[Federal Register Volume 75, Number 10 (Friday, January 15, 2010)]
[Rules and Regulations]
[Pages 2598-2722]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-31362]



[[Page 2597]]

-----------------------------------------------------------------------

Part II





Department of Transportation





-----------------------------------------------------------------------



Federal Railroad Administration



-----------------------------------------------------------------------



49 CFR Part 229, 234, 235, et al.



Positive Train Control Systems; Final Rule

  Federal Register / Vol. 75 , No. 10 / Friday, January 15, 2010 / 
Rules and Regulations  

[[Page 2598]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Railroad Administration

49 CFR Parts 229, 234, 235, and 236

[Docket No. FRA-2008-0132, Notice No. 3]
RIN 2130-AC03


Positive Train Control Systems

AGENCY: Federal Railroad Administration (FRA), Department of 
Transportation (DOT).

ACTION: Final rule; request for comment on specific issues.

-----------------------------------------------------------------------

SUMMARY: FRA is issuing regulations implementing a requirement of the 
Rail Safety Improvement Act of 2008 that defines criteria for certain 
passenger and freight rail lines requiring the implementation of 
positive train control (PTC) systems. This final rule includes required 
functionalities of PTC system technology and the means by which PTC 
systems will be certified. This final rule also describes the contents 
of the PTC implementation plans required by the statute and contains 
the process for submission of those plans for review and approval by 
FRA. These regulations could also be voluntarily complied with by 
entities not mandated to install PTC systems. This is a final rule; 
however, FRA has identified specific provisions for which we are 
considering making changes to the final rule, if warranted by the 
public comments received. We expect to publish our response to those 
comments, including any possible changes to the rule made as a result 
of them, as soon as possible following the end of the comment period. 
However, the limited areas of this rule open for additional comment do 
not affect the requirement for railroads to prepare and submit plans in 
accordance with the deadlines established in this final rule.

DATES: This final rule is effective March 16, 2010. Petitions for 
reconsideration must be received on or before March 16, 2010. Comments 
must be received on or before February 16, 2010.

ADDRESSES: Petitions for reconsideration and comments: Any petitions 
for reconsideration or comments related to Docket No. FRA-2008-0132, 
may be submitted by any of the following methods:
     Web site: The Federal eRulemaking Portal, http://www.regulations.gov. Follow the Web site's online instructions for 
submitting comments.
     Fax: 202-493-2251.
     Mail: Docket Management Facility, U.S. Department of 
Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 
20590.
     Hand Delivery: Room W12-140 on the Ground level of the 
West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 
a.m. and 5 p.m. Monday through Friday, except Federal holidays.
    Instructions: All submissions must include the agency name and 
docket number or Regulatory Identification Number (RIN) for this 
rulemaking. Note that all petitions received will be posted without 
change to http://www.regulations.gov including any personal 
information. Please see the Privacy Act heading in the SUPPLEMENTARY 
INFORMATION section of this document for Privacy Act information 
related to any submitted petitions, comments, or materials.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov or to Room W12-140 
on the Ground level of the West Building, 1200 New Jersey Avenue, SE., 
Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except 
Federal holidays.

FOR FURTHER INFORMATION CONTACT: Thomas McFarlin, Office of Safety 
Assurance and Compliance, Staff Director, Signal & Train Control 
Division, Federal Railroad Administration, Mail Stop 25, West Building 
3rd Floor, Room W35-332, 1200 New Jersey Avenue, SE., Washington, DC 
20590 (telephone: 202-493-6203); or Jason Schlosberg, Trial Attorney, 
Office of Chief Counsel, RCC-10, Mail Stop 10, West Building 3rd Floor, 
Room W31-217, 1200 New Jersey Avenue, SE., Washington, DC 20590 
(telephone: 202-493-6032).

SUPPLEMENTARY INFORMATION: FRA is issuing this final rule to provide 
regulatory guidance and performance standards for the development, 
testing, implementation, and use of Positive Train Control (PTC) 
systems for railroads mandated by the Rail Safety Improvement Act of 
2008 Sec.  104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008) 
(codified at 9 U.S.C. 20157) (hereinafter ``RSIA08''), to implement PTC 
systems. These regulations may also be voluntarily complied with by 
entities not mandated to install PTC in lieu of the requirements 
contained in subpart H of part 236. The final rule establishes 
requirements for PTC system standard design and functionality, the 
associated submissions for FRA PTC system approval and certification, 
requirements for training, and required risk-based criteria. The RSIA08 
mandates that widespread implementation of PTC across a major portion 
of the U.S. rail industry be accomplished by December 31, 2015. This 
final rule intends to provide the necessary Federal oversight, 
guidance, and assistance toward successful completion of that 
congressional requirement. This final rule also necessitates or results 
in some minimal revision or amendment to parts 229, 234, and 235, as 
well as previously existing subparts A through H of part 236.

Table of Contents for Supplementary Information

I. Introduction
II. Background
    A. The Need for Positive Train Control Technology
    B. Earlier Efforts To Encourage Voluntary PTC Implementation
    C. Technology Advances Under Subpart H
III. The Rail Safety Improvement Act of 2008
IV. Public Participation
    A. RSAC Process
    B. Public Hearing and Comments Filed
V. Overview: The Proposed Rule, Comments, and Resolution of Comments
VI. Seeking Further Comments
VII. Section-by-Section Analysis
VIII. Regulatory Impact and Notices
    A. Executive Order 12866 and DOT Regulatory Policies and 
Procedures
    B. Regulatory Flexibility Act and Executive Order 13272
    C. Paperwork Reduction Act
    D. Federalism Implications
    E. Environmental Impact
    F. Unfunded Mandates Reform Act of 1995
    G. Energy Impact
    H. Privacy Act
IX. The Rule

I. Introduction

    This final rule provides new performance standards for the 
implementation and operation of PTC systems as mandated by the RSIA08 
and as otherwise voluntarily adopted. This final rule also details the 
process and identifies the documents that railroads and operators of 
passenger trains are to utilize and incorporate in their PTC 
implementation plans required by the RSIA08. The final rule also 
details the process and procedure for obtaining FRA approval of such 
plans.
    While developing this final rule, FRA applied the performance-based 
principles embodied in existing subpart H of part 236 to identify and 
remedy any weaknesses discovered in the subpart H regulatory approach, 
while exploiting lessons learned from products developed under subpart 
H. FRA has continued to make performance-based safety decisions while 
supporting railroads in their development and implementation of PTC 
system technologies. Development of this final rule was enhanced with 
the participation of the Railroad Safety

[[Page 2599]]

Advisory Committee (RSAC), which tasked a PTC Working Group to provide 
advice regarding development of implementing regulations for PTC 
systems and their deployment that are required under the RSIA08. The 
PTC Working Group made a number of consensus recommendations, which 
were identified and included in the proposed rule, and has contributed 
further refinements in the form of recommendations for resolution of 
the public comments. The preamble discusses the statutory background, 
the regulatory background, the RSAC proceedings, the alternatives 
considered and the rationale for the options selected, the proceedings 
to date, as well as the comments and conclusions on general issues. 
Other comments and resolutions are discussed within the corresponding 
section-by-section analysis.

II. Background

A. The Need for Positive Train Control Technology

    Since the early 1920s, systems have been in use that can intervene 
in train operations by warning crews or causing trains to stop if they 
are not being operated safely because of inattention, misinterpretation 
of wayside signal indications, or incapacitation of the crew. Pursuant 
to orders of the Interstate Commerce Commission (ICC)--whose safety 
regulatory activities were later transferred to FRA when it was 
established in 1967--cab signal systems, automatic train control, and 
automatic train stop systems were deployed on a significant portion of 
the national rail system to supplement and enforce the indications of 
wayside signals and operating speed limitations. However, these systems 
were expensive to install and maintain, and with the decline of 
intercity passenger service following the Second World War, the ICC and 
the industry allowed many of these systems to be discontinued. During 
this period, railroads were heavily regulated with respect to rates and 
service responsibilities. The development of the Interstate Highway 
System and other factors led to reductions in the railroads' revenues 
without regulatory relief, leading to bankruptcies, railroad mergers, 
and eventual abandonment of many rail lines. Consequently, railroads 
focused on fiscal survival, and investments in expensive relay-based 
train control technology were economically out of reach. The removal of 
these train control systems, which had never been pervasively 
installed, permitted train collisions to continue, notwithstanding 
enforcement of railroad operating rules designed to prevent them.
    As early as 1970, following its investigation of the August 20, 
1969, head-on collision of two Penn Central Commuter trains near 
Darien, Connecticut, in which 4 people were killed and 45 people were 
injured, the National Transportation Safety Board (NTSB) asked FRA to 
study the feasibility of requiring a form of automatic train control 
system to protect against train operator error and prevent train 
collisions. Following the Darien accident, the NTSB continued to 
investigate one railroad accident after another caused by human error. 
During the next two decades, the NTSB issued a number of safety 
recommendations asking for train control measures. Following its 
investigation of the May 7, 1986, rear-end collision involving a Boston 
and Maine Corporation commuter train and a Consolidated Rail 
Corporation (Conrail) freight train in which 153 people were injured, 
the NTSB recommended that FRA promulgate standards to require the 
installation and operation of a train control system that would provide 
for positive train separation. NTSB Recommendation R-87-16 (May 19, 
1987), available at http://www.ntsb.gov/Recs/letters/1987/R87_16.pdf. 
When the NTSB first established its Most Wanted List of Transportation 
Safety Improvements in 1990, the issue of Positive Train Separation was 
among the improvements listed, and it remained on the list until just 
after enactment of the RSIA08. Original ``Most Wanted'' list of 
Transportation Safety Improvements, as adopted September 1990, 
available at http://www.ntsb.gov/Recs/mostwanted/original_list.htm. 
The NTSB continues to follow the progress of the technology's 
implementation closely and participated through staff in the most 
recent PTC Working Group deliberations.
    Meanwhile, enactment of the Staggers Rail Act of 1980 signaled a 
shift in public policy that permitted the railroads to shed 
unprofitable lines, largely replace published ``tariffs'' with 
appropriately priced contract rates, and generally respond to 
marketplace realities, which increasingly demanded flexible service 
options responsive to customer needs. The advent of microprocessor-
based electronic control systems and digital data radio technology 
during the mid-1980s led the freight railroad industry, through the 
Association of American Railroads (AAR) and the Railway Association of 
Canada, to explore the development of Advanced Train Control Systems 
(ATCS). With broad participation by suppliers, railroads, and FRA, 
detailed specifications were developed for a multi-level ``open'' 
architecture that would permit participation by many suppliers while 
ensuring that systems deployed on various railroads would work in 
harmony as trains crossed corporate boundaries. ATCS was intended to 
serve a variety of business purposes, in addition to enhancing the 
safety of train operations. Pilot versions of ATCS and a similar system 
known as Advanced Railroad Electronic Systems (ARES) were tested 
relatively successfully, but the systems were never deployed on a wide 
scale primarily due to cost. However, sub-elements of these systems 
were employed for various purposes, particularly for replacement of 
pole lines associated with signal systems.
    Collisions, derailments, and incursions into work zones used by 
roadway workers continued as a result of the absence of effective 
enforcement systems designed to compensate for the effects of fatigue 
and other human factors. Renewed emphasis on rules compliance and 
federal regulatory initiatives, including rules for the control of 
alcohol and drug use in railroad operations, operational testing and 
inspection programs designed to verify railroad rules compliance, 
requirements for qualification and certification of locomotive 
engineers, and negotiated rules for roadway worker protection, led to 
substantial reductions in risk. However, the lack of an effective 
collision avoidance system allowed the continued occurrence of 
accidents, some involving tragic losses of life, serious injury, and 
significant property damage.

B. Earlier Efforts To Encourage Voluntary PTC Implementation

    As the NTSB continued to highlight the opportunities for accident 
prevention associated with emerging train control technology through 
its investigations and findings, Congress showed increasing interest, 
mandating three separate reports over the period of a decade. In 1994, 
FRA reported to Congress on this problem, calling for implementation of 
an action plan to deploy PTC systems (Report to Congress on Railroad 
Communications and Train Control (July 1994) (hereinafter ``1994 
Report'')). The 1994 Report forecasted substantial benefits of advanced 
train control technology in supporting a variety of business and safety 
purposes, but noted that an immediate regulatory mandate for PTC could 
not be justified based upon normal cost-benefit principles relying on 
direct safety

[[Page 2600]]

benefits. The report outlined an aggressive Action Plan implementing a 
public-private sector partnership to explore technology potential, 
deploy systems for demonstration, and structure a regulatory framework 
to support emerging PTC initiatives.
    Following through on the 1994 Report, FRA committed approximately 
$40 million through the Next Generation High-Speed Rail Program and the 
Research and Development Program to support development, testing, and 
deployment of PTC prototype systems in the Pacific Northwest, Michigan, 
Illinois, Alaska, and on some Eastern railroads. FRA also initiated a 
comprehensive effort to structure an appropriate regulatory framework 
for facilitating voluntary implementation of PTC and for evaluating 
future safety needs and opportunities.
    In September of 1997, FRA asked the RSAC to address the issue of 
PTC. The RSAC accepted three tasks: Standards for New Train Control 
Systems (Task 1997-06), Positive Train Control Systems-Implementation 
Issues (Task 1997-05), and Positive Train Control Systems-Technologies, 
Definitions, and Capabilities (Task 1997-04). The PTC Working Group was 
established, comprised of representatives of labor organizations, 
suppliers, passenger and freight railroads, other federal agencies, and 
interested state departments of transportation. The PTC Working Group 
was supported by FRA counsel and staff, analysts from the Volpe 
National Transportation Systems Center (Volpe Center), and advisors 
from the NTSB staff.
    In 1999, the PTC Working Group provided to the Federal Railroad 
Administrator a consensus report (Report of the Railroad Safety 
Advisory Committee to the Federal Railroad Administrator, 
Implementation of Positive Train Control Systems (August 1999) 
(hereinafter ``1999 Report'')) with an indication that it would be 
continuing its efforts. The 1999 Report defined the PTC core functions 
to include: prevention of train-to-train collisions (positive train 
separation); enforcement of speed restrictions, including civil 
engineering restrictions (curves, bridges, etc.) and temporary slow 
orders; and protection for roadway workers and their equipment 
operating within their limits of authority. The PTC Working Group 
identified additional safety functions that might be included in some 
PTC architectures: provide warning of on-track equipment operating 
outside their limits of authority; receive and act upon hazard 
information, when available, in a more timely or more secure manner 
(e.g., compromised bridge integrity, wayside detector data); and 
provide for future capability by generating data for transfer to 
highway users to enhance warning at highway-rail grade crossings. The 
PTC Working Group stressed that efforts to enhance highway-rail grade 
crossing safety must recognize the train's necessary right of way at 
grade crossings and that it is important that warning systems employed 
at highway-rail grade crossings be highly reliable and ``fail-safe'' in 
their design.
    As the PTC Working Group's work continued, other collaborative 
efforts, including development of Passenger Equipment Safety Standards 
(including private standards through the American Public Transit 
Association), Passenger Train Emergency Preparedness rules, and 
proposals for improving locomotive crashworthiness (including improved 
fuel tank standards) have targeted reduction in collision and 
derailment consequences.
    In 2003, in light of technological advances and potential increased 
cost and system savings related to prioritized deployment of PTC 
systems, the Appropriations Committees of Congress requested that FRA 
update the costs and benefits for the deployment of PTC and related 
systems. As requested, FRA carried out a detailed analysis that was 
filed in August of 2004, Benefits and Costs of Positive Train Control 
(Report in Response to Committees on Appropriations, August 2004) 
(``2004 Report''), which indicated that under one set of highly 
controversial assumptions, substantial public benefits would likely 
flow from the installation of PTC systems on the railroad system. 
Further, the total amount of these benefits was subject to considerable 
controversy. While many of the other findings of the 2004 Report were 
disputed, there were no data submitted to challenge the 2004 Report 
finding that reaffirmed earlier conclusions that the safety benefits of 
PTC systems were relatively small in comparison to the large capital 
and maintenance costs. Accordingly, FRA continued to believe that an 
immediate regulatory mandate for widespread PTC implementation could 
not be justified based upon traditional cost-benefit principles relying 
on direct railroad safety benefits.
    Despite the economic infeasibility of PTC based on safety benefits 
alone, as outlined in the 1994, 1999, and 2004 Reports, FRA continued 
with regulatory and other efforts to facilitate and encourage the 
voluntary installation of PTC systems. As part of the High-Speed Rail 
Initiative, and in conjunction with the National Railroad Passenger 
Corporation (Amtrak), the AAR, the State of Illinois, and the Union 
Pacific Railroad Company (UP), FRA created the North American Joint 
Positive Train Control (NAJPTC) Program, which set out to describe a 
single standardized open source PTC architecture and system. UP's line 
between Springfield and Mazonia, Illinois was selected for initial 
installation of a train control system to support Amtrak operations up 
to 110 miles per hour, and the system was installed and tested on 
portions of that line. Although the system did not prove viable as then 
conceived, the project hastened the development of PTC technology that 
was subsequently employed in other projects. Promised standards for 
interoperability of PTC systems also proved elusive.
    In addition to financially supporting the NAJPTC Program, FRA 
continued to work with the rail carriers, rail labor, and suppliers on 
regulatory reforms to facilitate voluntary PTC implementation. The 
regulatory reform effort culminated when FRA issued a final rule on 
March 7, 2005, establishing a technology neutral safety-based 
performance standard for processor-based signal and train control 
systems. This new regulation, codified as subpart H to part 236, was 
carefully crafted to encourage the voluntary implementation and 
operation of processor-based signal and train control systems without 
impairing technological development. 70 FR 11,052 (Mar. 7, 2005).
    FRA intended that final rule--developed through the RSAC process in 
close cooperation with rail management, rail labor, and suppliers--to 
further facilitate individual railroad efforts to voluntarily develop 
and deploy cost effective PTC technologies that would make system-wide 
deployment more economically viable. It also appeared very possible 
that major railroads would elect to make voluntary investments in PTC 
to enhance safety, improve service quality, and foster efficiency 
(e.g., better asset utilization, reduced fuel use through train 
pacing).

C. Technology Advances Under Subpart H

    While FRA and RSAC worked to develop consensus on the regulations 
that would become subpart H, the railroads continued with PTC prototype 
development. The technology neutral, performance-based regulatory 
process established by subpart H proved to be very successful in 
facilitating the development of other PTC implementation approaches. 
Although the railroads prototype development efforts were generally 
technically

[[Page 2601]]

successful and offered significant improvements in safety, costs of 
nationwide deployment continued to be untenable in the judgment of 
those determining allocation of railroad capital. Information gained 
from prototype efforts did little to reduce the estimated costs for 
widespread implementation of the core PTC safety functions on the 
nation's railroads.
    Working under subpart H, the BNSF Railway Company (BNSF), CSX 
Transportation, Inc. (CSXT), the Norfolk Southern Corporation (NS), and 
UP undertook more aggressive design and implementation work. The new 
subpart H regulatory approach also made it feasible for smaller 
railroads, such as the Alaska Railroad and the Ohio Central Railroad, 
to begin voluntary design and implementation work on PTC systems that 
best suited their needs. FRA provided, and continues to provide, 
technical assistance and guidance regarding regulatory compliance to 
enable the railroads to more effectively design, install, and test 
their respective systems.
    In December 2006, FRA approved the initial version of the 
Electronic Train Management System (ETMS[supreg]) product for 
deployment on 35 of BNSF's subdivisions (``ETMS I Configuration'') 
comprising single track territory that was either non-signaled or 
equipped with traffic control systems. ETMS is a registered trademark 
of Wabtec Railway Electronics. BNSF Railway has also referred to its 
application of this technology as ``ETMS.''
    In a separate proceeding, FRA agreed that ETMS could be installed 
in lieu of restoring a block signal system on a line for which 
discontinuance had been authorized followed by a significant increase 
in traffic. During the same period, BNSF successfully demonstrated a 
Switch Point Monitoring System (SPMS)--a system that contains devices 
attached to switches that electronically report the position of the 
switches to the railroad's central dispatching office and to the crew 
of an approaching train--and a Track Integrity Warning System (TIWS)--a 
system that also electronically reports to the railroad's central 
dispatching office and to the crew of an approaching train if there are 
any breaks in the rail that might lead to derailments or the condition 
of track occupancy. FRA believes both of these technologies help to 
reduce risk in non-signaled territory and are forward-compatible for 
use with existing and new PTC systems. To be forward-compatible, not to 
be confused with the similar concept of extensibility, a system must be 
able to gracefully provide input intended for use in later system 
versions. The introduction of a forward-compatible technology implies 
that older devices can partly understand and provide data generated or 
used by new devices or systems. The concept can be applied to 
electrical interfaces, telecommunication signals, data communication 
protocols, file formats, and computer programming languages. A standard 
supports forward-compatibility if older product versions can receive, 
read, view, play, execute, or transmit data to the new standard. In the 
case of wayside devices, they are said to be forward-compatible if they 
can appropriately communicate and interact with a PTC system when later 
installed. A wayside device might serve the function of providing only 
information or providing information and accepting commands from a new 
system.
    In addition to scheduling the installation of the ETMS I 
configuration as capital funding became available, BNSF voluntarily 
undertook the design and testing of complementary versions of ETMS that 
would support BNSF operations on more complex track configurations, at 
higher allowable train speeds, and with additional types of rail 
traffic. Meanwhile, CSXT was in the process of redesigning and 
relocating the test bed for its Communications Based Train Management 
(CBTM) system, which it has tested for several years, and UP and NS 
were working on similar systems using vital onboard processing.
    As congressional consideration of legislation that resulted in the 
RSIA08 commenced, all four major railroads had settled on the core 
technology developed for them by Wabtec Railway Electronics 
(``Wabtec''). As the legislation progressed, the railroads and Wabtec 
worked toward greater commonality in the basic functioning of the 
onboard system with a view toward interoperability. PTC applications of 
ETMS include the non-vital PTC systems of BNSF's ETMS I and ETMS II, 
CSXT's CBTM, UP's Vital Train Management System (VTMS), and NS's 
Optimized Train Control (OTC). Further work is being undertaken by BNSF 
to advance the capability of ETMS by integrating Amtrak operations 
(ETMS III). For a description of system enhancements planned by BNSF as 
per the Product Safety Plan filed in accordance with subpart H, see FRA 
Docket No. 2006-23687, Document 0017, at pp. 40-43.
    While the freight railroads' efforts for developing and installing 
PTC systems progressed over a relatively long period of time, starting 
with demonstrations of ATCS and ARES in the late 1980s and culminating 
in the initial ETMS Product Safety Plan approval in December of 2006, 
Amtrak demonstrated its ability to turn on revenue-quality PTC systems 
on its own railroad in support of high-speed rail. Beginning in the 
early 1990s, Amtrak developed plans for enhanced high-speed service on 
the Northeast Corridor (NEC), which included electrification and other 
improvements between New Haven and Boston and introduction of the Acela 
trainsets as the premium service from Washington to New York and New 
York to Boston. In connection with these improvements, which support 
train speeds up to 150 miles per hour, Amtrak undertook to install the 
Advanced Civil Speed Enforcement System (ACSES) as a supplement to 
existing cab signals and automatic train control (speed control). 
Together, these systems deliver PTC core functionalities. In support of 
this effort, FRA issued an order for the installation of the system, 
which required all passenger and freight operators in the New Haven-
Boston segment to equip their locomotives with ACSES. See 63 FR 39,343 
(July 22, 1998). ACSES was installed between 2000 and 2002, and has 
functioned successfully between New Haven and Boston, and on selected 
high-speed segments between Washington and New York, for a number of 
years.
    Amtrak voluntarily began development of an architecturally 
different PTC system, the Incremental Train Control System (ITCS), for 
installation on its Michigan Line. Amtrak developed and installed ITCS 
under waivers from specific sections of 49 CFR part 236, subparts A 
through G, granted by FRA. ITCS was applied to tenant NS locomotives as 
well as Amtrak locomotives traversing the route. Highway-rail grade 
crossings on the route were fitted with ITCS units to pre-start the 
warning systems for high-speed trains and to monitor crossing warning 
system health in real time. The ITCS was tested extensively in the 
field for safety and reliability, and it was placed in revenue service 
in 2001. As experience was gained, FRA authorized increases in speed to 
95 miles per hour; and FRA is presently awaiting final results of an 
independent assessment of verification and validation for the system 
with a view toward authorizing operations at the design speed of 110 
miles per hour.
    Despite these successes, the widespread deployment of these various 
train control systems, particularly on the general freight system, 
remained very much constrained by prohibitive capital costs. While the 
railroads were committed to installing these new systems to enhance the 
safety afforded

[[Page 2602]]

to the public and their employees, the railroads' actual widespread 
implementation remained forestalled due to an inability to generate 
sufficient funding for these new projects in excess of the capital 
expenditures necessary to cover the ongoing operating and maintenance 
costs. Accordingly, the railroads continued to plan very slow 
deployments of PTC system technologies.

III. The Rail Safety Improvement Act of 2008

    On May 1, 2007, H.R. 2095 was introduced in the House of 
Representatives, which would, among other things, mandate the 
implementation and use of PTC systems. The bill passed the House, as 
amended, on October 17, 2007. The bill was then amended and passed by 
the Senate on August 1, 2008. While the bill was awaiting final 
passage, the FRA Administrator testified before Congress that ``FRA is 
a strong supporter of PTC technology and is an active advocate for its 
continued development and deployment.'' Senate Commerce Committee 
Briefing on Metrolink Accident, 110th Cong. (Sept. 23, 2008) (written 
statement of Federal Railroad Administrator Joseph H. Boardman), 
available at http://www.fra.dot.gov/downloads/PubAffairs/09-23-08FinalStatementFRAAdministratorPTC_Sen_Boxer_Meeting.pdf.
    On September 24, 2008, the House concurred with the Senate 
amendment and added another amendment pursuant to H. Res. 1492. When 
considering the House's amendment, various Senators made statements 
referencing certain train accidents that were believed to be PTC-
preventable. For instance, Senator Lautenberg (NJ) took notice of the 
collision at Graniteville, South Carolina, in 2005, and Senators 
Lautenberg, Hutchinson (TX), Boxer (CA), Levin (MI), and Carper (DE) 
took notice of an accident at Chatsworth, California, on September 12, 
2008. According to Senator Levin, federal investigators have said that 
a collision warning system could have prevented that crash and the 
subject legislation would require that new technology to prevent 
crashes be installed in high risk tracks. Senators Carper and Boxer 
made similar statements, indicating that PTC systems are designed to 
prevent train derailments and collisions, like the one in Chatsworth. 
154 Cong. Rec. S10283-S10290 (2008). Ultimately, on October 1, 2008, 
the Senate concurred with the House amendment.
    The Graniteville accident referenced by Senator Lautenberg occurred 
in the early morning hours of January 6, 2005, when a northbound NS 
freight train, operating within non-signaled (dark) territory, 
encountered an improperly lined switch that diverted the train from the 
main line onto an industry track, where it struck the locomotive of an 
unoccupied, parked train. The collision derailed both locomotives and 
16 of the 42 freight cars of the moving train, as well as the 
locomotive and 1 of the 2 cars of the parked train. Among the derailed 
cars from the moving train were three tank cars containing chlorine, 
one of which was breached, releasing about 60 tons of chlorine gas. The 
train engineer and eight other people died as a result of chlorine gas 
inhalation. About 554 people complaining of respiratory difficulties 
were taken to local hospitals. Of these, 75 were admitted for 
treatment. Because of the chlorine release, about 5,400 people within a 
1-mile radius of the derailment site were evacuated for almost 2 weeks.
    The Chatsworth train collision occurred on the afternoon of 
September 12, 2008, when a UP freight train and a Metrolink commuter 
train collided head-on on a single main track equipped with a Traffic 
Control System (TCS) in the Chatsworth district of Los Angeles, 
California. Although NTSB has not yet released its final report, 
evidence summarized at the NTSB's public hearing suggested that the 
Metrolink passenger train was being operated on the main track past an 
absolute signal at a control point displaying a stop indication, when 
it trailed through a power-operated switch lined against its movement, 
and entered a section of single track where the opposing UP freight 
train was operating on a permissive signal indication. The UP train was 
lined to enter the siding at the control point, after which the switch 
would have been lined for the Metrolink train to proceed. As a 
consequence of the accident, 25 people died and over 130 more were 
seriously injured.
    Prior to the accidents in Graniteville and Chatsworth, the 
railroads' slow incremental deployment of PTC technologies--while not 
uniformly agreed upon by the railroads, FRA, and NTSB--was generally 
deemed acceptable by them in view of the tremendous costs involved. 
Partially as a consequence and severity of these very public accidents, 
coupled with a series of other less publicized accidents, Congress 
passed the RSIA08 and it was signed into law by the president on 
October 16, 2008, marking a public policy decision that, despite the 
implementation costs, railroad employee and general public safety 
warranted mandatory and accelerated installation and operation of PTC 
systems.
    As immediately relevant to this rulemaking, the RSIA08 requires the 
installation and operation of PTC systems on all rail main lines, 
meaning all intercity and commuter lines--with limited exceptions 
entrusted to FRA--and on freight-only rail lines when they are part of 
a Class I railroad system, carrying at least 5 million gross tons of 
freight annually, and carrying any amount of poison- or toxic-by-
inhalation (PIH or TIH) materials. While the statute vests certain 
responsibilities with the Secretary of the U.S. Department of 
Transportation, the Secretary has since delegated those 
responsibilities to the FRA Administrator. See 49 CFR 1.49(oo); 74 FR 
26,981 (June 5, 2009); see also 49 U.S.C. 103(g).
    In the RSIA08, Congress established very aggressive dates for PTC 
system build-out completion. Each subject railroad is required to 
submit to FRA by April 16, 2010, a PTC Implementation Plan (PTCIP) 
indicating where and how it intends to install PTC systems by December 
31, 2015.
    In light of the timetable instituted by Congress, and to better 
support railroads with their installation while maintaining safety, FRA 
decided that it is appropriate for mandatory PTC systems to be reviewed 
by FRA differently than the regulatory approval process provided under 
subpart H. FRA believes that it is important to develop a process more 
suited specifically for PTC systems that would better facilitate 
railroad reuse of safety documentation and simplify the process of 
showing that the installation of the intended PTC system did not 
degrade safety. FRA also believes that subpart H does not clearly 
address the statutory mandates and that such lack of clarity would 
complicate railroad efforts to comply with the new statutory 
requirements. Accordingly, FRA hereby amends part 236 by modifying 
existing subpart H and adding a new subpart I.

IV. Public Participation

A. RSAC Process

    In March 1996, FRA established the RSAC, which provides a forum for 
collaborative rulemaking and program development. The RSAC includes 
representatives from all of the agency's major stakeholder groups, 
including railroads, labor organizations, suppliers and manufacturers, 
other government agencies, and other interested parties. When 
appropriate, FRA assigns a task to the RSAC, and after consideration 
and debate, the RSAC may accept or reject

[[Page 2603]]

the task. If accepted, the RSAC establishes a working group comprised 
of persons that possess the appropriate expertise and representation of 
interests to develop recommendations to FRA for action on the task. 
These recommendations are developed by consensus. The working group may 
establish one or more task forces or other subgroups to develop facts 
and options on a particular aspect of a given task. The task force, or 
other subgroup, reports to the working group. If the working group 
comes to consensus on recommendations for action, the package is 
presented to the RSAC for a vote. If the proposal is accepted by a 
simple majority of the RSAC, the proposal is formally recommended to 
FRA. FRA then determines what action to take on the recommendation. 
Because FRA staff has played an active role at the working group and 
subgroup levels in discussing the issues and options and in drafting 
the language of the consensus proposal, and because the RSAC 
recommendation constitutes the consensus of some of the industry's 
leading experts on a given subject, FRA is generally favorably inclined 
toward the RSAC recommendation. However, FRA is in no way bound to 
follow the recommendation and the agency exercises its independent 
judgment on whether the recommended rule achieves the agency's 
regulatory goals, is soundly supported, and was developed in accordance 
with the applicable policy and legal requirements. Often, FRA varies in 
some respects from the RSAC recommendation in developing the actual 
regulatory proposal.
    In developing the proposed rule in this proceeding, FRA adopted the 
RSAC approach by re-convening the PTC Working Group that had produced 
the rule recommendation resulting in subpart H. As part of this effort, 
FRA worked with the major stakeholders affected by this rulemaking in 
collaborative a manner as possible. FRA believes establishing a 
collaborative relationship early in the product development and 
regulatory development cycles can help bridge the divide between the 
railroad carrier's management, railroad labor organizations, the 
suppliers, and FRA by ensuring that all stakeholders are working with 
the same set of data and have a common understanding of product 
characteristics and functionality or their related processes production 
methods, including the regulatory provisions, with which compliance is 
mandatory. However, where the group failed to reach consensus on an 
issue, FRA used its authority to resolve the issue, attempting to 
reconcile as many of the divergent positions as possible through 
traditional rulemaking proceedings.
    On December 10, 2008, the RSAC accepted a task (No. 08-04) entitled 
``Implementation of Positive Train Control Systems.'' The purpose of 
this task was defined as follows: ``To provide advice regarding 
development of implementing regulations for Positive Train Control 
(PTC) systems and their deployment under the Rail Safety Improvement 
Act of 2008.'' The task called for the RSAC PTC Working Group to 
perform the following:
     Review the mandates and objectives of the Act related to 
deployment of PTC systems;
     Help to describe the specific functional attributes of 
systems meeting the statutory purposes in light of available 
technology;
     Review impacts on small entities and ascertain how best to 
address them in harmony with the statutory requirements;
     Help to describe the details that should be included in 
the implementation plans that railroads must file within 18 months of 
enactment of the Act;
     Offer recommendations on the specific content of 
implementing regulations; and
    The task also required the PTC Working Group to:
     Report on the functionalities of PTC systems;
     Describe the essential elements bearing on 
interoperability and the requirements for consultation with other 
railroads in joint operations; and
     Determine how PTC systems will work with the operation of 
non-equipped trains.
    The PTC Working Group was formed from interested organizations that 
are members of the RSAC. The following organizations contributed 
members:

American Association of State Highway and Transportation Officials 
(AAHSTO)
American Chemistry Council (ACC)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
Association of American Railroads (AAR)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Locomotive Engineers and Trainmen Division (BLET)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration* (FTA)
International Brotherhood of Electrical Workers (IBEW)
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Transport Canada*
Tourist Railway Association Inc.
United Transportation Union (UTU)
------------
    *Indicates associate (non-voting) member.

    From January to April 2009, FRA met with the entire PTC Working 
Group 5 times over the course of 12 days. During those meetings, in 
order to efficiently accomplish the tasks assigned to it, the PTC 
Working Group empowered three task forces to work concurrently. These 
task forces were the passenger, short line and regional railroad, and 
the radio and communications task forces. Each discussed issues 
specific to its particular interests and needs and produced proposed 
rule language for the PTC Working Group's consideration. The majority 
of the proposals were adopted into the proposed rule as agreed upon by 
the working group, with rule language related to a remaining few issues 
being further discussed and enhanced for inclusion into the rule by the 
PTC Working Group.
    The passenger task force discussed testing issues relating to parts 
236 and 238 and the definition of ``main line'' under the statute, 
including possible passenger terminal and limited operations exceptions 
to PTC implementation. Recommendations of the task force were presented 
to the PTC Working Group, which adopted or refined each suggestion.
    The short line and regional railroad task force was formed to 
address the questions pertaining to Class II and Class III railroads. 
Specifically, the group discussed issues regarding the trackage rights 
of Class II and III railroads using trains not equipped with PTC 
technology over a Class I railroad's PTC territory, passenger service 
over track owned by a Class II or Class III railroads where PTC would 
not otherwise be required, and rail-to-rail crossings-at-grade 
involving a Class I railroad's PTC equipped line and a Class II or III 
railroad's PTC unequipped line. After much discussion, there were no 
consensus resolutions reached to any of the main issues raised. 
However, the discussion yielded insights utilized by FRA in preparing 
this final rule.
    The radio and communications task force addressed wireless 
communications issues, particularly as they relate to communications 
security, and recommended language for Sec.  236.1033.
    FRA staff worked with the PTC Working Group and its task forces in

[[Page 2604]]

developing many facets of the final rule. FRA gratefully acknowledges 
the participation and leadership of representatives who served on the 
PTC Working Group and its task forces. These points are discussed to 
show the origin of certain issues and the course of discussion on these 
issues at the task force and working group levels. We believe this 
helps illuminate the factors FRA weighed in making its regulatory 
decisions regarding this final rule and the logic behind those 
decisions.
    In general, the PTC Working Group agreed on the process for 
implementing PTC under the statute, including decisional criteria to be 
applied by FRA in evaluating safety plans, adaptation of subpart H 
principles to support this mandatory implementation, and refinements to 
subpart H and the part 236 appendices necessary to dovetail the two 
regulatory regimes and take lessons from early implementation of 
subpart H, including most aspects of the training requirements. Notable 
accords were reached, as well, on major functionalities of PTC and on 
exceptions applicable to passenger service (terminal areas and limited 
main line exceptions). Major areas of disagreement included whether to 
allow non-equipped trains on PTC lines, extension of PTC to lines not 
within the statutory mandate, and whether to provide for onboard 
displays or terminals visible and accessible to employees other than 
the locomotive engineer when two or more persons are regularly assigned 
duties in the cab. Some additional areas of concern were discussed but 
could not be resolved in the time available. It was understood that 
where discussion did not yield agreement, FRA would make proposals 
within a Notice of Proposed Rulemaking (NPRM) and receive public 
comment.

B. Public Hearing and Comments Filed

    FRA issued an NPRM on July 21, 2009, and accepted comments on this 
proposed regulation until August 20, 2009. A public hearing was also 
held in connection with the NPRM in Washington, DC, on August 13, 2009, 
as further described below.
    During the comment period, a number of entities filed comments 
requesting that FRA extend the comment period to the proposed rule in 
this proceeding. FRA regrettably denied those requests due to the 
urgent need to prepare, process, and publish a final rule at the 
earliest possible date. Since railroads subject to the rules are each 
required to file a PTCIP by April 16, 2010, under the terms of the 
RSIA08, it was important that FRA provide reliable guidance for this 
process to occur in a timely manner. However, FRA responded to two of 
those requests on the record, indicating that it is FRA's policy to 
consider late-filed comments to the extent practicable and inviting the 
railroads to supplement their comments as soon as possible even if it 
is necessary to file after the formal comment period has closed.
    On August 13, 2009, FRA held a hearing to provide interested 
parties an opportunity to enter oral statements into the record. The 
AAR, Amtrak, BNSF, and CSXT entered prepared statements into the record 
and UP and NS indicated their concurrence with those statements. An 
oral statement was also entered into the record by a representative of 
six (6) rail labor organizations, including the American Train 
Dispatchers Association (ATDA), BLET, BMWED, BRS, IBEW, and UTU 
(collectively, the ``Rail Labor Organizations'' or ``RLO''). AASHTO 
also provided an oral statement at the hearing, indicating that it 
fully supports the implementation of the proposed rule. Copies of the 
prepared statements and of the hearing transcript can be found in the 
docket to this proceeding.
    Subsequently, written comments were filed by the American Shortline 
and Regional Railroad Association (ASLRRA), Amtrak, APTA, ACC, AAR, 
BNSF, Caltrain, Canadian Pacific (CP), The Chlorine Institute (CI), 
CSXT, Friends of the Earth, GE Transportation (GE), HCRQ, Inc. and 
Cattron Group International (collectively, ``HCRQ/CGI''), Invensys Rail 
Group--Safetran Systems (``Safetran''), NTSB, New York State 
Metropolitan Transportation Authority (NYSMTA), NJ Transit, Northern 
Indiana Commuter Transportation District (NICTD), Pacific Southwest 
Railway Museum, RLO, Railroad Passenger Car Alliance, San Bernardino 
Railway Historical Society, Southern California Regional Rail Authority 
(SCRRA or Metrolink), The Fertilizer Institute (TFI), Tourist Railway 
Association, Trinity Railway Express (TRE or Trinity), Utah Transit 
Authority (UTA) and a number of individuals.
    After the comment period closed on August 20, 2009, the RSAC PTC 
Working Group was reconvened for 3 days. The PTC Working Group agreed 
on a number of recommendations for resolution of comments which were 
presented to the full RSAC on September 10. In voting by mail ballot 
that concluded on September 24, the RSAC adopted the recommendations, 
which are discussed below in the context of the specific issues that 
they address.

