight train is
operated at a speed of 50 or more miles per hour--
(i) A block signal system complying with the provisions of this
part shall be installed; or
(ii) A manual block system shall be placed permanently in effect
that shall conform to the following conditions:
(A) A passenger train shall not be admitted to a block occupied by
another train except when absolutely necessary and then only by
operating at restricted speed;
(B) No train shall be admitted to a block occupied by a passenger
train except when absolutely necessary and then only by operating at
restricted speed;
(C) No train shall be admitted to a block occupied by an opposing
train except when absolutely necessary and then only while one train is
stopped and the other is operating at restricted speed; and
(D) A freight train, including a work train, may be authorized to
follow a freight train, including a work train, into a block and then
only when the following train is operating at restricted speed.
(2) On and after January 17, 2012, where a passenger train is
permitted to operate at a speed of 60 or more miles per hour, or a
freight train is permitted to operate at a speed of 50 or more miles
per hour, a block signal system complying with the provisions of this
part shall be installed, unless an FRA approved PTC system meeting the
requirements of this part for the subject speed and other operating
conditions is installed.
[[Page 2699]]
(d)(1) Prior to December 31, 2015, where any train is permitted to
operate at a speed of 80 or more miles per hour, an automatic cab
signal, automatic train stop, or automatic train control system
complying with the provisions of this part shall be installed, unless
an FRA approved PTC system meeting the requirements of this part for
the subject speed and other operating conditions, is installed.
(2) On and after December 31, 2015, where any train is permitted to
operate at a speed of 80 or more miles per hour, a PTC system complying
with the provisions of subpart I shall be installed and operational,
unless FRA approval to continue to operate with an automatic cab
signal, automatic train stop, or automatic train control system
complying with the provisions of this part has been justified to, and
approved by, the Associate Administrator.
(3) Subpart H of this part sets forth requirements for voluntary
installation of PTC systems, and subpart I of this part sets forth
requirements for mandated installation of PTC systems, each under
conditions specified in their respective subpart.
(e) Nothing in this section authorizes the discontinuance of a
block signal system, interlocking, traffic control system, automatic
cab signal, automatic train stop or automatic train control system, or
PTC system, without approval by the FRA under part 235 of this title.
However, a railroad may apply for approval of discontinuance or
material modification of a signal or train control system in connection
with a request for approval of a Positive Train Control Development
Plan (PTCDP) or Positive Train Control Safety Plan (PTCSP) as provided
in subpart I of this part.
* * * * *
(i) Preemptive effect. (1) Under 49 U.S.C. 20106, issuance of these
regulations preempts any state law, regulation, or order covering the
same subject matter, except an additional or more stringent law,
regulation, or order that is necessary to eliminate or reduce an
essentially local safety or security hazard; is not incompatible with a
law, regulation, or order of the United States Government; and that
does not impose an unreasonable burden on interstate commerce.
(2) This part establishes federal standards of care for railroad
signal and train control systems. This part does not preempt an action
under state law seeking damages for personal injury, death, or property
damage alleging that a party has failed to comply with the federal
standard of care established by this part, including a plan or program
required by this part. Provisions of a plan or program which exceed the
requirements of this part are not included in the federal standard of
care.
(3) Under 49 U.S.C. 20701-20703, issuance of these regulations
preempts the field of locomotive safety, extending to the design, the
construction, and the material of every part of the locomotive and
tender and all appurtenances thereof.
0
9. Section 236.410 is amended by removing the Note following paragraph
(b), and republishing paragraphs (b) and (c), to read as follows:
Sec. 236.410 Locking, hand-operated switch; requirements.
* * * * *
(b) Approach or time locking shall be provided and locking may be
released either automatically, or by the control operator, but only
after the control circuits of signals governing movement in either
direction over the switch and which display aspects with indications
more favorable than ``proceed at restricted speed'' have been opened
directly or by shunting of track circuit.
(c) Where a signal is used in lieu of electric or mechanical lock
to govern movements from auxiliary track to signaled track, the signal
shall not display an aspect to proceed until after the control circuits
of signals governing movement on main track in either direction over
the switch have been opened, and either the approach locking circuits
to the switch are unoccupied or a predetermined time interval has
expired.
* * * * *
0
10. Section 236.909 is amended by adding four new sentences directly
after the first sentence of paragraph (e)(1) and by revising paragraph
(e)(2)(i) to read as follows:
Sec. 236.909 Minimum performance standards.
* * * * *
(e) * * *
(1) * * * The total risk assessment must have a supporting
sensitivity analysis. The analysis must confirm that the risk metrics
of the system are not negatively affected by sensitivity analysis input
parameters including, for example, component failure rates, human
factor error rates, and variations in train traffic affecting exposure.
In this context, ``negatively affected'' means that the final residual
risk metric does not exceed that of the base case or that which has
been otherwise established through MTTHE target. The sensitivity
analysis must document the sensitivity to worst case failure scenarios.
* * *
(2) * * *
(i) In all cases exposure must be expressed as total train miles
traveled per year over the relevant railroad infrastructure.
Consequences must identify the total cost, including fatalities,
injuries, property damage, and other incidental costs, such as
potential consequences of hazardous materials involvement, resulting
from preventable accidents associated with the function(s) performed by
the system.
* * * * *
0
11. Add a new subpart I to part 236 to read as follows:
Subpart I--Positive Train Control Systems
Sec.
236.1001 Purpose and scope.
236.1003 Definitions.
236.1005 Requirements for Positive Train Control systems.
236.1006 Equipping locomotives operating in PTC territory.
236.1007 Additional requirements for high-speed service.
236.1009 Procedural requirements.
236.1011 PTC Implementation Plan content requirements.
236.1013 PTC Development Plan and Notice of Product Intent content
requirements and Type Approval.
236.1015 PTC Safety Plan content requirements and PTC System
Certification.
236.1017 Independent third party Verification and Validation.
236.1019 Main line track exceptions.
236.1021 Discontinuances, material modifications, and amendments.
236.1023 Errors and malfunctions.
236.1025 [Reserved]
236.1027 PTC system exclusions.
236.1029 PTC system use and en route failures.
236.1031 Previously approved PTC systems.
236.1033 Communications and security requirements.
236.1035 Field testing requirements.
236.1037 Records retention.
236.1039 Operations and Maintenance Manual.
236.1041 Training and qualification program, general.
236.1043 Task analysis and basic requirements.
236.1045 Training specific to office control personnel.
236.1047 Training specific to locomotive engineers and other
operating personnel.
236.1049 Training specific to roadway workers.
Subpart I--Positive Train Control Systems
Sec. 236.1001 Purpose and scope.
(a) This subpart prescribes minimum, performance-based safety
standards for PTC systems required by 49 U.S.C. 20157, this subpart, or
an FRA order, including requirements to ensure that the development,
functionality,
[[Page 2700]]
architecture, installation, implementation, inspection, testing,
operation, maintenance, repair, and modification of those PTC systems
will achieve and maintain an acceptable level of safety. This subpart
also prescribes standards to ensure that personnel working with, and
affected by, safety-critical PTC system related products receive
appropriate training and testing.
(b) Each railroad may prescribe additional or more stringent rules,
and other special instructions, that are not inconsistent with this
subpart.
(c) This subpart does not exempt a railroad from compliance with
any requirement of subparts A through H of this part or parts 233, 234,
and 235 of this chapter, unless:
(1) It is otherwise explicitly excepted by this subpart; or
(2) The applicable PTCSP, as defined under Sec. 236.1003 and
approved by FRA under Sec. 236.1015, provides for such an exception
per Sec. 236.1013.
Sec. 236.1003 Definitions.
(a) Definitions contained in subparts G and H of this part apply
equally to this subpart.
(b) The following definitions apply to terms used only in this
subpart unless otherwise stated:
After-arrival mandatory directive means an authority to occupy a
track which is issued to a train that is not effective and not to be
acted upon until after the arrival and passing of a train, or trains,
specifically identified in the authority.
Associate Administrator means the FRA Associate Administrator for
Railroad Safety/Chief Safety Officer.
Class I railroad means a railroad which in the last year for which
revenues were reported exceeded the threshold established under
regulations of the Surface Transportation Board (49 CFR part 1201.1-1
(2008)).
Cleartext means the un-encrypted text in its original, human
readable, form. It is the input of an encryption or encipher process,
and the output of an decryption or decipher process.
Controlling locomotive means Locomotive, controlling, as defined in
Sec. 232.5 of this chapter.
Host railroad means a railroad that has effective operating control
over a segment of track.
Interoperability means the ability of a controlling locomotive to
communicate with and respond to the PTC railroad's positive train
control system, including uninterrupted movements over property
boundaries.
Limited operations means operations on main line track that have
limited or no freight operations and are approved to be excluded from
this subpart's PTC system implementation and operation requirements in
accordance with Sec. 236.1019(c);
Main line means, except as provided in Sec. 236.1019 or where all
trains are limited to restricted speed within a yard or terminal area
or on auxiliary or industry tracks, a segment or route of railroad
tracks:
(1) Of a Class I railroad, as documented in current timetables
filed by the Class I railroad with the FRA under Sec. 217.7 of this
title, over which 5,000,000 or more gross tons of railroad traffic is
transported annually; or
(2) Used for regularly scheduled intercity or commuter rail
passenger service, as defined in 49 U.S.C. 24102, or both. Tourist,
scenic, historic, or excursion operations as defined in part 238 of
this chapter are not considered intercity or commuter passenger service
for purposes of this part.
Main line track exclusion addendum (``MTEA'') means the document
submitted under Sec. Sec. 236.1011 and 236.1019 requesting to
designate track as other than main line.
Medium speed means, Speed, medium, as defined in subpart G of this
part.
NPI means a Notice of Product Intent (``NPI'') as further described
in Sec. 236.1013.
PTC means positive train control as further described in Sec.
236.1005.
PTCDP means a PTC Development Plan as further described in Sec.
236.1013.
PTCIP means a PTC Implementation Plan as required under 49 U.S.C.
20157 and further described in Sec. 236.1011.
PTCPVL means a PTC Product Vendor List as further described in
Sec. 236.1023.
PTCSP means a PTC Safety Plan as further described in Sec.
236.1015.
PTC railroad means each Class I railroad and each entity providing
regularly scheduled intercity or commuter rail passenger transportation
required to implement or operate a PTC system.
PTC System Certification means certification as required under 49
U.S.C. 20157 and further described in Sec. Sec. 236.1009 and 236.1015.
Request for Amendment (``RFA'') means a request for an amendment of
a plan or system made by a PTC railroad in accordance with Sec.
236.1021.
Request for Expedited Certification (``REC'') means, as further
described in Sec. 236.1031, a request by a railroad to receive
expedited consideration for PTC System Certification.
Restricted speed means, Speed, restricted, as defined in subpart G
of this part.
Safe State means a system state that, when the system fails, cannot
cause death, injury, occupational illness, or damage to or loss of
equipment or property, or damage to the environment.
Segment of track means any part of the railroad where a train
operates.
Temporal separation means that passenger and freight operations do
not operate on any segment of shared track during the same period and
as further defined under Sec. 236.1019 and the process or processes in
place to assure that result.
Tenant railroad means a railroad, other than a host railroad,
operating on track upon which a PTC system is required.
Track segment means segment of track.
Type Approval means a number assigned to a particular PTC system
indicating FRA agreement that the PTC system could fulfill the
requirements of this subpart.
Train means one or more locomotives, coupled with or without cars.
Sec. 236.1005 Requirements for Positive Train Control systems.
(a) PTC system requirements. Each PTC system required to be
installed under this subpart shall:
(1) Reliably and functionally prevent:
(i) Train-to-train collisions--including collisions between trains
operating over rail-to-rail at-grade crossings in accordance with the
following risk-based table or alternative arrangements providing an
equivalent level of safety as specified in an FRA approved PTCSP:
------------------------------------------------------------------------
Crossing type Max speed * Protection required
------------------------------------------------------------------------
(A) Interlocking--one or more <= 40 miles per Interlocking signal
PTC routes intersecting with hour. arrangement in
one or more non-PTC routes. accordance with the
requirements of
subparts A-G of this
part and PTC
enforced stop on PTC
routes.
[[Page 2701]]
(B) Interlocking--one or more > 40 miles per Interlocking signal
PTC routes intersecting with hour. arrangement in
one or more non-PTC routes. accordance with the
requirements of
subparts A-G of this
part, PTC enforced
stop on all PTC
routes, and either
the use of other
than full PTC
technology that
provides positive
stop enforcement or
a split-point derail
incorporated into
the signal system
accompanied by 20
miles per hour
maximum allowable
speed on the
approach of any
intersecting non-PTC
route.
(C) Interlocking--all PTC Any speed........ Interlocking signal
routes intersecting. arrangements in
accordance with the
requirements of
subparts A-G of this
part, and PTC
enforced stop on all
routes.
------------------------------------------------------------------------
(ii) Overspeed derailments, including derailments related to
railroad civil engineering speed restrictions, slow orders, and
excessive speeds over switches and through turnouts;
(iii) Incursions into established work zone limits without first
receiving appropriate authority and verification from the dispatcher or
roadway worker in charge, as applicable and in accordance with part 214
of this chapter; and
(iv) The movement of a train through a main line switch in the
improper position as further described in paragraph (e) of this
section.
(2) Include safety-critical integration of all authorities and
indications of a wayside or cab signal system, or other similar
appliance, method, device, or system of equivalent safety, in a manner
by which the PTC system shall provide associated warning and
enforcement to the extent, and except as, described and justified in
the FRA approved PTCDP or PTCSP, as applicable;
(3) As applicable, perform the additional functions specified in
this subpart;
(4) Provide an appropriate warning or enforcement when:
(i) A derail or switch protecting access to the main line required
by Sec. 236.1007, or otherwise provided for in the applicable PTCSP,
is not in its derailing or protecting position, respectively;
(ii) A mandatory directive is issued associated with a highway-rail
grade crossing warning system malfunction as required by Sec. Sec.
234.105, 234.106, or 234.107;
(iii) An after-arrival mandatory directive has been issued and the
train or trains to be waited on has not yet passed the location of the
receiving train;
(iv) Any movable bridge within the route ahead is not in a position
to allow permissive indication for a train movement pursuant to Sec.
236.312; and
(v) A hazard detector integrated into the PTC system that is
required by paragraph (c) of this section, or otherwise provided for in
the applicable PTCSP, detects an unsafe condition or transmits an
alarm; and
(5) Limit the speed of passenger and freight trains to 59 miles per
hour and 49 miles per hour, respectively, in areas without broken rail
detection or equivalent safeguards.
(b) PTC system installation. (1) Lines required to be equipped.
Except as otherwise provided in this subpart, each Class I railroad and
each railroad providing or hosting intercity or commuter passenger
service shall progressively equip its lines as provided in its approved
PTCIP such that, on and after December 31, 2015, a PTC system certified
under Sec. 236.1015 is installed and operated by the host railroad on
each:
(i) Main line over which is transported any quantity of material
poisonous by inhalation (PIH), including anhydrous ammonia, as defined
in Sec. Sec. 171.8, 173.115 and 173.132 of this title;
(ii) Main line used for regularly provided intercity or commuter
passenger service, except as provided in Sec. 236.1019; and
(iii) Additional line of railroad as required by the applicable FRA
approved PTCIP, this subpart, or an FRA order requiring installation of
a PTC system by that date.
(2) Initial baseline identification of lines. For the purposes of
paragraph (b)(1)(i) of this section, the baseline information necessary
to determine whether a Class I railroad's track segment shall be
equipped with a PTC system shall be determined and reported as follows:
(i) The traffic density threshold of 5 million gross tons shall be
based upon calendar year 2008 gross tonnage, except to the extent that
traffic may fall below 5 million gross tons for two consecutive
calendar years and a PTCIP or an RFA reflecting this change is filed
and approved under paragraph (b)(4) of this section and, if applicable,
Sec. 236.1021.
(ii) The presence or absence of any quantity of PIH hazardous
materials shall be determined by whether one or more cars containing
such product(s) was transported over the track segment in calendar year
2008 or prior to the filing of the PTCIP, except to the extent that the
PTCIP or RFA justifies, under paragraph (b)(4) of this section, removal
of the subject track segment from the PTCIP listing of lines to be
equipped.
(3) Addition of track segments. To the extent increases in freight
rail traffic occur subsequent to calendar year 2008 that might affect
the requirement to install a PTC system on any line not yet equipped,
the railroad shall seek to amend its PTCIP by promptly filing an RFA in
accordance with Sec. 236.1021. The following criteria apply:
(i) If rail traffic exceeds 5 million gross tons in any year after
2008, the tonnage shall be calculated for the preceding two calendar
years and if the total tonnage for those two calendar years exceeds 10
million gross tons, a PTCIP or its amendment is required.
(ii) If PIH traffic is carried on a track segment as a result of a
request for rail service or rerouting warranted under part 172 of this
title, and if the line carries in excess of 5 million gross tons of
rail traffic as determined under this paragraph, a PTCIP or its
amendment is required. This does not apply when temporary rerouting is
authorized in accordance with paragraph (g) of this section.
(iii) Once a railroad is notified by FRA that its RFA filed in
accordance with this paragraph has been approved, the railroad shall
equip the line with the applicable PTC system by December 31, 2015, or
within 24 months, whichever is later.
(4) Exclusion or removal of track segments from PTC baseline.
(i) Routing changes. In a PTCIP or an RFA, a railroad may request
review of the requirement to install PTC on a track segment where a PTC
system is otherwise required by this section, but has not yet been
installed, based upon changes in rail traffic such as reductions in
total traffic volume or cessation of passenger or PIH service. Any such
request shall be accompanied by estimated traffic projections for the
next 5 years (e.g., as a result of planned rerouting, coordinations, or
location of new business on the line). Where the request involves prior
or planned rerouting of PIH traffic, the railroad must provide a
supporting analysis that takes into consideration the requirements of
subpart I, part 172 of
[[Page 2702]]
this title, assuming the subject route and each practicable alternative
route to be PTC-equipped, and including any interline routing impacts.
(A) FRA will approve the exclusion if, based upon data in the
docket of the proceeding, FRA finds that it would be consistent with
safety as further provided in this paragraph.
(1) In the case of a requested exclusion based on cessation of
passenger service or a decline in gross tonnage below 5 million gross
tons as computed over a 2-year period, the removal will be approved
absent special circumstances as set forth in writing (e.g., because of
anticipated traffic growth in the near future).
(2) In the case of cessation of PIH traffic over a track segment,
and absent special circumstances set forth in writing, FRA will approve
an exclusion of a line from the PTCIP (determined on the basis of 2008
traffic levels) upon a showing by the railroad that:
(i) There is no remaining local PIH traffic expected on the track
segment;
(ii) Either any rerouting of PIH traffic from the subject track
segment is justified based upon the route analysis submitted, which
shall assume that each alternative route will be equipped with PTC and
shall take into consideration any significant interline routing
impacts; or the next preferred alternative route in the analysis
conducted as set forth in this paragraph is shown to be substantially
as safe and secure as the route employing the track segment in question
and demonstrated considerations of practicability indicate
consolidation of the traffic on that next preferred alternative route;
and
(iii) After cessation of PIH traffic on the line, the remaining
risk associated with PTC-preventable accidents per route mile on the
track segment will not exceed the average comparable risk per route
mile on Class I lines in the United States required to be equipped with
PTC because of gross tonnage and the presence of PIH traffic (which
base case will be estimated as of a time prior to installation of PTC).
If the subject risk is greater than the average risk on those PIH
lines, and if the railroad making the application for removal of the
track segment from the PTCIP offers no compensating extension of PTC or
PTC technologies from the minimum required to be equipped, FRA may deny
the request.
(B) [Reserved]
(ii) Lines with de minimis PIH risk. (A) In a PTCIP or RFA, a
railroad may request review of the requirement to install PTC on a low
density track segment where a PTC system is otherwise required by this
section, but has not yet been installed, based upon the presence of a
minimal quantity of PIH hazardous materials (less than 100 cars per
year, loaded and residue). Any such request shall be accompanied by
estimated traffic projections for the next 5 years (e.g., as a result
of planned rerouting, coordinations, or location of new business on the
line). Where the request involves prior or planned rerouting of PIH
traffic, the railroad must provide the information and analysis
identified in paragraph (b)(4)(i) of this section. The submission shall
also include a full description of potential safety hazards on the
segment of track and fully describe train operations over the line.
This provision is not applicable to lines segments used by intercity or
commuter passenger service.
(B) Absent special circumstances related to specific hazards
presented by operations on the line segment, FRA will approve a request
for relief under this paragraph for a rail line segment:
(1) Consisting exclusively of Class 1 or 2 track as described in
part 213 of this title;
(2) That carries less than 15 million gross tons annually;
(3) Has a ruling grade of less than 1 percent; and
(4) On which any train transporting a car containing PIH materials
(including a residue car) is operated under conditions of temporal
separation from other trains using the line segment as documented by a
temporal separation plan accompanying the request. As used in this
paragraph, ``temporal separation'' has the same meaning given by Sec.
236.1019(e), except that the separation addressed is the separation of
a train carrying any number of cars containing PIH materials from other
freight trains.
(C) FRA will also consider, and may approve, requests for relief
under this paragraph for additional line segments where each such
segment carries less than 15 million gross tons annually and where it
is established to the satisfaction of the Associate Administrator that
risk mitigations will be applied that will ensure that risk of a
release of PIH materials is negligible.
(D) Failure to submit sufficient information will result in the
denial of any request under this paragraph (b)(4)(ii). If the request
is granted, on and after the date the line would have otherwise been
required to be equipped under the schedule contained in the PTCIP and
approved by FRA, operations on the line shall be conducted in
accordance with any conditions attached to the grant, including
implementation of proposed mitigations as applicable.
(5) Line sales. FRA does not approve removal of a line from the
PTCIP exclusively based upon a representation that a track segment will
be abandoned or sold to another railroad. In the event a track segment
is approved for abandonment or transfer by the Surface Transportation
Board, FRA will review at the request of the transferring and acquiring
railroads whether the requirement to install PTC on the line should be
removed given all of the circumstances, including expected traffic and
hazardous materials levels, reservation of trackage or haulage rights
by the transferring railroad, routing analysis under part 172 of this
chapter, commercial and real property arrangements affecting the
transferring and acquiring railroads post-transfer, and such other
factors as may be relevant to continue safe operations on the line. If
FRA denies the request, the acquiring railroad shall install the PTC
system on the schedule provided in the transferring railroad's PTCIP,
without regard to whether it is a Class I railroad.
(6) New rail passenger service. No new intercity or commuter rail
passenger service shall commence after December 31, 2015, until a PTC
system certified under this subpart has been installed and made
operative.
(c) Hazard detectors. (1) All hazard detectors integrated into a
signal or train control system on or after October 16, 2008, shall be
integrated into PTC systems required by this subpart; and their
warnings shall be appropriately and timely enforced as described in the
applicable PTCSP.
(2) The applicable PTCSP must provide for receipt and presentation
to the locomotive engineer and other train crew members of warnings
from any additional hazard detectors using the PTC data network,
onboard displays, and audible alerts. If the PTCSP so provides, the
action to be taken by the system and by the crew members shall be
specified.
(3) The PTCDP (as applicable) and PTCSP for any new service
described in Sec. 236.1007 to be conducted above 90 miles per hour
shall include a hazard analysis describing the hazards relevant to the
specific route(s) in question (e.g., potential for track obstruction
due to events such as falling rock or undermining of the track
structure due to high water or displacement of a bridge over navigable
waters), the basis for decisions concerning hazard detectors provided,
and the manner in which such additional hazard detectors will be
interfaced with the PTC system.
(d) Event recorders. (1) Each lead locomotive, as defined in part
229, of a train equipped and operating with a
[[Page 2703]]
PTC system required by this subpart must be equipped with an operative
event recorder, which shall:
(i) Record safety-critical train control data routed to the
locomotive engineer's display that the engineer is required to comply
with;
(ii) Specifically include text messages conveying mandatory
directives, maximum authorized speeds, PTC system brake warnings, PTC
system brake enforcements, and the state of the PTC system (e.g., cut
in, cut out, active, or failed); and
(iii) Include examples of how the captured data will be displayed
during playback along with the format, content, and data retention
duration requirements specified in the PTCSP submitted and approved
pursuant to this paragraph. If such train control data can be
calibrated against other data required by this part, it may, at the
election of the railroad, be retained in a separate memory module.
(2) Each lead locomotive, as defined in part 229, manufactured and
in service after October 1, 2009, that is equipped and operating with a
PTC system required by this subpart, shall be equipped with an event
recorder memory module meeting the crash hardening requirements of
Sec. 229.135 of this chapter.
(3) Nothing in this subpart excepts compliance with any of the
event recorder requirements contained in Sec. 229.135 of this chapter.
(e) Switch position. The following requirements apply with respect
to determining proper switch position under this section. When a main
line switch position is unknown or improperly aligned for a train's
route in advance of the train's movement, the PTC system will provide
warning of the condition associated with the following enforcement:
(1) A PTC system shall enforce restricted speed over any switch:
(i) Where train movements are made with the benefit of the
indications of a wayside or cab signal system or other similar
appliance, method, device, or system of equivalent safety proposed to
FRA and approved by the Associate Administrator in accordance with this
part; and
(ii) Where wayside or cab signal system or other similar appliance,
method, device, or system of equivalent safety, requires the train to
be operated at restricted speed.
(2) A PTC system shall enforce a positive stop short of any main
line switch, and any switch on a siding where the allowable speed is in
excess of 20 miles per hour, if movement of the train over the switch:
(i) Is made without the benefit of the indications of a wayside or
cab signal system or other similar appliance, method, device, or system
of equivalent safety proposed to FRA and approved by the Associate
Administrator in accordance with this part; or
(ii) Would create an unacceptable risk. Unacceptable risk includes
conditions when traversing the switch, even at low speeds, could result
in direct conflict with the movement of another train (including a
hand-operated crossover between main tracks, a hand-operated crossover
between a main track and an adjoining siding or auxiliary track, or a
hand-operated switch providing access to another subdivision or branch
line, etc.).
(3) A PTC system required by this subpart shall be designed,
installed, and maintained to perform the switch position detection and
enforcement described in paragraphs (e)(1) and (e)(2) of this section,
except as provided for and justified in the applicable, FRA approved
PTCDP or PTCSP.
(4) The control circuit or electronic equivalent for all movement
authorities over any switches, movable-point frogs, or derails shall be
selected through circuit controller or functionally equivalent device
operated directly by the switch points, derail, or by switch locking
mechanism, or through relay or electronic device controlled by such
circuit controller or functionally equivalent device, for each switch,
movable-point frog, or derail in the route governed. Circuits or
electronic equivalent shall be arranged so that any movement
authorities less restrictive than those prescribed in paragraphs (e)(1)
and (e)(2) of this section can only be provided when each switch,
movable-point frog, or derail in the route governed is in proper
position, and shall be in accordance with subparts A through G of this
part, unless it is otherwise provided in a PTCSP approved under this
subpart.
(f) Train-to-train collision. A PTC system shall be considered to
be configured to prevent train-to-train collisions within the meaning
of paragraph (a) of this section if trains are required to be operated
at restricted speed and if the onboard PTC equipment enforces the upper
limits of the railroad's restricted speed rule (15 or 20 miles per
hour). This application applies to:
(1) Operating conditions under which trains are required by signal
indication or operating rule to:
(i) Stop before continuing; or
(ii) Reduce speed to restricted speed and continue at restricted
speed until encountering a more favorable indication or as provided by
operating rule.
(2) Operation of trains within the limits of a joint mandatory
directive.
(g) Temporary rerouting. A train equipped with a PTC system as
required by this subpart may be temporarily rerouted onto a track not
equipped with a PTC system and a train not equipped with a PTC system
may be temporarily rerouted onto a track equipped with a PTC system as
required by this subpart in the following circumstances:
(1) Emergencies. In the event of an emergency--including conditions
such as derailment, flood, fire, tornado, hurricane, earthquake, or
other similar circumstance outside of the railroad's control--that
would prevent usage of the regularly used track if:
(i) The rerouting is applicable only until the emergency condition
ceases to exist and for no more than 14 consecutive calendar days,
unless otherwise extended by approval of the Associate Administrator;
(ii) The railroad provides written or telephonic notification to
the applicable Regional Administrator of the information listed in
paragraph (i) of this section within one business day of the beginning
of the rerouting made in accordance with this paragraph; and
(iii) The conditions contained in paragraph (j) of this section are
followed.
(2) Planned maintenance. In the event of planned maintenance that
would prevent usage of the regularly used track if:
(i) The maintenance period does not exceed 30 days;
(ii) A request is filed with the applicable Regional Administrator
in accordance with paragraph (i) of this section no less than 10
business days prior to the planned rerouting; and
(iii) The conditions contained in paragraph (j) of this section are
followed.
(h) Rerouting requests. (1) For the purposes of paragraph (g)(2) of
this section, the rerouting request shall be self-executing unless the
applicable Regional Administrator responds with a notice disapproving
of the rerouting or providing instructions to allow rerouting. Such
instructions may include providing additional information to the
Regional Administrator or Associate Administrator prior to the
commencement of rerouting. Once the Regional Administrator responds
with a notice under this paragraph, no rerouting may occur until the
Regional Administrator or Associate Administrator provides his or her
approval.
[[Page 2704]]
(2) In the event the temporary rerouting described in paragraph
(g)(2) of this section is to exceed 30 consecutive calendar days:
(i) The railroad shall provide a request in accordance with
paragraphs (i) and (j) of this section with the Associate Administrator
no less than 10 business days prior to the planned rerouting; and
(ii) The rerouting shall not commence until receipt of approval
from the Associate Administrator.
(i) Content of rerouting request. Each notice or request referenced
in paragraph (g) and (h) of this section must indicate:
(1) The dates that such temporary rerouting will occur;
(2) The number and types of trains that will be rerouted;
(3) The location of the affected tracks; and
(4) A description of the necessity for the temporary rerouting.
(j) Rerouting conditions. Rerouting of operations under paragraph
(g) of this section may occur under the following conditions:
(1) Where a train not equipped with a PTC system is rerouted onto a
track equipped with a PTC system, or a train not equipped with a PTC
system that is compatible and functionally responsive to the PTC system
utilized on the line to which the train is being rerouted, the train
shall be operated in accordance with Sec. 236.1029; or
(2) Where any train is rerouted onto a track not equipped with a
PTC system, the train shall be operated in accordance with the
operating rules applicable to the line on which the train is rerouted.
(k) Rerouting cessation. The applicable Regional Administrator may
order a railroad to cease any rerouting provided under paragraph (g) or
(h) of this section.
Sec. 236.1006 Equipping locomotives operating in PTC territory.
(a) Except as provided in paragraph (b) of this section, each train
operating on any track segment equipped with a PTC system shall be
controlled by a locomotive equipped with an onboard PTC apparatus that
is fully operative and functioning in accordance with the applicable
PTCSP approved under this subpart.
(b) Exceptions. (1) Prior to December 31, 2015, each railroad
required to install PTC shall include in its PTCIP specific goals for
progressive implementation of onboard systems and deployment of PTC-
equipped locomotives such that the safety benefits of PTC are achieved
through incremental growth in the percentage of controlling locomotives
operating on PTC lines that are equipped with operative PTC onboard
equipment. The PTCIP shall include a brief but sufficient explanation
of how those goals will be achieved, including assignment of
responsibilities within the organization. The goals shall be expressed
as the percentage of trains operating on PTC-equipped lines that are
equipped with operative onboard PTC apparatus responsive to the
wayside, expressed as an annualized (calendar year) percentage for the
railroad as a whole.
(2) Each railroad shall adhere to its PTCIP and shall report, on
April 16, of 2011, 2012, 2013, and 2014, its progress toward achieving
the goals set under paragraph (b)(1) of this section. In the event any
annual goal is not achieved, the railroad shall further report the
actions it is taking to ensure achievement of subsequent annual goals.
(3) On and after December 31, 2015, a train controlled by a
locomotive with an onboard PTC apparatus that has failed en route is
permitted to operate in accordance with Sec. 236.1029.
(4) A train operated by a Class II or Class III railroad, including
a tourist or excursion railroad, and controlled by a locomotive not
equipped with an onboard PTC apparatus is permitted to operate on a
PTC-operated track segment:
(i) That either:
(A) Has no regularly scheduled intercity or commuter passenger rail
traffic; or
(B) Has regularly scheduled intercity or commuter passenger rail
traffic and the applicable PTCIP permits the operation of a train
operated by a Class II or III railroad and controlled by a locomotive
not equipped with an onboard PTC apparatus;
(ii) Where operations are restricted to four or less such
unequipped trains per day, whereas a train conducting a ``turn''
operation (e.g., moving to a point of interchange to drop off or pick
up cars and returning to the track owned by a Class II or III railroad)
is considered two trains for this purpose; and
(iii) Where each movement shall either:
(A) Not exceed 20 miles in length; or
(B) To the extent any movement exceeds 20 miles in length, such
movement is not permitted without the controlling locomotive being
equipped with an onboard PTC system after December 31, 2020, and each
applicable Class II or III railroad shall report to FRA its progress in
equipping each necessary locomotive with an onboard PTC apparatus to
facilitate continuation of the movement. The progress reports shall be
filed not later than December 31, 2017 and, if all necessary
locomotives are not yet equipped, on December 31, 2019.
(c) When a train movement is conducted under the exceptions
described in paragraph (b)(4) of this section, that movement shall be
made in accordance with Sec. 236.1029.
Sec. 236.1007 Additional requirements for high-speed service.
(a) A PTC railroad that conducts a passenger operation at or
greater than 60 miles per hour or a freight operation at or greater
than 50 miles per hour shall have installed a PTC system including or
working in concert with technology that includes all of the safety-
critical functional attributes of a block signal system meeting the
requirements of this part, including appropriate fouling circuits and
broken rail detection (or equivalent safeguards).
(b) In addition to the requirements of paragraph (a) of this
section, a host railroad that conducts a freight or passenger operation
at more than 90 miles per hour shall:
(1) Have an approved PTCSP establishing that the system was
designed and will be operated to meet the fail-safe operation criteria
described in Appendix C to this part; and
(2) Prevent unauthorized or unintended entry onto the main line
from any track not equipped with a PTC system compliant with this
subpart by placement of split-point derails or equivalent means
integrated into the PTC system; and
(3) Comply with Sec. 236.1029(c).