V. Overview: The Proposed Rule, Comments, and Resolution of Comments

    In broad summary, the proposed rule provided for joint filing of 
PTCIPs by all railroads engaged in joint operations. Each PTCIP was to 
be accompanied or preceded by a PTC Development Plan (PTCDP) or PTC 
Safety Plan (PTCSP) detailing the technology to be employed, or by a 
Type Approval obtained by another railroad through approval of a PTCDP. 
As further discussed below, this overall structure was generally 
embraced by the industry parties and the commenters; but the extended 
period for delivery of interoperability standards has given rise to the 
need for some significant adjustments that are included in the final 
rule.
    Under the NPRM language, Class I freight railroads would be 
required to describe in their PTCIPs the routes to be equipped based on 
traffic densities (lines carrying more than 5 million gross tons) and 
presence of PIH traffic during calendar year 2008. They would be 
permitted to amend those plans if FRA found that removal of a line was 
``consistent with safety and in the public interest.'' The discussion 
below reflects the serious objections of the Class I railroads to this 
``base year'' approach and adjustments that FRA makes in this final 
rule to provide somewhat greater flexibility on the face of the 
regulation. The discussion and final rule also provide FRA's response 
to a suggestion by the AAR that FRA create a ``de minimis'' exception 
to the requirement that lines carrying PIH traffic be equipped with 
PTC, an issue raised for the first time in response to the NPRM.
    FRA proposed to adapt the performance-based structure of subpart H, 
which had been developed through the consensus process to encourage 
deployment of PTC and related technologies to provide a means of 
qualifying PTC systems under the RSIA08. In order to promote completion 
of PTC deployment by the end of 2015, as required by law, FRA proposed 
functional requirements that could be met by available technology. 
These provisions continue to enjoy broad support from the industry 
parties and commenters, but the final rule makes numerous perfecting 
changes to the implementing language in response to specific comments.
    The NPRM set forth requirements for equipping of trains with PTC 
that reflected FRA's perception of practical considerations (e.g., not 
all locomotives can be equipped at once, and switching out locomotives 
to commit them to

[[Page 2605]]

equipped routes would involve significant cost and safety exposure), 
historic tolerance for some incidental unequipped movements under 
circumstances where strict adherence would create obvious hardship 
without commensurate safety benefits (e.g., locomotives of Class II and 
III railroads generally spend little time on Class I railroads and have 
a good safety record, yet requiring that they be equipped could result 
in expenditures greater than the previous value of the locomotives), 
and movement restrictions applicable where controlling locomotives 
might have failed onboard PTC equipment. These proposals elicited some 
strong objections and proposals for improvement. Several commenters 
asked that occasional movement of trains led by historic locomotives be 
permitted without equipping the locomotives with PTC technology. The 
final rule makes a number of changes, while endeavoring to carry 
forward the lessons of many decades and while recognizing the need for 
regulatory flexibility.
    Relying on existing train control requirements, the NPRM proposed 
that each assigned crew member be able to view the PTC display and 
perform assigned functions from their normal position in the cab. The 
NPRM also addressed the need to avoid task overload on the locomotive 
engineer by having that person perform functions that could distract 
from attention to current safety duties. FRA has considered the Class I 
railroads' argument that, if a single display was acceptable under 
subpart H, it should be acceptable under the proposed subpart I. 
Although FRA has considered carefully the carriers' arguments on this 
point, the final rule carries forward principles of crew resource 
management by ensuring that each crew member has the information and 
ability to perform their assigned function and, therefore, where a PTC 
overlay system is used, that all of the safety features of the 
underlying operation to which PTC is added will be kept.
    One of the critical choices assigned to FRA under the law was 
specification of any exceptions to passenger ``main track'' requiring 
installation of PTC. The NPRM carried forward narrow exceptions crafted 
at the request of commuter and intercity railroads. Amtrak followed 
with comments on the NPRM asking for a broader exception. They noted in 
particular that the incremental costs of PTC on some lines with limited 
freight traffic and relatively few Amtrak trains might need to be borne 
by states that support particular services, and the funding might not 
be available to do so. Following recommendations from the RSAC Working 
Group, FRA is including additional latitude to bring forward specific 
exceptions for FRA review and approval, with or without conditions.
    The NPRM was technology neutral and directed at the outcomes 
desired. A number of the comments addressed the issue of market 
concentration and absence of effective choices in selecting PTC 
technology. In this regard, some felt that FRA should specify 
attributes of interoperability in the form of open standards. The final 
rule continues to rely on safety performance as the basis for FRA 
certification of PTC systems. FRA declines at this time to deprive 
those railroads that have served as technology leaders in developing 
PTC systems of the latitude to implement their systems, given their 
apparent willingness to provide open standards for attributes of the 
technology over which they have control, and given the predictable 
delays that would ensue should alternative approaches be specified. FRA 
is aware that this creates a degree of reliance on others with respect 
to those railroads that stood back and waited for others to develop PTC 
technology. Further, some degree of market concentration may exist on 
the general freight network, in particular, given the dominance of one 
vendor or supplier with respect to the core of the onboard systems. FRA 
financially supported development of interoperability standards through 
the North American Positive Train Control Program (the technology 
selected for demonstration was not deployed, and no standards were 
delivered) and again through the American Railway Engineering and 
Maintenance Association (standards have been published and are 
available, but no railroad has signaled an intention to employ them). 
The choice of technology that will be deployed should, in FRA's view, 
be made by those who are making the investments.
    Finally, the NPRM took a traditional approach to recognition of 
technology, requiring that railroads step forward, individually or with 
their suppliers, to request recognition of PTC systems. Suppliers 
commented that they should be able to step forward without railroad 
participation and receive recognition for systems, subsystems, and 
components that would later be incorporated in PTC systems approved by 
FRA. They noted that the NPRM would burden them with reporting 
obligations while not conferring status to receive direct product 
recognition. While recognizing the commenters' logic, FRA could not 
find a means in the final rule to relieve these concerns, given limited 
technical staffing at FRA, the potential for filings representing 
technology that the industry would not employ, the inherent difficulty 
associated with addressing the safety of technology below the system 
level, and the critical need to provide rapid responses to necessary 
filings.
    Each of the comments on the NPRM, including comments not within the 
scope of this overview, is discussed in relation to the topic addressed 
in the section-by-section analysis below.

VI. Seeking Further Comments

    While this final rule is effective on the date indicated herein, 
FRA believes that certain issues warrant further discussion. 
Accordingly, FRA will continue to seek comments limited to increasing 
the clarity, certainty, and transparency of the criteria governing the 
removal from a PTCIP (and therefore from the requirement to install 
PTC) of any track segments on which PTC systems have yet to be 
installed for which a railroad seeks relief from the requirement to 
install PTC. FRA considers this issue separate and distinct from the 
discontinuance of any already installed or existing PTC systems, which 
is governed under Sec.  236.1021, part 235 of this title, and the 
``Signal Inspection Act'' (codified at 49 U.S.C. 20501-20505). Any 
further comments should be limited to the scope of the issues indicated 
in this preamble to which FRA seeks further comments.
    In Sec.  236.1005(b)(4)(i)(A)(2), the final rule provides certain 
factors that FRA will consider when determining whether to approve 
exclusion of a line from the PTCIP in the case of cessation of PIH 
traffic over a particular track segment. For instance, under Sec.  
236.1005(b)(4)(i)(A)(2)(ii), the requesting railroad must show that any 
rerouting of PIH traffic from the subject track segment is justified 
based upon the route analysis submitted. FRA seeks comments on how the 
elements of a route analysis should be weighed by FRA when determining 
whether rerouting as provided under this paragraph is sufficiently 
justified.
    Section 236.1005(b)(4)(i)(A)(2)(iii) concerns the risk remaining on 
a track segment if PIH traffic were to be removed. FRA also seeks 
comments on how to measure the appropriate level of risk established in 
Sec.  236.1005(b)(4)(i)(A)(2)(iii) to require the installation of PTC 
on lines not carrying PIH or passenger traffic. No railroad has 
supplied data supporting further track exceptions from PTC system 
installation consistent with

[[Page 2606]]

statutory and safety requirements. Thus, FRA requests additional data 
to support commenters' positions. FRA also seeks comment and 
information on ways that it might consider risk mitigations other than 
by a compensating extension of PTC or PTC technologies.
    In Sec.  236.1005(b)(4)(i), the final rule provides an exception to 
PTC system implementation where such implementation would provide only 
a de minimis PIH risk. While in the proposed rule FRA sought means to 
reduce the railroads' burdens associated with this rule, no specific de 
minimis exception was proposed. The AAR mentioned this possibility in 
its comment filed during the comment period and offered in 
supplementary comments filed after the comment period to work with FRA 
on this issue. FRA believes that the de minimis exception provided in 
this final rule falls within the scope of the issues set forth in the 
proposed rule. However, since none of the parties has had an 
opportunity to comment on this specific exception as provided in this 
final rule, FRA seeks comments on the extent of the de minimis 
exception.
    As further explained below, this final rule uses 2008 traffic data 
as an initial baseline in each PTCIP to determine the breadth and scope 
of PTC system implementation and, in recognition of the fact that 
traffic patterns are likely to change to some degree before December 
31, 2015, provides means of adjusting the track segments on which PTC 
must be installed where adjustments are appropriately justified. These 
issues relate to the potential scaling back of the breadth and scope of 
that baseline through the request by the railroads--made 
contemporaneously or subsequently to PTCIP submission and prior to 
actual PTC system implementation--on the subject track segments for FRA 
to apply certain regulatory exceptions. Under the procedures set forth 
in this final rule, requests for such amendments may be made after 
PTCIP submission. Since these issues should not affect the PTCIP 
required to be filed by the April 16, 2010, statutory deadline, FRA 
believes that time is available for some further consideration.

VII. Section-by-Section Analysis

    Unless otherwise noted, all section references below refer to 
sections in title 49 of the Code of Federal Regulations (CFR). FRA 
sought comments on all proposals made in the NPRM. This portion of the 
preamble discusses the comments received, FRA's assessment of those 
comments, and the basis for the final rule provisions. Any analysis in 
the NPRM that is not explicitly modified in this final rule remains 
applicable.

Proposed Amendments to 49 CFR Part 229

Section 229.135 Event Recorders
    The proposed amendment to the existing event recorder section of 
the Locomotive Safety Standards is intended to make that section 
parallel to the additions in Sec.  236.1005(d) below. No comments were 
received, and the section is adopted as proposed.

Proposed Amendments to 49 CFR Part 234

Section 234.275 Processor-Based Systems
    Section 234.275 presently requires that each processor-based 
system, subsystem, or component used for active warning at highway-rail 
grade crossings that is new or novel technology, or that provides 
safety-critical data to a railroad signal or train control system which 
is qualified using the subpart H process, shall also be governed by 
those requirements, including approval of a Product Safety Plan. 
Particularly with respect to high-speed rail, FRA anticipates that PTC 
systems will in some cases incorporate new or novel technology to 
provide for crossing warning system pre-starts (eliminating the 
necessity of lengthening the approach circuits for high-speed trains), 
to verify crossing system health between the wayside warning system and 
approaching trains, or to slow trains approaching locations where 
vehicle storage has been detected on a crossing, among other options. 
Indeed, each of these functions is presently incorporated in at least 
one train control system, and others may one day be feasible (including 
in-vehicle warning). There would appear to be no reason why such a 
functionality intended for inclusion in a PTC system mandated by 
subpart I could not be qualified with the rest of the PTC system under 
subpart I. On the other hand, care should be taken to set an 
appropriate safety standard taking into consideration highway users, 
occupants of the high-speed trains, and others potentially affected.
    In fact, with new emphasis on high-speed rail, FRA needs to 
consider the ability of PTC systems to integrate this type of new 
technology and thereby reduce risk associated with high-speed rail 
service. Risk includes derailment of a high-speed train with 
catastrophic consequences after encountering an obstacle at a highway-
rail grade crossing. To avoid such consequences, as many crossings as 
possible should be eliminated. To that end, 49 CFR 213.347 requires a 
warning and barrier plan to be approved for Class 7 track (speeds above 
110 miles per hour) and prohibits grade crossings on Class 8 and 9 
track (above 125 miles per hour). That leaves significant exposure on 
Class 5 and 6 track (80 miles per hour for freight and 90 miles per 
hour for passenger trains, up to 110 miles per hour for either) which 
is currently not specifically addressed by regulation.
    At the public hearing in this proceeding, the RLO indicated its 
agreement with FRA's interpretation of 49 CFR 213.347 and stated that 
significant exposure remains at highway-rail grade crossings for Class 
5 and 6 track, because ``such plans or prohibitions are not currently 
addressed by Federal Regulation.'' In addition to the proposed 
amendments to Sec.  234.275, however, the RLO believes that PTC systems 
should also be mandated under subpart I to incorporate technology that 
would verify a highway-rail grade crossing warning system's activation 
for an approaching train and slow a train approaching a location where 
such system activation could not be verified. The RLO believes that 
such verification and speed restriction enforcement would significantly 
lower the exposure for a potential collision between a highway motor 
vehicle and a train. According to the RLO, this function is currently 
incorporated into at least one deployed train control system and is 
therefore feasible. In addition, the RLO propose that certain existing 
highway-rail grade crossing warning system regulations and 
requirements, including those in parts 213 and 234, and in subpart H to 
part 236, could be cross referenced or included in subpart I to ensure 
regulatory harmony.
    While AAR understands the safety concern, it asserts that this 
function is not related to the core PTC functions mandated by Congress. 
Furthermore, asserts AAR, the cost of installing wayside interface 
units at grade crossings on PTC routes would be prohibitively expensive 
and would divert resources that would otherwise be devoted to meeting 
the mandated PTC deadline.
    The NTSB recommends that the warning and barrier protection plans 
similar to those for Class 7 track at grade crossings in 49 CFR 213.347 
should also apply to Class 5 and 6 tracks. According to the NTSB, such 
protection at crossings (similar to protection at crossings afforded 
within the ITCS project) should be integrated as part of an approved 
PTC plan to reduce the risk

[[Page 2607]]

of high-speed catastrophic derailments at such grade crossings.
    FRA, while certainly recognizing these concerns, does not choose to 
provide further prescriptive requirements for highway-rail grade 
crossings beyond those set forth in Sec.  213.347. FRA will, however, 
require that highway-rail grade crossing safety at Class 5 and 6 track 
speeds be specifically addressed within a railroad's PTCDP and PTCSP 
(see Sec. Sec.  236.1013 and 236.1015 respectively) subject to FRA 
approval. FRA has separately developed Guidelines for Highway-Rail 
Grade Crossing Safety for high-speed rail that will be employed in the 
grant review and negotiation process under the American Recovery and 
Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009) 
(ARRA). These Guidelines encourage use of sealed corridor strategies 
for Emerging High-Speed Rail systems and integration of highway-rail 
warning systems with PTC where feasible. See Docket No. FRA-2009-0095.

Proposed Amendments to 49 CFR Part 235

Section 235.7 Changes Not Requiring Filing of Application
    FRA amends Sec.  235.7, which allows specified changes within 
existing signal or train control systems be made without the necessity 
of filing an application. The amendments consist of adding allowance 
for a railroad to remove an intermittent automatic train stop system in 
conjunction with the implementation of a PTC system approved under 
subpart I of part 236, and a couple of minor editorial corrections.
    The changes allowable under this section, without filing of an 
application, are those identified on the basis that the resultant 
condition will be at least no less safe than the previous condition. 
The required functions of PTC within subpart I provide a considerably 
higher level of functionality related to both alerting and enforcing 
necessary operating limitations than an intermediate automatic train 
stop system does. Additionally, in the event of the loss of PTC 
functionality (see Sec.  236.1029 regarding a failure en route), the 
operating restrictions required will provide the needed level of safety 
in lieu of the railroad being expected to keep and maintain an 
underlying system such as intermittent automatic train stop for use 
only in such cases. Therefore, FRA believes that with the 
implementation of PTC under the requirements of subpart I, the safety 
value of any previously existing intermittent automatic train stop 
system is entirely obviated. There were no objections in the PTC 
Working Group to this amendment.
    The AAR submitted comment that within Sec.  236.1021, paragraphs 
(j)(2) and (j)(3) should be revised to recognize the allowance for 
removal of a signal used in lieu of an electric or mechanical lock in 
the same manner as removal of the electric or mechanical lock. These 
two paragraphs are intended to recognize that where train speed over 
the switch does not exceed 20 miles per hour, or where trains are not 
permitted to clear the main track at such switch, removal of the 
devices intended to provide the necessary protection without filing for 
approval is appropriate.
    The regulation requiring the installation of an electric or 
mechanical lock identifies the allowance for a signal used in lieu 
thereof (see Sec.  236.410). FRA agrees with the AAR that when the 
requirement for an electric or mechanical lock, or a signal used in 
lieu thereof, are eliminated, the removal of any of these devices in 
their entirety without filing for approval is appropriate. FRA is 
therefore amending paragraphs (j)(2) and (j)(3) of Sec.  236.1021 as 
recommended in order to clarify these allowances.
    For the same reasoning and in a consistent manner, FRA is amending 
paragraphs (b)(2) and (b)(3) in existing Sec.  235.7 in order to 
provide the same allowances for removal of a signal used in lieu of an 
electric or mechanical lock within block signal systems without filing 
for approval.

Proposed Amendments to 49 CFR Part 236

Section 236.0 Applicability, Minimum Requirements, and Penalties
    FRA amends this existing section of the regulation to remove manual 
block from the methods of operation permitting speeds of 50 miles per 
hour or greater for freight trains and 60 miles per hour or greater for 
passenger trains. Manual block rules create a reasonably secure means 
of preventing train collisions. However, where the attributes of block 
signal systems are not present, misaligned switches, broken rails, or 
fouling equipment may cause a train accident. FRA believes that 
contemporary expectations for safe operations require this adjustment, 
which also provides a more orderly foundation for the application of 
PTC to the subject territories. There were no objections in the PTC 
Working Group to this change and the NTSB supports the removal of 
manual block from a method of operation permitting train speeds of 
above 49 and 59 miles per hour for freight and passenger trains, 
respectively. According to the NTSB, manual block does not afford the 
level of safety that block signal or PTC systems provide for the 
detection of misaligned switches, broken rails, or fouling equipment 
that may cause a train accident.
    After review of the NPRM, AAR stated that paragraph (c)(1)(ii)(A) 
seemed to preclude the operations identified in paragraph (c)(1)(ii)(B) 
and that it was unclear whether paragraph (c)(1)(ii)(A) applies to 
opposing trains or some other condition. Therefore, the AAR recommended 
that paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B) be revised. FRA agrees 
and has therefore revised paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B), 
and added paragraphs (c)(1)(ii)(C) and (c)(1)(ii)(D), in the final rule 
to improve clarity.
    FRA has also added paragraph (d)(2) in the final rule to address 
the use of automatic cab signal, automatic train stop, or automatic 
train control systems on or after December 31, 2015. On or after 
December 31, 2015, the method of protecting high-speed train operations 
will be through the use of PTC. FRA recognizes that there may be 
justifiable reasons for continued use of automatic cab signal, 
automatic train stop, or automatic train control systems on or after 
December 31, 2015 on certain lines, where the installation of PTC would 
be inappropriate. In situations where the automatic cab signal, 
automatic train stop, or automatic train control systems are an 
integral part of the PTC system design, no action will be required by a 
railroad. In any other situation, however, FRA will only allow 
continued use of an automatic cab signal, automatic train stop, or 
automatic train control system on a case-by-case basis after sufficient 
justification has been provided to the Associate Administrator.
    FRA has also added a preemption provision at the end of section 
236.0. Part 236, which FRA inherited from the Interstate Commerce 
Commission at the time FRA was created, has had preemptive effect by 
operation of law at least since enactment of the Federal Railroad 
Safety Act of 1970 (Pub. L. 111-43). However, no preemption provision 
was ever added, largely as an historical accident. Since enactment of 
the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/
11 Commission Act of 2007), Public Law 110-53, which amended 49 U.S.C. 
20106 significantly, FRA has been updating the preemption provisions of 
its regulations to conform to the current statute as opportunities to 
do so are

[[Page 2608]]

presented. New subsection 236.0(i) is added to accomplish that and to 
recite the preemptive effect of the Locomotive Boiler Inspection Act 
(49 U.S.C. 20701-20703), which has been held by the U.S. Supreme Court 
to preempt the entire field of locomotive safety; therefore, this part 
preempts any state law, including common law, covering the design, 
construction, or material of any part of or appurtenance to a 
locomotive.
    The text of section 236.0(i)(1) and (2) directly reflects FRA's 
interpretation of 49 U.S.C. 20106, as amended. Read by itself, 49 
U.S.C. 20106(a) preempts state standards of care, including common law 
standards, Norfolk Southern Ry. v. Shanklin, 529 U.S. 344, 358-359 
(2000), CSX Transp., Inc. v. Easterwood, 507 U.S. 658, 664 (1993), but 
does not expressly state whether anything replaces the preempted 
standards of care for purposes of tort suits. The focus of that 
provision is clearly on who regulates railroad safety: The federal 
government or the states. It is about improving railroad safety, for 
which Congress deems nationally uniform standards to be necessary in 
the great majority of cases. That purpose has collateral consequences 
for tort law which new statutory section 20106 paragraphs (b) and (c) 
address. New paragraph (b)(1) creates three exceptions to the possible 
consequences flowing from paragraph (a). One of those exceptions 
(paragraph (b)(1)(B)) precisely addresses an issue presented in Lundeen 
v. Canadian Pacific Ry., 507 F.Supp.2d 1006 (D.Minn. 2007) that 
Congress wished to rectify: It allows plaintiffs to sue a railroad in 
tort for violation of its own plan, rule, or standard that it created 
pursuant to a regulation or order issued by either of the secretaries. 
None of those exceptions covers a plan, rule, or standard that a 
regulated entity creates for itself in order to produce a higher level 
of safety than federal law requires, and such plans, rules, or 
standards were not at issue in Lundeen. The key concept of section 
20106(b) is permitting actions under state law seeking damages for 
personal injury, death, or property damage to proceed using a federal 
standard of care. A plan, rule, or standard that a regulated entity 
creates pursuant to a federal regulation logically fits the paradigm of 
a federal standard of care--federal law requires it and determines its 
adequacy. A plan, rule, or standard, or portions of one, that a 
regulated entity creates on its own in order to exceed the requirements 
of federal law does not fit the paradigm of a federal standard of 
care--federal law does not require that the law be surpassed and, past 
the point at which the requirements of federal law are satisfied, says 
nothing about its adequacy. That is why FRA believes that section 
20106(b)(1)(B) covers the former, but not the latter. The basic purpose 
of the statute--improving railroad safety--is best served by 
encouraging regulated entities to do more than the law requires and 
would be disserved by increasing potential tort liability of regulated 
entities that choose to exceed federal standards, which would 
discourage them from ever exceeding federal standards again.
    In this manner, Congress adroitly preserved its policy of national 
uniformity of railroad safety regulation expressed in section 
20106(a)(1) and assured plaintiffs in tort cases involving railroads, 
such as Lundeen, of their ability to pursue their cases by clarifying 
that federal railroad safety regulations preempt the standard of care, 
not the underlying causes of action in tort. Under this interpretation, 
all parts of the statute are given meanings that work together 
effectively and serve the safety purposes of the statute.
Section 236.410 Locking, Hand-Operated Switch; Requirements
    In this final rule, FRA is removing the Note following paragraph 
(b) of this section. During FRA's review of the requirements contained 
in this part, FRA discovered that the Note following paragraph (b), 
which had previously been removed as part of FRA's 1984 amendments to 
this part, was inadvertently reprinted in the rule text several years 
later and has remained there. As reflected in the preamble discussion 
of the 1983 proposed rule, FRA moved the provisions for removal of 
electric or mechanical locks to Sec.  235.7 based on FRA's 
determination that the industry was capable of achieving compliance of 
train operations in procedures more suitable to individual properties.
    In light of the history of this section, FRA is taking the 
opportunity within this rulemaking to remove the Note following 
paragraph (b), which presents information in conflict with the 
allowances that have been added into Sec. Sec.  235.7(b)(2) and (b)(3).
Section 236.909 Minimum Performance Standard
    FRA is modifying paragraph (e)(1) of this section to include a 
requirement for the risk metric sensitivity analysis to be an integral 
part of the full risk assessment that is required to be provided in the 
Product Safety Plan (PSP) submittal in accordance with Sec.  
236.907(a)(7). Paragraph (e)(2) of this section is also being modified 
to eliminate an alternative option for a railroad to use a risk metric 
in which consequences of potential accidents are measured strictly in 
terms of fatalities.
    Prior to the modification of this section, paragraph (e)(1) 
discussed how safety and risk should be measured for the full risk 
assessment, but did not accentuate the need for running a sensitivity 
analysis on chosen risk metrics to ensure that the worst case scenarios 
for the proposed system failures or malfunctions are accounted for in 
the risk assessment. On the other hand, Appendix B to this part 
mandates that each risk metric for the proposed product must be 
expressed with an upper bound, as estimated with a sensitivity 
analysis. The FRA's experience gained while reviewing PSP documents 
required by subpart H of this part and submitted to FRA for approval 
revealed that railroads did not consider it mandatory to run a 
sensitivity analysis for the chosen risk metrics. Thus, an additional 
effort was required from the FRA staff reviewing PSP submittals to 
demonstrate to the railroads the validity and significance of such a 
request. Therefore, this final rule amends paragraph (e)(1) to 
explicitly require the performance of a sensitivity analysis for the 
chosen risk metrics. The language in paragraph (e)(1) of this section 
explains why the sensitivity analysis is needed and what key input 
parameters must be analyzed.
    FRA received comments on the proposed modification to paragraph 
(e)(1) of this section. While the RLO expressed support for making the 
risk metric sensitivity analysis an integral part of the full risk 
assessment, GE sought clarification and a sample regarding the proposed 
amendment to the clause regarding the risk assessment sensitivity 
analysis. GE believes that a literal interpretation of this clause 
would mean that the risk analysis must evaluate the risk sensitivity to 
variations in every individual electronic and mechanical component of 
the system. If so interpreted, GE asserts that the combinatorial 
calculations would present a significant barrier to the safety analysis 
and delay PTC system approval. GE further asserts that safety coverage 
of discrete component failures can be assured through other techniques 
in the overall system design. GE believes that the intent of this rule 
is that ``component'' should mean ``functional subsystem,'' as system 
safety can be completely addressed by performing the sensitivity 
analysis at that level. Accordingly, GE proffers that paragraph (e)(1) 
of this section should be modified to allow the level of detail

[[Page 2609]]

of the risk analysis to be chosen based on the system safety philosophy 
and technology chosen.
    Similar concerns were expressed by HCRQ/CGI, which questioned the 
need for an additional requirement in the rule that would require the 
sensitivity analysis to document the sensitivity to worst case failure 
scenarios. In the alternative, HCRQ/CGI suggested that the final rule 
should require a reasonable justification for all failure rates.
    In response to these comments, FRA would like to clarify that the 
lowest level of system elements constructing the overall system that 
would be subject to risk analysis and the following sensitivity 
analysis are ``components,'' ``modules,'' ``pieces of equipment,'' or 
``subsystems'' that are processor-based in nature, the functionality 
and performance of which are governed by this part. FRA declines, 
however, to provide a sample sensitivity analysis in this rulemaking 
document, as the technique of sensitivity analysis has been well 
covered by a number of system safety engineering studies.
    FRA notes that the term, ``worst case failure scenario'' is a 
subject of general theory of system safety and reliability. Therefore, 
it does not appear to be necessary to provide an interpretation of this 
term. Nonetheless, in response to comments that have been received on 
this issue, FRA would like to add a clarifying statement. A sensitivity 
analysis must be conducted by defining the range of values (i.e., lower 
bound, upper bound, and associated distribution) for key input 
parameters and assessing the impact of variations over those ranges on 
the overall system risk. The worst case analysis must consider 
realistic combinations of the key input parameters as they tend toward 
their worst case values. Justification must be provided for the ranges 
and process used in the design of the sensitivity analysis.
    Another comment from HCRQ/CGI relates to the requirement that ``the 
sensitivity analysis must confirm that the risk metrics of the system 
are not negatively affected by sensitivity analysis input parameters. * 
* *'' HCRQ/CGI requested that the meaning of the phrase ``negatively 
affected'' be specified. FRA agreed to provide such an explanation and 
therefore offered an interpretation of the words ``negatively 
affected'' in paragraph (e)(1).
    The modification to paragraph (e)(2) of this section is intended to 
clarify how the exposure and its consequences, as main components of 
the risk computation formula, must be measured. As stated in paragraph 
(e)(2), the exposure must be measured in train miles per year over the 
relevant railroad infrastructure where a proposed system is to be 
implemented. When determining the consequences of potential accidents, 
the railroad must identify the total costs involved, including those 
relating to fatalities, injuries, property damage, and other 
incidentals. This final rule eliminates the option of using an 
alternative risk metric, which would allow the measurement of 
consequences strictly in terms of fatalities. It is FRA's experience 
that measuring consequences of accidents strictly in term of fatalities 
did not serve as an adequate alternative to metrics of total cost of 
accidents for two main reasons. First, the statistical data on railroad 
accidents shows that accidents involving fatalities also cause injuries 
and significant damage to railroad property and infrastructure for both 
freight and especially passenger operations. Even though the cost of 
human life is often the highest component of monetary estimates of 
accident consequences, the dollar estimates of injuries, property 
losses, and damage to the environment associated with accidents 
involving fatalities cannot and should not be discounted in the risk 
analysis. Second, allowing fatalities to serve as the only risk metrics 
of accident consequences confused the industry and the risk assessment 
analysts attempting to determine the overall risk associated with the 
use of certain types of train control systems. As a result, some risk 
analysts inappropriately converted injuries and property damages for 
observed accidents into relative estimates of fatalities. This method 
cannot be considered acceptable because, while distorting the overall 
picture of accident consequences, it also raises questions on 
appropriateness of conversion coefficients. Therefore, FRA considers it 
appropriate to eliminate from the rule the alternative option for 
consequences to be measured in fatalities only. This approach gained 
the support of the RLO, who in their comments concur with a 
modification of paragraph (e)(2) that is eliminating an option of risk 
consequences to be measured in fatalities only.
Subpart I--Positive Train Control Systems
Section 236.1001 Purpose and Scope
    This section describes both the purpose and the scope of subpart I. 
Subpart I provides performance-based regulations for the development, 
test, installation, and maintenance of PTC systems, and the associated 
personnel training requirements, that are mandated for installation by 
FRA. This subpart details the process and identifies the documents that 
railroads and operators of passenger trains are to utilize and 
incorporate in their PTC implementation plans. This subpart also 
details the process and procedure for obtaining FRA approval of such 
plans.
    A number of railroads indicated concern with a potentially 
significant reprogramming of funds due to the statutorily mandated 
implementation of PTC systems. These railroads claim that the costs 
associated with PTC system implementation will lead to deferred capital 
improvements and maintenance elsewhere in the general railroad system, 
including degraded track, bridge, or drainage conditions, which may 
then lead to accidents. Thus, according to these railroads, the 
mandated PTC implementation, within an extremely aggressive timeframe, 
may lead to an overall reduced level of safety. FRA recognizes that the 
cost of PTC will be substantial. FRA does note that capital 
expenditures can often be financed; and the Railroad Rehabilitation and 
Improvement Financing (RRIF) program is one source of such financing. 
Other potential sources include private financing, public bond 
authority, and state and federal appropriations. It is the 
responsibility of each public and private railroad to determine 
appropriate funding sources to meet its needs.
    Various railroads also urge FRA to not use its discretion to 
require more than the minimum mandated by the RSIA08. These railroads 
note that under FRA's economic analysis, the costs of PTC 
implementation outweigh its benefits by a ratio of 15 to 1. While these 
railroads acknowledge that these costs are mostly unavoidable due to 
the congressional mandate, they believe that there are ways FRA may 
mitigate these and other costs associated with this rule. FRA has 
crafted this final rule to limit the cost of implementation and to 
avoid further PTC development that could require additional funding and 
additional time. Accordingly, in the proposed and final rule, FRA 
indicates a willingness to approve suitable systems employing non-vital 
onboard processing, to recognize wayside signal logic as an appropriate 
means of protecting movements over switches, to recognize systems that 
enforce the upper limit of restricted speed as suitable collision 
avoidance in the case of following trains and joint authorities, to 
avoid any requirements for monitoring of derails off the main line in 
conventional speed territory, to allow for conventional arrangements at 
rail-to-rail crossings at-

[[Page 2610]]

grade where speeds are moderate, and to recognize to the maximum extent 
possible safety case showings made under subpart H prior to the 
effective date of this rule. In addition, FRA has made allowances for 
operation of Class II and III locomotives in PTC territory and 
significant ``main line'' exceptions for passenger routes. Together, 
these actions will save the railroads billions of dollars of initial 
expense, as well as continuing expense in maintenance over the coming 
years.
Section 236.1003 Definitions
    Given that a natural language such as English contains, at any 
given time, a finite number of words, any comprehensive list of 
definitions must either be circular or leave some terms undefined. In 
some cases, it is not possible and indeed not necessary to state a 
definition. Where possible and practicable, FRA prefers to provide 
explicit definitions for terms and concepts rather than rely solely on 
a shared understanding of a term through use.
    Paragraph (a) reinforces the applicability of existing definitions 
of subparts A through H. The definitions of subparts A through H are 
applicable to subpart I, unless otherwise modified by this part.
    Paragraph (b) introduces definitions for a number of terms that 
have specific meanings within the context of subpart I. Paragraph (b) 
has been modified in the final rule by adding a definition for the 
term, ``Notice of Product Intent.''
    In lieu of analyzing each definition here, however, some of the 
delineated terms will be discussed as appropriate while analyzing other 
sections below.
    As a general matter, however, FRA believes it is important to 
explain certain organizational changes required pursuant to the RSIA08. 
The statute establishes the position of a Chief Safety Officer within 
FRA. The Chief Safety Officer has been designated as the Associate 
Administrator for Railroad Safety. Thus, the use of the term Associate 
Administrator in this subpart refers to the Associate Administrator for 
Railroad Safety and Chief Safety Officer, or as otherwise referenced, 
the Associate Administrator for Railroad Safety/Chief Safety Officer.
    The NPRM defined ``host railroad'' to mean ``a railroad that has 
effective operating control over a segment of track.'' This term is 
used in Sec.  236.1005(b) to identify the party responsible for 
installing PTC and in Sec.  236.1007 with respect to attributes of PTC 
systems for high-speed service. The host railroad is also responsible 
for planning and filing requirements (see, e.g., Sec.  236.1009). In 
proposing this definition, FRA sought to capture in a word the essence 
of fundamental responsibility for the rail operation. FRA considered 
terms such as ``track owner'' (used in the Track Safety Standards), but 
found that the alternatives had drawbacks of one kind or another. There 
are places, for instance, where a non-railroad State or local 
government or private corporation owns the underlying fee beneath the 
railroad infrastructure but is not engaged in any way in managing or 
benefitting from the railroad (except in some cases by receiving 
revenue from a lease). There are also situations where multiple 
railroads are dispatched from a common location, either by one of the 
railroads or by a third party. It is increasingly the case that 
commuter service is provided by a public authority through multiple 
contractors who are responsible for discrete portions of service as 
agents of the sponsoring entity (e.g., equipment maintenance, track and 
signal maintenance, train operations, dispatching). In short, it is 
hard to describe, in a common way, who is responsible here; 
nevertheless, in any concrete case, there can be but one entity 
ultimately responsible.
    The Southern California Regional Rail Authority submitted comments 
requesting that FRA provide additional clarification to what 
constitutes ``effective operating control'' as stated in the definition 
of the term ``host railroad.'' Specifically, SCRRA questioned whether 
FRA would consider control of dispatching as ``effective operating 
control'' even if responsibilities for the installation and maintenance 
of wayside devices and infrastructure are under a different party than 
the dispatcher. Although FRA does not find it necessary to change the 
definition contained in the regulation, FRA will offer clarification as 
to the intended meaning. As noted above, very often railroads cooperate 
in dispatching trains that traverse contiguous lines in order to 
maximize tactical planning and efficiency. Whether one railroad might 
dispatch another railroad's territory would not cause the dispatching 
railroad to take on the responsibilities of the host. Similarly, the 
fact that a railroad might contract with another railroad to dispatch 
all or a portion of its lines would not relieve the former railroad of 
responsibilities of the host.
    In the example of SCRRA's Metrolink operations, we would expect 
SCRRA, which defines its route structure and timetable for passenger 
operations, to undertake the duties of the host for the lines for which 
it enjoys effective control in the sense that it has the right to 
determine who operates over the lines and under what conditions. In 
general, those are the lines it owns directly or through public 
authorities that cooperate in the joint powers arrangement. Lines owned 
and operated by BNSF or UP and over which Metrolink trains operate 
would be the responsibility of BNSF and UP, respectively, even if SCRRA 
or its contractor has day-to-day responsibility for dispatching some of 
them.
    GE Transportation expressed concern regarding the definition and 
use of the term Type Approval in Sec.  236.1003 and subsequent 
sections, including Sec.  236.1031. GE Transportation notes that under 
the proposed rule Type Approvals apply only to complete PTC systems, 
although it is generally recognized in the industry that there are five 
core component subsystems in a PTC system configuration: (1) A 
locomotive onboard subsystem; (2) a dispatch center supervisory control 
and data acquisition (SCADA) subsystem; (3) a PTC server (central or 
wayside) if a server is required; (4) wayside interface units; and (5) 
a data communications network connecting the other subsystems. When a 
Type Approval is granted to a PTC system, GE Transportation suggests 
that core subsystems of that PTC system should be granted Component 
Type Approval under certain conditions. According to GE Transportation, 
the granting of such Component Type Approvals will drive simplified 
filings, faster approval, and faster deployment for new system 
configurations using a building block approach. In addition, states GE 
Transportation, it reduces the risks associated with PTC deployment by 
simplifying substitution of components in the event of a problem, the 
market for PTC system components becomes less restrictive, and the next 
logical step is for a supplier to be permitted to introduce a core 
subsystem component for approval. GE Transportation asserts that this 
will encourage market development and further reduce risks for PTC 
deployment and sustained operation.
    FRA understands GE's concern. However, it appears to be based on a 
misunderstanding of FRA's definition of ``Type Approval.'' In 
developing the ``Type Approval'' concept, FRA looked to the Federal 
Aviation Administration (FAA) model of system approval as a basis. 
However, FRA modified the FAA approach to better fit FRA's regulatory 
mandate and resources. FRA considers the ``Type Approval'' to be more 
akin to the FAA concept of an ``Airworthiness Certificate.'' Under FAA 
rules, an airworthiness certificate is only issued