(c) In addition to the requirements of paragraphs (a) and (b) of
this section, a host railroad that conducts a freight or passenger
operation at more than 125 miles per hour shall have an approved PTCSP
accompanied by a document (``HSR-125'') establishing that the system:
(1) Will be operated at a level of safety comparable to that
achieved over the 5 year period prior to the submission of the PTCSP by
other train control systems that perform PTC functions required by this
subpart, and which have been utilized on high-speed rail systems with
similar technical and operational characteristics in the United States
or in foreign service, provided that the use of foreign service data
must be approved by the Associate Administrator before submittal of the
PTCSP; and
(2) Has been designed to detect incursions into the right-of-way,
including incidents involving motor vehicles diverting from adjacent
roads and bridges, where conditions warrant.
[[Page 2705]]
(d) In addition to the requirements of paragraphs (a) through (c)
of this section, a host railroad that conducts a freight or passenger
operation at more than 150 miles per hour, which is governed by a Rule
of Particular Applicability, shall have an approved PTCSP accompanied
by a HSR-125 developed as part of an overall system safety plan
approved by the Associate Administrator.
(e) A railroad providing existing high-speed passenger service may
request in its PTCSP that the Associate Administrator excuse compliance
with one or more requirements of this section upon a showing that the
subject service has been conducted with a high level of safety.
Sec. 236.1009 Procedural requirements.
(a) PTC Implementation Plan (PTCIP). (1) By April 16, 2010, each
host railroad that is required to implement and operate a PTC system in
accordance with Sec. 236.1005(b) shall develop and submit in
accordance with Sec. 236.1011(a) a PTCIP for implementing a PTC system
required under Sec. 236.1005. Filing of the PTCIP shall not exempt the
required filings of an NPI, PTCSP, PTCDP, or Type Approval.
(2) After April 16, 2010, a host railroad shall file:
(i) A PTCIP if it becomes a host railroad of a main line track
segment for which it is required to implement and operate a PTC system
in accordance with Sec. 236.1005(b); or
(ii) A request for amendment (``RFA'') of its current and approved
PTCIP in accordance with Sec. 236.1021 if it intends to:
(A) Initiate a new category of service (i.e., passenger or
freight); or
(B) Add, subtract, or otherwise materially modify one or more lines
of railroad for which installation of a PTC system is required.
(3) The host and tenant railroad(s) shall jointly file a PTCIP that
addresses shared track:
(i) If the host railroad is required to install and operate a PTC
system on a segment of its track; and
(ii) If the tenant railroad that shares the same track segment
would have been required to install a PTC system if the host railroad
had not otherwise been required to do so.
(4) If railroads required to file a joint PTCIP are unable to
jointly file a PTCIP in accordance with paragraphs (a)(1) and (a)(3) of
this section, then each railroad shall:
(i) Separately file a PTCIP in accordance with paragraph (a)(1);
(ii) Notify the Associate Administrator that the subject railroads
were unable to agree on a PTCIP to be jointly filed;
(iii) Provide the Associate Administrator with a comprehensive list
of all issues not in agreement between the railroads that would prevent
the subject railroads from jointly filing the PTCIP; and
(iv) Confer with the Associate Administrator to develop and submit
a PTCIP mutually acceptable to all subject railroads.
(b) Type Approval. Each host railroad, individually or jointly with
others such as a tenant railroad or system supplier, shall file prior
to or simultaneously with the filing made in accordance with paragraph
(a) of this section:
(1) An unmodified Type Approval previously issued by the Associate
Administrator in accordance with Sec. 236.1013 or Sec. 236.1031(b)
with its associated docket number;
(2) A PTCDP requesting a Type Approval for:
(i) A PTC system that does not have a Type Approval; or
(ii) A PTC system with a previously issued Type Approval that
requires one or more variances;
(3) A PTCSP subject to the conditions set forth in paragraph (c) of
this section, with or without a Type Approval; or
(4) A document attesting that a Type Approval is not necessary
since the host railroad has no territory for which a PTC system is
required under this subpart.
(c) Notice of Product Intent (NPI). A railroad may, in lieu of
submitting a PTCDP, or referencing an already issued Type Approval,
submit an NPI describing the functions of the proposed PTC system. If a
railroad elects to file an NPI in lieu of a PTCDP or referencing an
existing Type Approval with the PTCIP, and the PTCIP is otherwise
acceptable to the Associate Administrator, the Associate Administrator
may grant provisional approval of the PTCIP.
(1) A provisional approval of a PTCIP, unless otherwise extended by
the Associate Administrator, is valid for a period of 270 days from the
date of approval by the Associate Administrator.
(2) The railroad must submit an updated PTCIP with either a
complete PTCDP as defined in Sec. 236.1013(a), an updated PTCIP
referencing an already approved Type Approval, or a full PTCSP within
270 days after the ``Provisional Approval.''
(i) Within 90 days of receipt of an updated PTCIP that was
submitted with an NPI, the Associate Administrator will approve or
disapprove of the updated PTCIP and notify in writing the affected
railroad. If the updated PTCIP is not approved, the notification will
include the plan's deficiencies. Within 30 days of receipt of that
notification, the railroad or other entity that submitted the plan
shall correct all deficiencies and resubmit the plan in accordance with
this section and Sec. 236.1011, as applicable.
(ii) If an update to a ``Provisionally Approved'' PTCIP is not
received by the Associate Administrator by the end of the period
indicated in this paragraph, the ``Provisional Approval'' given to the
PTCIP is automatically revoked. The revocation is retroactive to the
date the original PTCIP and NPI were first submitted to the Associate
Administrator.
(d) PTCSP and PTC System Certification. The following apply to each
PTCSP and PTC System Certification.
(1) A PTC System Certification for a PTC system may be obtained by
submitting an acceptable PTCSP. If the PTC system is the subject of a
Type Approval, the safety case elements contained in the PTCDP may be
incorporated by reference into the PTCSP, subject to finalization of
the human factors analysis contained in the PTCDP.
(2) Each PTCSP requirement under Sec. 236.1015 shall be supported
by information and analysis sufficient to establish that the
requirements of this subpart have been satisfied.
(3) If the Associate Administrator finds that the PTCSP and
supporting documentation support a finding that the system complies
with this part, the Associate Administrator may approve the PTCSP. If
the Associate Administrator approves the PTCSP, the railroad shall
receive PTC System Certification for the subject PTC system and shall
implement the PTC system according to the PTCSP.
(4) A required PTC system shall not:
(i) Be used in service until it receives from FRA a PTC System
Certification; and
(ii) Receive a PTC System Certification unless FRA receives and
approves an applicable:
(A) PTCSP; or
(B) Request for Expedited Certification (REC) as defined by Sec.
236.1031(a).
(e) Plan contents. (1) No PTCIP shall receive approval unless it
complies with Sec. 236.1011. No railroad shall receive a Type Approval
or PTC System Certification unless the applicable PTCDP or PTCSP,
respectively, comply with Sec. Sec. 236.1013 and 236.1015,
respectively.
(2) All materials filed in accordance with this subpart must be in
the English language, or have been translated into English and attested
as true and correct.
[[Page 2706]]
(3) Each filing referenced in this section may include a request
for full or partial confidentiality in accordance with Sec. 209.11 of
this chapter. If confidentiality is requested as to a portion of any
applicable document, then in addition to the filing requirements under
Sec. 209.11 of this chapter, the person filing the document shall also
file a copy of the original unredacted document, marked to indicate
which portions are redacted in the document's confidential version
without obscuring the original document's contents.
(f) Supporting documentation and information. (1) Issuance of a
Type Approval or PTC System Certification is contingent upon FRA's
confidence in the implementation and operation of the subject PTC
system. This confidence may be based on FRA-monitored field testing or
an independent assessment performed in accordance with Sec. 236.1035
or Sec. 236.1017, respectively.
(2) Upon request by FRA, the railroad requesting a Type Approval or
PTC System Certification must engage in field testing or independent
assessment performed in accordance with Sec. 236.1035 or Sec.
236.1017, respectively, to support the assertions made in any of the
plans submitted under this subpart. These assertions include any of the
plans' content requirements under this subpart.
(g) FRA conditions, reconsiderations, and modifications. (1) As
necessary to ensure safety, FRA may attach special conditions to
approving a PTCIP or issuing a Type Approval or PTC System
Certification.
(2) After granting a Type Approval or PTC System Certification, FRA
may reconsider the Type Approval or PTC System Certification upon
revelation of any of the following factors concerning the contents of
the PTCDP or PTCSP:
(i) Potential error or fraud;
(ii) Potentially invalidated assumptions determined as a result of
in-service experience or one or more unsafe events calling into
question the safety analysis supporting the approval.
(3) During FRA's reconsideration in accordance with this paragraph,
the PTC system may remain in use if otherwise consistent with the
applicable law and regulations and FRA may impose special conditions
for use of the PTC system.
(4) After FRA's reconsideration in accordance with this paragraph,
FRA may:
(i) Dismiss its reconsideration and continue to recognize the
existing FRA approved Type Approval or PTC System Certification;
(ii) Allow continued operations under such conditions the Associate
Administrator deems necessary to ensure safety; or
(iii) Revoke the Type Approval or PTC System Certification and
direct the railroad to cease operations where PTC systems are required
under this subpart.
(h) FRA access. The Associate Administrator, or that person's
designated representatives, shall be afforded reasonable access to
monitor, test, and inspect processes, procedures, facilities,
documents, records, design and testing materials, artifacts, training
materials and programs, and any other information used in the design,
development, manufacture, test, implementation, and operation of the
system, as well as interview any personnel:
(1) Associated with a PTC system for which a Type Approval or PTC
System Certification has been requested or provided; or
(2) To determine whether a railroad has been in compliance with
this subpart.
(i) Foreign regulatory entity verification. Information that has
been certified under the auspices of a foreign regulatory entity
recognized by the Associate Administrator may, at the Associate
Administrator's sole discretion, be accepted as independently Verified
and Validated and used to support each railroad's development of the
PTCSP.
(j) Processing times for PTCDP and PTCSP.
(1) Within 30 days of receipt of a PTCDP or PTCSP, the Associate
Administrator will either acknowledge receipt or acknowledge receipt
and request more information.
(2) To the extent practicable, considering the scope, complexity,
and novelty of the product or change:
(i) FRA will approve, approve with conditions, or deny the PTCDP
within 60 days of the date on which the PTCDP was filed;
(ii) FRA will approve, approve with conditions, or deny the PTCSP
within 180 days of the date on which the PTCSP was filed;
(iii) If FRA has not approved, approved with conditions, or denied
the PTCDP or PTCSP within the 60-day or 180-day window, as applicable,
FRA will provide the submitting party with a statement of reasons as to
why the submission has not yet been acted upon and a projected deadline
by which an approval or denial will be issued and any further
consultations or inquiries will be resolved.
Sec. 236.1011 PTC Implementation Plan content requirements.
(a) Contents. A PTCIP filed pursuant to this subpart shall, at a
minimum, describe:
(1) The functional requirements that the proposed system must meet;
(2) How the PTC railroad intends to comply with Sec. Sec.
236.1009(c) and (d);
(3) How the PTC system will provide for interoperability of the
system between the host and all tenant railroads on the track segments
required to be equipped with PTC systems under this subpart and:
(i) Include relevant provisions of agreements, executed by all
applicable railroads, in place to achieve interoperability;
(ii) List all methods used to obtain interoperability; and
(iii) Identify any railroads with respect to which interoperability
agreements have not been achieved as of the time the plan is filed, the
practical obstacles that were encountered that prevented resolution,
and the further steps planned to overcome those obstacles;
(4) How, to the extent practical, the PTC system will be
implemented to address areas of greater risk to the public and railroad
employees before areas of lesser risk;
(5) The sequence and schedule in which track segments will be
equipped and the basis for those decisions, and shall at a minimum
address the following risk factors by track segment:
(i) Segment traffic characteristics such as typical annual
passenger and freight train volume and volume of poison- or toxic-by-
inhalation (PIH or TIH) shipments (loads, residue);
(ii) Segment operational characteristics such as current method of
operation (including presence or absence of a block signal system),
number of tracks, and maximum allowable train speeds, including planned
modifications; and
(iii) Route attributes bearing on risk, including ruling grades and
extreme curvature;
(6) The following information relating to rolling stock:
(i) What rolling stock will be equipped with PTC technology;
(ii) The schedule to equip that rolling stock by December 31, 2015;
(iii) All documents and information required by Sec. 236.1006; and
(iv) Unless the tenant railroad is filing its own PTCIP, the host
railroad's PTCIP shall:
(A) Attest that the host railroad has made a formal written request
to each tenant railroad requesting identification of each item of
rolling stock to be PTC
[[Page 2707]]
system equipped and the date each will be equipped; and
(B) Include each tenant railroad's response to the host railroad's
written request made in accordance with paragraph (a)(6)(iii)(A) of
this section;
(7) The number of wayside devices required for each track segment
and the installation schedule to complete wayside equipment
installation by December 31, 2015;
(8) Identification of each track segment on the railroad as
mainline or non-mainline track. If the PTCIP includes an MTEA, as
defined by Sec. 236.1019, the PTCIP should identify the tracks
included in the MTEA as main line track with a reference to the MTEA;
(9) To the extent the railroad determines that risk-based
prioritization required by paragraph (a)(4) of this section is not
practical, the basis for this determination; and
(10) The dates the associated PTCDP and PTCSP, as applicable, will
be submitted to FRA in accordance with Sec. 236.1009.
(b) Additional Class I railroad PTCIP requirements. Each Class I
railroad shall include:
(1) In its PTCIP a strategy for full deployment of its PTC system,
describing the criteria that it will apply in identifying additional
rail lines on its own network, and rail lines of entities that it
controls or engages in joint operations with, for which full or partial
deployment of PTC technologies is appropriate, beyond those required to
be equipped under this subpart. Such criteria shall include
consideration of the policies established by 49 U.S.C. 20156 (railroad
safety risk reduction program), and regulations issued thereunder, as
well as non-safety business benefits that may accrue.
(2) In the Technology Implementation Plan of its Risk Reduction
Program, when first required to be filed in accordance with 49 U.S.C.
20156 and any regulation promulgated thereunder, a specification of
rail lines selected for full or partial deployment of PTC under the
criteria identified in its PTCIP.
(3) Nothing in this paragraph shall be construed to create an
expectation or requirement that additional rail lines beyond those
required to be equipped by this subpart must be equipped or that such
lines will be equipped during the period of primary implementation
ending December 31, 2015.
(4) As used in this paragraph, ``partial implementation'' of a PTC
system refers to use, pursuant to subpart H of this part, of technology
embedded in PTC systems that does not employ all of the functionalities
required by this subpart.
(c) FRA review. Within 90 days of receipt of a PTCIP, the Associate
Administrator will approve or disapprove of the plan and notify in
writing the affected railroad or other entity. If the PTCIP is not
approved, the notification will include the plan's deficiencies. Within
30 days of receipt of that notification, the railroad or other entity
that submitted the plan shall correct all deficiencies and resubmit the
plan in accordance with Sec. 236.1009 and paragraph (a) of this
section, as applicable.
(d) Subpart H. A railroad that elects to install a PTC system when
not required to do so may elect to proceed under this subpart or under
subpart H of this part.
(e) Upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA posts on its
public web site notice of receipt and reference to the public docket in
which a copy of the filing has been placed. FRA may consider any public
comment on each document to the extent practicable within the time
allowed by law and without delaying implementation of PTC systems.
(f) The PTCIP shall be maintained to reflect the railroad's most
recent PTC deployment plans until all PTC system deployments required
under this subpart are complete.
Sec. 236.1013 PTC Development Plan and Notice of Product Intent
content requirements and Type Approval.
(a) For a PTC system to obtain a Type Approval from FRA, the PTCDP
shall be filed in accordance with Sec. 236.1009 and shall include:
(1) A complete description of the PTC system, including a list of
all PTC system components and their physical relationships in the
subsystem or system;
(2) A description of the railroad operation or categories of
operations on which the PTC system is designed to be used, including
train movement density (passenger, freight), operating speeds
(including a thorough explanation of intended compliance with Sec.
236.1007), track characteristics, and railroad operating rules;
(3) An operational concepts document, including a list with
complete descriptions of all functions which the PTC system will
perform to enhance or preserve safety;
(4) A document describing the manner in which the PTC system
architecture satisfies safety requirements;
(5) A preliminary human factors analysis, including a complete
description of all human-machine interfaces and the impact of
interoperability requirements on the same;
(6) An analysis of the applicability to the PTC system of the
requirements of subparts A through G of this part that may no longer
apply or are satisfied by the PTC system using an alternative method,
and a complete explanation of the manner in which those requirements
are otherwise fulfilled;
(7) A prioritized service restoration and mitigation plan and a
description of the necessary security measures for the system;
(8) A description of target safety levels (e.g., MTTHE for major
subsystems as defined in subpart H of this part), including
requirements for system availability and a description of all backup
methods of operation and any critical assumptions associated with the
target levels;
(9) A complete description of how the PTC system will enforce
authorities and signal indications;
(10) A description of the deviation which may be proposed under
Sec. 236.1029(c), if applicable; and
(11) A complete description of how the PTC system will
appropriately and timely enforce all integrated hazard detectors in
accordance with Sec. 236.1005(c)(3), if applicable.
(b) If the Associate Administrator finds that the system described
in the PTCDP would satisfy the requirements for PTC systems under this
subpart and that the applicant has made a reasonable showing that a
system built to the stated requirements would achieve the level of
safety mandated for such a system under Sec. 236.1015, the Associate
Administrator may grant a numbered Type Approval for the system.
(c) Each Type Approval shall be valid for a period of 5 years,
subject to automatic and indefinite extension provided that at least
one PTC System Certification using the subject PTC system has been
issued within that period and not revoked.
(d) The Associate Administrator may prescribe special conditions,
amendments, and restrictions to any Type Approval as necessary for
safety.
(e) If submitted, an NPI must contain the following information:
(1) A description of the railroad operation or categories of
operations on which the proposed PTC system is designed to be used,
including train movement density (passenger, freight), operating speeds
(including a thorough explanation of intended compliance with Sec.
236.1007), track characteristics, and railroad operating rules;
(2) An operational concepts document, including a list with
complete descriptions of all functions
[[Page 2708]]
that the proposed PTC system will perform to enhance or preserve
safety;
(3) A description of target safety levels (e.g., MTTHE for major
subsystems as defined in subpart H of this part), including
requirements for system availability and a description of all backup
methods of operation and any critical assumptions associated with the
target levels;
(4) A complete description of how the proposed PTC system will
enforce authorities and signal indications; and
(5) A complete description of how the proposed PTC system will
appropriately and timely enforce all integrated hazard detectors in
accordance with Sec. 236.1005(c)(3), if applicable.
Sec. 236.1015 PTC Safety Plan content requirements and PTC System
Certification.
(a) Before placing a PTC system required under this part in
service, the host railroad must submit to FRA a PTCSP and receive a PTC
System Certification. If the Associate Administrator finds that the
PTCSP and supporting documentation support a finding that the system
complies with this part, the Associate Administrator approves the PTCSP
and issues a PTC System Certification. Receipt of a PTC System
Certification affirms that the PTC system has been reviewed and
approved by FRA in accordance with, and meets the requirements of, this
part.
(b) A PTCSP submitted under this subpart may reference and utilize
in accordance with this subpart any Type Approval previously issued by
the Associate Administrator to any railroad, provided that the
railroad:
(1) Maintains a continually updated PTCPVL pursuant to Sec.
236.1023;
(2) Shows that the supplier from which they are procuring the PTC
system has established and can maintain a quality control system for
PTC system design and manufacturing acceptable to the Associate
Administrator. The quality control system must include the process for
the product supplier or vendor to promptly and thoroughly report any
safety-relevant failure and previously unidentified hazards to each
railroad using the product; and
(3) Provides the applicable licensing information.
(c) A PTCSP submitted in accordance with this subpart shall:
(1) Include the FRA approved PTCDP or, if applicable, the FRA
issued Type Approval;
(2)(i) Specifically and rigorously document each variance,
including the significance of each variance between the PTC system and
its applicable operating conditions as described in the applicable
PTCDP from that as described in the PTCSP, and attest that there are no
other such variances; or
(ii) Attest that there are no variances between the PTC system and
its applicable operating conditions as described in the applicable
PTCDP from that as described in the PTCSP; and
(3) Attest that the system was otherwise built in accordance with
the applicable PTCDP and PTCSP and achieves the level of safety
represented therein.
(d) A PTCSP shall include the same information required for a PTCDP
under Sec. 236.1013(a). If a PTCDP has been filed and approved prior
to filing of the PTCSP, the PTCSP may incorporate the PTCDP by
reference, with the exception that a final human factors analysis shall
be provided. The PTCSP shall contain the following additional elements:
(1) A hazard log consisting of a comprehensive description of all
safety-relevant hazards not previously addressed by the vendor or
supplier to be addressed during the life-cycle of the PTC system,
including maximum threshold limits for each hazard (for unidentified
hazards, the threshold shall be exceeded at one occurrence);
(2) A description of the safety assurance concepts that are to be
used for system development, including an explanation of the design
principles and assumptions;
(3) A risk assessment of the as-built PTC system described;
(4) A hazard mitigation analysis, including a complete and
comprehensive description of each hazard and the mitigation techniques
used;
(5) A complete description of the safety assessment and
Verification and Validation processes applied to the PTC system, their
results, and whether these processes address the safety principles
described in Appendix C to this part directly, using other safety
criteria, or not at all;
(6) A complete description of the railroad's training plan for
railroad and contractor employees and supervisors necessary to ensure
safe and proper installation, implementation, operation, maintenance,
repair, inspection, testing, and modification of the PTC system;
(7) A complete description of the specific procedures and test
equipment necessary to ensure the safe and proper installation,
implementation, operation, maintenance, repair, inspection, testing,
and modification of the PTC system on the railroad and establish
safety-critical hazards are appropriately mitigated. These procedures,
including calibration requirements, shall be consistent with or explain
deviations from the equipment manufacturer's recommendations;
(8) A complete description of any additional warning to be placed
in the Operations and Maintenance Manual in the same manner specified
in Sec. 236.919 and all warning labels to be placed on equipment as
necessary to ensure safety;
(9) A complete description of the configuration or revision control
measures designed to ensure that the railroad or its contractor does
not adversely affect the safety-functional requirements and that
safety-critical hazard mitigation processes are not compromised as a
result of any such change;
(10) A complete description of all initial implementation testing
procedures necessary to establish that safety-functional requirements
are met and safety-critical hazards are appropriately mitigated;
(11) A complete description of all post-implementation testing
(validation) and monitoring procedures, including the intervals
necessary to establish that safety-functional requirements, safety-
critical hazard mitigation processes, and safety-critical tolerances
are not compromised over time, through use, or after maintenance
(adjustment, repair, or replacement) is performed;
(12) A complete description of each record necessary to ensure the
safety of the system that is associated with periodic maintenance,
inspections, tests, adjustments, repairs, or replacements, and the
system's resulting conditions, including records of component failures
resulting in safety-relevant hazards (see Sec. 236.1037);
(13) A safety analysis to determine whether, when the system is in
operation, any risk remains of an unintended incursion into a roadway
work zone due to human error. If the analysis reveals any such risk,
the PTCDP and PTCSP shall describe how that risk will be mitigated;
(14) A more detailed description of any alternative arrangements as
already provided under Sec. 236.1005(a)(1)(i).
(15) A complete description of how the PTC system will enforce
authorities and signal indications, unless already completely provided
for in the PTCDP;
(16) A description of how the PTCSP complies with Sec.
236.1019(f), if applicable;
(17) A description of any deviation in operational requirements for
en route failures as specified under Sec. 236.1029(c), if applicable
and unless already completely provided for in the PTCDP;
(18) A complete description of how the PTC system will
appropriately and
[[Page 2709]]
timely enforce all integrated hazard detectors in accordance with Sec.
236.1005;
(19) An emergency and planned maintenance temporary rerouting plan
indicating how operations on the subject PTC system will take advantage
of the benefits provided under Sec. 236.1005(g) through (k); and
(20) The documents and information required under Sec. 236.1007
and Sec. 236.1033.
(e) The following additional requirements apply to:
(1) Non-vital overlay. A PTC system proposed as an overlay on the
existing method of operation and not built in accordance with the
safety assurance principles set forth in Appendix C of this part must,
to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in Sec. 236.1005;
(ii) Obtain at least 80 percent reduction of the risk associated
with accidents preventable by the functions set forth in Sec.
236.1005, when all effects of the change associated with the PTC system
are taken into account. The supporting risk assessment shall evaluate
all intended changes in railroad operations coincident with the
introduction of the new system; and
(iii) Maintain a level of safety for each subsequent system
modification that is equal to or greater than the level of safety for
the previous PTC systems.
(2) Vital overlay. A PTC system proposed on a newly constructed
track or as an overlay on the existing method of operation and built in
accordance with the safety assurance principles set forth in Appendix C
of this part must, to the satisfaction of the Associate Administrator,
be shown to:
(i) Reliably execute the functions set forth in Sec. 236.1005; and
(ii) Have sufficient documentation to demonstrate that the PTC
system, as built, fulfills the safety assurance principles set forth in
Appendix C of this part. The supporting risk assessment may be
abbreviated as that term is used in subpart H of this part.
(3) Stand-alone. A PTC system proposed on a newly constructed
track, an existing track for which no signal system exists, as a
replacement for an existing signal or train control system, or
otherwise to replace or materially modify the existing method of
operation, shall:
(i) Reliably execute the functions required by Sec. 236.1005 and
be demonstrated to do so to FRA's satisfaction; and
(ii) Have a PTCSP establishing, with a high degree of confidence,
that the system will not introduce new hazards that have not been
mitigated. The supporting risk assessment shall evaluate all intended
changes in railroad operations in relation to the introduction of the
new system and shall examine in detail the direct and indirect effects
of all changes in the method of operations.
(4) Mixed systems. If a PTC system combining overlay, stand-alone,
vital, or non-vital characteristics is proposed, the railroad shall
confer with the Associate Administrator regarding appropriate
structuring of the safety case and analysis.
(f) When determining whether the PTCSP fulfills the requirements
under paragraph (d) of this section, the Associate Administrator may
consider all available evidence concerning the reliability and
availability of the proposed system and any and all safety consequences
of the proposed changes. In any case where the PTCSP lacks adequate
data regarding safety impacts of the proposed changes, the Associate
Administrator may request the necessary data from the applicant. If the
requested data is not provided, the Associate Administrator may find
that potential hazards could or will arise.
(g) If a PTCSP applies to a system designed to replace an existing
certified PTC system, the PTCSP will be approved provided that the
PTCSP establishes with a high degree of confidence that the new system
will provide a level of safety not less than the level of safety
provided by the system to be replaced.
(h) When reviewing the issue of the potential data errors (for
example, errors arising from data supplied from other business systems
needed to execute the braking algorithm, survey data needed for
location determination, or mandatory directives issued through the
computer-aided dispatching system), the PTCSP must include a careful
identification of each of the risks and a discussion of each applicable
mitigation. In an appropriate case, such as a case in which the
residual risk after mitigation is substantial or the underlying method
of operation will be significantly altered, the Associate Administrator
may require submission of a quantitative risk assessment addressing
these potential errors.
Sec. 236.1017 Independent third party Verification and Validation.
(a) The PTCSP must be supported by an independent third-party
assessment when the Associate Administrator concludes that it is
necessary based upon the criteria set forth in Sec. 236.913, with the
exception that consideration of the methodology used in the risk
assessment (Sec. 236.913(g)(2)(vii)) shall apply only to the extent
that a comparative risk assessment was required. To the extent
practicable, FRA makes this determination not later than review of the
PTCIP and the accompanying PTCDP or PTCSP. If an independent assessment
is required, the assessment may apply to the entire system or a
designated portion of the system.
(b) If a PTC system is to undergo an independent assessment in
accordance with this section, the host railroad may submit to the
Associate Administrator a written request that FRA confirm whether a
particular entity would be considered an independent third party
pursuant to this section. The request should include supporting
information identified in paragraph (c) of this section. FRA may
request further information to make a determination or provide its
determination in writing.
(c) As used in this section, ``independent third party'' means a
technically competent entity responsible to and compensated by the
railroad (or an association on behalf of one or more railroads) that is
independent of the PTC system supplier and vendor. An entity that is
owned or controlled by the supplier or vendor, that is under common
ownership or control with the supplier or vendor, or that is otherwise
involved in the development of the PTC system is not considered
``independent'' within the meaning of this section.
(d) The independent third-party assessment shall, at a minimum,
consist of the activities and result in the production of documentation
meeting the requirements of Appendix F to this part, unless excepted by
this part or by FRA order or waiver.
(e) Information provided that has been certified under the auspices
of a foreign railroad regulatory entity recognized by the Associate
Administrator may, at the Associate Administrator's discretion, be
accepted as having been independently verified.
Sec. 236.1019 Main line track exceptions.
(a) Scope and procedure. This section pertains exclusively to
exceptions from the rule that trackage over which scheduled intercity
and commuter passenger service is provided is considered main line
track requiring installation of a PTC system. One or more intercity or
commuter passenger railroads, or freight railroads conducting joint
passenger and freight operation over the same segment of track may file
a main line track exclusion addendum (``MTEA'') to its PTCIP requesting
to designate track as not main line subject to the conditions set forth
in paragraphs
[[Page 2710]]
(b) or (c) of this section. No track shall be designated as yard or
terminal unless it is identified in an MTEA that is part of an FRA
approved PTCIP.
(b) Passenger terminal exception. FRA will consider an exception in
the case of trackage used exclusively as yard or terminal tracks by or
in support of regularly scheduled intercity or commuter passenger
service where the MTEA describes in detail the physical boundaries of
the trackage in question, its use and characteristics (including track
and signal charts) and all of the following apply:
(1) The maximum authorized speed for all movements is not greater
than 20 miles per hour, and that maximum is enforced by any available
onboard PTC equipment within the confines of the yard or terminal;
(2) Interlocking rules are in effect prohibiting reverse movements
other than on signal indications without dispatcher permission; and
(3) Either of the following conditions exists:
(i) No freight operations are permitted; or
(ii) Freight operations are permitted but no passengers will be
aboard passenger trains within the defined limits.
(c) Limited operations exception. FRA will consider an exception in
the case of a track segment used for limited operations (at speeds not
exceeding those permitted under Sec. 236.0 of this part) under one of
the following sets of conditions:
(1) The trackage is used for limited operations by at least one
passenger railroad subject to at least one of the following conditions:
(i) All trains are limited to restricted speed;
(ii) Temporal separation of passenger and other trains is
maintained as provided in paragraph (e) of this section; or
(iii) Passenger service is operated under a risk mitigation plan
submitted by all railroads involved in the joint operation and approved
by FRA. The risk mitigation plan must be supported by a risk assessment
establishing that the proposed mitigations will achieve a level of
safety not less than the level of safety that would obtain if the
operations were conducted under paragraph (c)(1) or (c)(2) of this
section.
(2) Passenger service is operated on a segment of track of a
freight railroad that is not a Class I railroad on which less than 15
million gross tons of freight traffic is transported annually and on
which one of the following conditions applies:
(i) If the segment is unsignaled and no more than four regularly
scheduled passenger trains are operated during a calendar day, or
(ii) If the segment is signaled (e.g., equipped with a traffic
control system, automatic block signal system, or cab signal system)
and no more than 12 regularly scheduled passenger trains are operated
during a calendar day.
(3) Not more than four passenger trains per day are operated on a
segment of track of a Class I freight railroad on which less than 15
million gross tons of freight traffic is transported annually.
(d) A limited operations exception under paragraph (c) is subject
to FRA review and approval. FRA may require a collision hazard analysis
to identify hazards and may require that specific mitigations be
undertaken. Operations under any such exception shall be conducted
subject to the terms and conditions of the approval. Any main line
track exclusion is subject to periodic review.
(e) Temporal separation. As used in this section, temporal
separation means that limited passenger and freight operations do not
operate on any segment of shared track during the same period and also
refers to the processes or physical arrangements, or both, in place to
ensure that temporal separation is established and maintained at all
times. The use of exclusive authorities under mandatory directives is
not, by itself, sufficient to establish that temporal separation is
achieved. Procedures to ensure temporal separation shall include
verification checks between passenger and freight operations and
effective physical means to positively ensure segregation of passenger
and freight operations in accordance with this paragraph.
(f) PTCSP requirement. No PTCSP--filed after the approval of a
PTCIP with an MTEA--shall be approved by FRA unless it attests that no
changes, except for those included in an FRA approved RFA, have been
made to the information in the PTCIP and MTEA required by paragraph (b)
or (c) of this section.
(g) Designation modifications. If subsequent to approval of its
PTCIP or PTCSP the railroad seeks to modify which track or tracks
should be designated as main line or not main line, it shall request
modification of its PTCIP or PTCSP, as applicable, in accordance with
Sec. 236.1021.
Sec. 236.1021 Discontinuances, material modifications, and
amendments.
(a) No changes, as defined by this section, to a PTC system, PTCIP,
PTCDP, or PTCSP, shall be made unless:
(1) The railroad files a request for amendment (``RFA'') to the
applicable PTCIP, PTCDP, or PTCSP with the Associate Administrator; and
(2) The Associate Administrator approves the RFA.
(b) After approval of an RFA in accordance with paragraph (a) of
this section, the railroad shall immediately adopt and comply with the
amendment.
(c) In lieu of a separate filing under part 235 of this chapter, a
railroad may request approval of a discontinuance or material
modification of a signal or train control system by filing an RFA to
its PTCIP, PTCDP, or PTCSP with the Associate Administrator.
(d) An RFA made in accordance with this section will not be
approved by FRA unless the request includes:
(1) The information listed in Sec. 235.10 of this chapter and the
railroad provides FRA upon request any additional information necessary
to evaluate the RFA (see Sec. 235.12), including:
(2) The proposed modifications;
(3) The reasons for each modification;
(4) The changes to the PTCIP, PTCDP, or PTCSP, as applicable;
(5) Each modification's effect on PTC system safety;
(6) An approximate timetable for filing of the PTCDP, PTCSP, or
both, if the amendment pertains to a PTCIP; and
(7) An explanation of whether each change to the PTCSP is planned
or unplanned.