[[Page 2611]]

to a system (and, in the case of the FAA, this system is an aircraft). 
This analogy is made only to make a minor clarification and should not 
necessarily be construed to entirely equate subpart I's Type Approval 
concept with that of FAA's Airworthiness Certificate concept.
    FRA has also considered GE's position that an FRA failure to issue 
component level approvals could restrict the development of new 
products. FRA notes that the current industry practice is based on 
vendor or supplier determination that there will be a market for a 
particular product. This determination may be based on a specific 
request from a customer, or on the vendor's or supplier's perception 
that there is a need for the product. While this process may consider 
the regulatory requirements that may be applicable to a component, it 
has not required FRA to issue an ``approval'' for any particular 
component. Given the number of new products that have been brought to 
market, FRA believes that this development model has worked very 
successfully. Further, the requirements of the RSIA08 require FRA to 
certify that the PTC system, not the PTC system components, meets the 
regulatory requirements. The ``Type Approval'' does not in any way 
certify a PTC system as required by statute; it only indicates to the 
system developer/integrator that FRA believes that the proposed system, 
if properly implemented, may meet the statutory requirements. FRA 
therefore declines, at this time, to issue component level ``type 
approvals''.
    The AAR believes that the definition of ``safe state'' includes 
conditions not necessarily applicable. According to AAR, this term may 
be utilized to describe the operation of a system in non-failure 
scenarios and, in fact, is arguably used in this fashion even within 
the NPRM preamble (see, e.g., 74 FR 35,966 (July 21, 2009) (``If a 
switch is misaligned, the PTC system shall provide an acceptable safe 
state of train operations.'')). Accordingly, the AAR asserts that the 
definition of ``safe state'' should be modified to strike the clause 
``when the system fails.''
    Some other commenters expressed the opinion that in the current 
definition of ``safe state,'' the clause ``cannot cause harm'' lacks 
specificity. FRA agrees to modify the definition of ``safe state'' by 
replacing the clause ``system configuration that cannot cause harm when 
the system fails'' with the clause ``system state that, when the system 
fails, cannot cause death, injury, occupational illness, or damage to 
or loss of property, or damage to the environment.'' This definition 
corresponds to that of the safe state definition in the U.S. Department 
of Defense Military Standard (MIL-STD) 882C. FRA, however, disagrees 
with AAR that the term ``safe state'' should be also applicable for the 
description of system state in non-failed conditions. The definition of 
the term ``safe state'' should not be confused with the term ``safe 
operation'' or ``operating safely.'' The term ``safe state'' was added 
in Sec.  236.1003 strictly for the purpose of defining a ``protective'' 
state (safe state) of the system, which the system must take when it 
fails. At the same time, FRA admits erroneous use of the term ``safe 
state'' in the section quoted by AAR (74 FR 35,966) and amends it to 
read: ``If a switch is misaligned, the PTC system shall provide an 
acceptable level of safety of train operations.''
Section 236.1005 Requirements for Positive Train Control Systems
    The RSIA08 specifically requires that each PTC system be designed 
to prevent train-to-train collisions, overspeed derailments, incursions 
into established work zone limits, and the movement of a train through 
a switch left in the wrong position. Section 236.1005 includes the 
minimum statutory requirements and provides amplifying information 
defining the necessary PTC functions and the situations under which PTC 
systems must be installed. Each PTC system must be reliable and perform 
the functions specified in the RSIA08.
    Train-to-train collisions. Paragraph (a)(1)(i) applies the 
statutory requirement that a mandatory PTC system must be designed to 
prevent train-to-train collisions. FRA understands this to mean head-
to-head, rear-end, and side and raking collisions between trains on the 
same, converging, or intersecting tracks. Currently available PTC 
technology can meet these needs by providing current and continuous 
guidance to the locomotive engineer and enforcement using predictive 
braking to stop short of known targets. FRA notes that the technology 
associated with currently available PTC systems may not completely 
eliminate all collisions risks. For instance, a PTC system mandated by 
this subpart is not required to prevent a collision caused by a train 
that derails and moves onto a neighboring or adjacent track (known in 
common parlance as a ``secondary collision'').
    During discussions regarding available PTC technology, it has been 
noted that this technology also has inherent limitations with respect 
to prevention of certain collisions that might occur at restricted 
speed. In signaled territory, there are circumstances under which 
trains may pass red signals, other than absolute signals without verbal 
authority, either at restricted speed or after stopping and then 
proceeding at restricted speed. To avoid rear end collisions, available 
PTC technology does not always track the rear-end of each train, but 
instead relies on the signal system to indicate the appropriate action. 
In this example, the PTC system would display ``restricted speed'' to 
the locomotive engineer as the action required and would enforce the 
upper limit of restricted speed (i.e., 15 or 20 miles per hour, 
depending on the railroad). This means that more serious rear end 
collisions will be prevented, because the upper limit of restricted 
speed is enforced. This also means that fewer low speed rear-end 
collisions will occur because a continuous reminder of the required 
action will be displayed to the locomotive engineer (rather than the 
engineer relying on the aspect displayed by the last signal, which may 
have been passed some time ago). However, some potential for a low 
speed rear-end collision will remain in these cases, and the rule is 
clear that this limitation has been accepted. Similar exposure may 
occur in non-signaled territory where trains are conducting switching 
operations or other activities under joint authorities. The PTC system 
can enforce the limits of the authority and the upper limit of 
restricted speed, but it cannot guarantee that the trains sharing the 
authority will not collide. Again, however, the likelihood and average 
severity of any potential collisions would be greatly reduced 
considering such movements would be made under restricted speed. FRA 
may address this issue in a later modification to subpart I if 
necessary as technology becomes available.
    FRA received comments on this discussion of the inherent 
limitations of available PTC technology with respect to the prevention 
of certain collisions that may occur at restricted speed from NYSMTA. 
NYSMTA sought clarification that PTC is not intended to enforce 
conformance of block entry speeds associated with wayside signal 
aspects or similar cab signal aspects provided without speed control, 
except when a train is operating under a wayside signal or cab signal 
aspect requiring a speed not to exceed restricted speed. FRA noted in 
the NPRM, and repeats here, that FRA recognizes that some PTC 
architectures will not directly enforce speed restrictions imposed by 
all intermediate signals. FRA does expect that the

[[Page 2612]]

PTCDP will be clear on how the system accomplishes train separation and 
regulation of speeds over turnouts.
    The final rule text, however, does provide an example of a 
potential train-to-train collision that a PTC system should be designed 
to prevent. Rail-to-rail crossings-at-grade--otherwise known as diamond 
crossings--present a risk of side collisions. FRA recognizes that such 
intersecting lines may or may not require PTC system implementation and 
operation. Since a train operating with an unregulated PTC system 
cannot necessarily recognize a train not operating with a PTC system or 
moving on an intersecting track without a PTC system, the PTC system--
no matter how intelligent--may not be able to prevent a train-to-train 
collision in such circumstances.
    Accordingly, paragraph (a)(1)(i) requires certain protections for 
such rail-to-rail crossings-at-grade. While these locations are 
specifically referenced in paragraph (a)(1)(i), their inclusion is 
merely illustrative and does not necessarily preclude any other type of 
potential train-to-train collision. Moreover, a host railroad may have 
alternative arrangements to the specific protections referenced in the 
associated table under paragraph (a)(1)(i), which it must submit in its 
PTCSP--discussed in detail below--and receive a PTC System 
Certification associated with that PTCSP.
    Rail-to-rail crossings-at-grade that have one or more PTC routes 
intersecting with one or more routes without a PTC system must have an 
interlocking signal arrangement in place developed in accordance with 
subparts A through G of part 236 and a PTC enforced stop on all PTC 
routes. FRA has also determined that the level of risk varies based 
upon the speeds at which the trains operate through such crossings, as 
well as the presence, or lack, of PTC equipped lines leading into the 
crossing. Accordingly, under a compromise accepted by the PTC Working 
Group, if the maximum speed on at least one of the intersecting tracks 
is more than 40 miles per hour, then the routes without a PTC system 
must also have either some type of positive stop enforcement or a 
split-point derail on each approach to the crossing and incorporated 
into the signal system, and a permanent maximum speed limit of 20 miles 
per hour. FRA expects that these protections be instituted as far in 
advance of the crossing as is necessary to stop the encroaching train 
from entering the crossing. The 40 miles per hour threshold appears to 
be appropriate given three factors. First, the frequency of collisions 
at these rail intersections is low, because typically one of the routes 
is favored on a regular basis and train crews expect delays until 
signals clear for their movement. Second, the special track structure 
used at these intersections, known as crossing diamonds, experiences 
heavy wear; and railroads tend to limit speeds over these locations to 
no more than 40 miles per hour. Finally, FRA recognizes that for a 
train on either intersecting route, elevated speed will translate into 
higher kinetic energy available to do damage in a collision-induced 
derailment. Thus, for the small number of rail crossings with one or 
more routes having an authorized train speed above 40 miles per hour, 
including higher speed passenger routes, it is particularly important 
that any collision be prevented. FRA believes that these more 
aggressive measures are required to ensure train safety in the event 
the engineer does not stop a train before reaching the crossing when 
the engineer does not have a cleared route displayed by the 
interlocking signal system and higher speed operations are possible on 
the route intersected. The split-point derail would prevent a collision 
in such a case by derailing the offending train onto the ground before 
it reaches the crossing. Should the train encounter a split-point 
derail as a result of the crew's failure to observe the signal 
indication, the slower speed at which the unequipped train is required 
to travel would minimize the damage to the unequipped train and the 
potential affect on the surrounding area.
    As an alternative to split-point derails, the non-PTC line may be 
outfitted with some other mechanism that ensures a positive stop of the 
unequipped crossing train. If a PTC system or systems are installed and 
operated on all crossing lines, there are no speed restrictions other 
than those that might be enforced as part of a civil or temporary speed 
restriction. However, the crossing must be interlocked and the PTC 
system or systems must ensure that each of the crossing trains can be 
brought safely to a stop before reaching the crossing in the event that 
another train is already cleared through or occupying the crossing.
    The Rail Labor Organizations shares FRA's concerns regarding 
diamond crossings, supporting the requirements for interlocking signal 
arrangements, a PTC enforced stop on PTC routes, and installation of 
split-point derails with a 20 miles per hour maximum authorized speed 
on the approach of any intersecting non-PTC route. However, the RLO 
believe that split-point derails should be required regardless of the 
PTC route's maximum speed in order to protect the PTC route against a 
non-equipped train passing through a stop indication and equipment 
inadvertently rolling out (i.e., a roll away) from the non-PTC route.
    AAR and CSXT challenge the imposition of split-point derails. CSXT 
believes that the proposed rule merely shifts the safety risks 
associated with Class II and III railroads, but does not eliminate them 
altogether. For instance, CSXT points out that unlike a PTC-compliant 
system, the split-point derail would not avoid derailment altogether; 
rather, it would simply cause the non-PTC Class II or III train to 
derail away from the crossing. According to CSXT, the most 
comprehensive safety regime that would avoid both collisions and 
derailments would be to require Class II and Class III railroads 
operating on PTC routes also to be PTC equipped.
    One commenter objected to the costs of derails being borne by PTC 
equipped Class I railroads. The NPRM did not purport to address who 
would pay this cost, but merely recited in a brief reference that the 
assumption had been made in the Regulatory Flexibility Analysis that 
the railroad installing PTC would bear the cost. FRA does not stipulate 
who is responsible for the cost of split-point derails at rail-to-rail 
crossings at-grade, as the cost will be borne in conformance with any 
agreements between the railroads or prior rights arising out of 
previous transactions under which property was acquired. FRA would have 
appreciated some indication of how those costs are likely to fall, but 
no information was provided on this point.
    The commenter also proposes exploration of lower-cost alternatives 
in lieu of split-point derails. FRA agrees that less expensive 
alternatives to split-point derails at rail-to-rail crossings at-grade 
can and should be proposed in a railroad's PTCIP or PTCDP. As FRA 
stated in the preamble discussion of paragraph (a)(1)(i) in the 
proposed rule, ``the non-PTC line may be outfitted with some other 
mechanism that ensures a positive stop of the unequipped * * * train.'' 
(74 FR 35,950, 35,960). FRA expects, however, that any alternative to 
the split-point derail will provide the same level of separation as 
that afforded by the installation of the split-point derail.
    CSXT submitted comments stating that the installation of split-
point derails would create a new danger, including a secondary 
collision. However, FRA believes that these aggressive measures at 
locations where train speeds exceed 40 miles per hour through rail-to-
rail crossings at-grade, where not all routes

[[Page 2613]]

have been equipped with a PTC system or positive stop enforcement, are 
necessary in order to ensure train safety. FRA fully agrees that full 
PTC technology that provides positive stop enforcement from all 
directions is a more desirable method of protecting such locations. 
However, where such technology has not been installed, the prescribed 
use of split-point derails in approach to the crossing-at-grade is 
deemed necessary in the event the engineer of a train operating on a 
line without positive stop enforcement does not have a cleared route 
and fails to stop the train prior to reaching the crossing. The split-
point derail, in combination with the required speed limitation of 20 
miles per hour or less, would prevent a collision by derailing the 
offending train onto the ground before it reached the crossing. Should 
such a train encounter a split-point derail in its derailing position 
as a result of the crew's failure to observe or adhere to the signal 
indication, the slower speed at which an unequipped train is required 
to travel would minimize damage to the unequipped train and the 
potential effect on the surrounding area.
    FRA has also considered the comments of the RLO that more secure 
arrangements should be provided at each rail-to-rail crossing-at-grade, 
regardless of speed. FRA believes that where the PTC-equipped and non-
PTC-equipped lines of the Class I railroads intersect, the railroads 
will generally utilize the available PTC technology to ensure a 
positive stop short of the crossing for any train required to stop 
short of the interlocking. The WIU at the location and available 
onboard capability supported by a radio data link should make this an 
obvious solution. FRA will scrutinize Class I PTCDPs to ensure that 
this is the case. FRA remains concerned that more aggressive solutions 
for intersections with Class II and III lines could impose substantial 
costs without returning significant benefits.
    Overspeed derailments. Paragraph (a)(1)(ii) requires that PTC 
systems mandated under subpart I be designed to prevent overspeed 
derailments and addresses specialized requirements for doing so. FRA 
notes that a number of passenger train accidents with a significant 
number of injuries have been caused by trains exceeding the maximum 
allowable speed at turnouts and crossovers and upon entering stations. 
Accordingly, FRA emphasizes the importance of enforcement of turnout 
and crossover speed restrictions, as well as civil speed restrictions.
    For instance, in the Chicago region, two serious train accidents 
occurred on the same Metra commuter line when locomotive engineers 
operated trains at more than 60 miles per hour while traversing between 
tracks using crossovers, which were designed to be safely traversed at 
10 miles per hour. For illustrative purposes, the rule text makes clear 
that such derailments may be related to railroad civil engineering 
speed restrictions, slow orders, and excessive speeds over switches and 
through turnouts and that these types of speed restrictions are to be 
enforced by the system.
    The UTA and APTA each submitted the same basic comment pertaining 
to paragraph (a)(1)(ii), with which SCRRA concurred. They contend that 
speed restrictions are often set at a speed that is far below a speed 
that would cause a derailment. Therefore, they request that a PTC 
system should allow or display a speed higher than the actual speed 
restriction, but well short of a speed that may cause a derailment.
    The RLO submitted a comment that, while the language ``prevent 
overspeed derailments'' accurately reflects the language found in the 
RSIA08, this paragraph misses the congressional intent of the statute 
and appears to be unenforceable unless a derailment occurs in 
conjunction with a PTC system that fails to enforce an overspeed event. 
The RLO believe that FRA should amend this paragraph to establish that 
it will be a violation of this section if the PTC system fails to 
enforce an overspeed condition that is not corrected by the locomotive 
engineer regardless of whether or not such overspeed results in a 
derailment. Since most overspeed occurrences do not result in a 
derailment, the RLO asserts that waiting for a derailment to happen 
before declaring that the PTC system is not operating as intended is 
contrary to the purpose of the law.
    FRA intends and believes that the PTC core feature concerning 
``overspeed derailments'' is such that the system shall enforce various 
speed restrictions (i.e., civil speed restrictions, temporary slow 
orders, excessive speeds over switches and through turnouts and 
crossovers, etc.) regardless of whether a derailment actually occurs. 
However, FRA elects to leave the rule text of paragraph (a)(1)(ii) as 
it was written in the proposed rule. FRA is aware of various train 
control systems that have a tolerance of 3 miles per hour before the 
system displays a warning to the train operator and that apply a 
penalty brake application when the train reaches a speed 5 miles per 
hour above the posted speed restriction. Appropriate speed margins or 
leeways associated with maximum authorized speed are expected, but they 
must be presented, justified, and approved within the context of a 
railroad's PTCDP and PTCSP.
    Roadway work zones. Paragraph (a)(1)(iii) requires that PTC systems 
mandated under subpart I be designed to prevent incursions into 
established work zone limits. Work zone limits are defined by time and 
space. The length of time a work zone limit is applicable is determined 
by human elements. Working limits are obtained by contacting the train 
dispatcher, who will confirm an authority only after it has been 
transmitted to the PTC system's server. Paragraph (a)(1)(iii) 
emphasizes the importance of each PTC system to provide positive 
protection for roadway workers working within the limits of their work 
zone. Accordingly, once a work zone limit has been established, the PTC 
system must be notified. The PTC system must continue to obey that 
limit until it is notified by the dispatcher or roadway worker in 
charge, with verification from the other, either that the limit has 
been released and the train is authorized to enter or the roadway 
worker in charge has authorized movement of the train through the work 
zone.
    As a way to achieve this technological functionality, FRA's Office 
of Railroad Development has funded the development of a Roadway Worker 
Employee in Charge (EIC) Portable Terminal that allows the EIC to 
control the entry of trains into the work zone. While no rule includes 
the commonly used term EIC, FRA recognizes that it is the equivalent to 
the term ``Roadway Worker In Charge'' as used in part 214. With the 
portable terminal, the EIC can directly control the entry of trains 
into the work zone and restrict the speed of the train through the work 
zone. If the EIC does not grant authority for the train to enter the 
work zone, the train is forced to a stop by the PTC system prior to 
violating the work zone authority limits. If the EIC authorizes entry 
of the train into the work zone, the EIC may establish a maximum 
operating speed for the train consistent with the safety of the roadway 
work employees. This speed is then enforced on the train authorized to 
enter and pass through the work zone. The technology is significantly 
less complex than the technology associated with dispatching systems 
and the PTC onboard system. In view of this, FRA strongly encourages 
deployment of such portable terminals as opposed to current methods 
that only require the locomotive engineer to, in some manner, 
``acknowledge'' his or her

[[Page 2614]]

authority to operate into or through the limits of the work zone (e.g., 
by pressing a soft key on the onboard display, even if in error).
    Pending the adoption of more secure technology, such as the EIC 
Portable Terminal, FRA will scrutinize each submitted PTCDP and PTCSP 
to determine whether they leave any opportunity for single point human 
failure in the enforcement of work zone limits. FRA again notes that 
some methods in the past have allowed the locomotive engineer to simply 
acknowledge a work zone warning, even if inappropriately, after which 
the train could proceed into the work zone. FRA expects that more 
secure procedures will be included in safety plans submitted under 
subpart I.
    The RLO submitted a comment that, in order for a PTC system to 
effectively perform the core function of protecting roadway workers 
operating within the limits of their authority, the PTC system must be 
designed in a manner that prevents override of an enforced stop prior 
to entering an established work zone through simple acknowledgement of 
the existence of work zone limits by a member of the train crew (i.e., 
by pressing a soft key on the onboard display, even if in error). The 
RLO expressed support for FRA's intention to closely scrutinize each 
PTCSP to determine whether they leave any opportunity for a single 
point human failure in the enforcement of work limits. The RLO strongly 
encouraged FRA to withhold approval of any PTC system that does not 
enforce a positive stop at the entrance to established work zones until 
notified directly by the dispatcher or the roadway worker in charge, 
with verification from the other, that the movement into the work zone 
has been authorized by the roadway worker in charge.
    FRA agrees with the concern expressed by the RLO on this issue. 
However, in the spirit of staying strictly within the mandate of the 
RSIA08 relating to required PTC functionality, FRA will require that 
the actual method of enforcement and acknowledgement associated with 
work zones be presented within the PTCDP and PTCSP and subject to FRA 
approval. FRA continues to strongly encourage use of EIC portable 
terminals with electronic handshake of acknowledgement and 
authorizations to enter work zones.
    Movement over main line switches. Paragraph (a)(1)(iv) requires 
that PTC systems mandated under subpart I be designed to prevent the 
movement of a train through a main line switch in the improper 
position. Given the complicated nature of switches--especially when 
operating in concert with wayside, cab, or other similar signal 
systems--the final rule provides more specific requirements in 
paragraph (e) as discussed further below.
    In numerous paragraphs, the final rule requires various operating 
requirements based primarily on signal indications. Generally, these 
indications are communicated to the engineer, who would then be 
expected to operate the train in accordance with the indications and 
authorities provided. However, a technology that receives the same 
information does not necessarily have the wherewithal to respond unless 
it is programmed to do so. Thus, paragraph (a)(2) requires PTC systems 
implemented under subpart I to obey and enforce all such indications 
and authorities provided by these safety-critical underlying systems. 
The integration of the delivery of the indication or authority with the 
PTC system's response to those communications must be described and 
justified in the PTCDP--further described below--and the PTCSP, as 
applicable, and then must comply with those descriptions and 
justifications. Again, FRA recognizes that in the case of intermediate 
signals, this may not involve direct enforcement of the signal 
indication.
    APTA submitted a comment that the draft language of paragraph 
(a)(2) appears to disallow systems such as moving block overlays that 
may provide superior service. Since APTA does not believe this was the 
intent of the provision, APTA suggests that FRA clarify the language in 
this paragraph.
    Paragraph (a)(2) is clear that the specified functions must be 
performed ``except as justified'' in the PTCDP or PTCSP. Here, FRA 
specifically intends to afford a means by which advanced systems 
permitting moving block operations could be qualified, either as stand-
alone systems or as overlays integrated with the existing signal and 
train control arrangements.
    The PTC Working Group had extensive discussions concerning the 
monitoring of main line switches and came to the following general 
conclusions:
    First, signal systems do a good job of monitoring switch position, 
and enforcement of restrictions imposed in accordance with the signal 
system is the best approach within signaled territory (main track and 
controlled sidings). As a general rule, the enforcement required for 
crossovers, junctions, and entry into and departure from controlled 
sidings will be a positive stop, and the enforcement provided for other 
switches (providing access to industry tracks and non-signaled sidings 
and auxiliary tracks) will be display and enforcement of the upper 
limit of restricted speed. National Transportation Safety Board 
representatives were asked to evaluate whether this strategy meets the 
needs of safety from their perspective. The NTSB returned with a list 
of accidents caused by misaligned switches that it had investigated in 
recent years, none of which was in signaled territory. Based on that 
data, the NTSB staff decided that it was not necessary to monitor 
individual switches in signaled territory.
    In a filing to this proceeding, the NTSB indicated that switch 
monitoring in both dark and signaled territories must demonstrate that 
a train will be stopped before crossing through a misaligned switch. 
Although the NTSB recognizes that signal systems currently provide 
information about switch positions, it asserts that FRA must ensure 
that any PTC system that uses the signal system to monitor switch 
positions will provide adequate safeguards to prevent trains from being 
routed through misaligned switches. Accordingly, the NTSB agreed with 
FRA's decision to protect switches within sidings with speed limits 
greater than 20 miles per hour to prevent switch misalignment 
accidents.
    Second, switch monitoring functions of contemporary PTC systems 
provide an excellent approach to addressing this requirement in dark 
territory. However, it is important to ensure that switch position is 
determined with the same degree of integrity that one would expect 
within a signaling system (e.g., fail-safe point detection, proper 
verification of adjustment). The PTC Working Group puzzled over sidings 
in dark territory and how to handle the requirement for switch 
monitoring in connection with those situations. (While these are not 
``controlled'' sidings, as such, they will often be mapped so that 
train movements into and out of the sidings are appropriately 
constrained.) At the final PTC Working Group meeting, a proposal was 
accepted that would treat a siding as part of the main line track 
structure requiring monitoring of each switch off of the siding if the 
siding is non-signaled and the authorized train speed within the siding 
exceeds 20 miles per hour. This issue is more fully discussed below.
    Other functions. While FRA has included the core PTC system 
requirements in Sec.  236.1005, there is the possibility that other 
functions may be explicitly or implicitly required elsewhere in subpart 
I. Accordingly, under paragraph (a)(3), each PTC system required by 
subpart I must also perform

[[Page 2615]]

any other functions specified in subpart I. According to 49 U.S.C. 
20157(g), FRA must prescribe regulations specifying in appropriate 
technical detail the essential functionalities of positive train 
control systems and the means by which those systems will be qualified.
    In addition to the general performance standards required under 
paragraphs (a)(1)-(3), paragraph (a)(4) contains more detailed 
standards relating to the situations paragraphs (a)(1)-(3) intend to 
prevent. Paragraph (a)(4) defines specific situations where FRA has 
determined that specific warning and enforcement measures are necessary 
to provide for the safety of train operations, their crews, and the 
public and to accomplish the goals of the PTC system's essential core 
functions. Under paragraph (a)(4)(i), FRA intends to prevent unintended 
movements onto PTC main lines and possible collisions at switches by 
ensuring proper integration and enforcement of the PTC system as it 
relates to derails and switches protecting access to the main line.
    Paragraph (a)(4)(ii) intends to account for operating restrictions 
associated with a highway-rail grade crossing active warning system 
that is in a reduced or non-operative state and unable to provide the 
required warning for the motoring public. In this situation, the PTC 
system must provide positive protection and enforcement related to the 
operational restrictions of alternative warning that are issued to the 
crew of any train operating over such crossing in accordance with part 
234. Paragraph (a)(4)(iii) concerns the movement of a PTC operated 
train in conjunction with the issuance of an after arrival mandatory 
directive. While FRA recognizes that the use of after arrival mandatory 
directives poses a risk that the train crew will misidentify one or 
more trains and proceed prematurely, PTC provides a means to intervene 
should that occur. Further, such directives may sometimes be considered 
operationally useful. Accordingly, FRA fully expects that the PTC 
system will prevent collisions between the receiving trains and the 
approaching train or trains.
    Numerous comments were received related to PTC system functional 
requirements associated with highway-rail grade crossing active warning 
systems. At the public hearing, the RLO asserted that the use of 
technologies providing warning system pre-starts, activation 
verification, and various health monitoring information related to the 
warning system to approaching trains needs to be a required component 
of the PTC system warning and enforcement functionalities where 
warranted. AASHTO submitted comments expressing agreement that 
inclusion of hazard warning detection in PTC systems for highway-rail 
grade crossing warning systems is a significant enhancement to mitigate 
potential risk. AASHTO also underlined its position of enhancing grade 
crossing safety further by implementation of a program to fully 
eliminate at-grade highway-rail crossings through consolidation and 
grade separation wherever possible.
    Some commenters expressed various logistic concerns with the 
proposed rule language relating to operational restrictions issued in 
response to a warning system malfunction as required by Sec. Sec.  
234.105, 236.106, and 236.107 of this part. Other commenters asserted 
that any PTC system functional requirements related to highway-rail 
grade crossing warning systems fall entirely outside the scope of the 
statutory mandate contained within the RSIA08 and therefore should not 
be addressed in this rulemaking.
    The AAR stated that, while they understand the safety concern, this 
function is not even remotely related to the ``core'' PTC functions 
mandated by Congress. Furthermore, the AAR asserts that the great cost 
of installing wayside interface units at grade crossings on PTC routes 
would be prohibitively expensive and would divert resources that would 
otherwise be devoted to meeting the mandated PTC deadline.
    NJ Transit stated that the RSIA08 does not indicate a requirement 
for highway-rail grade crossing inclusion in the PTC system speed and 
stop enforcement. Thus, the requirement contained in paragraph 
(a)(4)(ii) to include warning and enforcement functionality simply adds 
an additional effort to an already extremely aggressive December 31, 
2015, mandate for PTC.
    APTA and SCRRA stated that the requirements contained in proposed 
paragraph (a)(4)(ii) were unclear. APTA and SCRRA recommended that FRA 
should clarify that the language in paragraph (a)(4)(ii) is intended 
solely to provide that a dispatcher can place a restriction on a 
crossing that the PTC system must enforce in the event that a 
malfunction is reported. However, according to APTA, paragraph 
(a)(4)(ii) should not be read to require a PTC system to protect a 
grade crossing and restrict or prevent a movement authority of a train 
from being advanced across the crossing in the event of a failure being 
detected in real time; nor should paragraph (a)(4)(ii) be interpreted 
to require a grade crossing warning system to self-monitor and, if in a 
degraded condition, impose a speed restriction or stop for an 
approaching train.
    NYSMTA states that the addition of highway-rail grade crossings to 
this subpart falls outside the statutory mandate for PTC systems within 
the RSIA08. This additional functionality presents an additional burden 
for LIRR and Metro-North. Both railroads have hundreds of grade 
crossings in their rail networks. NYSMTA further asserted that the 
language in paragraph (a)(4)(ii) was ambiguous with respect to whether 
``warning or enforcement'' of reported grade crossing failures would be 
required, and what constitutes a ``warning.'' Required enforcement will 
increase the capital cost of PTC, have an adverse impact on operations, 
risk modifications to ACSES that could trigger verification and 
validation, and create a further impediment to meeting the other 
requirements of the proposed FRA regulations. NYSMTA therefore 
recommended that the final rule be limited at this time to the four 
requirements of the RSIA08.
    FRA believes that, although the RSIA08 does not specifically 
require PTC systems to cover highway-rail grade crossing warning system 
malfunctions and associated operational requirements, it does stipulate 
that FRA must develop rules and standards for PTC system functionality, 
which include the four core features identified. In light of the 
safety-critical nature of the specified operational limitations for 
providing alternative warning to highway users pursuant to Sec. Sec.  
234.105, 236.106, and 236.107, and the catastrophic consequences that 
have often been experienced when those operational limitations have not 
been accomplished (including actual and potential impacts with motor 
vehicles involving serious injury and loss of life) and the fact that 
these operational limitations equate to speed and stop targets that PTC 
systems may surely warn and enforce, FRA intends to carry the language 
contained within the proposed paragraph into this final rule. Although 
FRA believes that the proposed rule was clear that its purpose was to 
enforce dispatcher-issued ``stop-and-flag'' orders and slow orders 
associated with credible reports of highway-rail grade crossing warning 
device malfunctions, reference has been added to ``mandatory 
directives,'' a term with a well-established meaning in FRA regulatory 
parlance (see 49 CFR part 220).
    While FRA recognizes that technologies exist to provide even 
further interface with warning system activation and health, and 
encourages railroads to include these technologies

[[Page 2616]]

to the extent possible, FRA elects to not require those interfaces 
beyond that which has been already identified within this paragraph.
    The NTSB submitted comments recommending that requirements for 
warning and barrier protection plans for Class 7 track should also 
apply to Class 5 and 6 tracks as part of an approved PTCSP in order to 
reduce the risk of high-speed catastrophic derailments at associated 
grade crossings. FRA notes that the requirements contained within Sec.  
213.347 of this part require that a warning/barrier plan be approved 
and adhered to for Class 7 track operations and prohibit grade 
crossings on Class 8 and 9 track. Those requirements do not, however, 
address Class 5 and 6 tracks specifically. Therefore, FRA believes that 
this comment falls outside the scope of the present rulemaking. As 
noted elsewhere in this preamble, FRA has developed Guidelines for 
Highway-Rail Grade Crossing Safety on high-speed rail lines that 
endeavor to improve engineering with a strong emphasis on closures. 
Those Guidelines will be used to review and negotiate grants under 
ARRA.
    FRA recognizes that movable bridges, including draw bridges, 
present an operational issue for PTC systems. Under subpart C, Sec.  
236.312 already governs the interlocking of signal appliances with 
movable bridge devices and FRA believes that this section should 
equally apply to PTC systems governing movement over such bridges. 
While subparts A through H apply to PTC systems--as stated in Sec.  
236.1001--paragraph (a)(4)(iv) proposes to make this abundantly clear. 
Accordingly, in paragraph (a)(4)(iv) and consistent with Sec.  236.312, 
movable bridges within a PTC route are to be equipped with an 
interlocked signal arrangement which is also to be integrated into the 
PTC system. A train shall be forced to stop prior to the bridge in the 
event that the bridge locking mechanism is not locked, the locking 
device is out of position, or the bridge rails of the movable span are 
out of position vertically or horizontally from the rails of the fixed 
span. Effective locking of the bridge is necessary to assure that the 
bridge is properly seated and thereby capable to support both the 
weight of the bridge and that of a passing train(s) and preventing 
possible derailment or other potential unsafe conditions. Proper track 
rail alignment is also necessary to prevent derailments, either of 
which again could result in damage to the bridge or a train derailing 
off the bridge. No comments were received on this issue, and the 
provision is carried forward in the final rule.
    Paragraph (a)(4)(v) requires that hazard detectors integrated into 
the PTC system--as required by paragraph (c) of this section or the FRA 
approved PTCSP--must provide an appropriate warning and associated 
applicable enforcement through the PTC system. There are many types of 
hazard detection systems and devices. Each type has varying operational 
requirements, limitations, and warnings based on the types and levels 
of hazard indications and severities. FRA expects this enforcement to 
include a positive stop where necessary to protect the train (e.g., 
areas with high water, flood, rock slide, or track structure flaws) or 
to provide an appropriate warning with possible movement restriction 
being acknowledged (i.e., hot journal or flat wheel detection). The 
details of these warnings and associated required enforcements are to 
be specifically addressed within a PTCDP and PTCSP subject to FRA 
approval, and the PTC system functions are to be maintained in 
accordance with the system specifications. FRA does not expect that all 
hazard detectors be integrated into the PTC systems, but where they 
are, they must interact properly with the PTC system to protect the 
train from the hazard that the detector is monitoring. With the 
exception of the RLO's strong emphasis on safety in PTC system 
deployment, no comments were received on this issue; and the provision 
is carried forward in the final rule.
    Paragraph (a)(5) addresses the issue of broken rails, which is the 
leading cause of train derailments. FRA proposes to strictly limit the 
speed of passenger and freight operations in those areas where broken 
rail detection is not provided. Under Sec.  236.0(c), as amended in 
this final rule, 24 months after the publication of this final rule, 
freight trains operating at or above 50 miles per hour, and passenger 
trains operating at or above 60 miles per hour, are required to have a 
block signal system unless a PTC system meeting the requirements of 
this part is installed. Since current technology for block signal 
systems relies on track circuits--which also provide for broken rail 
detection--this final rule requires limiting speeds where broken rail 
detection is not available to the maximums allowed under amended Sec.  
236.0 when a block signal system is not installed. No comments were 
received on this issue, and the provision is carried forward in the 
final rule.
    Deployment requirements. Paragraph (a) of 49 U.S.C. 20157, as 
enacted by the RSIA08, reads as follows:

    ``(a) IN GENERAL.--
    ``(1) PLAN REQUIRED.--Not later than 18 months after the date of 
enactment of the Rail Safety Improvement Act of 2008, each Class I 
railroad carrier and each entity providing regularly scheduled 
intercity or commuter rail passenger transportation shall develop 
and submit to the Secretary of Transportation a plan for 
implementing a positive train control system by December 31, 2015, 
governing operations on--
    ``(A) its main line over which intercity rail passenger 
transportation or commuter rail passenger transportation, as defined 
in section 24102, is regularly provided;
    ``(B) its main line over which poison- or toxic-by-inhalation 
hazardous materials, as defined in parts 171.8, 173.115, and 173.132 
of title 49, Code of Federal Regulations,
    are transported; and
    ``(C) such other tracks as the Secretary may prescribe by 
regulation or order.
    ``(2) IMPLEMENTATION.--The plan shall describe how it will 
provide for interoperability of the system with movements of trains 
of other railroad carriers over its lines and shall, to the extent 
practical, implement the system in a manner that addresses areas of 
greater risk before areas of lesser risk. The railroad carrier shall 
implement a positive train control system in accordance with the 
plan.''

    It is plain on the face of the statute that certain actions are 
required and some are discretionary and that these actions must come 
together progressively over a period beginning on April 16, 2010 (18 
months after enactment) and ending on December 31, 2015. FRA has 
included revisions in this final rule designed to fully express this 
intent.
    In paragraph (b) of Sec.  236.1005 in the NPRM, FRA proposed to use 
2008 traffic levels as a baseline to fix the network that would receive 
PTC, subject to any subsequently requested and approved amendments to 
the PTCIP that would justify removal of the line, and subject to the 
addition of lines that might qualify under the statutory mandate based 
on later data. In addition to FRA's understanding of the rail lines 
Congress intended to cover, FRA had several other fundamental reasons 
for doing so. First, in order to reach completion by December 31, 2015, 
as required by law, the railroads and FRA need to identify the relevant 
route structure very early in the short implementation period and the 
railroads need to stage the financing and logistics to reach 
completion. Otherwise, the statutory deadline will not be met. Second, 
2009 traffic levels will be notably atypical as a result of the 
recession, which has caused overall traffic levels to fall by as much 
as 20%. Third, the burden of installing PTC, which the statute applies 
obligatorily to very large railroads but not to others, may create an 
incentive to further ``spin off'' certain lines to avoid installing PTC

[[Page 2617]]

on lines Congress intended to cover. Finally, FRA was concerned about 
responsive and anticipatory actions being taken by some railroads in 
the face of emerging regulatory influences. Accordingly, FRA sought in 
the NPRM to take a snapshot of the Class I system at the time the 
Congress directed the implementation of PTC and then, using its 
discretionary authority under the statute, to evaluate what adjustments 
may be in order.
    The Class I railroads responded with the suggestion that FRA is 
without discretion to require inclusion of lines that do not qualify as 
of 2015. However, FRA has already quoted the statute, which makes clear 
the inclusion of FRA-identified lines in the 2015 mandate. The 
statutory ``shall'' applies to these lines. Also, FRA and its 
predecessor agency have long enjoyed the power to require installation 
of train control under the ``Signal Inspection Act'' (codified at 49 
U.S.C. 20501-20505). Further, FRA has been mandated since 1970 to issue 
rules and standards covering ``every area of railroad safety'' (49 
U.S.C. 20103). In conferring new responsibilities, the Congress in no 
sense repealed what preceded them.
    Arguing in the alternative, the Class I railroads said that FRA had 
failed to rely on its discretionary authority to accomplish its 
purpose. In fact, the subject statutory provisions were called out in 
the authority section of the NPRM text, with the exception of the 
Signal Inspection Act, as codified (an oversight remedied here).\1\ FRA 
also explicitly stated in the preamble to the NPRM its intention to use 
its statutory discretion to preserve congressional intent and tied that 
intention to the use of 2008 traffic levels. The railroads' ancillary 
claim is that, in effect, FRA would be ``arbitrary and capricious'' 
should the agency require PTC on lines not carrying PIH as of the end 
of 2015 absent a further congressional mandate or a showing that PTC on 
the subject lines would be ``cost beneficial.''
---------------------------------------------------------------------------

    \1\ Here we recognize the interest of railroads that will be 
making very costly investments to meet the requirements of the 
statute and this rule. The ``Signal Inspection Act,'' as codified, 
makes it explicit that the presence of a signal or train control 
system on one line may not be considered in a civil action with 
respect to an accident on another line. This law is also explicit 
that, once installed, such a system may not be removed without 
approval. 49 U.S.C. 20501-20505. It should have been cited in the 
NPRM.
---------------------------------------------------------------------------

    FRA is very conscious of the fact that PTC is expensive, and the 
agency's regulatory evaluation for the proposed rule does not seek to 
conceal it. The unit costs will be particularly high during the period 
before December 31, 2015, and trying to do too much too fast could 
result in significant disruption of rail transportation. Accordingly, 
during the initial implementation period, FRA will not exercise its 
authority to require a build out of the PTC network beyond something on 
the order of what the Congress contemplated. However, FRA will exercise 
its discretion to ensure that the network design reflects safety needs 
and places a value on PTC that reflects an understanding of the value 
applied by the Congress.
    FRA understands the arguments surrounding PTC costs and benefits, 
having filed three congressionally-required reports since 1994 with 
information on the subject, having worked through the RSAC for several 
years evaluating this issue, having funded PTC technology development 
and overseen PTC pilot projects from the State of Washington to the 
State of South Carolina, and having provided testimony to the Congress 
on many occasions. However, FRA believes that the issue is now 
presented in a different light than before. The Congress was aware that 
the monetized safety benefits of PTC were not large in comparison with 
the loss of life and injuries associated with PTC-preventable 
accidents. With the passage of RSIA08, Congress has in effect set its 
own value on PTC and directed implementation of PTC without regard to 
the rules by which costs and benefits are normally evaluated in 
rulemaking.
    One could conclude that the Congress set the value only with 
respect to passenger trains and PIH releases, but that would assume 
that the interest expressed by the Congress over much more than a 
decade and a half was so limited. In fact, longtime congressional 
interest stemmed in large part from the loss of life among railroad 
crew members in collisions, as well the potential for release of other 
hazardous materials. Most of the NTSB investigations and investigations 
pertaining to this ``most wanted'' transportation safety improvement in 
fact derived from such events.
    In this light, the focus of the statute on PIH and scheduled 
passenger trains was clearly intended to provide specific guidance to 
the agency--a minimum standard for action--and reflected the prominence 
of passenger train accidents (Placentia, CA, April 23, 2002; 
Chatsworth, CA); and PIH releases (Macdona, TX, June 28, 2004; 
Graniteville, SC) in the most serious of the recent PTC-preventable 
accidents. FRA does not take this to mean that the Congress meant us to 
be indifferent to the crew fatality at Shepherd, Texas, on September 
15, 2005, which resulted from a misaligned main track switch in a 
collision very similar to the one at Graniteville. Nor do we believe 
that FRA was expected to be indifferent to the collision between two 
freight trains at Anding, Mississippi, on July 10, 2005, which killed 
four crew members, or the collision with release of liquefied propylene 
gas and ensuing explosion at Texarkana, Arkansas, on October 15, 2005, 
which killed a resident of a community abutting the railroad.\2\ See, 
e.g., Rail Safety Reauthorization: Hearing Before the Subcomm. on 
Surface Transportation and Merchant Marine of the S. Comm. on Commerce, 
Science, & Transportation, 110th Cong. (May 22, 2007) (statement of 
Robert L. Sumwalt, Vice Chairman, National Transportation Safety 
Board). Thus, FRA was provided latitude to require PTC system 
installation and operation on lines beyond those specifically 
prescribed by Congress. While FRA has enjoyed the same latitude under 
pre-existing authority, RSIA08 indicates Congress' elevated concern 
that FRA ensure the more serious and thoughtful proliferation of PTC 
system technologies. Although, as noted above, FRA would expect to 
exercise any such authority with significant reserve, given the high 
costs involved, it would be an abdication of the agency's 
responsibility not to determine that the basic core of the Class I 
system is addressed, as would be the case based on 2008 traffic 
patterns.
---------------------------------------------------------------------------

    \2\ Unique among these events, the Texarkana collision may not 
have been prevented by PTC technology now being perfected. However, 
the consequences which ensued, including the fatality, destruction 
of two residences and a highway bridge, and a significant evacuation 
are illustrative of the consequences that can result from release of 
flammable compressed gases in train accidents. There are 
approximately 100,000 carloads of PIH commodities shipped each year. 
There are approximately 228,000 carloads of flammable compressed 
gases (other than those classified as PIH) shipped each year.
---------------------------------------------------------------------------

    The tone of the Class I freight railroad comments justified FRA's 
concerns that railroads might take the wrong lesson from the statutory 
mandate. The lesson FRA perceives is that the core of the national rail 
system, which carries passenger and PIH traffic, needs to be equipped 
with PTC and that Congress used 5 million gross tons of freight 
traffic, the presence of PIH traffic, and the presence of passenger 
service as readily perceptible markers identifying the core lines on 
which Congress wants PTC to be installed. In making its judgments, 
Congress was necessarily looking at the national rail system as it 
existed in 2008 when the statute was passed. A corollary of that lesson 
is that the later disappearance or diminution of

[[Page 2618]]

one of those markers from a line does not necessarily mean that 
Congress would no longer see that line as part of the core national 
rail system meriting PTC. An alternative response would be to adopt 
policies and tactics that penalize rail passenger service and attempt 
to drive PIH traffic off the network, consolidating the traffic that 
remains on the smallest possible route structure for PTC.
    The freight railroads do not pretend that FRA is wrong in 
perceiving that the freight railroads wish to remove PIH traffic from 
the network. That is wise, since the public record is replete with 
pleas from the Class I railroads to remove their common carrier 
obligation to transport PIH traffic. Rather, they contend, in effect, 
that FRA should not trouble itself with this issue, since the Congress 
and the Surface Transportation Safety Board (STB) will ensure that PIH 
shippers receive fair treatment, and the Pipeline and Hazardous 
Materials Safety Administration (PHMSA) Rail Route Analysis Rule will 
determine whether the traffic goes on the safest and most secure 
routes.
    There are significant problems with this contention. First, while 
the Congress shows no interest in relieving the carriers of duty to 
transport PIH commodities, and STB has likewise brushed back a recent 
attempt by a Class I railroad to avoid this duty (see Surface 
Transportation Board Decision, Union Pacific Railroad Company--Petition 
for Declaratory Order, STB Finance Docket No. 35219 (June 11, 2009)), 
it is by no means yet determined how the cost burden associated with 
PTC will be borne. A railroad seeking to make the most favorable case 
for burdening a PIH shipper with the cost of PTC installation would 
first clear a line of overhead traffic through rerouting and then seek 
to surcharge the remaining shipper(s) for the incremental cost of 
installing the system. Under those circumstances, would the STB decide 
that the railroad should transfer all of those costs to other shippers, 
or would the STB uphold the surcharge in whole or in part, thereby 
potentially making the cost of transportation unsupportable?
    The carriers would have us rely on the PHMSA Rail Route Analysis 
Rule in determining whether the PIH criterion requires installation of 
PTC on a particular line. The Class I railroads' comments state that 
``FRA is not even the DOT agency with substantive responsibility for 
how railroads route TIH.'' This is an odd point, considering that: (1) 
The statutory authority for both this rulemaking and the Rail Route 
Analysis Rulemaking are vested in the Secretary of Transportation, and 
FRA and PHMSA have a long and well established history of working 
together for the safe transportation of hazardous materials; (2) as 
reflected in the rulemaking documents, FRA initiated the Rail Routing 
action in concert with PHMSA and participated in developing the 
proposed rule well before the Congress mandated that the rulemaking be 
concluded; (3) the final rule affirms that PHMSA issued the revision in 
coordination with FRA and TSA; (4) by delegation from the Secretary, 
FRA is the agency responsible for administering and enforcing the Rail 
Route Analysis Rule and has issued a final rule (73 FR 72,194 (Nov. 26, 
2008)) detailing the procedures railroads must follow when challenging 
FRA enforcement decisions; and (5) FRA and has worked with TSA to 
provide funding and oversight for development of the risk model 
intended for use under the rule.
    As it happens, FRA has good reason to be concerned with rail 
routing of PIH commodities (as well as explosives and high level 
radioactive waste, which are also covered by the PHMSA rule), both on 
the merits of the routing decisions (as the agency responsible for 
administering the rule) and in relation to the incidental impacts of 
re-routing decisions on the network of lines that will be equipped with 
PTC technology. Because the Rail Route Analysis Rule addresses both 
security and safety risks, operations under that rule necessarily lack 
the transparency typically afforded to safety risks.
    Significant re-routing has already occurred since 2008 as a result 
of the TSA Rail Transportation Security Rule (73 FR 72,130 (Nov. 26, 
2008)). In its comments, CSXT states that the TSA rule ``required 
railroads to modify their routing operations to ensure that only 
attended interchanges are used for transporting TIH.'' The resulting 
changes are said to be ``dramatic.'' Comment of CSX Transportation, 
Inc., Docket FRA-2008-0132-0028.1, at 12 (Aug. 24, 2009). However, the 
TSA regulation requires a secure chain of custody, not re-routing; and 
so any re-routing resulting from the TSA regulation presumably resulted 
not from the direct command of the rule itself but from the desire to 
hold down costs by focusing the handoffs of these commodities where 
personnel are already employed to oversee the transfers. This is 
perfectly sensible, of course, to the extent that the re-routing did 
not create greater safety or security concerns. However, since 
railroads have contended for years that their current routings were 
already optimized for safety, investigation is warranted.
    The Rail Route Analysis Rule is only now being put into effect. 
Most railroads will not complete their initial analysis until the first 
quarter of 2009, using 12 months of 2008 data (per their request in the 
subject rulemaking). While the rule requires railroads to consider the 
use of interchange agreements when considering alternative routes, FRA 
has not had the opportunity to verify that this has actually occurred 
with the two railroads opting to comply with the September 2009 due 
date for use of only six months of data.
    The risk model intended to provide the foundation for the rail 
routing process is still subject to considerable refinement. No 
methodology is currently specified for evaluating the potential impact 
of a PTC system (which would vary in risk reduction depending upon the 
underlying or previous method of operation). Under these circumstances, 
there is a distinct possibility the railroads may not give sufficient 
weight to train control (existing or planned).\3\ Railroads are not 
required to submit their route analysis and route selections to FRA for 
approval. While FRA intends to aggressively oversee railroads' route 
analysis and route selections during FRA's normal review process, 
including their consideration of PTC, and require rerouting when 
justified, this process will be resource-intensive and time-consuming 
to complete. So FRA sees no reason necessarily to defer in this context 
to decision making made under the Rail Route Analysis Rule, even as to 
the role of PTC in safeguarding the transportation of traffic within 
its ambit (PIH, certain explosives, and spent nuclear fuel). Instead, 
those decisions are simply useful information under this rule. In April 
of 2010 when railroads must complete their PTCIP's, a railroad may know 
its own routing decisions under the Rail Route Analysis Rule, but not 
FRA's evaluation of those decisions. Furthermore, the Rail Route 
Analysis Rule analysis does not consider the safety risk posed by the 
rail movement of hazardous materials it does not cover--but, as noted 
above, this is a legitimate concern when deciding where to put PTC.
---------------------------------------------------------------------------

    \3\ At least one Class I railroad consolidated some of its PIH 
traffic on signalized lines prior to adoption of the Rail Route 
Analysis Rule. This reflects a recognition that method of operations 
matters, but that is not the same thing as having completed a fully 
mature routing analysis against the 27 factors--something that will 
occur only over time in the face of great complexity.
---------------------------------------------------------------------------

    The Rail Route Analysis Rule considers both safety and security, 
and PHMSA and FRA have worked with TSA to ensure that the inherently

[[Page 2619]]

speculative risk of a security incident does not overwhelm known safety 
risks in the decision making. At the same time, the structure is very 
responsive to known threats and special circumstances. However, FRA is 
aware of at least one railroad that has balanced its evaluation of 
safety and security risks under the rule affording equal weight to each 
across the board. FRA will be working with that railroad to determine 
the basis for this action and may later require the railroad to revise 
its analysis and possibly reroute traffic. See Railroad Safety 
Enforcement Procedures; Enforcement, Appeal and Hearing Procedures for 
Rail Routing Decisions, 73 FR 72,194 (Nov. 26, 2008).
    Since any given railroad may have thousands of origin-destination 
pairs for its PIH traffic, and since railroads are just at the 
threshold of cooperation to evaluate interline re-routing options, this 
new program will settle out over a period of several years during which 
lessons are learned. As custodian of this program, FRA is best situated 
to conclude that using the products of initial analysis within a 
framework that confers significant discretion to utilize judgment 
should not control where PTC is built--particularly given the strong 
incentives that carriers perceive to reduce the wayside mileage 
equipped with PTC and the fact that installation of PTC might overwhelm 
other considerations with respect to PIH routing.
    In the proposed rule, FRA said that changes from the 2008 base 
could be granted if ``consistent with safety.'' Even though this is a 
familiar phrase drawn from FRA's basic safety statute, concern was 
expressed regarding how this term might be applied. The final rule 
further defines that standard by adding a rule for FRA decision making, 
i.e., if the remaining safety risk on the line exceeds the average 
safety risk per route mile on lines carrying PIH traffic, as determined 
in accordance with Appendix B to 49 CFR part 236, FRA denies the 
request. The provision leaves open the possibility of granting the 
request if the railroad making application offers a compensating 
further build out on another line where the resources would be better 
spent because they would enhance safety to a greater degree. FRA has 
available to it adequate data to construct a simple risk model for use 
in this context and expects to do so when reviewing such requests. This 
provision treats similarly risky rail lines similarly in carrying out 
the perceived congressional intent for PTC to be installed on the 
portion of the rail system Congress described, and it is an appropriate 
exercise of FRA's statutory discretion because it is rationally related 
to the reduction in risk Congress sought to achieve across the national 
rail system.
    The structure of paragraph (b) of Sec.  236.1005 is as follows:
    Paragraph (b)(1) brings together the policy of the statute 
requiring a phased, risk-based roll out of PTC with the types of lines 
required to be equipped. FRA has included the additional language 
``progressively equip'' to remind the industry that the law does not 
expect a risk-based implementation in which no safety benefits are 
achieved until December 31, 2015. To the contrary, the law and FRA 
evidence a strong expectation that PTC safety benefits will be 
increasingly achieved as lines and locomotives are equipped. See Sec.  
236.1006. FRA was distressed to hear claims in the Class I railroad 
testimonies and filings to the effect that, not only are the railroads 
under no legal obligations to deploy incrementally and take advantage 
of safety technology required by the law, FRA is without authority to 
require PTC system operation until December 31, 2015. We consider both 
claims to be without merit on the face of the law, including FRA's pre-
existing authority over signal and train control systems.
    Paragraph (b)(2) describes the operation of the 2008 baseline as 
the initial point of PTC implementation. The section is clear that if 
any track segment mandated for PTC exclusively on the basis of PIH 
traffic falls below 5 million gross tons for two consecutive years, the 
line would be eligible for removal. The paragraph also identifies the 
presence of PIH traffic in 2008 (or prior to filing the PTCIP) as 
initially identifying the track segment in the PTCIP for PTC 
implementation, but refers to paragraph (b)(4) as a means of removing 
it.
    Paragraph (b)(3) refers to changed conditions after the filing of 
the PTCIP that might require a line or track segment to be added. This 
could occur, inter alia, because overall freight volume increases, a 
shipper requests PIH service on the line, or PIH traffic is (actually 
or prospectively) rerouted over the line to satisfy the Rail Route 
Analysis Rule. The provision requires ``prompt'' filing when conditions 
change. It makes clear that the railroad will have at least 24 months 
after approval of its RFA to install the PTC system on the line.
    In the NPRM, FRA proposed that, in order to have a line segment no 
longer carrying the PIH traffic be excepted from the requirement that 
it be initially equipped, the railroad would need to provide estimated 
traffic projections for the next 5 years (e.g., as a result of planned 
rerouting, coordinations, location of new business on the line). In 
addition, where the request involves prior or planned rerouting of PIH 
traffic, the railroad would be required to provide a supporting 
analysis that takes into consideration the rail security provisions of 
the PHMSA rail routing rule, including any railroad-specific and 
interline routing impacts. FRA proposed that it could approve an 
exception if FRA finds that it would be consistent with safety and in 
the public interest.
    The AAR acknowledged in its comments that ``FRA does offer 
railroads the ability to apply to FRA for approval to not install PTC 
on a route which, in 2015, is no longer used for PIH traffic or which 
no longer meets the definition of a main line.'' However, asserted AAR, 
``FRA approval is predicated on the nebulous criteria of ``consistent 
with safety and in the public interest.''
    In this final rule, paragraph (b)(4) provides the methods by which 
a railroad may seek the exclusion or removal of track segments from its 
PTCIP. Paragraph (b)(4)(i) deals with the evaluation of track segments 
that no longer carry 5 million gross tons or PIH traffic that the 
railroad seeks to remove from the PTCIP, either at the time of initial 
filing or through an RFA thereafter. A request to remove a line would 
need to be accompanied by future traffic projections. FRA understands 
that, in some cases, railroads will not be able to state with certainty 
whether total tonnage or PIH traffic will return to a line; and 
certainty is not required. However, in other cases a railroad may in 
fact be able to make reasonable projections (because of control over a 
parallel main line that is approaching capacity, planned coordination 
with another railroad, etc.).
    In the case of cessation of passenger service or a decline of 
tonnage on a PIH line, FRA anticipates that approval of such requests 
will normally be routine. However, in light of AAR's comments, the 
final rule provides that, where PIH traffic has been removed (or is 
projected to be removed), three conditions must be met in order for FRA 
to approve such requests. First, it is not expected that there will be 
any local PIH traffic on the subject track segment. Second, to the 
extent overhead traffic has been (or will be) removed from the line, 
the request must be supported by routing analysis justifying the 
alternative routing of any traffic formerly traversing the line or 
which might traverse the line as an alternative routing. This is not 
the same routing analysis required under part 49 CFR part 172, but it 
may be presented

[[Page 2620]]

in the same format. The difference is that, under the Rail Route 
Analysis Rule, the current best route for the movement of security 
sensitive materials (which included PIH materials) must be determined, 
taking into consideration both safety and security and assuming the 
existing method of operation, any changes that a carrier may reasonably 
be anticipated to occur in the upcoming year, and any mitigation 
measures that the carrier intends to implement. That is a tactical 
question, which focuses on a particular geographical or logistical 
area. The question that needs to be addressed for PTC planning is the 
future best route, taking into consideration the fact that any route 
used for PIH will need to be equipped within the schedule contained in 
the approved PTCIP (but not later than December 31, 2015, for the least 
risky lines that need to be equipped). This is a strategic question, 
which applies to the carrier's entire network. Accordingly, this 
analysis would need to show that, even by equipping the subject line 
with PTC, it would not have an advantage over the route proposed to be 
selected.
    As noted in section VI of this preamble, FRA seeks comments on how 
elements of a route analysis should be weighed by FRA when determining 
whether rerouting under this paragraph is sufficiently justified.
    FRA includes one additional requirement that invokes its 
discretionary authority under the law. Even if a line has not or will 
not carry PIH traffic after the 2008 base year or later time period 
prior to filing of the PTCIP (i.e., for those filing a PTCIP for new 
service initiated after the statutory deadlines), the final rule 
requires an additional test that fleshes out the ``consistent with 
safety'' notion contained in the proposed rule with the desired 
objective of providing greater predictability, transparency, and 
consistency in decision making. This test requires that, in order for a 
track segment to be excluded, the remaining risk on the line not exceed 
the average risk extant on lines required to be equipped with PTC 
because they meet the threshold for tonnage of 5 million gross tons and 
carry PIH traffic. The effect of this test should be to allow a 
majority of lines that formerly carried PIH, which has been removed for 
legitimate reasons, to be removed from the PTCIP. With no intercity/
commuter passenger traffic and no PIH, these will mostly be lines with 
moderate traffic involving commodities such as coal or grain and 
minimal quantities of other hazardous materials. However, with respect 
to lines with higher risk, PTC may be required despite the 
consolidation of PIH traffic on other lines. For instance, FRA does not 
believe that consolidation of PIH traffic due to security reasons 
should unduly influence PTC deployment. Train crews, roadway workers, 
and communities along the routes have a strong interest in seeing PTC 
provided for their benefit. Examples of lines that could be captured by 
this requirement are very high density lines to coal fields or between 
major terminals where collision risk is significant and other very 
dangerous or environmentally sensitive hazardous materials are 
transported in significant quantities (e.g., flammable compressed gas, 
halogenated organic compounds). Non-signaled lines with traffic nearing 
capacity and many manually operated switches, together with significant 
hazardous materials, would also be candidates for retention.
    As previously noted in the Introduction and section VI to this 
preamble, FRA seeks further comments on paragraph (b)(4)(i). This 
provision describes the specific considerations FRA will take into 
account in determining whether a deviation from the baseline is 
``consistent with safety.'' FRA believes that this final rule could 
still benefit from input concerning this application of the 
``consistent with safety'' standard FRA has applied for decades in 
considering waivers under 49 U.S.C. 20103(d) and whether FRA should 
interpret that standard differently or in greater detail here. 
Accordingly, FRA continues to seek comments on this issue with the 
desired objective of providing greater predictability, transparency, 
and consistency in decision making. More specifically, FRA seeks 
comments that would help clarify what issues, facts, standards, and 
methodologies it should consider when determining whether to approve a 
request for amendment made pursuant to paragraph (b)(4)(i). FRA also 
seeks comments on how it should compare the levels of risk between 
lines with PIH and lines without PIH for the purposes of paragraph 
(b)(4)(i).
    Paragraph (b)(4)(ii) contains a new provision that provides a basis 
for a railroad to request removal of a track segment from a PTCIP 
either at the time of initial filing or through an RFA thereafter. The 
provision is being added in an effort to respond to comments submitted 
on the NPRM requesting a de minimis exception for low density track 
segments with minimal PIH traffic. The AAR noted that, under the 
proposed regulations, even one car containing PIH on a main line would 
require installation of PTC. AAR believes that this position is 
untenable in light of the cost-benefit concerns (e.g., the 15-to-1 cost 
to benefit ratio under FRA's economic analysis), especially on routes 
with minimal PIH traffic. The AAR takes the position that it would 
therefore be arbitrary and capricious for FRA to not employ a de 
minimis exception. According to AAR, its preliminary analysis shows 
that a meaningful de minimis exception could save the industry hundreds 
of millions of dollars without significantly changing the safety 
benefit calculation.
    The AAR and some of its member railroads assert that FRA has the 
authority to include a de minimis exception in the final rule. In 
separate comments, CSXT also recommends that FRA recognize a de minimis 
exception for PIH transport. CSXT asserts that, in cases where a 
limited quantity of PIH materials are transported on a particular 
route--or where a segment of track happens to carry PIH materials on a 
single occasion because of mere happenstance--there are no safety 
benefits that would justify costly PTC implementation. In addition, in 
the absence of specific language in the RSIA08 that would preclude FRA 
from recognizing a de minimis exception, CSXT asserts that FRA 
possesses the requisite authority to do so. In support of this 
assertion, CSXT points to three cases from the DC Circuit (Shays v. 
FEC, 414 F.3d 76 (DC Cir. 2005); Environmental Def. Fund, Inc. v. EPA, 
82 F.3d 451 (D.C. Cir. 1996); and State of Ohio v. EPA, 997 F.2d 1520 
(DC Cir. 1993)), in which the DC Circuit acknowledged the inherent 
authority conferred upon agencies, in the absence of an express 
prohibition, to promulgate a de minimis exception as a tool for 
implementing legislative design and avoiding pointless expenditures of 
effort.
    FRA has reviewed the suggestion of the Class I railroads that FRA 
possesses an inherent, or at least reasonably inferred, authority to 
withhold any requirement for deployment of PTC on lines with very low 
risk. FRA agrees that, as a general matter, it has an inherent 
authority to create de minimis exceptions in its regulations to 
statutes FRA administers. In fact, FRA has utilized this inherent 
authority in this final rule in the following areas: Providing limited 
exceptions for yard operations; addressing the movement of equipment 
with inoperative PTC systems; and providing for limited movements by 
non-equipped trains operated by Class II and Class III

[[Page 2621]]

railroads over PTC equipped main line.\4\ FRA believes these are all 
appropriate uses of its discretionary authority. Based on existing case 
law, as well as its review of the comments provided in this proceeding, 
FRA believes that a de minimis exception to the statutory mandate 
requiring the installation of PTC systems on any and all main lines 
transporting any quantity of PIH hazardous materials should also be 
provided to low density main lines with minimal safety hazards that 
carry a truly minimal quantity of PIH hazardous materials.
---------------------------------------------------------------------------

    \4\ This is not to say that there are independent justifications 
for each of these decisions. Yard operations involve a mix of 
switching movements and train movements and have never been within 
public expectations for PTC because of issues of impracticability 
and inapplicability, as well as greatly reduced safety concerns. 
Movement of trains with inoperative PTC equipment has historically 
been allowed for and governed within Interstate Commerce Commission 
and FRA regulations, and proceeding otherwise would be a virtual 
impossibility. FRA does not understand RSIA08 to specify whether all 
trains operating on PTC lines must be PTC equipped, and accordingly 
FRA believes that it is required to make discretionary decisions in 
that regard. That said, the de minimis concept clearly offers an 
alternative justification for each of these decisions.
---------------------------------------------------------------------------

    With this said, however, and as explained below, that discretionary 
authority will not sustain the creation of the broad-brush exception 
sought by the Class I railroads in this proceeding. United States 
Circuit Court decisions recognize that federal agencies may promulgate 
de minimis exemptions to statutes they administer. See, e.g., Shays v. 
FEC, 414 F.3d 76, 113 (DC Cir. 2005); Ass'n of Admin. Law Judges v. 
FLRA, 397 F.3d 957, 961-62 (DC Cir. 2005) (``[T]he Congress is always 
presumed to intend that pointless expenditures of effort be avoided'' 
and that such authority ``is inherent in most statutory schemes, by 
implication.''); Environmental Defense Fund, Inc. v. EPA, 82 F.3d 451, 
466 (DC Cir. 1996) (``[C]ategorical exemptions from the requirements of 
a statute may be permissible as an exercise of agency power, inherent 
in most statutory schemes, to overlook circumstances that in context 
may fairly be considered de minimis.'') (inner quotations and citation 
omitted); Alabama Power Co. v. Costle, 636 F.2d 323, 360 (DC Cir. 1979) 
(the ability to create a de minimis exemption ``is not an ability to 
depart from the statute, but rather a tool to be used in implementing 
the legislative design.''); New York v. EPA, 443 F.3d 880, 888 (DC Cir. 
2006) (noting the maxim de minimis non curat lex--``the law cares not 
for trifles.'').
    However, ``a de minimis exemption cannot stand if it is contrary to 
the express terms of the statute.'' Environmental Defense Fund, 82 F.3d 
at 466 (citing Public Citizen v. Young, 831 F.2d 1108, 1122 (DC Cir. 
1987)). In other words, agency authority to promulgate de minimis 
exemptions does not extend to ``extraordinarily rigid'' statutes. See 
Shays, 414 F.3d at 114 (``By promulgating a rigid regime, Congress 
signals that the strict letter of its law applies in all 
circumstances.''); Ass'n of ALJs, 397 F.3d at 962; Alabama Power, 636 
F.2d at 360-61 (As long as the Congress has not been ``extraordinarily 
rigid'' in drafting the statute, however, ``there is likely a basis for 
an implication of de minimis authority.''). Furthermore, such authority 
does not extend to situations ``where the regulatory function does 
provide benefits, in the sense of furthering regulatory objectives, but 
the agency concludes that the acknowledged benefits are exceeded by the 
costs.'' Public Citizen v. FTC, 869 F.2d 1541, 1557 (DC Cir. 1989) 
(quoting Alabama Power, 636 F.2d at 360-61) (emphasis removed); see 
also Shays, 414 F.3d at 114; Kentucky Waterways Alliance v. Johnson, 
540 F.3d 466, 483 (6th Cir. 2008). ``Instead, situations covered by a 
de minimis exemption must be truly de minimis.'' Shays, 414 F.3d at 
114. That is, they must cover only situations where ``the burdens of 
regulation yield a gain of trivial or no value.'' Environmental Defense 
Fund at 466 (inner quotations omitted) (citing Alabama Power, 636 F.2d 
at 360-61).
    In this case, where release of the contents of one PIH tank car can 
have catastrophic consequences (e.g., the 2005 Graniteville accident), 
FRA must determine whether the gain yielded by installing PTC on any 
rail line that carries a minimal amount of PIH materials is ``of 
trivial or no value.'' During the RSAC Working Group discussions 
conducted on August 31-September 2, 2009, the major freight railroads 
suggested that any track segment carrying fewer than 100 PIH cars 
annually should be considered to present a de minimis risk and be 
subject to an exception. (Their representatives were very clear that 
the request did not extend to lines carrying intercity or commuter 
passenger trains.) During the Working Group discussion, AAR was asked 
to describe additional safety limitations that might apply to these 
types of track segments (e.g., tonnage, track class, population 
densities). The AAR elected not to do so, adhering to the simple less 
than 100 car exception. Subsequently, in an October 7, 2009, docket 
filing, AAR suggested that safety mitigations could be applied where 
necessary to bring risk down to de minimis levels.
    FRA has considered AAR's proposed exception and has noted that, 
although the number of cars appears small, in fact only about 100,000 
loaded PIH cars are offered for transportation in the United States 
each year (approximately 200,000 loads and residue cars). Accordingly, 
FRA would expect that such an exception might have a significant impact 
on the number of miles of railroad subject to the PTC mandate. None of 
the filings in this docket, and none of the discussion in the PTC 
Working Group, shed light on the relevant facts despite an express 
request from FRA to Class I railroads to supply facts bearing on their 
requested exception. Based on the limited information available to FRA, 
FRA believes that such an exception would excuse installation of PTC on 
roughly 10,000 miles of railroad out of the almost 70,000 route miles 
FRA has projected would need to be equipped based on the proposed 
requirements. Based on the limited information available, it appears 
that some of the lines within the AAR request carry very heavy tonnages 
(with many train movements raising the risk for a collision) at freight 
speeds up to 60 or 70 miles per hour (predicting severe outcomes when 
accidents do occur). Putting trains with PIH bulk cargoes into this mix 
in the absence of effective train control would not be a de minimis 
risk as to those cars of PIH actually transported. Further, any public 
policy decision to excuse PTC installation under these circumstances 
would have to ignore other risk on those track segments. Creating a de 
minimis exception for less than 100 PIH cars on a very busy and risk-
laden track segment simply on the basis of the number of PIH cars 
would, accordingly, ignore the separate charge that the Congress gave 
to the agency in 1970 to adopt regulations ``as necessary'' for ``every 
area of railroad safety'' (49 U.S.C. 20103(a)) and the value that the 
Congress has obviously placed on PTC as a means of reducing risk within 
the reach of the four PTC core functions under the RSIA08. Further, it 
would stand on its head the structure of 49 U.S.C. 20157, as added by 
the RSIA08, which mandates completion by the end of 2015 of PTC on (1) 
lines of intercity and commuter passenger trains, (2) lines of Class I 
railroads carrying 5 million gross tons and PIH, and (3) ``such other 
tracks as the Secretary may prescribe by regulation or order.''
    FRA believes that the broad-based type of de minimis exception 
sought by the AAR and its member railroads based

[[Page 2622]]

solely on the number of PIH cars transported annually is not supported 
either legally or on a safety basis. However, FRA believes a limited 
exception is necessary and justified for those main lines that 
transport a truly limited quantity of PIH materials and that pose 
little safety hazard to the general public by not being equipped with 
an operational PTC system. Thus, FRA is including paragraph (b)(4)(ii) 
in this final rule to permit railroads exclude these types of main 
track segments from the statutory requirement to install a PTC system. 
The initial qualifying criterion is that of less than 100 PIH cars per 
year (loaded or residue), as suggested by the AAR.
    In order to foster as much clarity as possible regarding the 
exceptions provided, FRA has broken the concept into two separate 
divisions. The first creates a presumption that a requested exception 
will be provided based on existing circumstances on the line, plus an 
operating restriction. The second involves more challenging 
circumstances and involves no presumption, but the railroad may proffer 
safety mitigations in order to drive down risk to demonstrably 
negligible levels (subject to FRA review). Both are limited to lines 
that carry less than 15 million gross tons of traffic annually, a 
figure three times the threshold in the law. FRA has no confidence that 
a railroad could assure ``negligible risk'' in a busier and therefore 
more complex operation, and allowing for consideration of lines with 
more traffic could lead to neglect of other risk of concern (e.g., harm 
to train crews in collisions, casualties to roadway workers, release of 
other hazardous materials).
    Paragraph (b)(4)(ii)(B) specifies additional tests that apply to 
the first exception:
     The line segment must consist exclusively of Class 1 or 2 
track under the Track Safety Standards (maximum authorized speed 25 
mph);
     The line segment must have a ruling grade of less than 1 
percent; and
     Any train transporting a car containing PIH materials 
(including a residue car) must be operated under conditions of temporal 
separation, as explained in Sec.  236.1019(e) and in Appendix A to part 
211 of this title, from other trains using the line segment, as 
documented by a temporal separation plan submitted with the request and 
approved by FRA.