(i) Unplanned changes that affect the Type Approval's PTCDP require
submission and approval in accordance with Sec. 236.1013 of a new
PTCDP, followed by submission and approval in accordance with Sec.
236.1015 of a new PTCSP for the PTC system.
(ii) Unplanned changes that do not affect the Type Approval's PTCDP
require submission and approval of a new PTCSP.
(iii) Unplanned changes are changes affecting system safety that
have not been documented in the PTCSP. The impact of unplanned changes
on PTC system safety has not yet been determined.
(iv) Planned changes may be implemented after they have undergone
suitable regression testing to demonstrate, to the satisfaction of the
Associate Administrator, they have been correctly implemented and their
implementation does not degrade safety.
(v) Planned changes are changes affecting system safety in the
PTCSP and have been included in all required analysis under Sec.
236.1015. The impact of these changes on the PTC system's safety has
been incorporated as an integral part of the approved PTCSP safety
analysis.
[[Page 2711]]
(e) If the RFA includes a request for approval of a discontinuance
or material modification of a signal or train control system, FRA will
publish a notice in the Federal Register of the application and will
invite public comment in accordance with part 211 of this chapter.
(f) When considering the RFA, FRA will review the issue of the
discontinuance or material modification and determine whether granting
the request is in the public interest and consistent with railroad
safety, taking into consideration all changes in the method of
operation and system functionalities, both within normal PTC system
availability and in the case of a system failed state (unavailable),
contemplated in conjunction with installation of the PTC system. The
railroad submitting the RFA must, at FRA's request, perform field
testing in accordance with Sec. 236.1035 or engage in Verification and
Validation in accordance with Sec. 236.1017.
(g) FRA may issue at its discretion a new Type Approval number for
a PTC system modified under this section.
(h) Changes requiring filing of an RFA. Except as provided by
paragraph (i), an RFA shall be filed to request the following:
(1) Discontinuance of a PTC system, or other similar appliance or
device;
(2) Decrease of the PTC system's limits (e.g., exclusion or removal
of a PTC system on a track segment);
(3) Modification of a safety critical element of a PTC system; or
(4) Modification of a PTC system that affects the safety critical
functionality of any other PTC system with which it interoperates.
(i) Discontinuances not requiring the filing of an RFA. It is not
necessary to file an RFA for the following discontinuances:
(1) Removal of a PTC system from track approved for abandonment by
formal proceeding;
(2) Removal of PTC devices used to provide protection against
unusual contingencies such as landslide, burned bridge, high water,
high and wide load, or tunnel protection when the unusual contingency
no longer exists;
(3) Removal of the PTC devices that are used on a movable bridge
that has been permanently closed by the formal approval of another
government agency and is mechanically secured in the closed position
for rail traffic; or
(4) Removal of the PTC system from service for a period not to
exceed 6 months that is necessitated by catastrophic occurrence such as
derailment, flood, fire, or hurricane, or earthquake.
(j) Changes not requiring the filing of an RFA. When the resultant
change to the PTC system will comply with an approved PTCSP of this
part, it is not necessary to file for approval to decrease the limits
of a system when it involves the:
(1) Decrease of the limits of a PTC system when interlocked
switches, derails, or movable-point frogs are not involved;
(2) Removal of an electric or mechanical lock, or signal used in
lieu thereof, from hand-operated switch in a PTC system where train
speed over such switch does not exceed 20 miles per hour, and use of
those devices has not been part of the considerations for approval of a
PTCSP; or
(3) Removal of an electric or mechanical lock, or signal used in
lieu thereof, from a hand-operated switch in a PTC system where trains
are not permitted to clear the main track at such switch and use of
those devices has not been a part of the considerations for approval of
a PTCSP.
(k) Modifications not requiring the filing of an RFA. When the
resultant arrangement will comply with an approved PTCSP of this part,
it is not necessary to file an application for approval of the
following modifications:
(1) A modification that is required to comply with an order of the
Federal Railroad Administration or any section of part 236 of this
title;
(2) Installation of devices used to provide protection against
unusual contingencies such as landslide, burned bridges, high water,
high and wide loads, or dragging equipment;
(3) Elimination of existing track other than a second main track;
(4) Extension or shortening of a passing siding; or
(5) The temporary or permanent arrangement of existing systems
necessitated by highway-rail grade separation construction. Temporary
arrangements shall be removed within six months following completion of
construction.
Sec. 236.1023 Errors and malfunctions.
(a) Each railroad implementing a PTC system on its property shall
establish and continually update a PTC Product Vendor List (PTCPVL)
that includes all vendors and suppliers of each PTC system, subsystem,
component, and associated product, and process in use system-wide. The
PTCPVL shall be made available to FRA upon request.
(b)(1) The railroad shall specify within its PTCSP all contractual
arrangements with hardware and software suppliers or vendors for
immediate notification between the parties of any and all safety-
critical software failures, upgrades, patches, or revisions, as well as
any hardware repairs, replacements, or modifications for their PTC
system, subsystems, or components.
(2) A vendor or supplier, on receipt of a report of any safety-
critical failure to their product, shall promptly notify all other
railroads that are using that product, whether or not the other
railroads have experienced the reported failure of that safety-critical
system, subsystem, or component.
(3) The notification from a supplier to any railroad shall include
explanation from the supplier of the reasons for such notification, the
circumstances associated with the failure, and any recommended
mitigation actions to be taken pending determination of the root cause
and final corrective actions.
(c) The railroad shall:
(1) Specify the railroad's process and procedures in its PTCSP for
action upon their receipt of notification of safety-critical failure,
as well as receipt of a safety-critical upgrade, patch, revision,
repair, replacement, or modification.
(2) Identify configuration/revision control measures in its PTCSP
that are designed to ensure the safety-functional requirements and the
safety-critical hazard mitigation processes are not compromised as a
result of any change and that such a change can be audited.
(d) The railroad shall provide to the applicable vendor or supplier
the railroad's procedures for action upon notification of a safety-
critical failure, upgrade, patch, or revision for the PTC system,
subsystem, component, product, or process, and actions to be taken
until the faulty system, subsystem, or component has been adjusted,
repaired or replaced.
(e) After the product is placed in service, the railroad shall
maintain a database of all safety-relevant hazards as set forth in the
PTCSP and those that had not previously been identified in the PTCSP.
If the frequency of the safety-relevant hazard exceeds the thresholds
set forth in the PTCSP, or has not been previously identified in the
appropriate risk analysis, the railroad shall:
(1) Notify the applicable vendor or supplier and FRA of the
failure, malfunction, or defective condition that decreased or
eliminated the safety functionality;
(2) Keep the applicable vendor or supplier and FRA apprised on a
continual basis of the status of any and all subsequent failures; and
(3) Take prompt counter measures to reduce or eliminate the
frequency of the
[[Page 2712]]
safety-relevant hazards below the threshold identified in the PTCSP.
(f) Each notification to FRA required by this section shall:
(1) Be made within 15 days after the vendor, supplier, or railroad
discovers the failure, malfunction, or defective condition. However, a
report that is due on a Saturday or a Sunday may be delivered on the
following Monday and one that is due on a holiday may be delivered on
the next business day;
(2) Be transmitted in a manner and form acceptable to the Associate
Administrator and by the most expeditious method available; and
(3) Include as much available and applicable information as
possible, including:
(i) PTC system name and model;
(ii) Identification of the part, component, or system involved,
including the part number as applicable;
(iii) Nature of the failure, malfunctions, or defective condition;
(iv) Mitigation taken to ensure the safety of train operation,
railroad employees, and the public; and
(v) The estimated time to correct the failure.
(4) In the event that all information required by paragraph (f)(3)
of this section is not immediately available, the non-available
information shall be forwarded to the Associate Administrator as soon
as practicable in supplemental reports.
(g) Whenever any investigation of an accident or service difficulty
report shows that a PTC system or product is unsafe because of a
manufacturing or design defect, the railroad and its vendor or supplier
shall, upon request of the Associate Administrator, report to the
Associate Administrator the results of its investigation and any action
taken or proposed to correct that defect.
(h) PTC system and product suppliers and vendors shall:
(1) Promptly report any safety-relevant failures or defective
conditions, previously unidentified hazards, and recommended mitigation
actions in their PTC system, subsystem, or component to each railroad
using the product; and
(2) Notify FRA of any safety-relevant failure, defective condition,
or previously unidentified hazard discovered by the vendor or supplier
and the identity of each affected and notified railroad.
(i) The requirements of this section do not apply to failures,
malfunctions, or defective conditions that:
(1) Are caused by improper maintenance or improper usage; or
(2) Have been previously identified to the FRA, vendor or supplier,
and applicable user railroads.
(j) When any safety-critical PTC system, subsystem, or component
fails to perform its intended function, the cause shall be determined
and the faulty product adjusted, repaired, or replaced without undue
delay. Until corrective action is completed, a railroad shall take
appropriate action to ensure safety and reliability as specified within
its PTCSP.
(k) Any railroad experiencing a failure of a system resulting in a
more favorable aspect than intended or other condition hazardous to the
movement of a train shall comply with the reporting requirements,
including the making of a telephonic report of an accident or incident
involving such failure, under part 233 of this chapter. Filing of one
or more reports under part 233 of this chapter does not exempt a
railroad, vendor, or supplier from the reporting requirements contained
in this section.
Sec. 236.1025 [Reserved]
Sec. 236.1027 PTC system exclusions.
(a) The requirements of this subpart apply to each office
automation system that performs safety-critical functions within, or
affects the safety performance of, the PTC system. For purposes of this
section, ``office automation system'' means any centralized or
distributed computer-based system that directly or indirectly controls
the active movement of trains in a rail network.
(b) Changes or modifications to PTC systems otherwise excluded from
the requirements of this subpart by this section do not exclude those
PTC systems from the requirements of this subpart if the changes or
modifications result in a degradation of safety or a material decrease
in safety-critical functionality.
(c) Primary train control systems cannot be integrated with
locomotive electronic systems unless the complete integrated systems:
(1) Have been shown to be designed on fail-safe principles;
(2) Have demonstrated to operate in a fail-safe mode;
(3) Have a manual fail-safe fallback and override to allow the
locomotive to be brought to a safe stop in the event of any loss of
electronic control; and
(4) Are included in the approved and applicable PTCDP and PTCSP.
(d) PTC systems excluded by this section from the requirements of
this subpart remain subject to subparts A through H of this part as
applicable.
Sec. 236.1029 PTC system use and en route failures.
(a) When any safety-critical PTC system component fails to perform
its intended function, the cause must be determined and the faulty
component adjusted, repaired, or replaced without undue delay. Until
repair of such essential components are completed, a railroad shall
take appropriate action as specified in its PTCSP.
(b) Where a PTC onboard apparatus on a controlling locomotive that
is operating in or is to be operated within a PTC system fails or is
otherwise cut-out while en route (i.e, after the train has departed its
initial terminal), the train may only continue in accordance with the
following:
(1) The train may proceed at restricted speed, or if a block signal
system is in operation according to signal indication at medium speed,
to the next available point where communication of a report can be made
to a designated railroad officer of the host railroad;
(2) Upon completion and communication of the report required in
paragraph (b)(1) of this section, or where immediate electronic report
of said condition is appropriately provided by the PTC system itself, a
train may continue to a point where an absolute block can be
established in advance of the train in accordance with the following:
(i) Where no block signal system is in use, the train may proceed
at restricted speed, or
(ii) Where a block signal system is in operation according to
signal indication, the train may proceed at a speed not to exceed
medium speed.
(3) Upon reaching the location where an absolute block has been
established in advance of the train, as referenced in paragraph (b)(2)
of this section, the train may proceed in accordance with the
following:
(i) Where no block signal system is in use, the train may proceed
at medium speed; however, if the involved train is a passenger train or
a train hauling any amount of PIH material, it may only proceed at a
speed not to exceed 30 miles per hour.
(ii) Where a block signal system is in use, a passenger train may
proceed at a speed not to exceed 59 miles per hour and a freight train
may proceed at a speed not to exceed 49 miles per hour.
(iii) Except as provided in paragraph (c), where a cab signal
system with an automatic train control system is in operation, the
train may proceed at a speed not to exceed 79 miles per hour.
(c) In order for a train equipped with PTC traversing a track
segment equipped with PTC to deviate from the operating limitations
contained in paragraph (b) of this section, the deviation must be
described and justified in the FRA approved PTCDP or PTCSP, or the
Order of Particular Applicability, as applicable.
[[Page 2713]]
(d) Each railroad shall comply with all provisions in the
applicable PTCDP and PTCSP for each PTC system it uses and shall
operate within the scope of initial operational assumptions and
predefined changes identified.
(e) The normal functioning of any safety-critical PTC system must
not be interfered with in testing or otherwise without first taking
measures to provide for the safe movement of trains, locomotives,
roadway workers, and on-track equipment that depend on the normal
functioning of the system.
(f) The PTC system's onboard apparatus shall be so arranged that
each member of the crew assigned to perform duties in the locomotive
can receive the same PTC information displayed in the same manner and
execute any functions necessary to that crew member's duties. The
locomotive engineer shall not be required to perform functions related
to the PTC system while the train is moving that have the potential to
distract the locomotive engineer from performance of other safety-
critical duties.
Sec. 236.1031 Previously approved PTC systems.
(a) Any PTC system fully implemented and operational prior to March
16, 2010, may receive PTC System Certification if the applicable PTC
railroad, or one or more system suppliers and one or more PTC
railroads, submits a Request for Expedited Certification (REC) letter
to the Associate Administrator. The REC letter must do one of the
following:
(1) Reference a product safety plan (PSP) approved by FRA under
subpart H of this part and include a document fulfilling the
requirements under Sec. Sec. 236.1011 and 236.1013 not already
included in the PSP;
(2) Attest that the PTC system has been approved by FRA and in
operation for at least 5 years and has already received an assessment
of Verification and Validation from an independent third party under
part 236 or a waiver supporting such operation; or
(3) Attest that the PTC system is recognized under an Order issued
prior to March 16, 2010.
(b) If an REC letter conforms to paragraph (a)(1) of this section,
the Associate Administrator, at his or her sole discretion, may also
issue a new Type Approval for the PTC system.
(c) In order to receive a Type Approval or PTC System Certification
under paragraph (a) or (b) of this section, the PTC system must be
shown to reliably execute the functionalities required by Sec. Sec.
236.1005 and 236.1007 and otherwise conform to this subpart.
(d) Previous approval or recognition of a train control system,
together with an established service history, may, at the request of
the PTC railroad, and consistent with available safety data, be
credited toward satisfaction of the safety case requirements set forth
in this part for the PTCSP with respect to all functionalities and
implementations contemplated by the approval or recognition.
(e) To the extent that the PTC system proposed for implementation
under this subpart is different in significant detail from the system
previously approved or recognized, the changes shall be fully analyzed
in the PTCDP or PTCSP as would be the case absent prior approval or
recognition.
(f) As used in this section--
(1) Approved refers to approval of a Product Safety Plan under
subpart H of this part.
(2) Recognized refers to official action permitting a system to be
implemented for control of train operations under an FRA order or
waiver, after review of safety case documentation for the
implementation.
(g) Upon receipt of an REC, FRA will consider all safety case
information to the extent feasible and appropriate, given the specific
facts before the agency. Nothing in this section limits re-use of any
applicable safety case information by a party other than the party
receiving:
(1) A prior approval or recognition referred to in this section; or
(2) A Type Approval or PTC System Certification under this subpart.
Sec. 236.1033 Communications and security requirements.
(a) All wireless communications between the office, wayside, and
onboard components in a PTC system shall provide cryptographic message
integrity and authentication.
(b) Cryptographic keys required under paragraph (a) of this section
shall:
(1) Use an algorithm approved by the National Institute of
Standards (NIST) or a similarly recognized and FRA approved standards
body;
(2) Be distributed using manual or automated methods, or a
combination of both; and
(3) Be revoked:
(i) If compromised by unauthorized disclosure of the cleartext key;
or
(ii) When the key algorithm reaches its lifespan as defined by the
standards body responsible for approval of the algorithm.
(c) The cleartext form of the cryptographic keys shall be protected
from unauthorized disclosure, modification, or substitution, except
during key entry when the cleartext keys and key components may be
temporarily displayed to allow visual verification. When encrypted keys
or key components are entered, the cryptographically protected
cleartext key or key components shall not be displayed.
(d) Access to cleartext keys shall be protected by a tamper
resistant mechanism.
(e) Each railroad electing to also provide cryptographic message
confidentiality shall:
(1) Comply with the same requirements for message integrity and
authentication under this section; and
(2) Only use keys meeting or exceeding the security strength
required to protect the data as defined in the railroad's PTCSP and
required under Sec. 236.1013(a)(7).
(f) Each railroad, or its vendor or supplier, shall have a
prioritized service restoration and mitigation plan for scheduled and
unscheduled interruptions of service. This plan shall be included in
the PTCDP or PTCSP as required by Sec. Sec. 236.1013 or 236.1015, as
applicable, and made available to FRA upon request, without undue
delay, for restoration of communication services that support PTC
system services.
(g) Each railroad may elect to impose more restrictive requirements
than those in this section, consistent with interoperability
requirements specified in the PTCSP for the system.
Sec. 236.1035 Field testing requirements.