Limiting maximum authorized train speed reduces the kinetic energy 
available in any accident, and the forces impinging on the tank should 
be sustainable.\5\ Placing a limit on ruling grade helps to avoid any 
situation in which a train ``gets away'' as a result of a failure to 
invoke a brake application until momentum is such that no stop is 
possible (as the surface between the brake shoe and wheel ``goes 
liquid''). (PTC can prevent the initial overspeed and intervene early.) 
Requiring that a train carrying PIH and other trains be ``temporally 
separated'' can help prevent a collision in which a PIH car is struck 
directly by the locomotive of another train while traversing a turnout 
(potentially exceeding the force levels the tank can withstand). Given 
these combinations of circumstances, a de minimis exception should 
ordinarily be warranted. FRA would withhold approval only upon a 
showing of special circumstances, such as where there might be a need 
to protect movements over a moveable bridge. Should FRA identify such a 
circumstance, the railroad might elect to proceed under the additional 
exception.
---------------------------------------------------------------------------

    \5\ See Engineering Studies on Structural Integrity of Railroad 
Tank Cars Under Accident Conditions (DOT/FRA/ORD-9/18; October 
2009); see also 78 FR 17,818, 17,821 (Apr. 1, 2008) (discussion of 
proposed limitation on PIH train speeds in non-signaled territory 
prior to introduction of fully crashworthy tank cars, which was 
later withdrawn for other reasons).
---------------------------------------------------------------------------

    Paragraph (b)(4)(ii)(C) provides an alternative path to a de 
minimis exception by opening the door for proposed risk mitigations 
that could drive risk down to negligible levels. The railroad could 
offer any combination of operating procedures, technology, or other 
means of risk reduction. Basically, the paragraph requires the railroad 
to ``make its case'' to FRA as to why a limited exception should be 
provided for the identified main line. The railroad must provide FRA 
sufficient information to justify the application of a de minimis 
exception to the identified track segment, including current and future 
traffic predictions, detailed information regarding the safety hazards 
present on the involved track segment, and an explanation of how the 
proposed mitigations would reduce the risk to a negligible level. FRA 
believes that, beyond the relatively narrow categorical exception 
provided in (B), a separate case-by-case analysis of each request is 
necessary to properly apply its inherent discretionary authority to 
grant de minimis exceptions in this area. Approaching the issue in this 
manner also permits full consideration of mitigations tailored to the 
particular circumstances. FRA would evaluate the submittal and, if 
satisfied that the proffered mitigations would be successful, approve 
the exception of the line segment. FRA wishes to note that elements of 
PTC technology may in some cases provide the means for accomplishing 
this. Developing a track database for a line segment, installing an 
intermittent data radio capability, and utilizing PTC-equipped 
locomotives on the line could be used to enforce temporary speed 
restrictions and enforce track warrants without the major expense on 
the wayside. Where necessary, based on somewhat higher train speeds, 
key switches could be monitored; or, alternately, only those trains 
containing PIH cars could be speed restricted (with speed enforced on 
board). The notion here is to leverage investments already made with 
modest additional expenditures that capture the bulk of the safety 
benefits while specially protecting trains with PIH cars.
    FRA believes that the savings from these provisions should be 
substantial. Most of the line segments falling within the criteria set 
forth for de minimis risk will be non-signaled lines with limited 
freight traffic. The ability to omit equipping these routes with full 
data radio infrastructure and with switch position monitoring at all 
switches should constitute a significant savings. In fact, based on 
available information, FRA believes that as much as 3,500 miles of 
railroad could be included in one of the exceptions provided. FRA 
estimates that the gross savings from omitting PTC from these lines 
might amount to about $175 million and that mitigations might offset 
roughly $32 million of those savings, for net savings still exceeding 
$140 million. Of that amount, approximately $15 million could come from 
the first exception, which deals with very low risk lines left in their 
current state and operated under temporal separation of trains 
containing PIH traffic.
    This provision was developed in the absence of a robust record. On 
October 7, 2009, the AAR filed supplementary comments offering to work 
with FRA on a more flexible process for de minimis exceptions that 
would consider safety mitigations designed expressly to drive risk down 
to de minimis levels on candidate line segments. FRA attempted to 
respond to this late-filed comment in full recognition that the final 
rule will impose substantial costs and that avoiding unnecessary cost 
is desirable. However none of the parties has had an opportunity to 
comment on the exception provided in this final rule. Accordingly, FRA 
seeks comments on the extent of the de minimis exception. Such comments 
should be supported by sufficient and applicable safety data. FRA notes 
that the time required for

[[Page 2623]]

refinement of this provision should fit within the existing PTC system 
implementation timetable, since any lines where risk is low will be 
slated for PTC system installation relatively late in the 
implementation period that ends on December 31, 2015.
    Paragraph (b)(5) addresses an additional reason for proposing to 
use 2008 data as a baseline for PTC installation, rather than de facto 
conditions in 2015: i.e., the prospect that Class I railroads will 
divest lines in order to avoid the PTC mandate. Based on past practice 
at the Interstate Commerce Commission and STB, lines sales can occur 
under circumstances where the new operator of the line is to a large 
extent the alter ego of the seller. The seller may retain overhead 
trackage rights or merely lease the line; or circumstances may be such 
that the seller is the only available interchange partner and thus 
continues to enjoy the ``long haul'' portion of the rate. Typically the 
buyer will have a lower cost structure, and to the extent the sale is 
merely a recognition that the line has declined in traffic and will 
need to be redeveloped as a source of carload traffic, that may be the 
best way to preserve rail service. However, to the extent that the 
seller sheds costs while retaining significant practical control and 
depriving the buyer of adequate revenues, safety issues can arise. FRA 
has historically been reluctant to allow discontinuance of signal 
systems in some of these cases, particularly where it remained within 
the seller's ability to rebuild overhead traffic on the line 
downstream, where the seller retained the right to repossess the 
property at a later time, or where the line carried passenger traffic.
    This background may help explain why FRA made reference to the 
issue of whether omitting PTC on a line that carried PIH traffic in 
2008 might be ``in the public interest'' in the proposed rule. In 
references during the subsequent RSAC working group deliberations, some 
question was raised about what that could mean. In light of that 
confusion, FRA has omitted the phrase from the final rule but has added 
language addressing the issue of line sales that expresses more 
directly how FRA would handle line sales and modifications to a PTCIP. 
FRA's purpose is to ensure that decisions regarding where PTC is 
deployed are made in light of all the relevant circumstances. To the 
extent that this approach represents an exercise of discretionary 
authority (and should any such exercise in fact occur), FRA would 
expect to make the decision based upon safety criteria after the STB 
had determined the public interest with respect to rail service. Again, 
FRA would expect to recognize the value that the Congress placed on PTC 
as a means of risk reduction while not rewarding transactions designed 
to avoid installation of PTC on the line in question.
    Paragraph (b)(6) states that no new intercity or commuter passenger 
service shall commence after December 31, 2015, until a PTC system 
certified under this subpart has been installed and made operative. FRA 
believes this is a clearly necessary requirement to satisfy the 
statute. In response to the comments, FRA has removed the reference to 
``continuing'' of previous passenger service. FRA agrees that the 
remedy associated with any delays in completing PTC system installation 
should be determined based upon circumstances at the time and without 
disfavoring passenger service in relation to freight service.
    General objections to a 2008 baseline. FRA is aware that the 
approach embodied in the final rule may not play out as an elegantly 
optimized risk reduction strategy. If FRA were writing on a blank 
slate, the agency may have considered factors that drive risk and 
thresholds for those factors, taking into consideration more than PIH 
and intercity or commuter passenger traffic. Some lines that the 
Congress has required to be equipped by the end of 2015 because of PIH 
traffic would be left for deployment well downstream. Under such a 
hypothetical scenario, others with heavy train counts or without signal 
systems (and with robust traffic) may have been in theory added to the 
list for deployment of PTC by the end of 2015. But FRA is not writing 
on a clean slate. Rather, FRA is endeavoring to implement the statute 
with fidelity both to its terms and its intent, utilizing the 
discretion underscored by the law to get the job done.
    Part of the complexity of this task is the schedule. FRA has 
labored to publish this final rule as soon as humanly possible so that 
the industry could be ready to file PTC Implementation Plans by the 
statutory deadline of April 16, 2010. FRA will then be required, again 
by the statute, to approve or disapprove each plan within a period of 
90 days. Accordingly, establishing some degree of order in framing the 
Implementation Plan requirements is clearly necessary. Taking the 2008 
traffic base as a known starting point, and evaluating any deviations 
from that base, will permit FRA to identify any potentially 
inappropriate traffic consolidations and focus on those areas as 
matters for review. FRA could, of course, take a different approach and 
order a categorically broader implementation. However, that has been 
understandably opposed by the railroads; and crafting any such approach 
would likely not have been feasible during the time available for this 
rulemaking. Accordingly, what we have done in Sec.  236.1011(b) is to 
require the PTCIP to include a statement of criteria that the Class I 
railroad will apply in planning future deployment of PTC and a 
requirement that the railroad's Risk Reduction Program Plan (required 
by the RSIA08 to be filed in 2013) contain a specification of 
additional lines that will be equipped in full (meeting all of the 
requirements of subpart I) or as a partial implementation (subset of 
functionalities). Approaching the end of the initial deployment period, 
therefore, FRA should be in a position to consider whether requiring 
additional PTC deployments will be appropriate to address remaining 
risk or whether elective actions by the railroads will meet that need. 
Over time, then, any rough edges that remain should be smoothed over.
    Another objection to the 2008 baseline is that more may need to be 
accomplished (i.e., the need to capture more lines) in the period 
between enactment and December 31, 2015. FRA responds as follows: 
First, no more will need to be done than the Congress likely expected. 
If FRA, an expert agency, did not foresee the ``dramatic'' 
consolidation of PIH traffic resulting from the TSA rule, it is fairly 
unlikely that the Congress did. Second, the Class I freight industry 
has had it within its control to get this done, and one of FRA's major 
objectives in conducting this rulemaking has been to ensure success by 
keeping the technology bar at a reasonable height and deferring as much 
as possible to work already accomplished. During the September 10, 
2009, RSAC meeting, the leaders of the Interoperable Train Control 
project--an effort led by BNSF, CSXT, NS, and UP to develop 
interoperability standards for the general freight system--advised that 
those standards will not be available until the end of 2010 to the many 
commuter railroads and Amtrak working in concert with a major freight 
carrier. But the industry developed Advanced Train Control Standards in 
the 1980s, standards that FRA pronounced mature in its 1994 Report, 
after which the industry abandoned the project. PTC interoperability 
standards were identified as a need in the consensus report of the 
original PTC

[[Page 2624]]

Working Group to the FRA Administrator in 1999, and creation of such 
standards was a major deliverable of the North American PTC Program 
(funded jointly by the FRA, industry, and the State of Illinois). That 
delivery was never made. In the interim, the major signal suppliers, 
working through the American Railway Engineering and Maintenance 
Association managed to produce interoperability standards (again with 
FRA support), but these are not standards that the freight railroads 
have elected to employ. Accordingly, FRA concludes that the principal 
obstacle to completion of PTC is the perfection of technology, 
including interoperability standards, by an industry that has had two 
decades to work. Any further delays in that quadrant should not deprive 
the Nation of a reasonably scaled PTC deployment.
    Other comments. FRA received generally favorable comments on the 
base year issue from Friends of the Earth\6\ and the Rail Labor 
Organizations. The Chlorine Institute also urged the broadest 
application of PTC to the national rail network, and the American 
Chemistry Council submitted generally favorable comments without 
lingering on this specific issue. The Fertilizer Institute commented 
that limiting lines to the 2008 PIH network could restrict shipping 
options in the future and also advocated a broader mandate.
---------------------------------------------------------------------------

    \6\ Friends of the Earth also made detailed comments regarding 
administration of the Rail Route Analysis Rule that are beyond the 
scope of this proceeding.
---------------------------------------------------------------------------

    Final rule adjustments. FRA has further considered the need to 
optimize the risk reduction strategy captured in this final rule with 
respect to lines that may no longer carry PIH traffic as of some point 
(whether at filing of the PTCIP or thereafter). FRA has included a 
requirement that the subject line from which PIH has been removed would 
be required to be equipped with PTC only if the line's remaining 
traffic involves a level of risk that is above the average for lines 
that carry PIH traffic. As noted above, FRA would expect most lines 
from which PIH traffic might be legitimately removed, exclusive of 
those that carry intercity or commuter passenger traffic (which will 
need to be equipped in any event), to fall below the average risk level 
and be removed from the PTCIP. These will be primarily what are 
referred to as branch lines or secondary main lines, carrying moderate 
traffic volumes. However, if a line such as a very busy coal line with 
intermixed general freight (including, e.g., flammable compressed gas 
or halogenated organic compounds) were in question, FRA would expect 
that line to remain equipped. Further optimization of this approach is 
offered in the form of compensating risk reduction. That is, a railroad 
could offer up a line that was not included in 2008 traffic base for 
PTC implementation if it carries traffic that involves very substantial 
risk. Although this option is offered, FRA does not expect any such 
situation to arise. Based on FRA's review of known traffic flows and 
densities, FRA expects that most lines omitted from those reported in 
the PTCIP based on 2008 data will fall into a very low range of risk in 
relation to lines carrying PIH traffic. Further, FRA believes it is 
very unlikely that any legitimate consolidation of PIH traffic after 
2008 would have utilized a line that was not previously carrying at 
least some PIH traffic. In short, although the agency may not have 
taken the same approach, there is wisdom behind the congressional 
formulation based on conditions when the Congress acted.
    In summary, FRA has fashioned an approach to review of candidate 
track segments for PTC Implementation that seeks to uphold the letter 
and the intent of the RSIA08, that utilizes FRA discretionary authority 
sparingly but in a risk-informed manner, that it is administrable 
within the time allowed by law to review PTCIPs, that offers the best 
chance of creating some stability in deployment strategy by permitting 
the agency to focus on areas of greatest sensitivity early in the 
process (including, as necessary, a threshold evaluation of whether 
Rail Route Analysis Rule decisions require further evaluation), and 
that will ensure, to the extent possible, that safety alone is the 
governing criterion in determining where PTC will be required to be 
deployed.
    Paragraph (c) provides amplifying information regarding the 
installation and integration of hazard detectors into PTC systems. 
Paragraph (c)(1) reiterates FRA's position that any hazard detectors 
that are currently integrated into an existing signal and train control 
system must be integrated into mandatory PTC systems and that the PTC 
system will enforce as appropriate on receipt of a warning from the 
detector. Paragraph (c)(2) states that each PTCSP submitted by a 
railroad must identify any additional hazard detectors that will be 
used to provide warnings to the crew which a railroad may elect to 
install. If the PTCSP so provides, the PTCSP must clearly define the 
actions required by the crew upon receipt of the alarm or other warning 
or alert. FRA does not expect a railroad to install hazard detectors at 
every location where a hazard might possibly exist.
    Paragraph (c)(3) requires, in the case of high-speed service (as 
described in Sec.  236.1007 as any service operating at speeds greater 
than 90 miles per hour), that the hazard analysis address any hazards 
on the route and provide a reason why additional hazard detectors are 
not required to provide warning and enforcement for hazards not already 
protected by an existing hazard detector. The hazard analysis must 
clearly identify the risk associated with the hazard, and the 
mitigations taken if a hazard detector is not installed and interfacing 
with a PTC system. For instance, in the past, large motor vehicles with 
parallel or overhead structures have been left fouling active passenger 
rail lines. Depending upon the circumstances, such events can cause 
catastrophic train accidents. Although not every such event can be 
prevented, detection of such obstacles may make it more likely that the 
accident could be prevented.
    In its comments, Amtrak assumes that on those lines where FRA has 
previously approved such speeds (e.g., portions of Amtrak's Northeast 
Corridor (NEC) and Michigan line), a new hazard analysis, which would 
serve only to allow that which is already allowed, will not be 
required. If so, it asserts that the rule should make that explicit. 
FRA has done so in the final rule. No further changes were indicated by 
the comments.
    Under paragraph (d), the final rule requires that each lead 
locomotive operating with a PTC system be equipped with an operative 
event recorder that captures safety-critical data routed to the 
engineer's display that the engineer must obey, including all mandatory 
directives that have been electronically delivered to the train, 
maximum authorized speeds, warnings presented to the crew, including 
countdowns to braking enforcement and warnings indicating that braking 
enforcement is in effect, and the current system state (``ACTIVE'', 
``FAILED'', ``CUTIN'', ``CUTOUT'', etc.)
    FRA intends that this information be available in the event of an 
accident with a PTC-equipped system to determine root causes and the 
necessary actions that must be taken to prevent reoccurrence. Although 
FRA expects implemented PTC systems will prevent PTC-preventable 
accidents, in the event of system failure FRA believes it is necessary 
to capture available data relating to the event. Further, FRA sees 
value in capturing information regarding any accident that may occur 
outside of the control of a PTC system

[[Page 2625]]

as it is currently designed--including the prevention of collisions 
with trains not equipped with PTC systems--and accidents that could 
otherwise have been prevented by PTC technology, but were unanticipated 
by the system developers, the employing railroad, or FRA.
    The data may be captured in the locomotive event recorder, or a 
separate memory module. If the locomotive is placed in service on or 
after October 1, 2009, the event recorder and memory module, if used, 
shall be crashworthy, otherwise known as crash-hardened, in accordance 
with Sec.  229.135. For locomotives built prior to that period, the 
data shall be protected to the maximum extent possible within the 
limits of the technology being used in the event recorder and memory 
module.
    One commenter stated that paragraph (d) was not clear. The 
commenter is unsure if FRA is requiring that all of the operator's 
display be recorded and replicated upon playback. FRA only requires 
that the railroad capture the safety-critical data routed to the 
display which the engineer must obey. The choice of format to play back 
this data has been left to the railroad, keeping in mind that whatever 
format used for data playback needs to be available to FRA for accident 
investigations and other investigation activities.
    As required by the RSIA08 and by paragraph (a)(1)(iv), as noted 
above, a PTC system required by subpart I must be designed to prevent 
the movement of a train through a main line switch in the wrong 
position. Paragraph (e) provides amplifying information on switch point 
monitoring, indication, warning of misalignment, and associated 
enforcement. According to the statute, each PTC system must be designed 
to prevent ``the movement of a train through a switch left in the wrong 
position.'' FRA understands ``wrong position'' to mean not in the 
position for the intended movement of the train. FRA believes that 
Congress' use of the phrase ``left in the wrong position'' was 
primarily directed at switches in non-signaled (dark) territory such as 
the switch involved in the aforementioned accident at Graniteville, 
South Carolina. FRA also believes that, in order to prevent potential 
derailment or divergence to an unintended route, it is critical that 
all associated switches be monitored by a PTC system in some manner to 
detect whether they are in their proper position for train movements. 
If a switch is misaligned, the PTC system must provide an acceptable 
level of safety for train operations.
    Prior to the statute, PTC provided for positive train separation, 
speed enforcement, and work zone protection. The addition of switch 
point monitoring and run through prevention would have eliminated the 
Graniteville accident where a misaligned switch resulted in the 
unintended divergence of a train operating on the main track onto a 
siding track and the collision of that train with another parked train 
on the siding. The resulting release of chlorine gas caused nine deaths 
and required the evacuation of the entire town while remediation 
efforts were in progress.
    As discussed above, FRA considered requiring PTC systems to be 
interconnected with each main line switch and to individually monitor 
each switch's point position in such a manner as to provide for a 
positive stop short of any misalignment condition. However, after 
further consideration and discussion with the PTC Working Group, FRA 
believes that such an approach may be overly aggressive and terribly 
expensive in signaled territory.
    Under paragraph (e), FRA instead provides to treat switches 
differently, depending upon whether they are within a wayside or cab 
signal system--or are provided other similar safeguards (i.e., distant 
switch indicators and associated locking circuitry) required to meet 
the applicable switch position standards and requirements of subparts A 
through G--within non-signaled (dark) territory.
    While a PTC system in dark territory would be required to enforce a 
positive stop--as discussed in more detail below--a PTC system in 
signaled territory would require a train to operate at no more than the 
upper limit of restricted speed between the associated signal, over any 
switch in the block governed by the signal, and until reaching the next 
subsequent signal that is displaying a signal indication more 
permissive than proceed at restricted speed.
    Signaled territory includes various types of switches, including 
power-operated switches, hand-operated switches, spring switches, 
electrically-locked switches, electro-pneumatic switches, and hydra 
switches, to name the majority. Each type of switch poses different 
issues as it relates to PTC system enforcement. We will look at power- 
and hand-operated switches as examples.
    On a territory without a PTC system, if a power-operated switch at 
an interlocking or control point were in a condition resulting in the 
display of a stop indication by the signal system, an approaching train 
would generally have to stop only a few feet from the switch, and in 
the large majority of cases no more than several hundred feet away from 
it. In contrast, in PTC territory adhering to the aforementioned overly 
aggressive requirement, a train would have to stop at the signal, which 
may be in close proximity to its associated switch, and operate at no 
more than the upper limit of restricted speed to that switch, where it 
would have to stop again. FRA believes that, since the train would be 
required to stop at the signal, and must operate at no more than the 
upper limit of restricted speed until it completely passes the switch 
(with the crew by rule watching for and prepared to stop short of, 
among other concerns, an improperly lined switch), a secondary enforced 
stop at the switch would be unnecessarily redundant.
    Operations using hand-operated switches would provide different, 
and arguably greater, difficulties and potential risks. Generally, in 
between each successive interlocking and control point, signal spacing 
along the right of way can approximately be 1 to 3 miles or more apart, 
determined by the usual length of track circuits and the sufficient 
number of indications that would provide optimal use for train 
operations. Each signal governs the movement through the entire 
associated block up to the next signal. Thus, a train approaching a 
hand-operated switch may encounter further difficulties since its 
governing signal may be much further away than the governing signal for 
a power-operated switch. If within signaled territory a hand-operated 
switch outside of an interlocking or control point were in a condition 
resulting in the display of a restricted speed signal indication by the 
signal system, an approaching train may be required to stop before 
entering the block governed by the signal and proceed at restricted 
speed, or otherwise reduce its speed to restricted speed as it enters 
the block governed by the signal. The train must then be operated at 
restricted speed until the train reaches the next signal displaying an 
indication more permissive than proceed at restricted speed, while 
passing over any switch within the block. The governing signal, 
however, may be anywhere from a few feet to more than a mile from the 
hand-operated switch. For instance, if a signal governs a 3 mile long 
block, and there is a switch located 1.8 miles after passing the 
governing signal (stated in advance of the signal), and that switch is 
misaligned, the train would have to travel that 1.8 miles at restricted 
speed. Even if the train crew members were able to correct the 
misaligned switch,

[[Page 2626]]

they would need to remain at restricted speed at least until the next 
signal (absent an upgrade of a cab signal indication).
    In signaled territory, to require a PTC system to enforce a 
positive stop of an approaching train at each individual misaligned 
switch would be an unnecessary burden on the industry, particularly 
since movement beyond the governing signal would be enforced by the PTC 
system to a speed no more than the upper limit of restricted speed. 
Accordingly, in signaled territory, paragraph (e)(1) requires a PTC 
system to enforce the upper limit of restricted speed through the 
block. By definition, at restricted speed, the locomotive engineer must 
be prepared to stop within one-half the range of vision short of any 
misaligned switch or broken rail, etc., not to exceed 15 or 20 miles 
per hour depending on the operating rule of the railroad. Accordingly, 
if a PTC system is integrated with the signal system, and a train is 
enforced by the PTC system to move at restricted speed past a signal 
displaying a restricted speed indication, FRA feels comfortable that 
the PTC system will meet the statutory mandate of preventing the 
movement of the train through the switch left in the wrong position by 
continuously displaying the speed to be maintained (i.e., restricted 
speed) and by enforcing the upper limit of the railroads' restricted 
speed rule (but not to exceed 20 mph). While this solution would not 
completely eliminate human factors associated with movement through a 
misaligned switch, it would significantly mitigate the risk of a train 
moving through such a switch and would be much more cost effective.
    Moreover, it would be cost prohibitive to require the industry to 
individually equip each of the many thousands of hand-operated switches 
with a wayside interface unit (WIU) necessary to interconnect with a 
PTC system in order to provide a positive stop short of any such switch 
that may be misaligned. Currently each switch in signaled territory has 
its position monitored by a switch circuit controller (SCC). When a 
switch is not in its normal position, the SCC opens a signal control 
circuit to cause the signal governing movement over the switch location 
to display its most restrictive aspect (usually red). A train 
encountering a red signal at the entrance to a block will be required 
to operate at restricted speed through the entire block, which can be 
several miles in length depending on signal spacing. The signal system 
is not capable of informing the train crew which switch, if any, in the 
block may be in an improper position since none of switches are 
equipped with an independent WIU. There could be many switches within 
the same block in a city or other congested area. Thus, there is a 
possibility that one or more switches may be not in its proper position 
and the signal system would be unable to transmit which switch or 
switches are not in normal position. The governing signal could also be 
displaying a red aspect on account of a broken rail, broken bond wire, 
broken or wrapped line wire, bad insulated joint, bad insulated switch 
or gage rods, or other defective condition.
    FRA believes that requiring a PTC system to enforce the upper limit 
of restricted speed in the aforementioned situations is statutorily 
acceptable. The statute requires each PTC system to prevent ``the 
movement of a train through a switch left in the wrong position.'' 
Under this statutory language, the railroad's intended route must 
factor into the question of whether a switch is in the ``wrong'' 
position. In other words, in order to determine whether a switch is in 
the ``wrong position,'' we must know the switch's ``right position.'' 
The ``right position'' is determined by the intended route of the 
railroad. Thus, when determining whether a switch is in the wrong 
position, it is necessary to know the railroad's intended route and 
whether the switch is properly positioned to provide for the train to 
move through the switch to continue on that route. The intended route 
is normally determined by the dispatcher.
    Under the final rule, when a switch is in the wrong position, the 
PTC system must have knowledge of that information, must communicate 
that information to the railroad (e.g., the locomotive engineer or 
dispatcher), and must control the train accordingly. Once the PTC 
system or railroad has knowledge of the switch's position, FRA expects 
the position to be corrected in accordance with part 218 before the 
train operates through the switch. See, e.g., Sec. Sec.  218.93, 
218.103, 218.105, 218.107.
    If the PTC system forces the train to move at no more than the 
upper limit of restricted speed, the railroad will have knowledge that 
a misaligned switch may be within the subject block, and the railroad, 
by rule or dispatcher permission, will then make the decision to move 
through the switch (i.e., the railroad's intent has changed as 
indicated by rule or dispatcher instructions), so the switch will no 
longer be in the ``wrong position.'' The RSAC PTC Working Group was 
unanimous in concluding that these arrangements satisfy the safety 
objectives of RSIA08. Utilization of the signal system to detect 
misaligned switches and facilitate safe movements also provides an 
incentive to retain existing signal systems, with substantial 
additional benefits in the form of broken rail detection and detection 
of equipment fouling the main line.
    Paragraph (e)(2) addresses movements over switches in dark 
territory and under conditions of excessive risk, even within block 
signal territory. In dark territory, by definition, there are no 
signals available to provide any signal indication or to interconnect 
with the switches or PTC system. Without the benefit of a wayside or 
cab signal system, or other similar system of equivalent safety, the 
PTC system will have no signals to obey. In such a case, the PTC system 
may be designed to allow for virtual signals, which are waypoints in 
the track database that would correspond to the physical location of 
the signals had they existed without a switch point monitoring system. 
Accordingly, paragraph (e)(2)(i) requires that in dark territory where 
PTC systems are implemented and governed by this subpart, the PTC 
system must enforce a positive stop for each misaligned switch whereas 
the lead locomotive must be stopped short of the switch to preclude any 
fouling of the switch. Once the train stops, the railroad will have an 
opportunity to correct the switch's positioning and then continue its 
route as intended.
    Unlike in signaled territory, FRA expects that on lines requiring 
PTC in dark territory, each switch will be equipped with a WIU to 
monitor the switch's position. A WIU is a device that aggregates 
control and status information from one or more trackside devices for 
transmission to a central office and/or an approaching train's onboard 
PTC equipment, as well as disaggregating received requests for 
information, and promulgates that request to the appropriate wayside 
device. Most of the switches in dark territory are hand-operated with a 
much smaller number of them being spring and hydra switches. In dark 
territory, usually none of the switches have their position monitored 
by a SCC and railroads have relied on the proper handling of these 
switches by railroad personnel. When it is necessary to throw a main 
line switch from normal to reverse, an obligation arises under the 
railroad's rules to restore the switch upon completion of the 
authorized activity. Switch targets or banners are intended to provide 
minimal visual indication of the switch's position, but in the typical 
case trains are not required to operate at a speed permitting them to 
stop short of open switches. As

[[Page 2627]]

evidenced by the issuance of Emergency Order No. 24 and the subsequent 
Railroad Operating Rules Final Rule (73 FR 8,442 (Feb. 13, 2008)), 
proper handling of main line switches cannot be guaranteed in every 
case. However, now with the implementation and operation of PTC 
technology, if a switch is not in the normal position, that information 
will be transmitted to the locomotive. The PTC system will then know 
which switch is not in the normal position and require a positive stop 
at that switch location only.
    In the event that movement through a misaligned switch would result 
in an unacceptable risk, whether in dark or signaled territory, 
paragraph (e)(2)(ii) requires the PTC system to enforce a positive stop 
on each train before it crosses the switch in the same manner as 
described above for trains operating in dark, PTC territory. FRA 
acknowledges that regardless of a switch's position, and regardless of 
whether the switch is in dark or signaled territory, movement through 
certain misaligned switches--even at low speeds--may still create an 
unacceptable risk of collision with another train.
    FRA understands the term ``unacceptable risk'' to mean risk that 
cannot be tolerated by the railroad's management (and in this case FRA 
plays the role of ensuring consistency). It is a type of identified 
risk that must be eliminated or controlled. For instance, such an 
unacceptable risk may exist with a hand-operated crossover between two 
main tracks, between a main track and a siding or auxiliary track, or 
with a hand-operated switch providing access to another subdivision or 
branch line. The switches mentioned in paragraph (e)(2)(ii) are in 
locations where, if the switch is left lined in the wrong position, a 
train would be allowed to traverse through the crossover or turnout and 
potentially into the path of another train operating on an adjoining 
main track, siding, or other route. Even if such switches were located 
within a signaled territory, the signal governing movements over the 
switch locations, for both tracks as may be applicable, would be 
displaying their most restrictive aspect (usually red). This 
restrictive signal indication would in turn allow both trains to 
approach the location at restricted speed where one or both of the 
crossover switches are lined in the reverse position. Since the PTC 
system is not capable of actually enforcing restricted speed other than 
its upper limits, the PTC system would enforce a 15 or 20 mile per hour 
speed limit dependent upon the operating rules of the railroad. 
However, there is normally up to as much as a 5 mile per hour tolerance 
allowed for each speed limit before the PTC system will actually 
enforce the applicable required speed. Thus, in reality, the PTC system 
would not enforce the restricted speed condition until each train 
obtained a speed of up to 25 miles per hour. In this scenario, it is 
conceivable that two trains both operating at a speed of up to 25 miles 
per hour could collide with each other at a combined impact speed 
(closing speed) of up to 50 miles per hour. While these examples are 
provided in the rule text, they are merely illustrative and do not 
limit the universe of what FRA may consider an unacceptable risk for 
the purpose of paragraph (e). FRA emphasizes that FRA maintains the 
final determination as to what constitutes acceptable or unacceptable 
risk in accordance with paragraph (e)(2)(ii).
    Caltrain submitted a comment recommending the removal of the 
following text from this section: ``Unacceptable risk includes 
conditions when traversing the switch, even at low speeds, could result 
in direct conflict with the movement of another train (including a 
hand-operated crossover between main track, a hand-operated crossover 
between main track and an adjoining siding or auxiliary track, or a 
hand-operated switch providing access to another subdivision or branch 
line, etc.)'' Caltrain asserted that the PTC Safety Plan is required 
to, and will address, whether a particular configuration is an 
acceptable risk. The examples cited can include a non-signaled siding 
or auxiliary track several feet below the grade of the mainline track. 
The possibility of the equipment on the auxiliary track conflicting 
with movement on the main line track is no greater at a crossover than 
if it is a single switch and turnout. Main to main crossovers are 
another topic that will be addressed in the risk analysis.
    FRA believes it to be important to identify the requirement that a 
PTC system must enforce a positive stop short of any main line switch, 
and any switch on a siding where the allowable speed is in excess of 20 
miles per hour, if movement of a train over such a switch not in its 
proper position could create an unacceptable risk. FRA is providing 
within the language of the rule example of movements through an 
improperly lined switch that FRA believes would result in unacceptable 
risk. This unacceptable risk is not related to the potential ``roll-
out'' of equipment from another track onto the main track, which was 
referenced in the comment submitted by Caltrain, but constitutes any 
situation where a movement may diverge from one track onto an adjacent 
track potentially directly in front of a proceeding movement of a 
separate train on that track.
    Furthermore, FRA provides in paragraph (e)(3) that a railroad may 
submit, with justification, alternative PTC system enforcement 
associated with unacceptable risk of train movements through improperly 
aligned switches in their applicable PTCDP or PTCSP for FRA approval. 
FRA therefore elects to leave the rule text of paragraph (e)(2)(ii) as 
it was written in the proposed rule.
    The PTC system must also enforce a positive stop short of any 
misaligned switch on a PTC controlled siding in dark territory where 
the allowable track speed is in excess of 20 miles per hour. Sidings 
are used for meeting and passing trains and where those siding 
movements are governed by the PTC system, safety necessitates the 
position of the switches located on sidings to be monitored in order to 
protect train movements operating on them. Conversely, on signaled 
sidings, train movements are governed and protected by the associated 
signal indications, track circuits, and monitored switches, none of 
which are present in dark territory.
    Paragraph (e)(3) notes that while switch position detection and 
enforcement must be accomplished, the PTCSP may include a safety 
analysis for alternative means of PTC system enforcement associated 
with switch position. Moreover, an identification and justification of 
any alternate means of protection other than that provided in this 
section shall be identified and justified. FRA recognizes that, in 
certain circumstances, this flexibility may allow the reasonable use of 
a track circuit in lieu of individually monitored switches (addressing 
rail integrity as well as identification of open switches).
    Paragraph (e)(4) provides amplifying information regarding existing 
standards of subparts A through G of this part related to switches, 
movable-point frogs, and derails in the route governed that are equally 
applicable to PTC systems unless otherwise provided in a PTCSP approved 
under this subpart. This paragraph explains that the FRA required and 
accepted railroad industry standard types of components used to 
monitored switch point position and how those devices are required to 
function. This paragraph allows for some alternative method to be used 
to accomplish the same level of protection if it is identified and 
justified in a PTCSP approved under this subpart.

[[Page 2628]]

    The AAR submitted comment that the language within paragraph 
(e)(4), which was presumably derived from subpart C of this part, 
prescribes conditions under which ``movement authorities can only be 
provided.'' (emphasis added). The AAR contends that, in the context of 
PTC design, this paragraph seems to prescribe a specific method (the 
withholding of movement authorities) to provide switch position 
protection per the requirements identified by paragraphs (e)(1) through 
(e)(3). The AAR asserts that paragraph (e)(4) should be clarified or 
revised to allow for PTC systems that may meet these requirements by 
methods other than, or in addition to, those methods prescribed by 
paragraph (e)(4). Thus, the AAR suggests rewording paragraph (e)(4) to 
include the language: ``unrestricted movement authorities can only be 
provided''.
    FRA agrees with the principle of the AAR's comment. The intention 
appears to be that the permissiveness of all movement authorities over 
any switches, movable-point frogs, or derails must be determined by 
control circuits or their electronic equivalent selected through a 
circuit controller or functionally equivalent device that is operated 
directly by the switch points, derail, or switch locking mechanism, or 
through relay or electronic device controlled by such circuit 
controller or functionally equivalent device. Unrestricted movement 
authorities can only be provided when each switch, movable-point frog, 
or derail in the route governed is in proper position. FRA has 
therefore revised paragraph (e)(4) to read as follows: ``The control 
circuit or electronic equivalent for all movement authorities over any 
switches, movable-point frogs, or derails shall be selected through 
circuit controller or functionally equivalent device operated directly 
by switch points, derail, or by switch locking mechanism, or through 
relay or electronic device controlled by such circuit controller or 
functionally equivalent device, for each switch, movable-point frog, or 
derail in the route governed. Circuits or electronic equivalents shall 
be arranged so that any movement authorities less restrictive than 
those prescribed in paragraphs (e)(1) and (e)(2) of this section can 
only be provided when each switch, movable-point frog, or derail in the 
route governed is in proper position, and shall be in accordance with 
subparts A through G of this part, unless it is otherwise provided in a 
PTCSP approved under this subpart.''
    Paragraph (f) provides amplifying information for determining 
whether a PTC system is considered to be configured to prevent train-
to-train collisions, as required under paragraph (a). FRA will consider 
the PTC system as providing the required protection if the PTC system 
enforces the upper limits of restricted speed. These criteria will 
allow following trains to pass intermediate signals displaying a 
restricting aspect and will allow for the issuance of joint mandatory 
directives.
    Where a wayside signal displays a ``Stop,'' ``Stop and Proceed,'' 
or ``Restricted Proceed'' indication, paragraph (f)(1)(i) requires the 
PTC system to enforce the signal indication accordingly. In the case of 
a ``Stop'' or ``Stop and Proceed'' indication, operating rules require 
that the train will be brought to a stop prior to passing the signal 
displaying the indication. The train may then proceed at 15 or 20 miles 
per hour, as applicable according to the host railroad's operating 
rule(s) for restricted speed. In the case of a ``Restricted Proceed'' 
indication, the train would be allowed to pass the signal at 15 or 20 
miles per hour. Some existing PTC systems do not enforce the stop 
indication under these circumstances, and FRA believes that this is 
acceptable. However, in either event, the speed restriction would be 
enforced until the train passes a more favorable signal indication. NJ 
Transit asserted, and FRA agrees, that in dark territory where trains 
operate by mandatory directive, the PTC system would be expected to 
enforce the upper limit of restricted speed on a train when the train 
was allowed into a block already occupied by another preceding train 
traveling in the same direction. In freight operations, there may be 
situations where, in order to accomplish local switching, further 
latitude would be necessary, so long as the upper limit of restricted 
speed is enforced.
    NJ Transit suggests that the FRA consider modifying the verbiage to 
more clearly define the expectation of the operating rules and 
enforcement requirements associated with the Stop and Proceed 
indication.
    FRA fully understands the concern presented by NJ Transit, but 
suggests that the recommended modification to verbiage is already 
provided for in the language of paragraph (f)(1)(ii). FRA has therefore 
elected to retain the language of paragraph (f) in the final rule.
    Paragraphs (g) through (k) all concern situations where temporary 
rerouting may be necessary and would affect application of the 
operational rules under subpart I. While the final rule attempts to 
reduce the opportunity for PTC and non-PTC trains to co-exist on the 
same track, FRA recognizes that this may not always be possible, 
especially when a track segment is out of service and a train must be 
rerouted in order to continue to destination. Accordingly, paragraph 
(g) allows for temporary rerouting of traffic between PTC equipped 
lines and lines not equipped with PTC systems. FRA anticipates two 
situations--emergencies and planned maintenance--that would justify 
such rerouting.
    Paragraph (g) provides the preconditions and procedural rules to 
allow or otherwise effectuate a temporary rerouting in the event of an 
emergency or planned maintenance that would prevent usage of the 
regularly used track. Historically, FRA has dealt with temporary 
rerouting on an ad hoc basis. For instance, on November 12, 1996, FRA 
granted UP, under its application RS&I-AP-No. 1099, conditional 
approval for relief from the requirements of Sec.  236.566, which 
required equipping controlling locomotives with an operative apparatus 
responsive to all automatic train stop, train control, or cab signal 
territory equipment. The conditional approval provided for ``detour 
train movements necessitated by catastrophic occurrence such as 
derailment, flood, fire, or hurricane'' on certain listed UP 
territories configured with automatic cab signals (ACS) or automatic 
train stop (ATS). Ultimately, the relief would allow trains not 
equipped with the apparatus required under Sec.  236.566 to enter those 
ACS and ATS territories. However, the relief was conditional upon 
establishing an absolute block in advance of each train movement--as 
prescribed by General Code of Operating Rules (GCOR) 11.1 and 11.2--and 
notifying the applicable FRA Regional Headquarters. The detour would 
only be permissible for up to seven days and FRA could modify or 
rescind the relief for railroad non-compliance.
    On February 7, 2006, that relief was temporarily extended to 
include defined territory where approximately two months of extensive 
track improvements were necessary. Additional conditions for this 
relief included a maximum train speed of 65 miles per hour and 
notification to the FRA Region 8 Headquarters within 24 hours of the 
beginning of the non-equipped detour train movements and immediately 
upon any accident or incident. On February 27, 2007, FRA provided 
similar temporary relief for another three months on the same 
territory.
    While the aforementioned conditional relief was provided on an ad 
hoc basis, FRA feels that codifying rules regulating temporary 
rerouting involving PTC system track or locomotive equipment is

[[Page 2629]]

necessary due to the potential dangers of allowing mixed PTC and non-
PTC traffic on the same track and the inevitable increased presence of 
PTC and PTC-like technologies. Moreover, FRA believes that the subject 
railroads and FRA would benefit from more regulatory flexibility to 
work more quickly and efficiently to provide for temporary rerouting to 
mitigate the problems associated with emergency situations and 
infrastructure maintenance.
    Under the final rule, FRA is providing for temporary rerouting of 
non-PTC trains onto PTC track and PTC trains onto non-PTC track. A 
train will not be considered rerouted for purposes of the conditions 
set forth in this section if it operates on a PTC line that is other 
than its ``normal route,'' which is equipped and functionally 
responsive to the PTC system over which it is subsequently operated, or 
if it is a non-PTC train (not a passenger train or a freight train 
having any PIH materials) operating on a non-PTC line that is other 
than its ``normal route.''
    Paragraph (g) effectively provides temporary civil penalty immunity 
from various applicable requirements of this subpart, including 
provisions under subpart I relating to controlling locomotives, similar 
to how waivers from FRA have provided certain railroads immunity from 
Sec.  236.566.
    FRA expects that emergency rerouting will require some flexibility 
in order to respond to circumstances outside of the railroad's 
control--most notably changes in the weather, vandalism, and other 
unexpected occurrences--that would result in potential loss of life or 
property or prevent the train from continuing on its normal route. 
While paragraph (g) lists a number of possible emergency circumstances, 
they are primarily included for illustrative purposes and are not a 
limiting factor in determining whether an event rises to an emergency. 
For instance, FRA would also consider allowing rerouting in the event 
use of the track is prevented by vandalism or terrorism. While these 
events are not the primary reasons for which paragraph (g) would allow 
rerouting, FRA recognizes that they may fall outside of the railroad's 
control.
    In the event of an emergency that would prevent usage of the track, 
temporary rerouting may occur instantly by the railroad without 
immediate FRA notice or approval. By contrast, the vast majority of 
maintenance activities can be predicted by railroad operators. While 
the final rule provides for temporary rerouting for such activities, 
the lack of exigent circumstances does not require the allowance of 
instantaneous rerouting without an appropriate request and, in cases 
where the request is for rerouting to exceed 30 days, FRA approval. 
Accordingly, under paragraph (g), procedurally speaking, temporary 
rerouting for emergency circumstances will be treated differently than 
temporary rerouting for planned maintenance. While FRA continues to 
have an interest in monitoring all temporary rerouting to ensure that 
it is occurring as contemplated by FRA and within the confines of the 
rule, the timing of FRA notification, and the approval procedures, 
reflects the aforementioned differences.
    When an emergency circumstance occurs that would prevent usage of 
the regularly used track, and would require temporary rerouting, the 
subject railroad must notify FRA within one business day after the 
rerouting commences. To provide for communicative flexibility in 
emergency situations, the final rule provides for such notification to 
be made in writing or by telephone. FRA provides that written 
notification may be accomplished via overnight mail, e-mail, or 
facsimile. In any event, the railroad should take the steps necessary 
for the method of notification selected to include confirmation that an 
appropriate person actually on duty with FRA receives the notification 
and FRA is duly aware of the situation.
    While telephone notification may provide for easy communications by 
the railroad, a mere phone call would not provide for documentation of 
information required under paragraph (g). Moreover, if for some reason 
the phone call is made at a time when the designated telephone operator 
is not on duty or if the caller is only able to leave a message with 
the FRA voice mail system, the possibility exists that the applicable 
FRA personnel would not be timely notified of the communication and its 
contents.
    Emergency rerouting can only occur without FRA approval for 
fourteen (14) consecutive calendar days. If the railroad requires more 
time, it must make a request to the Associate Administrator. The 
request must be made directly to the Associate Administrator and 
separately from the initial notification sometime before the 14-day 
emergency rerouting period expires. Unless the Associate Administrator 
notifies the railroad of his or her approval before the end of the 
allowable emergency rerouting timeframe, the relief provided by 
paragraph (g) will expire at the end of that timeframe.
    While a mere notification is necessary to commence emergency 
rerouting, a request must be made, with subsequent FRA approval, to 
perform planned maintenance rerouting. The relative predictability of 
planned maintenance activities allows railroads to provide FRA with 
much more advanced request of any necessary rerouting and allows FRA to 
review that request. FRA requires that the request be made at least 10 
calendar days before the planned maintenance rerouting commences.
    To ensure a retrievable record, the request must be made in 
writing. It may be submitted to FRA by fax, e-mail, or courier. Because 
of security protocols placed in effect after the terrorist attacks of 
September 11, 2001, regular mail undergoes irradiation to ensure that 
any pathogens have been destroyed prior to delivery. The irradiation 
process adds significant delay to FRA's receipt of the document, and 
the submitted document may be damaged due to the irradiation process. 
Thus, FRA implores those making a rerouting request in writing to 
deliver the request through other, more acceptable, means.
    The lack of emergency circumstances makes telephonic communication 
less necessary, since the communication need not be immediate, and less 
preferable, since it may not be accurately documented for subsequent 
reference and review. Like notifications for emergency rerouting, the 
request for planned rerouting must include the number of days that the 
rerouting should occur. If the planned maintenance will require 
rerouting up to 30 days, then the request must be made with the 
Regional Administrator. If it will require rerouting for more than 30 
days, then the request must be made with the Associate Administrator. 
These longer time periods reflects FRA's opportunity to review and 
approve the request. In other words, since FRA expects that the review 
and approval process will provide more confidence that a higher level 
of safety will be maintained, the rerouting period for planned 
maintenance activities may be more than the 14 days allotted for 
emergency rerouting.
    Regardless of whether the temporary rerouting is the result of an 
emergency situation or planned maintenance, the communication to FRA 
required under paragraph (g) must include the information listed under 
paragraph (i). This information is necessary to provide FRA with 
context and details of the rerouting. To attempt to provide railroads 
with the flexibility intended under paragraph (g), and to attempt to 
prevent enforcement of the rules from which the railroad should be 
receiving relief, FRA must be able to coordinate with its inspectors 
and other personnel.

[[Page 2630]]

This information may also eventually be important to FRA in developing 
statistical analyses and models, reevaluating its rules, and 
determining the actual level of danger inherent in mixing PTC and non-
PTC traffic on the same tracks.
    For emergency rerouting purposes, the information is also necessary 
for FRA to determine whether it should order the railroad or railroads 
to cease rerouting or provide additional conditions that differ from 
the standard conditions specified in paragraph (i). FRA recognizes the 
importance of allowing temporary rerouting to occur automatically in 
emergency circumstances. However, FRA must also maintain its 
responsibility of ensuring that such rerouting occurs lawfully and as 
intended by the rules. Accordingly, the final rule provides the 
opportunity for FRA to review the information required by paragraph (g) 
to be submitted in accordance with paragraph (i) and order the railroad 
or railroads to cease rerouting if FRA finds that such rerouting is not 
appropriate or permissible in accordance with the requirements of 
paragraphs (g) through (i), and as may be so directed in accordance 
with paragraph (k), as discussed further below.
    For rerouting due to planned maintenance, the information required 
under paragraph (i) is equally applicable and will be used to determine 
whether the railroad should not reroute at all. If the request for 
planned maintenance is for a period of up to 30 days, then the request 
and information must be sent in writing to the Regional Administrator 
of the region in which the temporary rerouting will occur. While such a 
request is self-executing--meaning that it will automatically be 
considered permissible if not otherwise responded to--the Regional 
Administrator may prevent the temporary rerouting from starting by 
simply notifying the railroad or railroads that its request is not 
approved. The Regional Administrator may otherwise provide conditional 
approval, request that further information be supplied to the Regional 
Administrator or Associate Administrator, or disapprove the request 
altogether. If the railroad still seeks to reroute due to planned 
maintenance activities, it must provide the Regional Administrator or 
Associate Administrator, as applicable, the requested information. If 
the Regional Administrator requests further information, no planned 
maintenance rerouting may occur until the information is received and 
reviewed and the Regional Administrator provides his or her approval. 
Likewise, no planned maintenance rerouting may occur if the Regional 
Administrator disapproves of the request. If the Regional Administrator 
does not provide notice preventing the temporary rerouting, then the 
planned maintenance rerouting may begin and occur as requested. 
However, once the planned maintenance rerouting begins, the Regional 
Administrator may at any time order the railroad or railroads to cease 
the rerouting in accordance with paragraph (k).
    Requests for planned maintenance rerouting exceeding 30 days, 
however, must be made to the Associate Administrator and are not self-
executing. No such rerouting may occur without Associate Administrator 
approval, even if the date passes on which the planned maintenance was 
scheduled to commence. Under paragraph (h), like the Regional 
Administrator, the Associate Administrator may provide conditional 
approval, request further information, or disapprove of the request to 
reroute. Once approved rerouting commences, the Associate Administrator 
may also order the rerouting to cease in accordance with paragraph (k).
    Where a train rerouted onto a track equipped with a PTC system is, 
for whatever reason, not compatible and functionally responsive to that 
PTC system (e.g., an unequipped controlling locomotive, or one equipped 
but not compatible with the associated wayside, office, or 
communications system), such train must be operated in accordance with 
Sec.  236.1029. Where any train is rerouted onto a track segment that 
is not equipped with a PTC system, such train must be operated in 
accordance with the operating rules applicable to the track segment on 
which the train is being rerouted.
    Moreover, as referenced in paragraph (g) as it applies to both 
emergency and planned maintenance circumstances, the track upon which 
FRA expects the rerouting to occur would require certain mitigating 
protections listed under paragraph (j) in light of the mixed PTC and 
non-PTC traffic. While FRA purposefully intends paragraph (j) to apply 
similarly to Sec.  236.567, FRA recognizes that Sec.  236.567 does not 
account for the statutory mandates of interoperability and the core PTC 
safety functions. Accordingly, paragraph (j) must be more restrictive.
    Section 236.567, which applies to territories where ``an automatic 
train stop, train control, or cab signal device fails and/or is cut out 
en route,'' requires trains to proceed at either restricted speed or, 
if an automatic block signal system is in operation according to signal 
indication, at no more than 40 miles per hour to the next available 
point of communication where report must be made to a designated 
officer. Where no automatic block signal system is in use, the train 
shall be permitted to proceed at restricted speed or where an automatic 
block signal system is in operation according to signal indication but 
not to exceed medium speed to a point where absolute block can be 
established. Where an absolute block is established in advance of the 
train on which the device is inoperative, the train may proceed at not 
to exceed 79 miles per hour. Paragraph (j) utilizes that absolute block 
condition, which more actively engages the train dispatcher in managing 
movement of the train over the territory (in both signaled and non-
signaled territory). Recognizing that re-routes under this section will 
occur in non-signaled territory, the maximum authorized speeds 
associated with such territory are used as limitations on the speed of 
re-routed trains. FRA agrees with the comments of labor representatives 
in the PTC Working Group who contend that the statutory mandate alters 
to some extent what would otherwise be considered reasonable for these 
circumstances.
    It should be noted that this paragraph (j) was added by FRA after 
further consideration of this issue and was not part of the PTC Working 
Group consensus. FRA received several comments associated with the 
temporary rerouting requirements and the restrictive operational 
conditions imposed by paragraphs (j)(1) and (j)(2) as being overly 
burdensome, unsupported and inappropriate. Specifically, the idea that 
a train rerouted from a PTC line to a non-PTC line should be treated 
differently than the existing traffic on the non-PTC line is 
unjustified. The commenters suggest current FRA operational 
requirements contained in Sec. Sec.  236.0(c) and (d) providing for 
speeds greater than 49 miles per hour for freight and 59 miles per hour 
for passenger trains where a block signal system and/or an automatic 
cab signal, automatic train stop, or automatic train control system is 
in place, is applied safely today and should continue as the applicable 
regulation for this reroute scenario. Thus, the commenters suggest 
rewording paragraph (j)(2) to read as follows: ``Each rerouted train 
movement shall operate in accordance with Sec.  236.0.''
    When the PTC Working Group was reconvened following the public 
hearing and the NPRM comment period, the PTC Working Group formed three

[[Page 2631]]

separate task forces for the purpose of discussing and resolving 
several specific issues. One such task force, deemed the Operational 
Conditions Task Force, was assigned the task of resolving the issues 
associated with operational limitations presented in the proposed rule 
associated with temporary rerouting within Sec.  236.1005, unequipped 
trains operating within a PTC system within Sec.  236.1006, and en 
route failures within Sec.  236.1029.
    Following significant discussion of these issues, a PTC Working 
Group task force recommended rule text changes that would maintain the 
intended level of safety in an acceptable manner while recognizing the 
impractical nature and perhaps even resultant increase in risk 
associated with restricting the operation of a rerouted train from a 
PTC-equipped line onto a non-PTC equipped line more than other 
similarly equipped trains that normally operated on the non-PTC 
equipped line. Therefore, the task force recommended that paragraph (j) 
be revised to read as follows: ``(j) Rerouting conditions. Rerouting of 
operations under paragraph (g) of this section may occur according to 
the following: (1) Where a train not equipped with a PTC system is 
rerouted onto a track equipped with a PTC system, it shall be operated 
in accordance with Sec.  236.1029; (2) Where any train is rerouted onto 
a track not equipped with a PTC system, it shall be operated in 
accordance with the operating rules applicable to the line on which it 
is routed.''
    This recommended revision to paragraph (j) was presented to the PTC 
Working Group and gained consensus from the group. However, upon 
further consideration, FRA has decided to adopt a slight variation of 
the recommended revised rule text in order to provide additional 
clarification regarding the applicability of paragraph (j)(1) to either 
a train not equipped with a PTC system, or one not equipped with a PTC 
system that is compatible and functionally responsive to the PTC system 
utilized on the line on which the train is rerouted. Therefore, 
paragraph (j) has been revised in the final rule to read as follows: 
``(j) Rerouting conditions. Rerouting of operations under paragraph (g) 
of this section may occur under the following conditions: (1) Where a 
train not equipped with a PTC system is rerouted onto a track equipped 
with a PTC system, or a train not equipped with a PTC system that is 
compatible and functionally responsive to the PTC system utilized on 
the line to which the train is being rerouted, the train shall be 
operated in accordance with Sec.  236.1029; or (2) Where any train is 
rerouted onto a track not equipped with a PTC system, the train shall 
be operated in accordance with the operating rules applicable to the 
line on which the train is rerouted.''
    Paragraph (k), as previously noted, provides the Regional 
Administrator with the ability to order the railroad or railroads to 
cease rerouting operations that were requested for up to 30 days. The 
Associate Administrator may order a railroad or railroads to cease 
rerouting operations regardless of the length of planned maintenance 
rerouting requested. FRA believes this is an important measure 
necessary to prevent rerouting performed not in accordance with the 
rules and FRA's expectations based on the railroad's communications and 
to ensure the protection of train crews and the public. However, FRA is 
confident that in the vast majority of cases railroads will utilize the 
afforded latitude reasonably and only under necessary circumstances.
    FRA expects each host railroad to develop a plan to govern 
operations in the event temporary rerouting is performed in accordance 
with this section. Thus, as noted further below in Sec.  236.1015, this 
final rule requires that each PTCSP include a plan accounting for such 
rerouted operations.
Section 236.1006 Equipping Locomotives Operating in PTC Territory
    As reflected by Sec.  236.566, the basic rule for train control 
operations is that all trains will be equipped with responsive onboard 
apparatus. Paragraph (a) so provided in the NPRM, and the language is 
continued in the final rule. Paragraph (a) requires that, as a general 
rule, all trains operating over PTC territory must be PTC-equipped. In 
other words, paragraph (a) requires that each controlling locomotive be 
operated with a PTC onboard apparatus if it is controlling a train 
operating on a track equipped with a PTC system in accordance with 
subpart I. The PTC onboard apparatus should operate and function in 
accordance with the PTCSP governing the particular territory. 
Accordingly, it must successfully and sufficiently interoperate with 
the host railroad's PTC system.
    In the NPRM, FRA recognized the possibility of controlling 
locomotives not necessarily being placed in a train's lead position and 
sought comments on this issue. Comments were filed indicating that the 
lead locomotive is not always necessarily the controlling locomotive. 
In light of this information, the final rule reflects a change from 
``lead locomotive'' to ``controlling locomotive'' as necessary. FRA's 
understanding of a ``controlling locomotive'' is the same understanding 
as it is used in part 232 and as defined in Sec.  232.5. Hence, a 
definition has been added to Sec.  236.1003 merely cross-referencing to 
Sec.  232.5.
    First, it is understood that during the time PTC technology is 
being deployed to meet the statutory deadline of December 31, 2015, 
there will be movements over PTC lines by trains with controlling 
locomotives not equipped with a PTC onboard apparatus. In general, 
Class I railroad locomotives are used throughout the owning railroad's 
system and, under shared power agreements, on other railroads 
nationally. FRA anticipates that the gradual equipping of locomotives--
which will occur at a relatively small number of specialized facilities 
and which will require a day or two of out of service time as well as 
time in transit--will extend well into the implementation period that 
ends on December 31, 2015. It will not be feasible to tie locomotives 
down to PTC lines, and the RSAC stakeholders fully understood that 
point. The RLO did urge that railroads make every effort to use 
equipped locomotives as controlling units, and FRA believes that, in 
general, railroads will do so in order to obtain the benefits of their 
investment.
    The debate on this point has dealt with the possibility of 
exceptions, which was addressed in paragraph (b) in the NPRM. The 
discussion below pertains to the issue of temporary and permanent 
exceptions to the rule.
    The first issue arose under proposed paragraphs (b)(1) and (b)(2), 
which endeavored to set out the rules for the transitional period 
during which PTC will be deployed. It is well understood and accepted 
that it is not feasible to require all trains operating on a PTC line 
to be PTC-equipped and operative from the first day the system is 
turned on. Locomotive fleets will be equipped over a multi-year period, 
and deployment of locomotives will be driven by many factors, of which 
PTC status is only one. Efficient use of locomotives requires them to 
be available for use on multiple routes and even under ``shared power'' 
agreements with other railroads. In some cases, even when a PTC-
equipped locomotive is placed in a consist destined for a PTC line 
there may be legitimate reasons why it is not placed in the controlling 
position.
    Accordingly, the NPRM provided what FRA thought was a very modest 
proposal that equipped locomotives placed in the lead on trains bound 
for PTC territory have their PTC equipment turned on. FRA even made 
allowance for a declining percentage of such locomotives being 
dispatched into PTC

[[Page 2632]]

territory after having failed ``initialization.'' The reaction from 
Class I railroad commenters was startling, to say the least.
    The AAR stated that the proposal was beyond FRA's authority and 
that FRA has no ability to require use of PTC before December 31, 2015. 
According to AAR, railroads will be required to use PTC-equipped 
locomotives on PTC routes come December 31, 2015, and AAR does not 
understand how this obligation could be addressed in the implementation 
plan other than to state PTC-equipped locomotives would be used on PTC 
routes. In the AAR's view, requiring PTC-equipped locomotives to be 
turned on would create a disincentive to equip locomotives early. 
Limiting the ability of railroads to operate trains with locomotives 
that fail initialization could result in railroads attempting to avoid 
rail system congestion by delaying the equipping of locomotives. To 
avoid such a disincentive for equipping locomotives, AAR believes that 
FRA should permit, without limitation, the operation of locomotives 
that fail initialization before December 31, 2015.
    CSXT asserted that the requirements contained in paragraph 
(b)(2)(iii) with respect to the allowable percentage of controlling 
locomotives operating out of each railroad's initial terminals with 
failed systems over track segments equipped with PTC will deter early 
implementation efforts and unfairly punish railroads that are 
diligently working to implement PTC on designated tracks. In addition, 
CSXT questioned the usefulness of such a provision, as CSXT argued that 
there is no meaningful difference between a locomotive that is not 
equipped with PTC and a locomotive that is equipped with a PTC system 
that is not fully functioning.
    Recognizing that matching PTC lines with PTC-equipped controlling 
locomotives will be a key factor in obtaining the benefits of this 
technology in the period up to December 31, 2015, FRA requested 
comments on whether PTCIPs should be required to include power 
management elements describing how this will be accomplished to the 
degree feasible. In response, NJ Transit asserted that the PTCIP does 
require both the lines risk assessment (to establish the track segment 
order of PTC commissioning) and the schedule to equip rolling stock and 
suggests that these schedules can and should indicate the effort of a 
railroad to assure that vehicles are equipped and available for the PTC 
equipped lines. According to NJ Transit, inclusion of a power 
management plan as well within the PTCIP provides an additional effort 
that has a high probability of requiring updates during the PTC 
implementation period, while the schedules and a good faith effort 
alone may serve the purpose most efficiently, especially for the short 
time period anticipated (this should be recognized as 2012 through 2015 
at worst). NJ Transit suggests that FRA should not include this plan as 
a PTCIP requirement, but require the best good faith effort by each 
railroad for providing equipped vehicles during the short interim 
period subject to this concern.
    The AAR also stated that, for trains in long-haul service, the 
train's point of origin or location where the locomotive was added to 
the train may be many crew districts or hundreds or thousands of miles 
prior to the location where the locomotive's onboard PTC apparatus is 
initialized for operation in PTC-equipped territory. In this case, the 
paragraph is overly restrictive and should be modified to be predicated 
on the location prior to entering PTC-equipped territory where 
initialization failed. Accordingly, AAR suggests that paragraph 
(b)(2)(i) be revised to read: ``The subject locomotive failed 
initialization at the point of crew origin for the train or at the 
location where the locomotive was added to the PTC initialized train.''
    The RLO also urges FRA to adopt a requirement that railroads place 
equipped engines in the lead or controlling position whenever such 
equipped engines are in the engine consist during the implementation 
period. The RLO states that implementing such consist management 
initiatives will help identify any problems in the interface of the 
onboard and wayside systems. In the future, states the RLO, railroad 
operations will come to rely heavily upon the proper function of these 
PTC systems. According to the RLO, requiring railroads to adopt this 
approach would require the minor operational maneuver of switching a 
trailing unit to the train's lead position. Since technical anomalies 
that go undetected can be catastrophic, the RLO asserts that FRA should 
not squander the opportunity for discovering them during the 
implementation period.
    During the public hearing conducted on August 13, 2009, FRA 
specifically asked how the RLO expected a railroad to handle the 
situation where an engine that is PTC-equipped may be positioned with 
long hood forward or may have a broken air conditioning system. In its 
comments dated August 20, 2009, the RLO responded by stating that it is 
broadly accepted industry practice to operate trains with the short 
hood in the direction of movement. Operating trains with the long hood 
forward presents safety concerns because the engineer has a limited 
view of the track with that configuration. However, if any safety 
feature or safe practice is impaired, altered, or compromised in any 
locomotive, it should not be in the lead or operating position of the 
train. Therefore, if the engine is not equipped with air conditioning 
or if the long hood is facing forward, the railroad would have three 
choices: grant the crew the right to switch a fully-compliant 
locomotive to the lead at the first location where this can be 
accomplished, do not operate at all, or remove the engine from the 
engine consist entirely. The RLO asserts that this approach would 
create the safest possible working environment, as the safest 
locomotive is the one with PTC, AC, and the short hood forward.
    GE asserts that, by using emerging technology, it is possible to 
operate a PTC system from the lead controlling locomotive using at 
least some parts of a PTC system on trailing locomotives in the consist 
if the onboard network is extended through the locomotive consist. 
According to GE, this can provide a useful contingent operation if some 
component fails in the locomotive and a backup component on a trailing 
unit is linked over the network, providing higher overall PTC 
availability. For example, should the data radio fail on the lead 
locomotive, PTC could continue to operate through a working radio on 
the second or third locomotive unit.
    FRA agrees that PTC-equipped locomotives should be utilized when 
available on PTC territory during the implementation period, and it is 
recognized that it is possible for a unit to serve as the controlling 
locomotive when not positioned first in the consist. FRA believes that 
railroads have strong incentives to take advantage of their investments 
in PTC, but also includes in the final rule a requirement that the 
PTCIP include goals for PTC-equipped locomotives in PTC territory.
    This issue was discussed further in the PTC Working Group during 
the review of the comments, but no formal resolution was achieved. FRA 
is not obligated to provide any exception here whatsoever, and the 
contention that FRA may not require use of PTC prior to December 31, 
2015, is utterly without merit. Nevertheless, FRA does not wish to 
proceed in such a manner as to create even a temporary disincentive to 
deploy PTC locomotives on PTC-equipped lines. However, clearly leaving 
the carriers to their own devices without

[[Page 2633]]

accountability or oversight appears unwarranted given the tenor of 
their comments and the known conflicts among departments of the 
railroad that can arise during any implementation of new technology. 
Leaving the use of available PTC technology wholly unregulated until 
December 31, 2015, would not only open the possibility that safety 
gains would not be made during the period, it would also increase the 
possibility that PTC systems would not be sufficiently stable and 
reliable as of the statutory completion date.
    Accordingly, FRA has included in the final rule, in lieu of the 
language initially proposed, a requirement that each railroad include 
in its PTCIP specific goals for progressively effective use of its 
equipped locomotives on PTC lines that have been made operational. FRA 
would review the goals and stated justification as part of its review 
of the PTCIP. The railroad would then be required to report annually 
its progress toward achieving its goals, including any adjustments 
required to remedy shortfalls. Although FRA does not intend to second 
guess details of power management, FRA does believe it is reasonable to 
expect results in the form of steadily declining PTC-preventable 
accidents during the implementation period. The only way to accomplish 
that is to ensure that PTC onboard apparatus is deployed on PTC lines 
in reasonable proportion to its deployment elsewhere and that, when so 
deployed, it is utilized as intended.
    The second major issue arose under paragraph (b)(4), which proposed 
limited exceptions for movements of Class II and III trains over PTC 
lines of the Class I railroads. The disagreements attendant to that 
proposal warrant more detailed treatment.
    New PTC systems will be like existing train control systems in the 
sense that they are comprised of onboard and wayside components. They 
will also involve a more substantial centralized ``office'' function. 
The railroad that has the right to control movements over a line of 
railroad (generally the entity providing or contracting for the 
dispatching function) will provide for equipping of the wayside and 
appropriate links to and interface with the office. In preparing the 
recommendations that led to the NPRM, the PTC Working Group discussed 
at great length the issues related to operation of PTC-equipped 
locomotives, and locomotives not equipped with PTC onboard apparatus, 
over lines equipped with PTC. As explained above, the PTC Working Group 
recognized that the typical rule with respect to train control 
territory is that all controlling locomotives must be equipped and 
operative (see Sec.  236.566). It was also noted in the discussion that 
the Interstate Commerce Commission (FRA's predecessor agency in the 
regulation of this subject matter) and FRA have provided some relief 
from this requirement in discrete circumstances where safety exposure 
was considered relatively low and the hardship associated with 
equipping additional locomotives was considered substantial. (For 
instance, in the case of intermittent automatic train stop installed 
many years ago on the former Atchison, Topeka and Santa Fe Railroad 
(now BNSF Railway), only passenger trains were subject to the 
requirement for onboard apparatus. That arrangement continues to the 
present day, and it is particularly unusual since none of the host 
railroad's locomotives are equipped, while all Amtrak locomotives 
operating over the territory must be equipped.)
    The ASLRRA noted that its member railroads conduct limited 
operations over Class I railroad lines that will be required to be 
equipped with PTC systems in a substantial number of locations. These 
operations are principally related to the receipt and delivery of 
carload traffic in interchange. The small railroad service extends onto 
the Class I railroad track in order to hold down costs and permit both 
the small railroad and the Class I railroad to retain traffic that 
might be priced off the railroad if the Class I had to dispatch a crew 
to pick up or place the cars. This, in turn, supports competitive 
transportation options for small businesses, including marginal small 
businesses in rural areas.
    The ASLRRA advocated an exception that would permit the trains of 
its members and other small railroads to continue use of existing 
trackage rights and agreements without the necessity for equipping 
their locomotives with PTC technology. They suggested that any 
incremental risk be mitigated by requiring that such trains proceed 
subject to the requirement for an absolute block in advance (similar to 
operating rules consistent with Sec.  236.567 applicable to trains with 
failed onboard train control systems). This position was consistently 
opposed both by the rail labor organizations and the Class I railroads. 
These organizations took the position that all trains should be 
equipped with PTC in order to gain the benefits sought by the 
congressional mandate and to provide the host railroad the full benefit 
of its investment in safety. Informal discussions suggested that Class 
I railroads might offer technical or financial assistance to certain 
small railroads in equipping their locomotives, but that this would, of 
course, be done based on the corporate interest of the Class I 
railroad. Although, in general, market forces and the public interest 
can be expected to correspond over time, this is not always the case. 
So, for instance, there is a risk that requiring all Class II and Class 
III railroads operating on Class I PTC lines to be equipped with PTC 
could be financially unsustainable absent a more generous division of 
the rate or other assistance (technical or otherwise) from the Class I 
interchange partner. A Class I railroad might respond to such 
situations based exclusively on the value of the traffic interchanged 
with respect to the transportation charge recovered for the long haul 
less costs. Although that might be a good market decision for the Class 
I railroad, the result could be loss of rail service for a rural 
community and diversion of the traffic to the highway--a result that 
might not be in the public interest. Over the past several decades the 
federal government and many of the states have made investments in 
light density rail service (through grants, loans, or tax concessions) 
that could be undermined should this occur.
    In the PTC Working Group and in informal discussions around its 
activities, Class I railroads indicated that they intended to take a 
strong position against non-equipped trains operating on their PTC 
lines, and that in order to enforce this restriction fairly, they 
understood that they would need to equip their own locomotives, 
including older road switchers that might venture onto PTC-equipped 
lines only occasionally. However, during these discussions, FRA was not 
able to develop a clear understanding regarding the extent to which the 
Class I railroads, under previously executed private agreements or 
because of a senior position derived from a prior transaction, enjoy 
the effective ability to enforce a requirement that all trains be 
equipped.
    Proposed rule. On this question of non-equipped trains on PTC 
lines, the proposed rule represented a compromise position between the 
requests of the Class II and III railroads and the Class I railroads 
and labor organizations. It proposed to permit the practice only on 
territory where there was no scheduled intercity or commuter passenger 
service. On any given subject track segment, a particular Class II or 
III railroad could operate up to 4 trains per day (2 round trips) for 
up to 20 miles in perpetuity. For hauls in excess of 20

[[Page 2634]]

miles, the practice could continue until the end of 2020.
    FRA offered this proposal in order to limit the burden on small 
entities and to avoid costs that were both avoidable and more greatly 
disproportionate to anticipated benefits than the basic requirements of 
the congressional mandate. FRA noted that the exceptions would 
constitute a small portion of the movements over the PTC-equipped line. 
FRA asserted that the accident/incident data show that the risk 
attendant upon these movements is small. As reflected in the NPRM, a 
review of the last seven years of accident data covering 3,312 
accidents that were potentially preventable by PTC showed that there 
were only two of those accidents that involved a Class I railroad's 
train and a Class II or III railroad's train. (Left unstated in the 
NPRM was the fact that the presence of PTC would have prevented one of 
the accidents even absent equipping of the tenant train, while the 
other would not be prevented due to limitations of PTC architectures 
with respect to low-speed rear-end collisions.) FRA believed that the 
low level of risk revealed by these statistics justified an exception 
for Class II and III railroad trains traversing a PTC-equipped line for 
a relatively short distance. FRA noted that the cost of equipping those 
trains would be high when viewed in the context of the financial 
strength of the Class II or III railroad and the marginal safety 
benefits would be relatively low in those cases where a small volume of 
traffic is moved over the PTC-equipped line.
    Comments on the NPRM exceptions; FRA response. None of the 
commenters responded directly to FRA's safety analysis, but they did 
take strong and disparate stands. The RLO filed joint comments that 
protested allowing an unequipped train owned by a Class II or III 
railroad to move on PTC-required track with only minor restrictions. 
The RLO believed that there are alternatives that are consistent with 
safety and the intent of RSIA08, including temporal separation or using 
the host railroad's equipped locomotives. According to the RLO, simply 
limiting the number of moves and miles of unequipped locomotives on 
PTC-required track would not eliminate the risk associated with the 
hazard or provide compliance with the intent of RSIA08.
    The AAR has also expressed concerns with the proposal, stating that 
``[s]urely Congress did not enact a requirement for the Class I 
railroads to spend billions of dollars on PTC systems only to permit 
Class II and III railroads to operate trains unequipped with PTC 
technology on the PTC routes. AAR asserts that FRA has not shown that 
there would actually be a financial strain on Class II and III 
railroads. According to AAR, a Class II or III railroad would not have 
to equip a locomotive with PTC technology until December 31, 2015. In 
any event, states AAR, the statute makes no distinction among Class I, 
II, or III operations on a PTC route.
    CSXT disagreed with FRA's interpretation of RSIA08, stating that 
the statute, on its face, does not exempt Class II and III railroads 
from the PTC requirements. To the contrary, asserted CSXT, the statute 
appears to contemplate that Class II and III railroads traveling on PTC 
lines would be subject to the PTC requirements since each PTCIP for 
those lines ``must provide for interoperability of the system with 
movements of trains of other railroad carriers,'' (emphasis original) 
which presumably includes Class II and III railroads. CSXT also 
questioned whether entities that carry a wide variety of commodities, 
including PIH traffic, but without the financial wherewithal to adopt 
PTC technologies, should be permitted to impose an arguably increased 
safety risk on the public and other railroads. In any event, stated 
CSXT, the Class II and III railroads would only be responsible for 
outfitting their locomotives, and not wayside units, with PTC 
technologies.
    Moreover, according to CSXT, the exemption under proposed paragraph 
(b)(4)(B)(ii) was unclear as to its application This section allowed 
Class II and III railroads to operate on PTC operated track segments to 
the extent that any single railroad is allowed ``less than four such 
unequipped trains'' over any given track segment. CSXT questions 
whether the number of trains is limited per a common holding company or 
each railroad subsidiary. (The intent is that the limit will be applied 
to each separate railroad company, regardless of common ownership.)
    Recognizing FRA's concerns with imposing the costs of PTC 
implementation on Class II and III railroads, AAR believes FRA is 
mixing up Congress' concern about the ability of Class II and III 
railroads to finance installation of PTC on their own routes with the 
ability of Class II and III railroads to operate locomotives equipped 
with PTC technology over Class I track. The AAR notes that FRA's own 
analysis shows that the cost of equipping locomotives with PTC 
technology amounts to less than a third of total PTC development and 
installation costs. According to AAR, a Class II or III railroad 
qualifying for the proposed exception likely would only need to equip 
only one or two locomotives with PTC technology by sometime after 2015.
    In any event, AAR asserts that this proposed exemption for Class II 
and III railroads is inconsistent with the plain language of the 
statute, which does not distinguish between Class I, II, or III 
operations on a main line with PIH materials. Congress determined that 
PTC should be required on Class I routes meeting the statutory criteria 
regardless of any cost-benefit analysis. The AAR believes that it is 
inconceivable that Congress intended unequipped locomotives be 
permitted to operate routinely where PTC is required, thus undercutting 
the benefit of equipping a PTC route with PTC technology.
    The AAR also challenges FRA's conclusion about the ``marginal 
safety benefit,'' which seems premised on its analysis of train-to-
train collisions, questioning whether FRA has concluded that a train 
operated by a Class II or III railroad poses less of a risk with 
respect to each of the core PTC functions than a train operated by a 
Class I railroad. Leaving aside AAR's objection to any exception 
permitting Class II and III railroads to conduct routine operations 
over PTC routes with unequipped locomotives, AAR does not agree with 
the proposal to wait until December 31, 2020, to impose the twenty-mile 
limitation. According to AAR, FRA has no factual basis for its concern 
that Class II and III railroads will be unable to obtain the technology 
as suppliers seek to equip their bigger Class I customers first. In 
fact, states AAR, it is more likely that Class I railroads will work 
with their Class II and III partners to prepare for the 2015 
implementation deadline.
    The Canadian Pacific Railway does not support the operation of 
unequipped locomotives on PTC equipped lines after December 31, 2015. 
It is CP's position that all trains operating on PTC territory after 
December 31, 2015, must be controlled by a locomotive equipped for PTC 
operation, regardless of whether or not the locomotive in the 
controlling position is considered ``historic.''
    NYSMTA, the parent organization for the Long Island Rail Road and 
Metro-North Railroad, asserted that subpart I of this part should 
require all operators on the same trackage as commuter railroads to be 
fully equipped, as is the case in the existing FRA regulation, and that 
all trains (including those of all Class II and Class III tenant 
railroads) operating in cab signal/train control territory must have 
operative cab signal and ATC. Thus, NYSMTA suggested that subpart

[[Page 2635]]

I should not permit any trains to enter or operate in PTC territory 
that are not equipped with operative PTC systems except where en route 
failures occur within PTC territory. NYSMTA suggested that the 
definition of ``equipped'' for paragraphs (a) through (b)(3) be 
clarified to mean the onboard PTC system equipment has been fully 
commissioned, has passed all acceptance tests and has met reliability 
and availability demonstration tests. In the final rule, FRA continues 
to make clear that all trains operating on intercity/commuter passenger 
territory must be equipped.
    FRA received a number of comments regarding the operation of 
historic locomotives over rail lines that will need to be equipped with 
a PTC system, from commenters such as the San Bernardino Railway 
Historical Society, the Pacific Southwest Railway Museum, the Railroad 
Passenger Car Alliance, and J.L. Patterson & Associates. These 
commenters requested that FRA provide clarification that a historic 
locomotive, as defined in 49 CFR 229.125(h), which is not equipped with 
PTC may be operated over rail lines equipped with PTC systems in 
limited excursion service, provided an excursion operating management 
plan is included in the PTC railroad's PTCIP that is consistent with 
the provisions of Sec.  236.1029(b) of this part.
    These locomotives might include steam locomotives many decades old. 
FRA notes that these operations are relatively infrequent, and they 
normally receive additional oversight by host railroads as a matter of 
course.
    Final rule. The final rule provides exceptions for trains operated 
by Class II and III railroads, including tourist or excursion 
railroads. The exceptions are limited to lines not carrying intercity 
or commuter passenger service, except where the host railroad and the 
passenger railroad (if different entities) have requested an exception 
in the PTC Implementation Plan, as further discussed below, and FRA has 
approved that element of the plan. Examples of potentially acceptable 
instances concerning non-equipped operations on an intercity/commuter 
route might include a weekend excursion operation during periods 
scheduled passenger service is very light or in terminal areas under 
circumstances where all trains will be operated at reduced speed and 
risk is otherwise very limited.
    FRA presumes for purposes of this final rule that there will be 
circumstances rooted in previously executed private agreements under 
which the Class I railroad would be entitled to require the small 
railroad to use a controlling locomotive equipped with PTC as a 
condition of operating onto the property. FRA wishes to emphasize that, 
in issuing this final rule, FRA does not intend to influence the 
exercise of private rights or to suggest that public policy would 
disfavor an otherwise legitimate restriction on the use of unequipped 
locomotives on PTC lines. FRA also notes that, in the absence of clear 
guidance on this issue, a substantial number of waiver requests could 
be expected that would have to be resolved without the benefit of 
decisional criteria previously examined and refined through the 
rulemaking process.
    With respect to limited operations of Class II or III railroads on 
Class I PTC lines, FRA continues to believe that the risk in question 
is very small in relation to the direct and indirect costs of equipping 
locomotives with PTC and maintaining those locomotives over time 
(including configuration management). FRA has also considered the 
issues required applicable statutes concerning the affect of 
regulations on small entities. (See also discussion of de minimis 
exceptions in the preamble to Sec.  236.1005.) Although FRA does expect 
that over time Class II and III railroads will participate more fully 
in the use of PTC technologies, both as tenants and hosts, the initial 
costs and logistical challenges of PTC system operation will be 
significantly greater than the costs and challenges after interoperable 
PTC systems have been demonstrated to be reliable and after the market 
for PTC equipment and services settles. Mandating that every locomotive 
leading a Class II or III train be PTC equipped during the initial roll 
out would create significant incentives to shed marginally profitable 
traffic with unpredictable societal effects. FRA does believe that, as 
the end of the initial implementation approaches, smaller railroads can 
begin the process of joining the PTC community by equipping locomotives 
used for longer hauls on PTC lines. FRA will also review the experience 
of Class I railroads as of that general time period (end of 2015, 
beginning of 2016) to evaluate what additional requirements might be 
appropriate and sustainable.
    FRA has adopted final language sufficiently flexible to permit 
occasional tourist, historic and excursion service on PTC lines. Much 
of the subject equipment is used very lightly and in fact may spend the 
great majority of its time on static display. Ending the educational 
and recreational role of occasional excursion service is no part of 
what the Congress was addressing through the mandate underlying this 
rule.
    Paragraph (b)(3) references the fact that operation of trains with 
failed onboard PTC apparatus is governed by the safeguards of Sec.  
236.1029, where applicable; and paragraph (c) applies the same 
principle to non-equipped trains operating on PTC territory.
Section 236.1007 Additional Requirements for High-Speed Service
    Since the early 1990's, there has been an interest centered around 
designated high-speed corridors for the introduction of high-speed 
rail, and a number of states have made progress in preparing rail 
corridors through safety improvements at highway-rail grade crossings, 
investments in track structure, and other areas. FRA has administered 
limited programs of assistance using appropriated funds. With the 
passage of ARRA, which provides $8 billion in capital assistance for 
high-speed rail corridors and intercity passenger rail service, and the 
President's announcement in April 2009 of a Vision for High-Speed Rail 
in America, FRA expects those efforts to increase considerably. FRA 
believes that railroads conducting high-speed operations in the United 
States can provide a world class service as safe as, or better than, 
any high-speed operations conducted elsewhere. In anticipation of such 
service, and to ensure public safety, FRA proposed three tiers of 
requirements for PTC systems operating in high-speed service. The 
proposed performance thresholds were intended to increase safety 
performance targets as the maximum speed limits increase to compensate 
for increased risks, including the potential frequency and adverse 
consequences of a collision or derailment. These thresholds were 
supported by AASHTO and are adopted as proposed.
    Section 236.1007 sets the intervals for the high-speed safety 
performance targets for operations with: maximum speeds at or greater 
than 60 and 50 miles per hour for passenger service and freight 
operations, respectively, under paragraph (a); maximum speeds greater 
than 90 miles per hour under paragraph (b); maximum speeds greater than 
125 miles per hour under paragraph (c); and maximum speeds greater than 
150 mph under paragraph (d). The reader should note that the 
requirements increase as speed rises. Thus, for instance, operations 
with trains moving above 125 miles per hour must, in addition to the 
requirements under paragraph (c), adhere to the requirements under 
paragraphs (a) and (b).