(a) Before any field testing of an uncertified PTC system, or a
product of an uncertified PTC system, or any regression testing of a
certified PTC system is conducted on the general rail system, the
railroad requesting the testing must provide:
(1) A complete description of the PTC system;
(2) An operational concepts document;
(3) A complete description of the specific test procedures,
including the measures that will be taken to protect trains and on-
track equipment;
(4) An analysis of the applicability of the requirements of
subparts A through G of this part to the PTC system that will not apply
during testing;
(5) The date the proposed testing shall begin;
(6) The test locations; and
(7) The effect on the current method of operation the PTC system
will or may have under test.
(b) FRA may impose additional testing conditions that it believes
may be necessary for the safety of train operations.
[[Page 2714]]
(c) Relief from regulations other than from subparts A through G of
this part that the railroad believes are necessary to support the field
testing, must be requested in accordance with part 211 of this title.
Sec. 236.1037 Records retention.
(a) Each railroad with a PTC system required to be installed under
this subpart shall maintain at a designated office on the railroad:
(1) A current copy of each FRA approved Type Approval, if any,
PTCDP, and PTCSP that it holds;
(2) Adequate documentation to demonstrate that the PTCSP and PTCDP
meet the safety requirements of this subpart, including the risk
assessment;
(3) An Operations and Maintenance Manual, pursuant to Sec.
236.1039; and
(4) Training and testing records pursuant to Sec. 236.1043(b).
(b) Results of inspections and tests specified in the PTCSP and
PTCDP must be recorded pursuant to Sec. 236.110.
(c) Each contractor providing services relating to the testing,
maintenance, or operation of a PTC system required to be installed
under this subpart shall maintain at a designated office training
records required under Sec. 236.1039(b).
(d) After the PTC system is placed in service, the railroad shall
maintain a database of all safety-relevant hazards as set forth in the
PTCSP and PTCDP and those that had not been previously identified in
either document. If the frequency of the safety-relevant hazards
exceeds the threshold set forth in either of these documents, then the
railroad shall:
(1) Report the inconsistency in writing by mail, facsimile, e-mail,
or hand delivery to the Director, Office of Safety Assurance and
Compliance, FRA, 1200 New Jersey Ave, SE, Mail Stop 25, Washington, DC
20590, within 15 days of discovery. Documents that are hand delivered
must not be enclosed in an envelope;
(2) Take prompt countermeasures to reduce the frequency of each
safety-relevant hazard to below the threshold set forth in the PTCSP
and PTCDP; and
(3) Provide a final report when the inconsistency is resolved to
the FRA Director, Office of Safety Assurance and Compliance, on the
results of the analysis and countermeasures taken to reduce the
frequency of the safety-relevant hazard(s) below the threshold set
forth in the PTCSP and PTCDP.
Sec. 236.1039 Operations and Maintenance Manual.
(a) The railroad shall catalog and maintain all documents as
specified in the PTCDP and PTCSP for the installation, maintenance,
repair, modification, inspection, and testing of the PTC system and
have them in one Operations and Maintenance Manual, readily available
to persons required to perform such tasks and for inspection by FRA and
FRA-certified state inspectors.
(b) Plans required for proper maintenance, repair, inspection, and
testing of safety-critical PTC systems must be adequate in detail and
must be made available for inspection by FRA and FRA-certified state
inspectors where such PTC systems are deployed or maintained. They must
identify all software versions, revisions, and revision dates. Plans
must be legible and correct.
(c) Hardware, software, and firmware revisions must be documented
in the Operations and Maintenance Manual according to the railroad's
configuration management control plan and any additional configuration/
revision control measures specified in the PTCDP and PTCSP.
(d) Safety-critical components, including spare equipment, must be
positively identified, handled, replaced, and repaired in accordance
with the procedures specified in the PTCDP and PTCSP.
(e) Each railroad shall designate in its Operations and Maintenance
Manual an appropriate railroad officer responsible for issues relating
to scheduled interruptions of service contemplated by Sec. 236.1029.
Sec. 236.1041 Training and qualification program, general.
(a) Training program for PTC personnel. Employers shall establish
and implement training and qualification programs for PTC systems
subject to this subpart. These programs must meet the minimum
requirements set forth in the PTCDP and PTCSP in Sec. Sec. 236.1039
through 236.1045, as appropriate, for the following personnel:
(1) Persons whose duties include installing, maintaining,
repairing, modifying, inspecting, and testing safety-critical elements
of the railroad's PTC systems, including central office, wayside, or
onboard subsystems;
(2) Persons who dispatch train operations (issue or communicate any
mandatory directive that is executed or enforced, or is intended to be
executed or enforced, by a train control system subject to this
subpart);
(3) Persons who operate trains or serve as a train or engine crew
member subject to instruction and testing under part 217 of this
chapter, on a train operating in territory where a train control system
subject to this subpart is in use;
(4) Roadway workers whose duties require them to know and
understand how a train control system affects their safety and how to
avoid interfering with its proper functioning; and
(5) The direct supervisors of persons listed in paragraphs (a)(1)
through (a)(4) of this section.
(b) Competencies. The employer's program must provide training for
persons who perform the functions described in paragraph (a) of this
section to ensure that they have the necessary knowledge and skills to
effectively complete their duties related to operation and maintenance
of the PTC system.
Sec. 236.1043 Task analysis and basic requirements.
(a) Training structure and delivery. As part of the program
required by Sec. 236.1041, the employer shall, at a minimum:
(1) Identify the specific goals of the training program with regard
to the target population (craft, experience level, scope of work,
etc.), task(s), and desired success rate;
(2) Based on a formal task analysis, identify the installation,
maintenance, repair, modification, inspection, testing, and operating
tasks that must be performed on a railroad's PTC systems. This includes
the development of failure scenarios and the actions expected under
such scenarios;
(3) Develop written procedures for the performance of the tasks
identified;
(4) Identify the additional knowledge, skills, and abilities above
those required for basic job performance necessary to perform each
task;
(5) Develop a training and evaluation curriculum that includes
classroom, simulator, computer-based, hands-on, or other formally
structured training designed to impart the knowledge, skills, and
abilities identified as necessary to perform each task;
(6) Prior to assignment of related tasks, require all persons
mentioned in Sec. 236.1041(a) to successfully complete a training
curriculum and pass an examination that covers the PTC system and
appropriate rules and tasks for which they are responsible (however,
such persons may perform such tasks under the direct onsite supervision
of a qualified person prior to completing such training and passing the
examination);
(7) Require periodic refresher training and evaluation at intervals
specified in the PTCDP and PTCSP that includes classroom, simulator,
computer-based, hands-on, or other formally structured
[[Page 2715]]
training and testing, except with respect to basic skills for which
proficiency is known to remain high as a result of frequent repetition
of the task; and
(8) Conduct regular and periodic evaluations of the effectiveness
of the training program specified in Sec. 236.1041(a)(1) verifying the
adequacy of the training material and its validity with respect to
current railroads PTC systems and operations.
(b) Training records. Employers shall retain records which
designate persons who are qualified under this section until new
designations are recorded or for at least one year after such persons
leave applicable service. These records shall be kept in a designated
location and be available for inspection and replication by FRA and
FRA-certified State inspectors
Sec. 236.1045 Training specific to office control personnel.
(a) Any person responsible for issuing or communicating mandatory
directives in territory where PTC systems are or will be in use shall
be trained in the following areas, as applicable:
(1) Instructions concerning the interface between the computer-
aided dispatching system and the train control system, with respect to
the safe movement of trains and other on-track equipment;
(2) Railroad operating rules applicable to the train control
system, including provision for movement and protection of roadway
workers, unequipped trains, trains with failed or cut-out train control
onboard systems, and other on-track equipment; and
(3) Instructions concerning control of trains and other on-track
equipment in case the train control system fails, including periodic
practical exercises or simulations, and operational testing under part
217 of this chapter to ensure the continued capability of the personnel
to provide for safe operations under the alternative method of
operation.
(b) [Reserved]
Sec. 236.1047 Training specific to locomotive engineers and other
operating personnel.
(a) Operating personnel. Training provided under this subpart for
any locomotive engineer or other person who participates in the
operation of a train in train control territory shall be defined in the
PTCDP as well as the PTCSP. The following elements shall be addressed:
(1) Familiarization with train control equipment onboard the
locomotive and the functioning of that equipment as part of the system
and in relation to other onboard systems under that person's control;
(2) Any actions required of the onboard personnel to enable, or
enter data to, the system, such as consist data, and the role of that
function in the safe operation of the train;
(3) Sequencing of interventions by the system, including pre-
enforcement notification, enforcement notification, penalty application
initiation and post-penalty application procedures;
(4) Railroad operating rules and testing (part 217) applicable to
the train control system, including provisions for movement and
protection of any unequipped trains, or trains with failed or cut-out
train control onboard systems and other on-track equipment;
(5) Means to detect deviations from proper functioning of onboard
train control equipment and instructions regarding the actions to be
taken with respect to control of the train and notification of
designated railroad personnel; and
(6) Information needed to prevent unintentional interference with
the proper functioning of onboard train control equipment.
(b) Locomotive engineer training. Training required under this
subpart for a locomotive engineer, together with required records,
shall be integrated into the program of training required by part 240
of this chapter.
(c) Full automatic operation. The following special requirements
apply in the event a train control system is used to effect full
automatic operation of the train:
(1) The PTCDP and PTCSP shall identify all safety hazards to be
mitigated by the locomotive engineer.
(2) The PTCDP and PTCSP shall address and describe the training
required with provisions for the maintenance of skills proficiency. As
a minimum, the training program must:
(i) As described in Sec. 236.1043(a)(2), develop failure scenarios
which incorporate the safety hazards identified in the PTCDP and PTCSP
including the return of train operations to a fully manual mode;
(ii) Provide training, consistent with Sec. 236.1047(a), for safe
train operations under all failure scenarios and identified safety
hazards that affect train operations;
(iii) Provide training, consistent with Sec. 236.1047(a), for safe
train operations under manual control; and
(iv) Consistent with Sec. 236.1047(a), ensure maintenance of
manual train operating skills by requiring manual starting and stopping
of the train for an appropriate number of trips and by one or more of
the following methods:
(A) Manual operation of a train for a 4-hour work period;
(B) Simulated manual operation of a train for a minimum of 4 hours
in a Type I simulator as required; or
(C) Other means as determined following consultation between the
railroad and designated representatives of the affected employees and
approved by FRA. The PTCDP and PTCSP shall designate the appropriate
frequency when manual operation, starting, and stopping must be
conducted, and the appropriate frequency of simulated manual operation.
(d) Conductor training. Training required under this subpart for a
conductor, together with required records, shall be integrated into the
program of training required under this chapter.
Sec. 236.1049 Training specific to roadway workers.
(a) Roadway worker training. Training required under this subpart
for a roadway worker shall be integrated into the program of
instruction required under part 214, subpart C of this chapter
(``Roadway Worker Protection''), consistent with task analysis
requirements of Sec. 236.1043. This training shall provide instruction
for roadway workers who provide protection for themselves or roadway
work groups.
(b) Training subject areas. (1) Instruction for roadway workers
shall ensure an understanding of the role of processor-based signal and
train control equipment in establishing protection for roadway workers
and their equipment.
(2) Instruction for all roadway workers working in territories
where PTC is required under this subpart shall ensure recognition of
processor-based signal and train control equipment on the wayside and
an understanding of how to avoid interference with its proper
functioning.
(3) Instructions concerning the recognition of system failures and
the provision of alternative methods of on-track safety in case the
train control system fails, including periodic practical exercises or
simulations and operational testing under part 217 of this chapter to
ensure the continued capability of roadway workers to be free from the
danger of being struck by a moving train or other on-track equipment.
0
12. Amend Appendix A to part 236 by adding entries for subpart I as
follows:
Appendix A to Part 236--Civil Penalties \1\
---------------------------------------------------------------------------
\1\ The Administrator reserves the right to assess a civil
penalty of up to $100,000 per day for any violation where
circumstances warrant. See 459 CFR part 209, Appendix A.
[[Page 2716]]
------------------------------------------------------------------------
Willful
Section Violation violation
------------------------------------------------------------------------
* * * * * * *
------------------------------------------------------------------------
Subpart I--Positive Train Control Systems
------------------------------------------------------------------------
236.1005 Positive Train Control System
Requirements:
Failure to complete PTC system 16,000 25,000
installation on track segment where
PTC is required prior to 12/31/2015
Commencement of revenue service 16,000 25,000
prior to obtaining PTC System
Certification......................
Failure of the PTC system to perform 5,000 7,500
a safety-critical function required
by this section....................
Failure to provide notice, obtain 5,000 7,500
approval, or follow a condition for
temporary rerouting when required..
Exceeding the allowed percentage of 5,000 7,500
controlling locomotives operating
out of an initial terminal after
receiving a failed initialization..
236.1006 Equipping locomotives operating
in PTC territory:
Operating in PTC territory a 15,000 25,000
controlling locomotive without a
required and operative PTC onboard
apparatus..........................
Failure to report as prescribed by 5,000 7,500
this section.......................
Non-compliant operation of 15,000 25,000
unequipped trains in PTC territory.
236.1007 Additional requirements for
high-speed service:
Operation of passenger trains at 15,000 25,000
speed equal to or greater than 60
mph on non-PTC-equipped territory
where required.....................
Operation of freight trains at speed 15,000 25,000
equal to or greater than 50 mph on
non-PTC-equipped territory where
required...........................
Failure to fully implement incursion 5,000 7,500
protection where required..........
236.1009 Procedural requirements:
Failure to file PTCIP when required. 5,000 7,500
Failure to amend PTCIP when required 5,000 7,500
Failure to obtain Type Approval when 5,000 7,500
required...........................
Failure to update NPI............... 5,000 7,500
Operation of PTC system prior to 16,000 25,000
system certification...............
236.1011 PTCIP content requirements:
Failure to install a PTC system in 11,000 16,000
accordance with subpart I when so
required...........................
236.1013 PTCDP content requirements and
Type Approval:
Failure to maintain quality control 5,000 7,500
system.............................
Inappropriate use of Type Approval.. 5,000 7,500
236.1015 PTCSP content requirements and
PTC System Certification:
Failure to implement PTC system in 16,000 25,000
accordance with the associated
PTCSP and resultant system
certification......................
Failure to maintain PTC system in 16,000 25,000
accordance with the associated
PTCSP and resultant system
certification......................
Failure to maintain required 2,500 5,000
supporting documentation...........
236.1017 Independent third party
Verification and Validation:
Failure to conduct independent third 11,000 16,000
party Verification and Validation
when ordered.......................
236.1019 Main line track exceptions:
Revenue operations conducted in non- 16,000 25,000
compliance with the passenger
terminal exception.................
Revenue operations conducted in non- 16,000 25,000
compliance with the limited
operations exception...............
Failure to request modification of 11,000 16,000
the PTCIP or PTCSP when required...
Revenue operations conducted in 16,000 25,000
violation of (c)(2)................
Revenue operations conducted in 25,000 25,000
violation of (c)(3)................
236.1021 Discontinuances, material
modifications, and amendments:
Failure to update PTCDP when 5,000 7,500
required...........................
Failure to update PTCSP when 5,000 7,500
required...........................
Failure to immediately adopt and 5,000 7,500
comply with approved RFA...........
Discontinuance or modification of a 11,000 16,000
PTC system without approval when
required...........................
236.1023 Errors and malfunctions:
Railroad failure to provide proper 5,000 7,500
notification of PTC system error or
malfunction........................
Failure to maintain PTCPVL.......... 2,500 5,000
Supplier failure to provide proper 5,000 7,500
notification of previously
identified PTC system error or
malfunction........................
Failure to provide timely 5,000 7,500
notification.......................
Failure to provide appropriate 15,000 25,000
protective measures in the event of
PTC system failure.................
236.1027 Exclusions:
Integration of primary train control 5,000 7,500
system with locomotive electronic
system without approval............
236.1029 PTC system use and en route
failures:
Failure to determine cause of PTC 5,000 7,500
system component failure without
undue delay........................
Failure to adjust, repair, or 5,000 7,500
replace faulty PTC system component
without undue delay................
Failure to take appropriate action 15,000 25,000
pending adjustment, repair, or
replacement of faulty PTC system
component..........................
Non-compliant train operation within 5,000 7,500
PTC-equipped territory with
inoperative PTC onboard apparatus..
Interference with the normal 15,000 25,000
functioning of safety-critical PTC
system.............................
Improper arrangement of the PTC 2,500 5,000
system onboard apparatus...........
[[Page 2717]]
236.1033 Communications and security
requirements:
Failure to provide cryptographic 5,000 7,500
message integrity and
authentication.....................
Improper use of revoked 5,000 15,000
cryptographic key..................
Failure to protect cryptographic 5,000 15,000
keys from unauthorized disclosure,
modification, or substitution......
Failure to establish prioritized 5,000 7,500
service restoration and mitigation
plan for communication services....
236.1035 Field testing requirements:
Field testing without authorization 10,000 20,000
or approval........................
236.1037 Records retention:
Failure to maintain records and 7,500 15,000
databases as required..............
Failure to report inconsistency..... 10,000 20,000
Failure to take prompt 10,000 20,000
countermeasures....................
Failure to provide final report..... 2,500 5,000
236.1039 Operations and Maintenance
Manual:
Failure to implement and maintain 3,000 6,000
Operations and Maintenance Manual
as required........................
236.1043 Task analysis and basic
requirements:
Failure to develop and maintain an 10,000 20,000
acceptable training program........
Failure to train persons as required 2,500 5,000
Failure to conduct evaluation of 2,500 5,000
training program as required.......
Failure to maintain records as 1,500 3,000
required...........................
236.1045 Training specific to office
control personnel:
Failure to conduct training unique 2,500 5,000
to office control personnel........
236.1047 Training specific to locomotive
engineers and other operating
personnel:
Failure to conduct training unique 2,500 5,000
to locomotive engineers and other
operating personnel................
236.1049 Training specific to roadway
workers:
Failure to conduct training unique 2,500 5,000
to roadway workers.................
------------------------------------------------------------------------
0
13. Revise Appendix B to part 236 to read as follows:
Appendix B to Part 236--Risk Assessment Criteria
The safety-critical performance of each product for which risk
assessment is required under this part must be assessed in
accordance with the following minimum criteria or other criteria if
demonstrated to the Associate Administrator for Safety to be equally
suitable:
(a) How are risk metrics to be expressed? The risk metric for
the proposed product must describe with a high degree of confidence
the accumulated risk of a train control system that operates over
the designated life-cycle of the product. Each risk metric for the
proposed product must be expressed with an upper bound, as estimated
with a sensitivity analysis, and the risk value selected must be
demonstrated to have a high degree of confidence.
(b) How does the risk assessment handle interaction risks for
interconnected subsystems/components? The risk assessment of each
safety-critical system (product) must account not only for the risks
associated with each subsystem or component, but also for the risks
associated with interactions (interfaces) between such subsystems.
(c) What is the main principle in computing risk for the
previous and current conditions? The risk for the previous condition
must be computed using the same metrics as for the new system being
proposed. A full risk assessment must consider the entire railroad
environment where the product is being applied, and show all aspects
of the previous condition that are affected by the installation of
the product, considering all faults, operating errors, exposure
scenarios, and consequences that are related as described in this
part. For the full risk assessment, the total societal cost of the
potential numbers of accidents assessed for both previous and new
system conditions must be computed for comparison. An abbreviated
risk assessment must, as a minimum, clearly compute the MTTHE for
all of the hazardous events identified for both previous and current
conditions. The comparison between MTTHE for both conditions is to
determine whether the product implementation meets the safety
criteria as required by subpart H or subpart I of this part as
applicable.
(d) What major system characteristics must be included when
relevant to risk assessment? Each risk calculation must consider the
total signaling and train control system and method of operation, as
subjected to a list of hazards to be mitigated by the signaling and
train control system. The methodology requirements must include the
following major characteristics, when they are relevant to the
product being considered:
(1) Track plan infrastructure, switches, rail crossings at grade
and highway-rail grade crossings as applicable;
(2) Train movement density for freight, work, and passenger
trains where applicable and computed over a time span of not less
than 12 months;
(3) Train movement operational rules, as enforced by the
dispatcher, roadway worker/Employee in Charge, and train crew
behaviors;
(4) Wayside subsystems and components;
(5) Onboard subsystems and components;
(6) Consist contents such as hazardous material, oversize loads;
and
(7) Operating speeds if the provisions of part 236 cite
additional requirements for certain type of train control systems to
be used at such speeds for freight and passenger trains.
(e) What other relevant parameters must be determined for the
subsystems and components? In order to derive the frequency of
hazardous events (or MTTHE) applicable for a product, subsystem or
component included in the risk assessment, the railroad may use
various techniques, such as reliability and availability
calculations for subsystems and components, Fault Tree Analysis
(FTA) of the subsystems, and results of the application of safety
design principles as noted in Appendix C to this part. The MTTHE is
to be derived for both fail-safe and non-fail-safe subsystems or
components. The lower bounds of the MTTF or MTBF determined from the
system sensitivity analysis, which account for all necessary and
well justified assumptions, may be used to represent the estimate of
MTTHE for the associated non-fail-safe subsystem or component in the
risk assessment.
(f) How are processor-based subsystems/components assessed? (1)
An MTTHE value must be calculated for each processor-based subsystem
or component, or both, indicating the safety-critical behavior of
the integrated hardware/software subsystem or component, or both.
The human factor impact must be included in the assessment, whenever
applicable, to provide the integrated MTTHE value. The MTTHE
calculation must consider the rates of failures caused by permanent,
transient, and intermittent faults accounting for the fault coverage
of the integrated hardware/software subsystem or component, phased-
interval maintenance, and restoration of the detected failures.
(2) Software fault/failure analysis must be based on the
assessment of the design and implementation of all safety-related
software including the application code, its operating/executive
program, COTS software, and associated device drivers, as well as
historical performance data, analytical methods and experimental
safety-critical performance testing performed on the subsystem or
component. The software assessment process must demonstrate through
repeatable predictive results that all software defects have been
identified and
[[Page 2718]]
corrected by process with a high degree of confidence.
(g) How are non-processor-based subsystems/components assessed?
(1) The safety-critical behavior of all non-processor-based
components, which are part of a processor-based system or subsystem,
must be quantified with an MTTHE metric. The MTTHE assessment
methodology must consider failures caused by permanent, transient,
and intermittent faults, phase-interval maintenance and restoration
of operation after failures and the effect of fault coverage of each
non-processor-based subsystem or component.
(2) MTTHE compliance verification and validation must be based
on the assessment of the design for adequacy by a documented
verification and validation process, historical performance data,
analytical methods and experimental safety-critical performance
testing performed on the subsystem or component. The non-processor-
based quantification compliance must be demonstrated to have a high
degree of confidence.
(h) What assumptions must be documented for risk assessment? (1)
The railroad shall document any assumptions regarding the derivation
of risk metrics used. For example, for the full risk assessment, all
assumptions made about each value of the parameters used in the
calculation of total cost of accidents should be documented. For
abbreviated risk assessment, all assumptions made for MTHHE
derivation using existing reliability and availability data on the
current system components should be documented. The railroad shall
document these assumptions in such a form as to permit later
comparisons with in-service experience.
(2) The railroad shall document any assumptions regarding human
performance. The documentation shall be in such a form as to
facilitate later comparisons with in-service experience.
(3) The railroad shall document any assumptions regarding
software defects. These assumptions shall be in a form that permit
the railroad to project the likelihood of detecting an in-service
software defect. These assumptions shall be documented in such a
form as to permit later comparisons with in-service experience.
(4) The railroad shall document all of the identified safety-
critical fault paths to a mishap as predicted by the safety analysis
methodology. The documentation shall be in such a form as to
facilitate later comparisons with in-service faults.
0
14. Revise Appendix C to part 236 to read as follows:
Appendix C to Part 236--Safety Assurance Criteria and Processes
(a) What is the purpose of this appendix? This appendix provides
safety criteria and processes that the designer must use to develop
and validate the product that meets safety requirements of this
part. FRA uses the criteria and processes set forth in this appendix
to evaluate the validity of safety targets and the results of system
safety analyses provided in the RSPP, PSP, PTCIP, PTCDP, and PTCSP
documents as appropriate. An analysis performed under this appendix
must:
(1) Address each of the safety principles of paragraph (b) of
this appendix, or explain why they are not relevant, and
(2) Employ a validation and verification process pursuant to
paragraph (c) of this appendix.
(b) What safety principles must be followed during product
development? The designer shall address each of the following safety
considerations principles when designing and demonstrating the
safety of products covered by subpart H or I of this part. In the
event that any of these principles are not followed, the PSP or
PTCDP or PTCSP shall state both the reason(s) for departure and the
alternative(s) utilized to mitigate or eliminate the hazards
associated with the design principle not followed.
(1) System safety under normal operating conditions. The system
(all its elements including hardware and software) must be designed
to assure safe operation with no hazardous events under normal
anticipated operating conditions with proper inputs and within the
expected range of environmental conditions. All safety-critical
functions must be performed properly under these normal conditions.
The system shall operate safely even in the absence of prescribed
operator actions or procedures. The designer must identify and
categorize all hazards that may lead to unsafe system operation.
Hazards categorized as unacceptable, which are determined by hazard
analysis, must be eliminated by design. Best effort shall also be
made by the designer to eliminate by design the hazards categorized
as undesirable. Those undesirable hazards that cannot be eliminated
should be mitigated to the acceptable level as required by this
part.
(2) System safety under failures.
(i) It must be shown how the product is designed to eliminate or
mitigate unsafe systematic failures--those conditions which can be
attributed to human error that could occur at various stages
throughout product development. This includes unsafe errors in the
software due to human error in the software specification, design,
or coding phases; human errors that could impact hardware design;
unsafe conditions that could occur because of an improperly designed
human-machine interface; installation and maintenance errors; and
errors associated with making modifications.
(ii) The product must be shown to operate safely under
conditions of random hardware failures. This includes single
hardware failures as well as multiple hardware failures that may
occur at different times but remain undetected (latent) and react in
combination with a subsequent failure at a later time to cause an
unsafe operating situation. In instances involving a latent failure,
a subsequent failure is similar to there being a single failure. In
the event of a transient failure, and if so designed, the system
should restart itself if it is safe to do so. Frequency of attempted
restarts must be considered in the hazard analysis required by Sec.
236.907(a)(8).
(iii) There shall be no single point failures in the product
that can result in hazards categorized as unacceptable or
undesirable. Occurrence of credible single point failures that can
result in hazards must be detected and the product must achieve a
known safe state that eliminates the possibility of false activation
of any physical appliance.
(iv) If one non-self-revealing failure combined with a second
failure can cause a hazard that is categorized as unacceptable or
undesirable, then the second failure must be detected and the
product must achieve a known safe state that eliminates the
possibility of false activation of any physical appliance.
(v) Another concern of multiple failures involves common mode
failures in which two or more subsystems or components intended to
compensate one another to perform the same function all fail by the
same mode and result in unsafe conditions. This is of particular
concern in instances in which two or more elements (hardware or
software, or both) are used in combination to ensure safety. If a
common mode failure exists, then any analysis performed under this
appendix cannot rely on the assumption that failures are
independent. Examples include: The use of redundancy in which two or
more elements perform a given function in parallel and when one
(hardware or software) element checks/monitors another element (of
hardware or software) to help ensure its safe operation. Common mode
failure relates to independence, which must be ensured in these
instances. When dealing with the effects of hardware failure, the
designer shall address the effects of the failure not only on other
hardware, but also on the execution of the software, since hardware
failures can greatly affect how the software operates.
(3) Closed loop principle. System design adhering to the closed
loop principle requires that all conditions necessary for the
existence of any permissive state or action be verified to be
present before the permissive state or action can be initiated.
Likewise the requisite conditions shall be verified to be
continuously present for the permissive state or action to be
maintained. This is in contrast to allowing a permissive state or
action to be initiated or maintained in the absence of detected
failures. In addition, closed loop design requires that failure to
perform a logical operation, or absence of a logical input, output
or decision shall not cause an unsafe condition, i.e. system safety
does not depend upon the occurrence of an action or logical
decision.
(4) Safety assurance concepts. The product design must include
one or more of the following Safety Assurance Concepts as described
in IEEE-1483 standard to ensure that failures are detected and the
product is placed in a safe state. One or more different principles
may be applied to each individual subsystem or component, depending
on the safety design objectives of that part of the product.
(i) Design diversity and self-checking concept. This concept
requires that all critical functions be performed in diverse ways,
using diverse software operations and/or diverse hardware channels,
and that critical hardware be tested with Self-Checking routines.
Permissive outputs are allowed only if the results of the diverse
operations correspond, and the Self-Checking
[[Page 2719]]
process reveals no failures in either execution of software or in
any monitored input or output hardware. If the diverse operations do
not agree or if the checking reveals critical failures, safety-
critical functions and outputs must default to a known safe state.
(ii) Checked redundancy concept. The Checked Redundancy concept
requires implementation of two or more identical, independent
hardware units, each executing identical software and performing
identical functions. A means is to be provided to periodically
compare vital parameters and results of the independent redundant
units, requiring agreement of all compared parameters to assert or
maintain a permissive output. If the units do not agree, safety-
critical functions and outputs must default to a known safe state.
(iii) N-version programming concept. This concept requires a
processor-based product to use at least two software programs
performing identical functions and executing concurrently in a
cycle. The software programs must be written by independent teams,
using different tools. The multiple independently written software
programs comprise a redundant system, and may be executed either on
separate hardware units (which may or may not be identical) or
within one hardware unit. A means is to be provided to compare the
results and output states of the multiple redundant software
systems. If the system results do not agree, then the safety-
critical functions and outputs must default to a known safe state.
(iv) Numerical assurance concept. This concept requires that the
state of each vital parameter of the product or system be uniquely
represented by a large encoded numerical value, such that permissive
results are calculated by pseudo-randomly combining the
representative numerical values of each of the critical constituent
parameters of a permissive decision. Vital algorithms must be
entirely represented by data structures containing numerical values
with verified characteristics, and no vital decisions are to be made
in the executing software, only by the numerical representations
themselves. In the event of critical failures, the safety-critical
functions and outputs must default to a known safe state.
(v) Intrinsic fail-safe design concept. Intrinsically fail-safe
hardware circuits or systems are those that employ discrete
mechanical and/or electrical components. The fail-safe operation for
a product or subsystem designed using this principle concept
requires a verification that the effect of every relevant failure
mode of each component, and relevant combinations of component
failure modes, be considered, analyzed, and documented. This is
typically performed by a comprehensive failure modes and effects
analysis (FMEA) which must show no residual unmitigated failures. In
the event of critical failures, the safety-critical functions and
outputs must default to a known safe state.
(5) Human factor engineering principle. The product design must
sufficiently incorporate human factors engineering that is
appropriate to the complexity of the product; the educational,
mental, and physical capabilities of the intended operators and
maintainers; the degree of required human interaction with the
component; and the environment in which the product will be used.
(6) System safety under external influences. The product must be
shown to operate safely when subjected to different external
influences, including:
(i) Electrical influences such as power supply anomalies/
transients, abnormal/improper input conditions (e.g., outside of
normal range inputs relative to amplitude and frequency, unusual
combinations of inputs) including those related to a human operator,
and others such as electromagnetic interference or electrostatic
discharges, or both;
(ii) Mechanical influences such as vibration and shock; and
(iii) Climatic conditions such as temperature and humidity.
(7) System safety after modifications. Safety must be ensured
following modifications to the hardware or software, or both. All or
some of the concerns identified in this paragraph may be applicable
depending upon the nature and extent of the modifications. Such
modifications must follow all of the concept, design, implementation
and test processes and principles as documented in the PSP for the
original product. Regression testing must be comprehensive and
documented to include all scenarios which are affected by the change
made, and the operating modes of the changed product during normal
and failure state (fallback) operation.
(c) What standards are acceptable for Verification and
Validation? (1) The standards employed for Verification or
Validation, or both, of products subject to this subpart must be
sufficient to support achievement of the applicable requirements of
subpart H and subpart I of this part.
(2) U.S. Department of Defense Military Standard (MIL-STD) 882C,
``System Safety Program Requirements'' (January 19, 1993), is
recognized as providing appropriate risk analysis processes for
incorporation into verification and validation standards.
(3) The following standards designed for application to
processor-based signal and train control systems are recognized as
acceptable with respect to applicable elements of safety analysis
required by subpart H and subpart I of this part. The latest
versions of the standards listed below should be used unless
otherwise provided.
(i) IEEE standards as follows:
(A) IEEE 1483-2000, Standard for the Verification of Vital
Functions in Processor-Based Systems Used in Rail Transit Control.
(B) IEEE 1474.2-2003, Standard for user interface requirements
in communications based train control (CBTC) systems.
(C) IEEE 1474.1-2004, Standard for Communications-Based Train
Control (CBTC) Performance and Functional Requirements.
(ii) CENELEC Standards as follows:
(A) EN50129: 2003, Railway Applications: Communications,
Signaling, and Processing Systems-Safety Related Electronic Systems
for Signaling; and
(B) EN50155:2001/A1:2002, Railway Applications: Electronic
Equipment Used in Rolling Stock.
(iii) ATCS Specification 200 Communications Systems
Architecture.
(iv) ATCS Specification 250 Message Formats.
(v) AREMA 2009 Communications and Signal Manual of Recommended
Practices, Part 16, Part 17, 21, and 23.
(vi) Safety of High-Speed Ground Transportation Systems.
Analytical Methodology for Safety Validation of Computer Controlled
Subsystems. Volume II: Development of a Safety Validation
Methodology. Final Report September 1995. Author: Jonathan F.
Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
(vii) IEC 61508 (International Electrotechnical Commission),
Functional Safety of Electrical/Electronic/Programmable/Electronic
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
(A) IEC 61508-1 (1998-12) Part 1: General requirements and IEC
61508-1 Corr. (1999-05) Corrigendum 1--Part 1: General Requirements.
(B) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/
electronic/programmable electronic safety-related systems.
(C) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC
61508-3 Corr. 1 (1999-04) Corrigendum 1--Part 3: Software
requirements.
(D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations
and IEC 61508-4 Corr. 1 (1999-04) Corrigendum 1--Part 4: Definitions
and abbreviations.
(E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the
determination of safety integrity levels and IEC 61508-5 Corr. 1
(1999-04) Corrigendum 1--Part 5: Examples of methods for
determination of safety integrity levels.