[[Page 2636]]

    Paragraph (a) addresses the PTC system requirements for territories 
where speeds are greater than 59 miles per hour for passenger service 
and 49 miles per hour for freight service. Under 49 CFR 236.0 as it 
existed directly previous to the issuance of this final rule, block 
signal systems were required at these speeds (unless a manual block 
system was in place, an option that this final rule phases out). The 
final rule expects covered operations moving at these speeds to have 
implemented a PTC system that provides, either directly or with another 
technology, all of the statutory PTC system functions along with the 
safety-critical functions of a block signal system as defined in the 
existing standards of subparts A through F of part 236. The safety-
critical functions of a block signal system include track circuits, 
which assist in broken rail detection and unintended track occupancies 
(equipment rolling out), and fouling circuits, which can identify 
equipment that is intruding on the clearance envelope and may prevent 
raking collisions. FRA recognizes that advances in technology may 
render current block signal, fouling, and broken rail detection systems 
obsolete and FRA does not want to preclude the introduction of suitable 
and appropriate advanced technologies. Accordingly, FRA believes that 
alternative mechanisms providing the same functionality are entirely 
acceptable and FRA encourages their development and use to the extent 
they do not have an adverse impact on the level of safety.
    Paragraph (b) addresses system requirements for territories where 
operating speeds are greater than 90 miles per hour, which is currently 
the maximum allowable operating speed for passenger trains on Class 5 
track. At these higher speeds, the implemented PTC system must not only 
comply with paragraph (a), but also be shown to be fail-safe (as 
defined in Appendix C) and at all times prevent unauthorized intrusion 
of rail traffic onto the higher speed line operating with a PTC system. 
FRA intends this concept of fail-safe application to be understood in 
its commonplace meaning; i.e., that insofar as feasible the system is 
designed to fail to a safe state, which normally means that each 
subject train will be brought to a stop. Further, FRA understands that 
there are aspects of current system design and operation that may 
create a remote opportunity for a ``wrong-side'' or unsafe failure and 
that these issues would be described in the PTCSP and mitigations would 
be provided. FRA recognizes that, as applied in the general freight 
system, this final rule could create a significant challenge related to 
interoperability of freight equipment operating over the same 
territory. Accordingly, FRA requested comment on whether, where 
operations do not exceed 125 miles per hour or some other value, the 
requirement for compliance with Appendix C safety assurance principles 
might be limited to the passenger trains involved, with ``non-vital'' 
onboard processing permitted for the intermingled freight trains. No 
comments were received on this issue, apart from the general concern of 
the RLO that very safe technology be employed in all PTC systems, and 
the restriction is adopted as proposed.
    As speed increases, it also becomes more important that inadvertent 
incursions on the PTC-equipped track be prevented at switch locations. 
In this final rule, FRA expects that this be done by effective means 
that might include use of split-point derails properly placed, 
equipping of tracks providing entry with PTC, or arrangement of tracks 
and switches in such a way as to divert an approaching movement which 
is not authorized to enter onto the PTC line. The protection mechanism 
on the slower speed line must be integrated with the PTC system on the 
higher speed line in a manner to provide appropriate control of trains 
operating on the higher speed line if a violation is not prevented for 
whatever reason.
    Paragraph (c) addresses high-speed rail operations exceeding 125 
miles per hour, which is the maximum speed for Class 7 track under 
Sec.  213.307. At these higher speeds, the consequences of a derailment 
or collision are significantly greater than at lower speeds due to the 
involved vehicle's increased kinetic energy. In such circumstances, in 
addition to meeting the requirements under paragraphs (a) and (b), 
including having a fail-safe PTC system, the entity operating above 125 
miles per hour must provide an additional safety analysis (the HSR-125) 
providing suitable evidence to the Associate Administrator that the PTC 
system can support a level of safety equivalent to, or better than, the 
best level of safety of comparable rail service in either the United 
States or a foreign country over the 5 year period preceding the 
submission of the PTCSP. Additionally, PTC systems on these high-speed 
lines must provide the capability, as appropriate, to detect incursion 
from outside the right of way and provide warnings to trains. Each 
subject railroad is free to suggest in its HSR-125 any method to the 
Associate Administrator that ensures that the subject high-speed lines 
are corridors effectively sealed and protected from such incursions 
(see Sec.  213.347 of this title), including such hazards as motor 
vehicles falling on the track structure from highway bridges.
    Paragraph (d) addresses the highest speeds existing or currently 
contemplated for rail operations exceeding 150 miles per hour. FRA 
expects these operations to be governed by a Rule of Particular 
Applicability and the HSR-125 required by paragraph (c) shall be 
developed as part of an overall system safety plan approved by the 
Associate Administrator. The quantitative risk showing required for 
operations above 125 miles per hour is not required to include 
consideration of acts of deliberate violence. The reason for this 
exclusion is simply to remove speculative or extraordinary 
considerations from the analysis. However, FRA and the Department of 
Homeland Security will certainly expect that security considerations 
are taken into account in system planning.
    AASHTO believed that the proposed rule appropriately addressed the 
PTC related safety levels for high-speed rail. According to AASHTO, the 
proposed rule text provided a clear position for the levels of safety 
required for high-speed rail at speeds that are achieved today, and for 
speeds that may be achieved in the future, allowing for benchmarking 
against precedent levels achieved in the U.S. and internationally. 
AASHTO also commented that, in PTC systems running over federally 
designated high-speed rail corridors, highway-rail grade crossings 
should either be eliminated or protected by hazard warning detection 
systems.
    Amtrak notes that it currently operates safely above 90 miles per 
hour on the Northeast Corridor and on its Michigan line, with the full 
knowledge, approval, and authorization of the FRA, based on past and 
remaining safety procedures and equipment. Amtrak also states that it 
currently operates above 125 mph on portions of the Northeast Corridor. 
Accordingly, Amtrak asserts that services above 90 and 125 miles per 
hour that existed as of October 16, 2008, the date of RSIA08, should be 
exempted or ``grandfathered'' from the requirements of this section.
    FRA agrees that Amtrak has been providing safe passenger service at 
speeds between 90 and 150 miles per hour on the Northeast Corridor as 
well as its Michigan line, and that the train control systems in use 
(ACSES with Cab Signals, and ITCS) have records of safe operations. 
Given the value of service experience and the extraordinary burden of 
review and decision making associated with this rule, FRA intends to 
give full credit to established safety

[[Page 2637]]

records in conducting these reviews, simplifying the task for all 
concerned.
Section 236.1009 Procedural Requirements
    Section 236.1009 establishes the regulatory procedures that must be 
followed by each Class I railroad carrier and each entity providing 
regularly scheduled intercity or commuter rail passenger transportation 
to obtain the required FRA certification of PTC systems prior to 
operating the system or component in revenue service. FRA is 
implementing these requirements to support more rapid FRA review and 
decision making, while reducing the administrative burden on the 
railroads.
    While the current subpart H of this part provides a technically 
sound procedure for obtaining FRA approval of various processor-based 
signal and train control systems, it was crafted with the presumption 
that PTC implementation was a strictly voluntary action on the part of 
railroads. Arguably FRA could have simply amended subpart H to include 
requirements relating to implementation plans and to modify the 
language to equate ``approval'' under subpart H with ``certification'' 
under the statute. However, FRA believes that such a resultant amended 
subpart H would still remain unsuitable to support the RSIA08 
implementation schedule. Accordingly FRA has developed the new 
procedures of this section to avoid redundancy, provide sufficient 
flexibility to accompany the varying needs of those seeking 
certification, and to mitigate the financial risk associated with 
technological investment necessary to comply with the regulatory 
requirements.
    Generally speaking, there are three documents associated with the 
new procedures of this section: the PTCIP, PTCDP, and PTCSP. The 
details of each document are set forth in Sec. Sec.  236.1011, 
236.1013, and 236.1015, respectively. To summarize these sections, the 
PTCIP is the written plan that defines the specific details of how and 
when the railroad will implement the PTC system. The PTCDP provides a 
detailed discussion of the proposed technology and product that will be 
implemented according to the PTCIP. The PTCSP provides the railroad-
specific information demonstrating that the PTC system, as implemented 
by the railroad, meets the required safety performance objectives. 
Certification of a PTC system by FRA for revenue operations is based on 
the review and approval of the information provided in these documents.
    Paragraph (a) requires that a PTCIP be filed by ``host'' railroads 
as defined in Sec.  236.1003 that are required to install a PTC system 
on one or more main lines in accordance with Sec.  236.1005(b). This 
generally is each Class I railroad and each entity providing regularly 
scheduled intercity or commuter rail passenger transportation as 
defined by statute. However, Class II and III railroads that host 
intercity or commuter rail service will also need to file 
implementation plans, whether or not they directly procure or manage 
installation of the PTC system.
    Intercity and commuter railroads that are tenants on Class I, II, 
or III freight lines must also join with their host railroad in filing 
these plans. FRA believes that the railroad that maintains operational 
control over a particular track segment is generally in the best 
position to develop and submit the PTCIP, since that railroad is more 
knowledgeable of the conditions of, and operations over, its track. FRA 
recognizes that, in cases where a tenant passenger railroad operates 
over a Class II or III railroad, the passenger railroad may be required 
to take a more active role in planning the PTC system deployment by 
working with the host railroad. In the case of an intercity or commuter 
railroad providing service over a Class I railroad, it may be 
sufficient for the passenger railroad to file a letter associating 
itself with the Class I railroad's plan to the extent it impacts the 
passenger service. AAR also expressed some confusion whether the 
requirement to file joint plans was only required when freight and 
passenger railroads conduct operations over the same route. The final 
rule does not levy any requirement for joint filing in the case where 
another railroad has freight trackage rights over a Class I railroad's 
PTC line. FRA expects that the host Class I railroad will address these 
types of operations and discuss the issue of interoperability in its 
PTCIP as required by law.
    The Class I railroads generally opposed the requirement for a host 
railroad and tenant passenger railroad to file a joint PTCIP as being 
excessively burdensome and unnecessary because it merely appears to be 
intended to address interoperability issues. Beyond possibly addressing 
the interoperability issue, the AAR maintained that nothing further 
would be gained by requiring the joint filing of a PTCIP.
    FRA has taken note of these objections. However, FRA believes that 
the joint filing requirement provides motivation for the proactive 
involvement by both parties in the decision-making process, especially 
with regards to interoperable equipment requirements and operating 
procedures. This joint filing requirement reflects FRA's position that 
communication between all parties involved in establishing 
interoperability is absolutely essential to ensure the implementation 
of timely, cost effective solutions.
    Some railroads have also expressed concern that they will be 
required to support installation of PTC over Class II and III railroads 
that would otherwise not be required to implement PTC, were it not for 
the passenger/commuter railroad presence. Amtrak noted that the 
requirement for joint filings would, as a practical manner, require 
Amtrak to take a dominant role in the development and preparation of 
the required documentation.
    While FRA appreciates the difficulties that both the passenger/
commuter railroad, as well as the Class II or III railroad may 
experience, FRA believes that this is essentially a commercial matter 
between the parties involved, which would be best resolved with 
government participation only as a last resort. This position is 
consistent with the underlying philosophy of sections 151 through 188 
of title 45 of the United States Code.
    Although FRA believes that the resolution of differences between 
host and tenant railroads is a commercial issue, provisions have been 
made if a host freight railroad and tenant passenger railroad cannot 
come to an agreement to jointly file a PTCIP by April 16, 2010. In this 
situation, each railroad must file an individual PTCIP, together with a 
notification to the Associate Administrator, indicating that a joint 
filing was not possible and an explanation of why the subject railroads 
could not agree upon a final PTCIP for joint filing.
    Both the freight and passenger/commuter railroads have strenuously 
objected to the assessment of civil penalties in the event that 
agreement cannot be reached. Amtrak claimed that failure to come to 
agreement did not rise to the level of an act that warranted penalty. 
AAR asserted that imposition of penalties would not be an appropriate 
way to resolve good faith disputes over the implementation of PTC. 
Concern has also been raised that, in the event of a dispute, the 
resolution process does not appear to have any established milestones. 
NYSMTA expressed concern related to the ability of railroads to fairly 
and quickly resolve disputes related to the development of host/tenant 
interoperability agreements required by RSIA08. NYSMTA asserted that, 
even though FRA provides for dispute resolution in Sec.  236.1009, 
there are no time limits or standards to ensure

[[Page 2638]]

that disputes are resolved fairly and in a manner that does not affect 
railroads' ability to comply with the statutory/mandatory 
implementation of PTC by December 31, 2015.
    FRA has taken note of these objections and concerns. FRA believes 
that the milestones are self-evident. Railroads are required to file 
implementation plans by April 16, 2010. Thus, failure to file an 
implementation plan (either jointly or individually) by April 16, 2010, 
constitutes a violation of the RSIA08. Railroads are also required to 
complete implementation by December 31, 2015. FRA does not intend to 
set any specific deadline for completion of mediation or arbitration 
other than to state that the mediation or arbitration must be resolved 
in time to allow both parties to complete the timely submission of 
their PTCIP by April 16, 2010, and to complete PTC installation by 
December 31, 2015.
    FRA will exercise its prosecutorial discretion if railroads have 
unresolved conflicts, but have filed individual implementation plans in 
accordance with paragraph (a)(4) of this section and are engaged in 
good faith mediation or arbitration.
    Caltrain requested clarification of the meaning of the term 
``confer,'' as used in paragraph (a)(4)(iv) of this section. During the 
conference process, FRA will request that all parties to the dispute 
advise FRA of where their differences arise, so that FRA can evaluate 
the potential impact on completion of the statutorily-required build 
out and understand the nature and extent of their disagreement. FRA may 
propose alternative solutions for consideration by both parties in the 
dispute. FRA is not, however, obligated to act as either a mediator or 
arbitrator of essentially commercial disputes. FRA expects that the 
disputing parties will submit such issues to a mutually acceptable 
mediator or arbitrator. If the disputing parties are unable to find a 
mutually agreeable private mediator or arbitrator, FRA may agree to 
mediate the dispute as a last resort. Otherwise, the disputing parties 
will need to seek judicial resolution of their issues.
    It was also commented that if a PTCIP or request for amendment 
(RFA), as provided in Sec.  236.1021, is submitted after April 16, 
2010, in accordance with this rule, paragraph (a) does not provide the 
subject railroads with an opportunity to file separately. FRA intends, 
in such a situation, that if a railroad wishes to use track that would 
require the installation of a PTC system, and the parties have 
difficulty reaching agreement, then such usage would be delayed until 
the parties jointly file a mutually acceptable PTCIP and the jointly-
filed PTCIP is approved by FRA.
    FRA notes that new passenger railroads are likely to begin 
operations during the period between issuance of this final rule and 
the end of the implementation period for PTC (December 31, 2015). 
Railroads that are required to install PTC, who intend to commence 
operations after April 16, 2010, but before December 31, 2015, would be 
expected to file a PTCIP that meets the requirements of paragraph (a) 
as soon as possible after the decision is made to commence operations. 
Any railroad commencing operations after December 31, 2015, that is 
required to install PTC, will not be authorized to commence revenue 
operations until the PTC installation is complete.
    During review of the NPRM, AAR noted that paragraph (a)(2)(i) had 
not been updated to reflect an RSAC agreement. FRA agrees and has 
updated paragraph (a)(2)(i) to include the language, ``[a] PTCIP if it 
becomes a host railroad of a main line track segment for which it is 
required to implement and operate a PTC system in accordance with Sec.  
236.1005(b).''
    Paragraph (b) in the proposed rule required the submission of a 
PTCDP when the PTCIP is submitted to FRA for approval. Some railroads, 
primarily those owned or operated by government agencies, who submitted 
comments on this issue indicated that, while they would be able to 
identify the general functional requirements of the PTC system, they 
expected public procurement regulations would preclude contract award 
and identification of a particular vendor or supplier and the 
associated product details in time to meet the statutory submission 
deadline. They requested that FRA not require submission of the PTCDP 
at the same time (or before) the PTCIP.
    NYSMTA submitted comments asserting that simultaneous submissions 
would be problematic for LIRR. In view of the complexities and unknown 
factors associated with developing PTC solutions for LIRR's dark and 
ABS territories, and in light of its unique signaling applications and 
operating rules, LIRR was identified as being at high risk of non-
compliance with the April 16, 2010, PTCDP submission deadline, despite 
its best efforts. Inasmuch as the RSIA08 does not explicitly stipulate 
a timeframe for a PTCDP, NYSMTA requested that the regulation be 
modified to allow for submission of a PTCDP after the April 16, 2010, 
deadline, at least with regard to dark territory and ABS territories.
    APTA submitted similar comments stating that the inclusion of the 
PTCDP or PTCSP in the April 2010 submission is problematic. Noting that 
submittal of these plans implies the selection of specific hardware and 
systems, APTA asserted that such submission is not possible given the 
current state of development of industry standards by the Railroad 
Electronics Standards Committee (RESC). Without available industry 
standards, APTA asserted that it would be impossible for the vast 
majority of public agencies that operate passenger rail systems to 
identify and contract with vendors or suppliers by the April 2010 
deadline. Even though the freight railroads may have selected a 
proprietary technology as a basis for their PTC implementation, the 
competition standards for publicly funded contracts limit the ability 
of public agencies to follow a similar procurement strategy. 
Additionally, the lack of specific hardware and system standards to 
support interoperability further limits the ability of public agencies 
to enter into contracts by April 2010. Thus, if required to submit 
PTCDP and PTCSP documents by April 16, 2010, the documents would, of 
necessity, be incomplete and unacceptable.
    APTA further claimed that the sole legislative requirement tied to 
April 2010 is for submission of the PTCIP. Thus, APTA believes FRA 
should allow submission of the PTCIP in a ``product neutral'' fashion 
to meet the statutory deadline and should defer submission of the PTCDP 
and PTCSP to allow flexibility and avoid incomplete submissions and the 
compilation and review of documents that cannot be approved.
    Amtrak similarly expressed concern with the inadequate amount of 
time necessary to prepare the PTCIPs for its own NEC and Michigan Line 
and for the Class II and III railroads over which Amtrak operates (to 
the extent that those lines are not found to constitute other than 
``main lines'') and to review those PTCIPs submitted by the Class I 
railroads and develop full PTCDPs. Because of the severe burden on 
Amtrak's resources, Amtrak recommended that the filing deadline for 
PTCDPs be extended at least 9 months beyond April 16, 2010.
    As a government agency, FRA clearly understands the position faced 
by these railroads. However, FRA believes that a meaningful 
implementation plan cannot be created if a railroad has not identified 
and does not understand the technology it proposes to implement. 
Without this knowledge, it is not possible to have any informed 
discourse on system

[[Page 2639]]

interoperability and implementation scheduling between railroads, 
vendors or suppliers, and FRA. Therefore, in this final rule, FRA has 
provided several mechanisms that eliminate the need for each railroad 
to submit a PTCDP for a proposed PTC system, while still providing FRA 
sufficient information to carry out its regulatory responsibilities.
    One such mechanism, as specified in paragraph (b) is through the 
use of a Type Approval. The Type Approval is a number assigned to a 
particular off-the-shelf or modified PTC system product--described in a 
PTCDP in accordance with Sec.  236.1013--indicating FRA's belief that 
the product could fulfill the requirements of subpart I. FRA's issuance 
of a Type Approval does not mean that the product will meet the 
requirements of subpart I. The Type Approval applies to the technology 
designed and developed, but not yet implemented, and does not bestow 
any ownership or other similar interests or rights to any railroad. 
Each Type Approval number remains under the control of the FRA, and can 
be issued or revoked in accordance with this subpart.
    FRA expects the Type Approval process to provide a variety of 
benefits to FRA and the industry. If a railroad submits a PTCDP 
describing a PTC system, and the PTC system receives a Type Approval, 
then other railroads intending to use the same PTC system without 
variances may, in accordance with paragraph (b)(1), simply rely on the 
Type Approval number without having to file a separate PTCDP. While the 
railroad filing the PTCDP must expend resources to develop and submit 
the PTCDP, all other railroads using the same PTC system would not. 
This should not only provide significant cost and time savings for a 
number of railroads, but should remove a significant level of 
redundancy from the approval process that is currently inherent in 
subpart H.
    If, however, a railroad intends to use a modified version of a PTC 
system that has already received a Type Approval number, and the 
variances between the two systems are of a safety-critical nature, the 
railroad must submit a new PTCDP. The railroad may submit a new PTCDP 
that fully complies with the content requirements under Sec.  236.1013 
or supply a Type Approval number for the other PTC system upon which 
the modified PTC system will rely and a document that fulfills the 
content requirements under Sec.  236.1013 with respect to the safety-
critical variances between the system described within the original 
PTCDP and the system as modified.
    This final rule does not preclude a railroad from submitting its 
PTCDP before its PTCIP for FRA review and approval. FRA encourages an 
earlier submission of the PTCDP to further reduce the required 
regulatory effort necessary to review the PTCIP and PTCDP if submitted 
together. More importantly, it would present an opportunity for FRA to 
issue a Type Approval for the proposed PTC system before April 16, 
2010, thus providing other railroads intending to use the same or 
similar PTC system the opportunity to leverage off of the work already 
performed by simply submitting the Type Approval and--in the event of 
any variances--a much less burdensome PTCDP. FRA also believes this 
regulatory procedure may incentivize railroads using the same or 
similar PTC system to jointly develop and submit a PTCDP, thus further 
reducing the paperwork burden on FRA and the industry as a whole and 
increasing confidence in the interoperability between systems.
    Vendors believe that FRA should type approve specific components, 
so the vendor may sell the type approved products. FRA believes that 
such a request may be based on the mistaken belief that FRA has adopted 
the FAA aviation model of type certifying aircraft frames, aircraft 
engines, and propellers (see 14 CFR part 21, subparts B-G). This is 
not, however, the case. FRA has adopted some elements of the FAA 
Airworthiness Certificate process (see 14 CFR part 21, subpart H), 
which addresses the suitability of an entire aircraft for a particular 
purpose. FRA will apply a similar standard and certify only complete 
PTC systems.
    Another mechanism FRA is adding that will enable railroads to meet 
their statutory obligations in preparing and submitting a PTCIP, while 
providing enough information to FRA to facilitate FRA's evaluation of 
the technical feasibility of the PTCIP, can be found in the provisions 
of paragraph (c).
    Paragraph (c) allows a railroad to file an abbreviated PTCDP, 
called a Notice of Product Intent (NPI), with their PTCIP. The NPI, 
detailed in Sec.  236.1013(e), is handled in a manner similar to a full 
PTCDP, with certain key exceptions. First, a PTCIP may be submitted 
with a NPI in lieu of either a complete PTCDP (or reference to an 
approved Type Approval). Any PTCIP submitted with an NPI and approved 
by FRA will only receive ``Provisional Approval.'' The Provisional 
Approval will only be valid for a maximum period of 270 days 
(approximately 9 months), by which time a railroad must resubmit its 
PTCIP with a complete PTCDP or reference to an approved Type Approval. 
If the railroad submits the updated PTCIP within that period, FRA will 
treat the updated filing in the same manner as FRA would have treated 
the original PTCIP submission. If the railroad fails to update the 
PTCIP before the end of that period, the Provisional Approval will 
automatically be revoked, and the revocation will be considered as 
retroactive to the original due date. FRA has no intention of extending 
any Provisional Approval beyond the 270 day period and will not 
entertain requests to that effect. Each railroad is expected to be 
capable of fully defining the product they intend to use within the 270 
day period. Use of an NPI by a railroad allows for incremental, albeit 
limited, submission of the PTCDP.
    Railroads would still be required to fully describe their plans for 
the use and completion of the PTCDP in their PTCIPs. Having the PTCDP 
development extend beyond the PTCIP due date may be beneficial to the 
entire industry, since it allows for practical development of PTC 
systems for railroads with unique technical requirements or financing 
restrictions while potentially increasing the number of viable 
suppliers, products, and systems. In addition to being practical, this 
approach would further the industry interests of having a more even 
distribution of the workload for commuter rail agencies and for FRA 
staff. Additionally, it enhances the ability of railroads to provide 
sufficient detail in the PTCDP, due to greater confidence in the 
overall design solution, thereby reducing the need for revision and the 
associated burden on FRA and railroad staff.
    FRA clearly recognizes, regardless of the approach taken, that a 
vendor or supplier to the railroad may prepare part, if not all, of the 
required documentation. Notwithstanding that fact, the railroad remains 
responsible for the completeness and accuracy of any documentation 
submitted. For instance, FRA may find that the PTCDP does not 
adequately conform to this subpart or otherwise has insufficient 
information to justify approval. FRA may also determine that there are 
issues raised by the PTCDP that would adversely affect the ability of 
FRA to eventually certify the system. If such a situation were to 
arise, the railroad would need to address the issues and resubmit the 
documentation for FRA approval.
    The third mechanism available to railroads is described in 
paragraph (d). This paragraph allows railroads the opportunity to file 
a Request for Expedited Certification (REC) in lieu of an approved 
PTCDP or a Type

[[Page 2640]]

Approval, and the subsequent PTCSP developed in accordance with Sec.  
236.1015 in order to receive PTC System Certification. A REC applies 
only to PTC systems that have already been in revenue service and meet 
the criteria of Sec.  236.1031(a). If a PTC system is not eligible for 
expedited certification, the railroad will be limited to the options 
presented in paragraphs (b) and (c).
    Paragraph (e) requires that each PTCIP, PTCDP, and PTCSP must 
comply with the content requirements in Sec. Sec.  236.1011, 236.1013, 
and 236.1015, respectively. If the submissions do not comply with their 
respective regulatory requirements, then they may not be approved. 
Without approval, a PTC system may not receive a Type Approval or PTC 
System Certification. Ultimately, PTC System Certification is FRA's 
formal recognition that the PTC system, as described and implemented, 
meets the statutory requirements and the provisions of subpart I. It 
does not imply FRA endorsement or approval of the PTC system itself.
    In the interest of an open market, FRA does not want to preclude 
the ability of PTC system suppliers outside of the United States from 
manufacturing PTC systems or selling them to the regulated railroads. 
However, in order to ensure the safety and reliability of those 
systems, FRA needs to be able to conduct an adequate review of the 
submitted plans. Accordingly, paragraph (e) requires that all materials 
submitted in accordance with this subpart be in the English language, 
or be translated into the English language and attested as true and 
correct.
    Under subpart H of this part, a railroad may seek confidential 
treatment for what it deems to be trade secrets, commercial, or 
financial information that is privileged or confidential under 
Exemption 4 of the Freedom of Information Act (FOIA), 5 U.S.C. 
552(b)(4), or the Trade Secrets Act, 18 U.S.C. 1905, and submit such 
requests in accordance with Sec.  209.11. A railroad may request 
similar confidential treatment under subpart I. As with subpart H, 
should a FOIA request be made for information submitted under this rule 
for which the submitting party has requested confidential treatment, 
the submitting company will be notified of the request in accordance 
with the submitter consultation provisions of the Department's FOIA 
regulations (Sec.  7.17) and will be afforded the opportunity to submit 
detailed written objections to the release of information as provided 
for in Sec.  7.17(a). FRA strongly encourages submitting parties to 
request confidential treatment only for those portions of documents 
that truly justify such treatment (i.e., trade secrets and security 
sensitive information).
    While FRA continues to believe that there is no need at this time 
to substantially revise Sec.  209.11, FRA will require an additional 
document to assist FRA in efficiently and correctly reviewing requests 
for confidentiality. Under Sec.  209.11, a redacted and an unredacted 
copy of the same document must be submitted. When FRA review is 
required to determine whether confidentiality should be afforded, FRA 
personnel must painstakingly compare side-by-side the two versions to 
determine what information has been redacted. This process may result 
in information for which exemption from disclosure is being requested 
to be misidentified. To reduce this burden, and ensure that the 
intellectual property of the railroad and their suppliers is 
appropriately guarded, FRA requires that any material submitted for 
confidential treatment under subpart I and Sec.  209.11 include a third 
version that would indicate, without fully obscuring, the redacted 
portions for which protection is requested. For instance, in order to 
indicate without obscuring the plan's redacted portions, the railroad 
may use the highlighting, underlining, or strikethrough functions of 
its word processing program. This document will also be treated as 
confidential under Sec.  209.11. FRA could amend Sec.  209.11 to 
include this requirement. However, FRA does not believe it to be 
necessary at this time.
    FRA is allowing the submission of an adequate GIS shapefile to 
fulfill some of the PTCIP content requirements under Sec.  236.1011. 
However, with respect to requesting confidential treatment of specific 
information contained in a GIS shapefile, which includes primarily map 
data, FRA recognizes that visually blocking out the information would 
defeat the purpose. For instance, a black dot over a particular map 
location, or a black line over a particular route, would actually 
reveal the location. Thus, FRA expects that a railroad seeking 
confidential treatment for portions of a GIS shapefile will submit 
three versions of the shapefile to comply with paragraph (e). 
Alternatively, a single shapefile can include three separate layers 
each representing the three levels of confidentiality, with specific 
instructions indicating which elements are being displayed and how to 
handle the file for confidentiality purposes. FRA also expects that the 
version for public consumption would not include the information for 
which the railroad is seeking confidential treatment.
    NICTD strongly urged FRA to only accept PTCIPs that provided full 
public disclosure of all the information needed to obtain components 
from multiple suppliers, including message interface standards, 
functional allocation for each subsystem, and safety allocation for 
each subsystem (e.g., identifying which hazards and safety-critical 
assumptions are made for each subsystem). NICTD asserted that it was 
not requesting proprietary information for any subsystems, but merely 
the ability to utilize alternative sources to fulfill the subsystem 
requirements within the overall PTC system. According to NICTD, this 
would substantially improve the likelihood of commuter railroads being 
able to obtain components from the multiple suppliers that are 
currently more than willing to develop components that will safely 
operate with other systems. Moreover, NICTD stated that this would 
facilitate compliance with interoperability requirements, as the 
knowledge gained would simplify development of interoperable systems 
and reduce procurement delays. Amtrak agrees on the need for full 
public disclosure and asserts that it should be able to review and 
comment on the PTCIPs of the Class I railroads. FRA understands these 
positions, but FRA will not make any flat pronouncements about the 
confidentiality of information it has not yet received.
    FRA expects that FRA-monitored laboratory or field testing or an 
independent third party assessment may be necessary to support 
conclusions made and included in a railroad's submitted PTCDP or PTCSP. 
This issue is addressed in paragraph (f). The procedural requirements 
to effectuate either of those requirements can be found in Sec. Sec.  
236.1035 and Sec.  236.1017, respectively.
    Paragraph (g) makes clear that FRA approval of a plan submitted 
under subpart I may be contingent upon any number of factors and that, 
once the plan is approved, FRA maintains the authority to modify or 
revoke the resulting Type Approval or PTC System Certification. Under 
paragraph (g)(1), FRA reserves the right to attach additional 
requirements as a condition for approval of a PTCIP, or issuance of a 
Type Approval or PTC System Certification. In the preparation of any of 
these plans, railroads may have inadvertently failed to fully address 
hazards and risks associated with all of these components.
    FRA believes that paragraph (g)(1) will make the regulatory process 
more efficient and stable. Rather than reject a railroad's plan 
completely, and

[[Page 2641]]

consequently delay the railroad's implementation of its PTC system, FRA 
would prefer to add additional conditions during the approval process 
to address these oversights. When determining whether to attach 
conditions to plan approval, FRA will consider whether: (1) The plan 
includes a well-defined and discrete technical or security issue that 
affects system safety; (2) the risk or safety significance of an issue 
can be adequately determined; (3) the issue affects public health and 
safety; (4) the issue is not already being processed under an existing 
program or process; and (5) the issue cannot be readily addressed 
through other regulatory programs and processes, existing regulations, 
policies, guidance, or voluntary industry initiatives.
    Paragraph (g)(2) provides FRA the right to reconsider an issued 
Type Approval or PTC System Certification as a consequence of the 
discovery of potential error, fraud or new information regarding system 
safety that was not previously identified. FRA issuance of each Type 
Approval or PTC System Certification under performance-based 
regulations assumes that the model of the train control system and its 
associated probabilistic data adequately accounts for the behavior of 
all design features of the system that could contribute to system risk. 
Different system design approaches may result in different levels of 
detail introducing different approximations or errors associated with 
the safety performance. There are some characteristics for which 
modeling methods may not fully capture the behavior of the system, or 
there may be elements of the system for which historical performance 
data may not be currently available. These potential inconsistencies in 
the failure analysis could introduce significant variations between the 
predicted and actual performances. Because of the design complexity 
associated with train control systems, FRA recognizes that these 
inconsistencies may not be the result of deliberate acts by any 
individuals or organizations, but simply reflect the level of 
analytical detail, the availability of comprehensive information, the 
qualification and experience of the analyst team, and the railroad's 
and FRA's resource limitations.
    In paragraph (g)(3), FRA indicates that the railroad may be allowed 
to continue operations using the system, although such continued 
operations may have special conditions attached to mitigate any adverse 
consequences. It is FRA's intent, to the maximum extent possible and 
when consistent with safety, to assist railroads in keeping the systems 
in operation. FRA expects that, if it places a condition on PTC system 
operations, each railroad will have a predefined process and procedure 
in place that would allow continued railroad operations, albeit under 
reduced capability, until appropriate mitigations are in place, and the 
system can be restored to full operation. In certain dire situations, 
FRA may actually order the suspension or discontinuation of operations 
until the root cause of the situation is understood and adequate 
mitigations are in place. FRA believes that suspending a Type Approval 
or a PTC System Certification pending a more detailed analysis of the 
situation may be appropriate, and that any such suspension must be done 
without prejudice. FRA expects to take such an action only in the most 
extreme circumstances and after consultation with the affected parties.
    After reconsidering its issuance of a Type Approval or PTC System 
Certification, under paragraph (g)(4), FRA may either dismiss its 
reconsideration and continue to recognize the existing FRA approved 
Type Approval or PTC System Certification, allow continued operations 
with certain conditions attached, or order the railroad to cease 
applicable operations by revoking its Type Approval or PTC System 
Certification. If FRA dismisses its reconsideration and continues to 
recognize the Type Approval, any conditions required during the 
reconsideration period would no longer be applicable. If FRA will allow 
continued operations, FRA may order the continuation of conditions that 
were required during the reconsideration period or impose additional 
conditions. FRA expects that revocation of a Type Approval or PTC 
System Certification would occur in very narrow circumstances, where 
the risks to safety appear insurmountable. Regrettably, there may be a 
few situations in which the inconsistencies are the result of 
deliberate fraudulent representations. In such situations, FRA may also 
seek criminal or civil penalties against the entities involved.
    APTA submitted comments asserting that the NPRM offered minimal 
guidance on what criteria FRA will use in accepting or rejecting a 
railroad's plan. Therefore, APTA asserted that FRA should draft and vet 
criteria that accomplishes the basic purposes of PTC, while allowing 
for innovation in meeting the performance requirements envisioned in 
the proposed regulation. FRA believes that this concern arises from the 
fact that this regulation, like subpart H of this part, is a 
performance-based rule. While performance-based rules provide maximum 
flexibility to railroads and vendors or suppliers, they also introduce 
a degree of ambiguity.
    FRA, in consultation with the RSAC PTC Working Group, has developed 
and vetted model templates for both the PTCIP and the risk 
prioritization scheme to provide some degree of specificity without 
unnecessary constraints. It should be carefully noted that these 
templates are, by necessity, general in nature and must be customized 
by the individual railroad to reflect its individual operations. What 
may be applicable for one railroad may not be applicable to another. 
FRA has also provided vetted guidance as to acceptable design, 
verification and validation, and human factors in the appendices to 
this part. Again, given the wide variety of potential solutions that 
may be adopted by various railroads, FRA is reluctant to provide more 
detailed guidance. However, if a PTCIP content requirement under Sec.  
236.1011 is fulfilled in a submitted GIS shapefile, then the written 
PTCIP should simply cross-reference appropriately.
    Paragraph (h) relates to FRA's authority to conduct inspections to 
ensure that a railroad is in compliance with subpart I. FRA inspections 
may be required to determine whether a particular railroad has 
implemented a PTC system where necessary. For instance, FRA may need to 
confirm whether a track segment is subject to five million gross tons 
or more of annual railroad traffic, PIH materials, or passenger 
traffic. FRA may also need to inspect locomotives to determine whether 
they are equipped with a PTC onboard apparatus or to review locomotive 
logs to determine whether the locomotive has entered PTC territory. 
Paragraph (h) simply reiterates FRA's statutory authority to inspect 
the railroads and gather information necessary to enforce its 
regulations.
    In order to maintain an open marketplace, this final rule has been 
drafted to allow domestic railroads to purchase PTC systems from 
outside of the United States. FRA recognizes that PTC systems have been 
used in revenue service across the globe and that acceptable products 
may be available in other countries. FRA also recognizes that such use 
may fall under the jurisdiction of a foreign regulatory entity much 
like FRA. Accordingly, under paragraph (i), in the event information 
relating to a particular PTC system has been certified under the 
auspices of a regulatory entity in a foreign government, FRA is willing 
to consider that information as independently Verified and Validated to 
support the