(F) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications
of IEC 61508-2 and -3.
(G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and
measures.
(H) IEC 62278: 2002, Railway Applications: Specification and
Demonstration of Reliability, Availability, Maintainability and
Safety (RAMS);
(I) IEC 62279: 2002 Railway Applications: Software for Railway
Control and Protection Systems;
(4) Use of unpublished standards, including proprietary
standards, is authorized to the extent that such standards are shown
to achieve the requirements of this part. However, any such
standards shall be available for inspection and replication by FRA
and for public examination in any public proceeding before the FRA
to which they are relevant.
(5) The various standards provided in this paragraph are for
illustrative purposes only. Copies of these standards can be
obtained in accordance with the following:
(i) U.S. government standards and technical publications may be
obtained by contacting the federal National Technical Information
Service, 5301 Shawnee Rd, Alexandria, VA 22312.
(ii) U.S. National Standards may be obtained by contacting the
American
[[Page 2720]]
National Standards Institute, 25 West 43rd Street, 4 Floor, New
York, NY 10036.
(iii) IEC Standards may be obtained by contacting the
International Electrotechnical Commission, 3, rue de Varemb[eacute],
P.O. Box 131 CH--1211, GENEVA, 20, Switzerland.
(iv) CENLEC Standards may be obtained by contacting any of one
the national standards bodies that make up the European Committee
for Electrotechnical Standardization.
(v) IEEE standards may be obtained by contacting the IEEE
Publications Office, 10662 Los Vaqueros Circle, P.O. Box 3014, Los
Alamitos, CA 90720-1264.
(vi) AREMA standards may be obtained from the American Railway
Engineering and Maintenance-of-Way Association, 10003 Derekwood
Lane, Suite 210, Lanham, MD 20706.
0
15. Revise Appendix D to part 236 to read as follows:
Appendix D to Part 236--Independent Review of Verification and
Validation
(a) This appendix provides minimum requirements for independent
third-party assessment of product safety verification and validation
pursuant to subpart H or subpart I of this part. The goal of this
assessment is to provide an independent evaluation of the product
manufacturer's utilization of safety design practices during the
product's development and testing phases, as required by any
mutually agreed upon controlling documents and standards and the
applicable railroad's:
(1) Railroad Safety Program Plan (RSPP) and Product Safety Plan
(PSP) for processor based systems developed under subpart H or,
(2) PTC Product Development Plan (PTCDP) and PTC Safety Plan
(PTCSP) for PTC systems developed under subpart I.
(b) The supplier may request advice and assistance of the
reviewer concerning the actions identified in paragraphs (c) through
(g) of this appendix. However, the reviewer shall not engage in any
design efforts associated with the product, the products subsystems,
or the products components, in order to preserve the reviewer's
independence and maintain the supplier's proprietary right to the
product.
(c) The supplier shall provide the reviewer access to any and
all documentation that the reviewer requests and attendance at any
design review or walkthrough that the reviewer determines as
necessary to complete and accomplish the third party assessment. The
reviewer may be accompanied by representatives of FRA as necessary,
in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate the product with respect to
safety and comment on the adequacy of the processes which the
supplier applies to the design and development of the product. At a
minimum, the reviewer shall compare the supplier processes with
acceptable validation and verification methodology and employ any
other such tests or comparisons if they have been agreed to
previously with FRA. Based on these analyses, the reviewer shall
identify and document any significant safety vulnerabilities which
are not adequately mitigated by the supplier's (or user's)
processes. Finally, the reviewer shall evaluate and document the
adequacy of the railroad's
(1) RSPP, the PSP, and any other documents pertinent to a
product being developed under subpart H of this part; or
(2) PTCDP and PTCSP for systems being developed under subpart I
of this part.
(e) The reviewer shall analyze the Hazard Log and/or any other
hazard analysis documents for comprehensiveness and compliance with
applicable railroad, vendor, supplier, industry, national, and
international standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA),
Failure Mode and Effects Criticality Analysis (FMECA), and other
hazard analyses for completeness, correctness, and compliance with
applicable railroad, vendor, supplier, industry, national and
international standards.
(g) The reviewer shall randomly select various safety-critical
software, and hardware modules, if directed by FRA, for audit to
verify whether the requirements of the applicable railroad, vendor,
supplier, industry, national, and international standards were
followed. The number of modules audited must be determined as a
representative number sufficient to provide confidence that all
unaudited modules were developed in compliance with the applicable
railroad, vendor, supplier, industry, national, and international
standards.
(h) The reviewer shall evaluate and comment on the plan for
installation and test procedures of the product for revenue service.
(i) The reviewer shall prepare a final report of the assessment.
The report shall be submitted to the railroad prior to the
commencement of installation testing and contain at least the
following information:
(1) Reviewer's evaluation of the adequacy of the PSP in the case
of products developed under subpart H, or PTCSP for products
developed under subpart I of this part, including the supplier's
MTTHE and risk estimates for the product, and the supplier's
confidence interval in these estimates;
(2) Product vulnerabilities, potentially hazardous failure
modes, or potentially hazardous operating circumstances which the
reviewer felt were not adequately identified, tracked, mitigated,
and corrected by either the vendor or supplier or the railroad;
(3) A clear statement of position for all parties involved for
each product vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by
the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, supplier, industry,
national, or international standard, procedure or process which was
not properly followed;
(6) Identification of the software verification and validation
procedures, as well as the hardware verification validation
procedures if deemed appropriate by FRA, for the product's safety-
critical applications, and the reviewer's evaluation of the adequacy
of these procedures;
(7) Methods employed by the product manufacturer to develop
safety-critical software;
(8) If deemed applicable by FRA, the methods employed by the
product manufacturer to develop safety-critical hardware by
generally acceptable techniques;
(9) Method by which the supplier or railroad addresses
comprehensiveness of the product design which considers the safety
elements listed in paragraph (b) of appendix C to this part.
0
16. Revise Appendix E to part 236 to read as follows:
Appendix E to Part 236--Human-Machine Interface (HMI) Design
(a) This appendix provides human factors design criteria
applicable to both subpart H and subpart I of this part. HMI design
criteria will minimize negative safety effects by causing designers
to consider human factors in the development of HMIs. The product
design should sufficiently incorporate human factors engineering
that is appropriate to the complexity of the product; the gender,
educational, mental, and physical capabilities of the intended
operators and maintainers; the degree of required human interaction
with the component; and the environment in which the product will be
used.
(b) As used in this section, ``designer'' means anyone who
specifies requirements for--or designs a system or subsystem, or
both, for--a product subject to subpart H or subpart I of this part,
and ``operator'' means any human who is intended to receive
information from, provide information to, or perform repairs or
maintenance on a safety-critical product subject to subpart H or I
of this part.
(c) Human factors issues the designers must consider with regard
to the general function of a system include:
(1) Reduced situational awareness and over-reliance. HMI design
must give an operator active functions to perform, feedback on the
results of the operator's actions, and information on the automatic
functions of the system as well as its performance. The operator
must be ``in-the-loop.'' Designers must consider at a minimum the
following methods of maintaining an active role for human operators:
(i) The system must require an operator to initiate action to
operate the train and require an operator to remain ``in-the-loop''
for at least 30 minutes at a time;
(ii) The system must provide timely feedback to an operator
regarding the system's automated actions, the reasons for such
actions, and the effects of the operator's manual actions on the
system;
(iii) The system must warn operators in advance when it requires
an operator to take action;
(iv) HMI design must equalize an operator's workload; and
(v) HMI design must not distract from the operator's safety
related duties.
(2) Expectation of predictability and consistency in product
behavior and communications. HMI design must accommodate an
operator's expectation of logical and consistent relationships
between actions and results. Similar objects must behave
consistently when an operator performs the same action upon them.
[[Page 2721]]
(3) End user limited ability to process information. HMI design
must therefore minimize an operator's information processing load.
To minimize information processing load, the designer must:
(i) Present integrated information that directly supports the
variety and types of decisions that an operator makes;
(ii) Provide information in a format or representation that
minimizes the time required to understand and act; and
(iii) Conduct utility tests of decision aids to establish clear
benefits such as processing time saved or improved quality of
decisions.
(4) End user limited memory. HMI design must therefore minimize
an operator's information processing load.
(i) To minimize short-term memory load, the designer shall
integrate data or information from multiple sources into a single
format or representation (``chunking'') and design so that three or
fewer ``chunks'' of information need to be remembered at any one
time.
(ii) To minimize long-term memory load, the designer shall
design to support recognition memory, design memory aids to minimize
the amount of information that must be recalled from unaided memory
when making critical decisions, and promote active processing of the
information.
(d) Design systems that anticipate possible user errors and
include capabilities to catch errors before they propagate through
the system;
(1) Conduct cognitive task analyses prior to designing the
system to better understand the information processing requirements
of operators when making critical decisions; and
(2) Present information that accurately represents or predicts
system states.
(e) When creating displays and controls, the designer must
consider user ergonomics and shall:
(1) Locate displays as close as possible to the controls that
affect them;
(2) Locate displays and controls based on an operator's
position;
(3) Arrange controls to minimize the need for the operator to
change position;
(4) Arrange controls according to their expected order of use;
(5) Group similar controls together;
(6) Design for high stimulus-response compatibility (geometric
and conceptual);
(7) Design safety-critical controls to require more than one
positive action to activate (e.g., auto stick shift requires two
movements to go into reverse);
(8) Design controls to allow easy recovery from error; and
(9) Design display and controls to reflect specific gender and
physical limitations of the intended operators.
(f) The designer shall also address information management. To
that end, HMI design shall:
(1) Display information in a manner which emphasizes its
relative importance;
(2) Comply with the ANSI/HFS 100-1988 standard;
(3) Utilize a display luminance that has a difference of at
least 35cd/m2 between the foreground and background (the displays
should be capable of a minimum contrast 3:1 with 7:1 preferred, and
controls should be provided to adjust the brightness level and
contrast level);
(4) Display only the information necessary to the user;
(5) Where text is needed, use short, simple sentences or phrases
with wording that an operator will understand and appropriate to the
educational and cognitive capabilities of the intended operator;
(6) Use complete words where possible; where abbreviations are
necessary, choose a commonly accepted abbreviation or consistent
method and select commonly used terms and words that the operator
will understand;
(7) Adopt a consistent format for all display screens by placing
each design element in a consistent and specified location;
(8) Display critical information in the center of the operator's
field of view by placing items that need to be found quickly in the
upper left hand corner and items which are not time-critical in the
lower right hand corner of the field of view;
(9) Group items that belong together;
(10) Design all visual displays to meet human performance
criteria under monochrome conditions and add color only if it will
help the user in performing a task, and use color coding as a
redundant coding technique;
(11) Limit the number of colors over a group of displays to no
more than seven;
(12) Design warnings to match the level of risk or danger with
the alerting nature of the signal; and
(13) With respect to information entry, avoid full QWERTY
keyboards for data entry.
(g) With respect to problem management, the HMI designer shall
ensure that the:
(1) HMI design must enhance an operator's situation awareness;
(2) HMI design must support response selection and scheduling;
and
(3) HMI design must support contingency planning.
(h) Ensure that electronics equipment radio frequency emissions
are compliant with appropriate Federal Communications Commission
regulations. The FCC rules and regulations are codified in Title 47
of the Code of Federal Regulations (CFR).
(1) Electronics equipment must have appropriate FCC Equipment
Authorizations. The following documentation is applicable to
obtaining FCC Equipment Authorization:
(i) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987
issue) FCC Equipment Authorization Program for Radio Frequency
Devices. This document provides an overview of the equipment
authorization program to control radio interference from radio
transmitters and certain other electronic products and an overview
of how to obtain an equipment authorization.
(ii) OET Bulletin 63: (October 1993) Understanding The FCC Part
15 Regulations for Low Power, Non-Licensed Transmitters. This
document provides a basic understanding of the FCC regulations for
low power, unlicensed transmitters, and includes answers to some
commonly-asked questions. This edition of the bulletin does not
contain information concerning personal communication services (PCS)
transmitters operating under Part 15, Subpart D of the rules.
(iii) 47 Code of Federal Regulations Parts 0 to 19. The FCC
rules and regulations governing PCS transmitters may be found in 47
CFR, Parts 0 to 19.
(iv) OET Bulletin 62 (December 1993) Understanding The FCC
Regulations for Computers and other Digital Devices. This document
has been prepared to provide a basic understanding of the FCC
regulations for digital (computing) devices, and includes answers to
some commonly-asked questions.
(2) Designers must comply with FCC requirements for Maximum
Permissible Exposure limits for field strength and power density for
the transmitters operating at frequencies of 300 kHz to 100 GHz and
specific absorption rate (SAR) limits for devices operating within
close proximity to the body. The Commission's requirements are
detailed in parts 1 and 2 of the FCC's Rules and Regulations (47 CFR
1.1307(b), 1.1310, 2.1091, 2.1093). The following documentation is
applicable to demonstrating whether proposed or existing
transmitting facilities, operations or devices comply with limits
for human exposure to radiofrequency RF fields adopted by the FCC:
(i) OET Bulletin No. 65 (Edition 97-01, August 1997),
``Evaluating Compliance With FCC Guidelines For Human Exposure To
Radiofrequency Electromagnetic Fields'',
(ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August
1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997)
and
(iii) OET Bulletin No 65 Supplement C (Edition 01-01, June
2001).
(3) The bulletin and supplements offer guidelines and
suggestions for evaluating compliance. However, they are not
intended to establish mandatory procedures. Other methods and
procedures may be acceptable if based on sound engineering practice.
0
17. Add an Appendix F to part 236 to read as follows:
Appendix F to Part 236--Minimum Requirements of FRA Directed
Independent Third-Party Assessment of PTC System Safety Verification
and Validation
(a) This appendix provides minimum requirements for mandatory
independent third-party assessment of PTC system safety verification
and validation pursuant to subpart H or I of this part. The goal of
this assessment is to provide an independent evaluation of the PTC
system manufacturer's utilization of safety design practices during
the PTC system's development and testing phases, as required by the
applicable PSP, PTCDP, and PTCSP, the applicable requirements of
subpart H or I of this part, and any other previously agreed-upon
controlling documents or standards.
(b) The supplier may request advice and assistance of the
independent third-party reviewer concerning the actions identified
in paragraphs (c) through (g) of this appendix. However, the
reviewer should not engage in design efforts in order to preserve
the reviewer's independence and maintain the
[[Page 2722]]
supplier's proprietary right to the PTC system.
(c) The supplier shall provide the reviewer access to any and
all documentation that the reviewer requests and attendance at any
design review or walkthrough that the reviewer determines as
necessary to complete and accomplish the third party assessment. The
reviewer may be accompanied by representatives of FRA as necessary,
in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate with respect to safety and
comment on the adequacy of the processes which the supplier applies
to the design and development of the PTC system. At a minimum, the
reviewer shall evaluate the supplier design and development process
regarding the use of an appropriate design methodology. The reviewer
may use the comparison processes and test procedures that have been
previously agreed to with FRA. Based on these analyses, the reviewer
shall identify and document any significant safety vulnerabilities
which are not adequately mitigated by the supplier's (or user's)
processes. Finally, the reviewer shall evaluate the adequacy of the
railroad's applicable PSP or PTCSP, and any other documents
pertinent to the PTC system being assessed.
(e) The reviewer shall analyze the Hazard Log and/or any other
hazard analysis documents for comprehensiveness and compliance with
railroad, vendor, supplier, industry, national, or international
standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA),
Failure Mode and Effects Criticality Analysis (FMECA), and other
hazard analyses for completeness, correctness, and compliance with
railroad, vendor, supplier, industry, national, or international
standards.
(g) The reviewer shall randomly select various safety-critical
software modules, as well as safety-critical hardware components if
required by FRA for audit to verify whether the railroad, vendor,
supplier, industry, national, or international standards were
followed. The number of modules audited must be determined as a
representative number sufficient to provide confidence that all
unaudited modules were developed in compliance with railroad,
vendor, supplier, industry, national, or international standards
(h) The reviewer shall evaluate and comment on the plan for
installation and test procedures of the PTC system for revenue
service.
(i) The reviewer shall prepare a final report of the assessment.
The report shall be submitted to the railroad prior to the
commencement of installation testing and contain at least the
following information:
(1) Reviewer's evaluation of the adequacy of the PSP or PTCSP
including the supplier's MTTHE and risk estimates for the PTC
system, and the supplier's confidence interval in these estimates;
(2) PTC system vulnerabilities, potentially hazardous failure
modes, or potentially hazardous operating circumstances which the
reviewer felt were not adequately identified, tracked or mitigated;
(3) A clear statement of position for all parties involved for
each PTC system vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by
the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, supplier, industry,
national or international standard, process, or procedure which was
not properly followed;
(6) Identification of the hardware and software verification and
validation procedures for the PTC system's safety-critical
applications, and the reviewer's evaluation of the adequacy of these
procedures;
(7) Methods employed by PTC system manufacturer to develop
safety-critical software; and
(8) If directed by FRA, methods employed by PTC system
manufacturer to develop safety-critical hardware.
Issued in Washington, DC, on December 30, 2009.
Joseph C. Szabo,
Administrator.
[FR Doc. E9-31362 Filed 1-12-10; 11:15 am]
BILLING CODE 4910-06-P