[[Page 2642]]

railroad's PTCSP development. The phrase ``under the auspices'' intends 
to reflect the possibility of certification contractually performed by 
a private entity on behalf of a foreign government agency. However, the 
foreign regulatory entity must be recognized by the Associate 
Administrator. A railroad seeking to enjoy the benefits of paragraph 
(i) must communicate that interest in its PTCSP, and is strongly 
encouraged to communicate such a desire well before submission of the 
PTCSP for approval.
    Finally, the AAR noted that, unlike the precedent set by subpart H 
and the RSIA08, FRA did not include time frames for the agency to 
respond to the submissions of the PTCDP or PTCSP. The AAR urged FRA to 
include specific deadlines for these filings to ensure a common 
understanding of the time allotted to carry out the regulatory 
responsibilities. Accordingly, AAR proposed that FRA agree to respond 
within 60 and 120 days of the submission of a PTCDP and PTCSP, 
respectively. This 180-day approval period for both the development and 
safety plans is consistent with existing subpart H, which allows 180 
days for approval of a product safety plan.
    FRA agrees that the railroads need, for their planning purposes, an 
estimated amount of time within which FRA will provide a response 
regarding the acceptability of their PTCSP submission. FRA also 
believes that this information would be appropriately placed in Sec.  
236.1009. Accordingly, FRA is adding paragraph (j) to this section, 
which contains target deadlines for FRA review. FRA will acknowledge 
receipt of a PTCDP or PTCSP submission within 30 days. Depending upon 
the complexity of the system and the amount of participation by FRA in 
the PTCDP or PTCSP development process, FRA will endeavor to approve, 
approve with conditions, or deny approval of the PTCDP and PTCSP within 
60 and 180 days, respectively. If FRA is unable to complete its review 
of the PTCDP or PTCSP within these estimated time periods, FRA will 
advise the submitter accordingly.
    When reviewing the procedural requirements contained in the 
proposed rule, the RLO expressed concern that this streamlined process 
may result in degradation of safety and significant concern with the 
ability of FRA to adequately staff the oversight process with a 
sufficient number of people with the requisite skill sets. FRA 
appreciates these concerns, and is undertaking plans to ensure that 
this new process does not result in any degradation of safety. FRA will 
continue to apply the same technical standards as used in earlier PTC 
system approvals. FRA has also taken steps to ensure that it has 
sufficient people, with the appropriate skills, to ensure proper safety 
oversight of this new process. A task analysis to determine the desired 
skills, as well as appropriate placement within the agency of 
additional staff members has been completed The RSIA08 authorizes an 
additional 200 full time positions to FRA, and FRA is ready to recruit 
the necessary technical staff as appropriations permit.
Section 236.1011 PTC Implementation Plan Content Requirements
    This section describes the minimum required contents of a PTC 
Implementation Plan. A PTCIP is a railroad's plan for complying with 
the installation of mandatory PTC systems required by RSIA08. The PTCIP 
consists of implementation schedules, narratives, rules, technical 
documentation, and relevant excerpts of agreements that an individual 
railroad will use to complete mandatory PTC implementation. FRA will 
measure the railroad's progress in meeting the required implementation 
date based on the schedule and other information in the PTCIP. While 
the final rule does not specify or mandate any specific organization 
for the PTCIP, it must at least clearly indicate which portions intend 
to address compliance with the various plan requirements under this 
section. The PTCIP must also clearly identify each referenced document 
and either include a copy of each document (or its applicable excerpt) 
or indicate where FRA and the public may view that document. Should FRA 
not be able to readily determine adequate response to the required 
information, FRA will assume that the information has not been 
submitted, and will handle the document accordingly. The lack of the 
required information may result in FRA's disapproval of a PTCIP. To 
facilitate timely and successful submittals, FRA, through assistance 
from a PTCIP Task Force drawn from the PTC Working Group, developed a 
template that can be used to format the documents that must be 
submitted. FRA, however, wishes to emphasize that the use of such a 
template is strictly voluntary, and encourages railroads to prepare and 
submit the documents in the structure most economical for the railroad. 
FRA does not believe it is necessary to require that the railroads 
expend their limited resources in reformatting documents when such an 
activity adds no real value. However, while the template may be a 
useful tool, in light of the various forms a PTCIP may be required to 
take and the type of system the railroad intends to implement, complete 
adherence to the template will not guarantee FRA approval of the 
submitted PTCIP.
    FRA expects each PTCIP to include various highly specific and 
descriptive elements relating to each railroad's infrastructure and 
operations. FRA recognizes manual assembly of each piece of data into a 
PTCIP may be exceptionally onerous and time consuming and may make the 
PTCIP prone to errors. In light of the foregoing, and due to the 
statutory requirement that Congress be apprised on the progress of the 
railroad carriers in implementing their PTC systems, FRA believes that 
electronic submission of much of this information may be warranted and 
preferred. To facilitate collection of this data, FRA will accept the 
submission of this data in electronic format.
    FRA believes that the preferred, least costly, and least error-
prone method to comply with this section is for railroads to submit an 
electronic geographic digital system map containing the aforementioned 
segment attribute information in shapefile format, which is a data 
format structure compatible with most Geographic Information System 
(GIS) software packages. Using GIS provides an efficient means for 
organizing basic transportation-related geographic data to facilitate 
the input, analysis, and display of transport networks. Railways around 
the world rely on GIS to manage key information for rail operations, 
maintenance, asset management, and decision support systems. FRA 
believes that the railroads may have already identified track segments, 
and their physical and operational characteristics, in shapefile 
format. Accordingly, each shapefile document must provide the following 
identifiable information for each track segment: Owning railroad(s); 
distance; signal system; track class; subdivision; number and location 
of sidings; maximum allowable speed; number and location of mainline 
tracks; annual volume of gross tonnage; annual number of cars carrying 
hazmat; annual number of cars carrying PIH; passenger traffic volume; 
average daily through trains; WIUs; switches; and at-grade rail-to-rail 
crossings.
    Paragraph (a) cites the minimum requirements that must be addressed 
in the PTCIP. However, given the wide diversity of railroads and their 
operating environments, FRA recognizes that additional factors may 
arise that reflect the unique operational characteristics of a 
particular railroad. It is beholden to each railroad to carefully 
analyze the

[[Page 2643]]

circumstances associated with its operations and address any of these 
elements that may affect implementation planning. During its review of 
a PTCIP, FRA will carefully evaluate the plan to determine if the 
submitting railroad(s) have indeed addressed unique railroad issues. 
FRA wishes to make clear that in those situations, where additional 
factors that are unique to a railroad have not been addressed, FRA will 
return the PTCIP unapproved.
    Paragraph (a)(1) requires that the railroad describe the functional 
requirements that the technology will employ in its PTC system. Here, 
FRA broadly defines the term ``technology'' to include all applicable 
tools, machines, methods, and techniques.
    Paragraph (a)(2) requires that the railroad describe how it will 
address fulfilling the requirements associated with the submittal of an 
NPI (see 49 CFR 236.1009(c)) temporarily in lieu of a PTCDP and the 
requirements associated with a PTCSP (see 49 CFR 236.1009(d)).
    In RSIA08, Sec.  20157(a)(2) requires that a railroad describe how 
it will ``provide for interoperability of the system with movements of 
trains of other railroad carriers over its lines.''
    Practically speaking, this means that each locomotive operating 
within PTC territory must be able to communicate with, and respond to, 
the PTC systems installed on each PTC territory's track and signal 
system, except in those limited situations established elsewhere in 
this final rule. For this reason, paragraph (a)(3) requires that the 
PTCIP describe how the PTC system will provide for interoperability of 
the system between the host and all tenant railroads on the lines 
required to be equipped with PTC systems under this subpart.
    Interoperability means the ability of diverse systems and 
organizations to work together (inter-operate), taking into account the 
technical, operational, and organizational factors that may impact 
system-to-system performance. FRA expects each PTC system required by 
subpart I to exhibit syntactic interoperability--so that it may 
successfully communicate and exchange data with other PTC systems--and 
semantic interoperability--so that it may automatically, accurately, 
and meaningfully interpret the exchanged information to prove useful to 
the end user of each communicating PTC system. To achieve semantic 
interoperability, both sides must defer to a common information 
exchange reference model. In other words, the content of the 
information sent must be the same as what is received and understood. 
Taking syntactic and semantic interoperability together, FRA expects 
each PTC system to provide services to, and accept services from, other 
PTC systems and to use those services exchanged to enable the PTC 
systems to operate effectively together and to provide the intended 
results. The degree of interoperability should be defined in the PTCIP 
when referring to specific cases.
    Interoperability is achieved through four interrelated means: 
Product testing, industry and community partnership, common technology 
and intellectual property, and standard implementation.
    Product testing includes conformance testing and product 
comparison. Conformance testing ensures that the product complies with 
an appropriate standard. FRA recognizes that certain standards attempt 
to create a framework that would result in the development of the same 
end product. However, many standards apply only to core elements and 
allow developers to enhance or otherwise modify products as long as 
they adhere to those core elements. Thus, if an end product is 
developed in different ways to conform to the same standard, there may 
still be discrepancies between each instantiation of the end product 
due to the existence of variables outside of the core elements. 
Accordingly, FRA believes that comparison testing must also occur to 
ensure that each instantiation of the same product, regardless of the 
means upon which it is created to meet the same standard, is ultimately 
identical. In regards to PTC systems, such comparison testing must 
occur on all portions that relate to each system's interoperability 
with other systems. Thus, it is also important that the PTC system be 
formally tested in a production scenario--as they will be finally 
implemented--to ensure that it will actually intercommunicate and 
interoperate with other PTC systems as advertised and intended.
    To reach interoperability between the various applicable PTC 
systems, each PTCDP must also show that the systems share common 
product engineering. Product engineering refers to the common standard, 
or a sub-profile thereof, as defined by the industry and community 
partnerships, specifically intended to achieve interoperability. 
Without common product engineering, the systems will be unable to 
intercommunicate or otherwise interact as necessary to comply with the 
proposed rule.
    FRA expects that each interoperability standard for PTC systems 
will be developed by a partnership between various industry 
participants. Industry and community partnerships, either domestic or 
international, usually sponsor standard workgroups to define a common 
standard to provide system intercommunications for a specific purpose. 
At times, an industry or community will sub-profile an existing 
standard produced by another organization to reduce options and thus 
making interoperability more achievable. Thus, in each PTCDP, the 
railroad must discuss how it developed or adopted a standard commonly 
accepted by that partnership.
    In the proposed rule, FRA noted that means of achieving 
interoperability include having the various entities involved using the 
same PTC system product or obtaining its components from the same 
developer. In its comments, NICTD expressed its belief that this 
conclusion does not meet RSIA08's interoperability requirements. 
According to NICTD, while the freight railroads are free to choose 
their own supplier, their essential monopoly power has the potential to 
force commuter railroads to use the same supplier and thereby prevent 
commuter railroads from meeting the requirement to use open competitive 
bids from multiple suppliers for a system. Since the quantity of units 
required from the commuter railroads is substantially less than those 
required for the freight railroads, NICTD asserts this greatly reduces 
the ability of the commuter railroads to obtain system components that 
meet their specific operating needs, as the single supplier will not 
have the resources available to support those needs. NICTD also 
believes that this is in direct contrast with the FRA statement 
relating to performance standards: ``FRA intends the proposed rule to 
accelerate the promotion of, and not hinder, cost effective 
technological innovation by encouraging an efficient utilization of 
resources, an increased level of competition, and more innovative user 
applications and technological developments.''
    Safetran also believes that each railroad should be free to choose 
a supplier. According to Safetran, the freight railroads through their 
implementation and development plans could specify a specific product 
or supplier preventing other railroads from using open competitive bids 
from multiple suppliers for a system and achieving the cost savings of 
competitive bidding. Safetran urges FRA to accept PTCIPs and PTCDPs 
that require public disclosure of all information needed to enable 
development of PTC components from multiple suppliers. This does not 
require disclosure of proprietary

[[Page 2644]]

information, but does require disclosure of interface specifications as 
well as required functional attributes, assigned safety attributes and 
stimulus/response attributes.
    While FRA does not necessarily require this approach--since the 
agency seeks to maintain an open and competitive marketplace--FRA 
believes that this is a suitable means to achieve interoperability. 
This technique may provide similar technical results when using PTC 
system products from different vendors or suppliers relying on the same 
intellectual property. FRA recognizes that certain developers with an 
intellectual property interest in a particular technology may provide a 
non-exclusive license of its intellectual property to another entity so 
that the licensee may introduce into the marketplace a substantially 
similar product reliant on that intellectual property. In such a case, 
FRA foresees that the use of a common PTC system technology--even if it 
is proprietary to a single or multiple entities and licensed to 
railroads--could reduce the variability between components, thus 
providing for a more efficient means to achieve interoperability.
    In order for interoperability to actually occur between multiple 
entities' PTC systems, there must be some standard to which they all 
adhere. Thus, FRA also expects that each PTCDP will provide assurances 
of a common interoperability standard agreed to between all entities 
using PTC systems that must interoperate.
    Since each of these interrelated means has an important role in 
reducing variability in intercommunication, each railroad's PTCIP must 
clearly describe the elements required under paragraph (a)(1)-(3).
    During review of the NPRM, AAR noted paragraph (a)(3)(i) had not 
been updated to reflect an RSAC agreement. FRA agrees and has revised 
paragraph (a)(3)(i) to include the language: ``include relevant 
provisions of agreements, executed by all applicable railroads, in 
place to achieve interoperability.''
    Much of the remaining information required in a PTCIP under this 
final rule relies on the location, length, and characteristics of each 
track segment. Therefore, a common understanding of a track segment is 
necessary. A track is the main designation for describing a physical 
linear portion of the network. Each line of railroad has a station 
location referencing system, which serves to locate inventory features 
and defects along the length of the track. Because some tracks can be 
very long, track or line segments are established to divide the track 
into smaller ``management units.'' Typically, segment's boundaries are 
established at point of switch (POS) locations, but may also be located 
at mile markers, grade crossings, or other readily identifiable 
locations. Inspection, condition assessment, and maintenance planning 
is performed individually on each segment. After the track network 
hierarchy is established, the attribute information associated with 
each track is defined. This attribute information describes the track 
layout (e.g., curves and grades), the track structure (e.g., rail 
weights and tie specifications), track clearance issues, and other 
track related items such as turnouts, rail-to-rail at-grade crossings, 
highway-rail grade crossings, drainage culverts, and bridges. Inventory 
information about these track attributes can be quite detailed. The 
benefits of a complete and accurate track inventory provides a record 
of the track network's properties and information about the existing 
track materials at the specific locations when maintenance or repair is 
necessary.
    Paragraphs (a)(4) and (a)(5) require the railroad to put its entire 
implementation plan into an understandable context, primarily as it 
relates to the sequence and schedule of track segment implementation 
events. Under RSIA08, 49 U.S.C. 20157(a)(2), Congress requires each 
subject railroad to describe in its PTCIP how it shall, to the extent 
practical, implement the PTC system in a manner that addresses areas of 
greater risk before areas of lesser risk. Accordingly, under paragraph 
(a)(4), the PTCIP must discuss the railroad's areas of risk and the 
criteria by which these risks were evaluated and prioritized for PTC 
system implementation. To this end, the railroad must clearly identify 
all track segments that must be equipped, the basis for that decision 
for each segment (which might be done by categories of segments), and, 
as provided in paragraph (a)(5), the dates that implementation of each 
segment will be completed, taking into account the time necessary to 
fulfill the procedural requirements related to PTCSP submission, 
review, and approval. At a minimum, the deployment decisions must be 
based on segment traffic characteristics such as passenger and freight 
traffic volumes, the quantity of PIH and other hazardous materials, 
current methods of operations, existence of block signals and other 
traditional train control technologies, the number and class of tracks, 
authorized and allowable speeds for each segment, and other unusual 
characteristics that may adversely impact safety, such as unusual 
ruling grades and other track geometries. In cases where deployment of 
the PTC system cannot be accomplished in order of areas with the 
greatest risk to areas with the least risk, paragraph (a)(9) requires 
that the railroad explain why such a deployment was not practical and 
the steps that will be taken to minimize adverse consequences to the 
public until the track segment can be equipped.
    Paragraphs (a)(6) and (a)(7) require the PTCIP to include 
information regarding the rolling stock and wayside devices that will 
be equipped with the appropriate PTC technology. For a PTC system to 
work as intended, PTC system components must be installed and operated 
in all applicable offices and on all applicable onboard and wayside 
subsystems. Accordingly, the PTCIP must identify which technologies 
will be installed on each subsystem and when they are scheduled to be 
installed.
    Under paragraph (a)(6), each host railroad filing the PTCIP must 
include a comprehensive list of all rolling stock upon which a PTC 
onboard apparatus must be operative. FRA understands that, in most 
situations, the rolling stock referenced in paragraph (a)(6) may only 
apply to controlling locomotives. However, in the interest of not 
hindering creative technological innovations, FRA presumes the 
possibility that PTC system technology may also be attached to 
additional rolling stock to provide other functions, including 
determining train capacity and length or providing certain acceptable 
and novel train controls. To be kept apprised of these possibilities, 
FRA is requiring in paragraph (a)(6) that each PTCIP include a list of 
all rolling stock equipped with PTC technology. FRA believes that the 
PTCIP should also identify any risks associated with trains operated by 
tenant railroads and not equipped with PTC system technology and the 
efforts that the host railroad has made to establish the extent of that 
risk. FRA understands that a host railroad may not receive cooperation 
from a tenant railroad in collecting the necessary rolling stock 
information. Nevertheless, FRA expects each host railroad to make a 
good faith effort. Identification of those tenant railroads from whom 
the host railroad attempted to obtain the requisite and applicable 
information from, but failed to address a host railroad's written 
request, may establish a good faith effort by the host railroad.
    One railroad has requested that FRA eliminate the requirement for a 
power (locomotive) equipage plan in the PTCIP to avoid the need for 
updates to the

[[Page 2645]]

PTCIP. Instead of requiring such a plan, the railroad recommends that 
FRA rely on railroad scheduling and good faith effort to drive 
installations during the period 2012 through 2015. FRA carefully 
considered this proposal, but has rejected it. Without an understanding 
of what portion of the locomotive fleet has been equipped and what 
portion remains to be equipped, FRA cannot accurately assess the extent 
to which PTC could be used in revenue service. FRA is required to make 
regular reports to Congress on the status of industry compliance and 
the operational capability of existing PTC systems. Since PTC is an 
integrated system, which requires both wayside and onboard equipment to 
be installed and operational, evaluation of the state of system 
deployment requires knowledge of the state of both subsystems.
    Furthermore, the elimination of the equipage plan does not appear 
to provide any significant advantages to the railroad. Regardless of 
whether the railroad is required to maintain an equipage schedule for 
the PTCIP, or rely on railroad scheduling and good faith efforts, the 
railroad will still need to maintain some type of schedule to ensure 
the completion of required PTC installations by 2015. FRA believes that 
formalizing the schedule provides a planning tool that should 
facilitate completion of the installation process. If the equipage plan 
were unalterable, FRA could understand the railroad's concerns about 
being locked into an unrealistic and unobtainable schedule. However, 
FRA believes these concerns are unfounded because any plan in the 
PTCIP, including the equipage plan, can be adjusted to reflect changing 
circumstances.
    Paragraph (a)(7) requires the railroad to provide the number of 
wayside devices required for each track segment in its PTCIP and an 
installation schedule for the completion of wayside equipment 
installation by December 31, 2015. The selection and identification of 
a technology discussed in the PTCIP will also, to a great extent, 
determine the distribution of the functional behaviors of each of the 
PTC subsystems (e.g., office, wayside, communications, and back 
office). The WIU is a type of remote terminal unit (RTU) that is part 
of a larger PTC system, which is a type of SCADA. As a whole, the safe 
and efficient operation of a SCADA--a centralized system that covers 
large areas, monitors and control systems, and passes status 
information from, and operational commands to, RTUs--is largely 
dependent on the ability of each of its RTUs to accurately receive and 
distribute the required information. As such, a PTC system cannot 
properly operate without properly functioning WIUs to provide and 
receive status information and react appropriately to control 
information.
    It is commonly understood that a WIU device is capable of 
communicating directly to the office, train, or other wayside unit. FRA 
recognizes that there may not be the same number of WIUs and devices 
that they monitor. Depending on the architecture and technology used, a 
single WIU may communicate the necessary information as it relates to 
multiple devices. FRA is comfortable with this type of consolidation 
provided that, in the event of a failure of any one of the devices 
being monitored, the most restrictive condition will be transmitted to 
the train or office, except where the system may uniquely identify the 
failed device in a manner that will provide safe movement of the train 
when it reaches the subject location.
    Because of the critical role that WIU's play in the proper and safe 
operation of PTC systems, paragraph (a)(7) requires that the railroad 
identify the number of WIU's required to be installed on any given 
track segment and the schedule for installing the WIU's associated with 
that segment. This information is necessary to fully and meaningfully 
fulfill the RSIA08 requirement that by December 31, 2012, Congress 
shall receive a report on the progress of the railroad carriers in 
implementing PTC systems. See 49 U.S.C. 20157(d). To comply with this 
statutory requirement, each railroad must determine the number of WIUs 
it will need to procure and the location--as defined by the applicable 
subdivision--where each WIU will be installed. FRA believes that, if a 
railroad does not perform these traditional engineering tasks, it will 
risk exceeding the statutory implementation deadline of December 31, 
2015. FRA considers this information an integral part of the PTCIP that 
must be submitted to FRA for approval.
    NYSMTA asserts that the requirement in paragraph (a)(7) to include 
the quantities of devices for each track segment in the PTCIP requires 
prior completion of the full design of the PTC system. However, NYSMTA 
asserts that it is not feasible to complete all of the survey and 
design necessary to meet this requirement by April 2010. Therefore, 
NYSMTA suggested that the requirement be reworded to read as follows: 
``Identification of each PTC subsystem and major assembly, and an 
estimated number of each required for each line segment.''
    FRA recognizes the potential for technological improvements that 
may modify the number and types of WIUs required. FRA also recognizes 
that during testing and installation, it may be discovered that 
additional WIU installations may be necessary. In either case, the 
railroad will be required to submit an RFA in accordance with Sec.  
236.1021 indicating how the railroad intends to appropriately revise 
its schedule to reflect the resulting necessary changes. Nevertheless, 
regardless of whether FRA approves or disapproves the RFA, if a 
railroad is required to submit its PTCIP by April 16, 2010, 
implementation must still be completed by the statutory deadline of 
December 31, 2015.
    One railroad recommended that paragraph (a)(7) should be revised to 
require railroads to identify each PTC subsystem and assembly and the 
estimated number of each subsystem required for each track segment. 
However, FRA does not believe that this change is required. First, FRA 
believes that the discussion of WIU requirements in paragraph (a)(7) is 
already generalized and implementation independent. Second, this final 
rule already provides for corrections in inventory count by submission 
of an RFA with the revised count. Therefore, FRA has not adopted this 
recommendation.
    Under paragraph (a)(8), each railroad must also identify in its 
PTCIP which of its track segments are either main line or not main 
line. This list must be made based solely on the statutory and 
regulatory definitions regardless of whether FRA may later deem a track 
segment as other than main line. If a railroad has a main line that it 
believes should be considered not main line, it may file with the PTCIP 
a main line track exception addendum (MTEA) in accordance with Sec.  
236.1019, as further discussed below. Each track segment included in 
the MTEA should be indicated on the list required under paragraph 
(a)(8), so that the PTCIP accounts for each track segment with an 
appropriate cross-reference to the subject MTEA.
    Paragraph (a)(9) requires that the plan call out the basis for a 
railroad's determination that risk-based prioritization required by 
paragraph (a)(4) of this section is not practical. FRA recognizes that 
there may be situations where risk is somewhat evenly distributed and 
where other factors related to practical considerations--such as the 
need to establish reliable operation of the system in less complex 
environments before installation in more complex

[[Page 2646]]

environments--may be the prudent course. However, the burden of 
establishing the reasonableness of this approach would be on the 
railroad, starting with a showing that risk does not vary substantially 
among the track segments in question.
    As mentioned elsewhere in this document, various railroads 
incorrectly asserted that they would not have to ``turn on'' their 
respective PTC systems until December 31, 2015. FRA recognizes that, 
although an approved PTCIP will include a progressive roll-out 
schedule, a PTC system cannot be operated in revenue service until it 
receives PTC System Certification. To avoid the possibility of a 
delayed plan submission that would frustrate the schedule, FRA has 
added paragraph (a)(10), which requires the railroad(s) to set its own 
due dates for such submissions. The ultimate due date, of course, is 
subject to FRA's approval of the PTCIP.
    Paragraph (b) of Sec.  236.1011 contains provisions related to 
further PTC deployment by the Class I railroads. As noted in the NPRM, 
the specific characteristics of the PTC route structure, with the focus 
on PIH traffic as an indicator of risk, was a late addition to the bill 
that would become RSIA08, not having appeared in either the House or 
Senate bills until the final package was assembled using consultations 
between the committee staffs in lieu of a formal committee of 
conference. Although the statutory construct (Class I rail line with 5 
million gross tons and some PIH materials) adequately defines most of 
the core of the national freight rail system, it is a construct that 
will introduce distortions at both ends of the spectrum of risk.
    On one hand, a line with a maximum speed limit of 25 miles per hour 
ending at a grain elevator that receives a few cars of anhydrous 
ammonia per year is a ``main line'' if it has at least 5 million gross 
tons of traffic (a very low threshold for a Class I railroad). This is 
not a line without risk, particularly if it lacks wayside signals, but 
FRA analysis shows that the potential for a catastrophic release from a 
pressure tank car is very low at an operating speed of 25 miles per 
hour, and the low tonnage is likely associated with relatively 
infrequent train movements--limiting the chance of a collision.
    On the other end of the spectrum, lines with greater risk may go 
unaddressed. For instance, a line carrying perhaps a much higher level 
of train traffic and significant volumes of other hazardous materials 
at higher speeds, without any PIH or passenger traffic, would not be 
equipped. This example is not likely to be present to any significant 
extent under current conditions. However, should the Class I railroads 
raise freight rates making rail transportation prohibitively expensive 
and accordingly eliminating PIH traffic, the issue would be presented 
as a substantial one. Most of the transportation risk--including 
hazards to train crews and roadway workers and exposure to other 
hazardous materials if released--would remain, but not the few carloads 
of PIH. FRA believes that the intent of Congress with respect to 
deployment of PTC might be defeated, even though the minimum 
requirements related to passenger and PIH traffic would be satisfied. 
Other lines carrying very heavy volumes of bulk commodities such as 
coal and intermodal traffic may or may not include PIH traffic. Putting 
aside the risk associated with PIH materials, significant risk exists 
to train crews and persons in the immediate vicinity of the right-of-
way if a collision or other PTC-preventable accident occurs. Any place 
on the national rail system is a potential roadway work zone, but 
special challenges are presented in providing for on-track safety where 
train movements are very frequent or operations are conducted on 
adjacent tracks.
    Risk on the larger Class II and III railroads' lines is also a 
matter of concern, and the presence of significant numbers of Class I 
railroad trains on some of those properties presents the opportunity 
for further risk reduction, since over the coming years virtually all 
Class I railroad locomotives will be equipped with PTC onboard 
apparatus'. Examples include trackage and haulage rights retained over 
Class II and III railroads following asset sales in which the Class I 
railroads divested the subject lines. Other prominent examples involve 
switching and terminal railroads, the largest of which are owned and 
controlled by two or more Class I railroads and function, in effect, as 
extensions of their systems. Conrail Shared Assets, a large regional 
switching railroad that is owned by NS and CSXT and is comprised of 
major segments of the former Conrail, then a Class I railroad, is 
perhaps the classic example.
    FRA notes that there has also been a trend, only recently and 
temporarily abated by the downturn in the economy, toward higher train 
counts on some non-signaled lines of the Class I railroads. On a train-
mile basis, these operations present about twice the risk as similar 
operations on signalized lines. These safety gaps need to be filled; 
and, while most will be filled due to the presence of PIH traffic, FRA 
cannot verify that this is the case in every instance.
    FRA concludes that the mandated deployment of PTC will leave some 
substantial gaps in the Class I route structure, including gaps in some 
major urban areas. FRA believes that these gaps will, over time, be 
``filled in'' by voluntary actions of the Class I railroads as they 
establish the reliability of their PTC systems, verify effective 
interoperability, and begin to enjoy the safety and other business 
benefits from use of these systems. FRA fully understands both the 
desire of the labor stakeholders in the PTC Working Group to see a 
broader build-out of PTC systems than that ``minimally'' required by 
RSIA08 and the concerns of the Class I railroads' representatives who 
noted the extreme challenge associated with equipping tends of 
thousands of wayside units, some 20,000 locomotives, and their 
dispatching centers' back offices within the statutory implementation 
period.
    The Congress recognized that all of these issues are legitimate 
concerns and so mandated the establishment of Risk Reduction Programs 
under the same legislation. Section 103 of RSIA08 specifically 
requires, within the Risk Reduction Program, a Technology 
Implementation Plan to address technology alternatives, including PTC. 
Accordingly, the PTC and Risk Reduction provisions in RSIA08 are 
clearly aligned in purpose; and there are also references in the 
technology plan elements of the Risk Reduction language that address 
installation of PTC by other railroads. Further, FRA has been charged 
with a separate rulemaking under section 406 of RSIA08 regarding risk 
in non-signaled (dark) territory that significantly overlaps the issue 
set in this rulemaking and the Risk Reduction section. Use of 
technologies that are integral to PTC systems constitute the best 
response to hazards associated with non-signaled lines. Switch position 
monitoring systems, track integrity circuits, digital data links and 
other technology used to address dark territory issues should be and, 
as presently conceived, are forward-compatible with PTC. In paragraph 
(b), FRA intends to dovetail these requirements by requiring that each 
Class I railroad include in its PTCIP deployment strategies indicating 
how it will approach the further build-out of full PTC, or partial 
implementation of PTC (e.g., using PTC technology to prevent train-to-
train collisions but perhaps not monitoring all switches in the 
territory; or using PTC to protect movements of the Class I over a

[[Page 2647]]

switching or terminal railroad without initially requiring all 
controlling locomotives of the switching or terminal railroad to be 
equipped). These railroads would then be required to include in the 
technology elements of their initial Risk Reduction plans a 
specification of which lines will be equipped and with what PTC system 
elements. Paragraph (b) makes clear that there would be no expectation 
regarding additional lines being equipped until those mandated by 
subpart I have been addressed. FRA shares the view of the Class I 
railroads and the passenger railroads that the December 31, 2015, 
deadline already presents a substantial challenge for railroads, 
suppliers, and the employees affected.
    One railroad objected to the requirement to describe the strategy 
and plan for complete build out and characterized it as premature, 
unwarranted, and inconsistent with the RSIA08. FRA strongly disagrees 
for the reasons previously set forth and has retained the requirement 
specified in paragraph (b).
    Paragraph (c) codifies in regulation the statutory mandate that FRA 
review the PTCIP and determine, within 90 days upon receipt of the 
plan, whether to provide its approval or disapproval. FRA believes that 
it is also important to provide procedural rules to communicate 
approval or disapproval. Thus, under paragraph (c), any approval or 
disapproval of a PTCIP by FRA will be communicated by written notice. 
In the event that FRA disapproves of the PTCIP, the notice will also 
include a narrative explaining the reasons for disapproval. Once the 
railroad receives notification that its PTCIP has been disapproved by 
FRA, it will have 30 days to resubmit its PTCIP for review and 
approval. While FRA may provide assistance to remedy a faulty PTCIP, it 
is ultimately the railroad's responsibility and burden to develop and 
submit a PTCIP worthy of FRA approval. FRA understands the railroads' 
desire to extend the period of time for corrections of any issues in 
the PTCIP, especially in circumstances that the railroad believes are 
out of its control. However, the 30-day period is a statutory 
requirement. FRA has little leeway in this regard. FRA will try to 
work, within the limits of available FRA resources, with railroads in 
reviewing draft versions of the PTCIP before April 16, 2010. Early 
identification of potential issues should reduce, and possibly 
eliminate, rework that a railroad might need to address during the 30-
day correction period. However, regardless of any early FRA 
participation in the document review cycle, the railroad is expected to 
submit a plan that requires little to no rework.
    A number of comments were submitted objecting to the potential 
assessment of civil penalties based on a railroad's failure to timely 
file a PTCIP. While FRA is unwilling to revise its position on this 
issue, FRA will exercise prosecutorial discretion in the assessment of 
civil penalties.
    APTA submitted comments suggesting that the language in paragraph 
(c) of this section be amended to allow at least 90 days--the time 
allotted for FRA plan review--for railroads to correct deficiencies and 
re-submit their plans. In a similar vein, NYSMTA submitted comments 
asserting that the amount of time allotted to correct deficiencies 
should be based on to the extent of the needed correction. On the other 
hand, NYSMTA proposed that penalties could be involved if railroads 
submit plans deemed to be superfluous. Again, the law requires that 
both the railroads and FRA work quickly to get plans in place. As the 
entity at the receiving end of multiple filings, FRA will no doubt have 
every reason to handle these matters with a spirit of cooperation where 
best efforts have been made to fulfill the statutory requirements.
    As noted previously, subpart I applies to each railroad that has 
been mandated by Congress and FRA to install a PTC system. A railroad 
that is not required to install a PTC system may still do so under its 
own volition. In such a case, it may either seek approval of its system 
under either subpart H or I. Paragraph (d) intends to make this choice 
clear.
    Paragraph (e) responds to comments by labor organizations in the 
PTC Working Group. These employee representatives sought the 
opportunity to comment on major PTC filings. Paragraph (e) provides 
that, upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA will post on 
its public Web site notice of receipt and reference to the public 
docket in which a copy of the filing has been placed. FRA may consider 
any public comment on these documents to the extent practicable within 
the time allowed by law and without delaying implementation of PTC 
systems. The version of any filing initially placed in the public 
docket, for which confidential treatment has been requested in 
accordance with Sec.  209.11, would be the redacted copy as filed by 
the railroad. If FRA later determined that additional material was not 
deserving of confidential treatment, that material would be 
subsequently added to the docket.
    Paragraph (f) has been added to this section in the final rule to 
require railroads to maintain their most recent PTC deployment plans in 
their PTCIPs until all PTC system deployments required under the RSIA08 
have been completed.
Section 236.1013 PTC Development Plan Content Requirements and Type 
Approval
    As noted in the discussion above regarding Sec.  236.1009, each 
PTCSP must be submitted with a Type Approval number identifying a PTC 
system that FRA believes could fulfill the requirements of subpart I. 
Under Sec.  236.1009, a railroad may submit an existing Type Approval 
number in lieu of a PTCDP if the PTC system it intends to implement and 
operate is identical to the one described in that Type Approval's 
associated PTCDP. In the event, however, that a railroad intends to 
install a system for which a Type Approval number has not yet been 
assigned, or to use a system with an assigned Type Approval number that 
may have certain variances to its safety-critical functions, then the 
railroad must submit a PTCDP to obtain a new Type Approval number.
    The PTCDP is the core document that provides the Associate 
Administrator sufficient information to determine whether the PTC 
system proposed for installation by the railroad could meet the 
statutory requirements for PTC systems specified by RSIA08 and the 
regulatory requirements under subpart I. Issuance of a system Type 
Approval number is contingent upon the approval of the PTCDP by the 
Associate Administrator. While filing of a PTCDP is optional in the 
sense that the railroad may proceed directly to submission of the PTCSP 
by the April 16, 2010, deadline (see Sec.  236.1009), FRA encourages 
railroads engaged in joint operations to file a PTCDP. Approval of the 
PTCDP, and issuance of a Type Approval, presents the opportunity for 
other railroads to reduce the effort required to obtain a PTC System 
Certification. If a Type Approval for a PTC system exists, another 
railroad may also use that Type Approval provided there are no 
variances in the system as described in the Type Approval's PTCDP. In 
such cases, the other railroad may avoid submitting its own PTCDP by 
simply incorporating by reference the supporting information in the 
Type Approval's PTCDP and certifying that no variances in the PTC 
system have been made.
    This section describes the contents of the PTCDP required to obtain 
FRA approval in the form of issuance of a Type Approval number. This 
section requires each PTCDP to include all the

[[Page 2648]]

elements and practices listed in this section to provide reasonable 
assurance that the subject PTC system will meet the statutory 
requirements and are developed consistent with generally-accepted 
principles and risk-oriented proof of safety methods surrounding this 
technology. FRA believes that it is necessary to include the provisions 
contained in this section in order to provide reasonable assurance that 
the PTC system, when developed and deployed, will have no adverse 
impact on the safety of railroad employees, the public, and the 
movement of trains.
    FRA recognizes that much of the information required by Sec.  
236.1013 normally resides with the PTC system's developer or supplier 
and not the client railroad. While FRA expects that each railroad and 
its PTC system supplier may jointly draft a PTCDP, the railroad has the 
primary responsibility for the safety of its operations and for 
submitting to FRA the information required under this section. 
Accordingly, each railroad required to submit a PTCDP under subpart I 
should make the necessary arrangements to ensure that the requisite 
information is readily available from the supplier for submission to 
the agency. FRA believes that suppliers and railroads will develop a 
PTCDP for most products that adequately address the requirements of the 
new subpart without substantial additional expense. As part of the 
design and evaluation process, it is essential to ensure that an 
adequate analysis of the features and capabilities is made to minimize 
the possibility of conflicts resulting from any use or feature, 
including a software fault. Since this analysis is a normal cost of 
software engineering development, FRA does not believe this requirement 
imposes any additional significant costs beyond what should already be 
done when developing safety-critical software.
    The passenger and public commuter railroads who submitted comments 
expressed significant concern that the Class I railroads' choice of a 
single vendor or supplier for the onboard components of the PTC 
systems, coupled with the RSIA08 requirement for interoperability, 
creates a de-facto monopoly, with associated adverse impacts on costs 
and schedule. These commenters recommended that FRA take positive steps 
to ensure that sufficient information is made available to allow the 
railroads to source components from multiple vendors or suppliers. The 
suggested actions ranged from disapproving any PTCIP/PTCDP that is not 
based on open standards to expediting Interoperable Train Control (ITC) 
specification documentation.
    FRA appreciates the concerns expressed regarding a de-facto 
monopoly and the possible adverse consequences on system deployments. 
FRA, however, must defer to the Departments of Justice and Commerce 
regarding issues of alleged monopolistic behavior.
    In subparts H and I, FRA has encouraged the use of publicly 
available standards in the design, implementation, and testing of PTC 
systems. FRA does not mandate the use of any particular standard by a 
railroad, vendor, or supplier, but rather has adopted a policy of 
allowing the marketplace to decide what standard(s) should be used, 
provided the end result--a suitable safe product--is obtained. 
Specification of government standards is only appropriate where there 
has been a failure of the marketplace. It has not yet been established 
that such marketplace failure has occurred. Even if such a marketplace 
failure were deemed to have occurred, it is extremely unlikely that FRA 
would be able to complete the development of appropriate standards 
before current industry efforts with the ITC specifications are 
finalized and made publicly available. FRA understands the railroads' 
concerns and will monitor the situation.
    FRA hastens to add that, since the publication of the NPRM, it has 
become clear that ITC standards may not be completed and validated 
prior to the end of 2010. FRA has requested that the ITC railroads 
accelerate this process in the interest of compliance with the law, and 
has added the Notice of Product Intent as a means of bridging to the 
point where standards are available. Looking forward to mid-2010, FRA 
will assess the situation with respect to delivery of open standards 
and their adoption by the AAR. Should it appear that a timely delivery 
will not be made, FRA reserves the right to take further regulatory 
action. That action could include a proposal for adoption of mandatory 
interoperability standards, likely in the form of existing American 
Railway Engineering and Maintenance Association standards that have 
already been developed through the leadership of the major 
international signal suppliers. FRA believes that such action should 
not be necessary and looks forward to the timely completion of ITC 
standards.
    One vendor pointed out that a significant portion of the work 
associated with PTC system is commercially sensitive. FRA is committed 
to appropriate protection of both railroad and vendor intellectual 
property. Its development is recognized as representing the expenditure 
of significant resources by the vendor, the railroad, or both. However, 
interoperability requirements between railroads require some disclosure 
of information between railroads and vendors or suppliers. This should 
not require disclosure of proprietary information, but does require 
disclosure of interface specifications, as well as required functional 
attributes, assigned safety attributes and stimulus/response 
attributes. FRA believes such disclosure of the latter is in the best 
interest of the railroad, vendor, and supplier communities and strongly 
encourages the free exchange of this information.
    In Sec. Sec.  236.1013 and 236.1015, various adjectives precede 
several of the requirements. For instance, certain paragraphs require 
``a complete description,'' ``a detailed description,'' or simply a 
``description.'' These phrases are inherited from subpart H of this 
part. Their inclusion in subpart I are similarly not to imply that any 
description should be more or less detailed or complete than any other 
description required. By contrast, they are included merely for the 
purposes of emphasis.
    Paragraph (a)(1) requires that the PTCDP include system 
specifications that describe the overall product and identify each 
component and its physical relationship in the system. FRA will not 
dictate specific product architectures, but will examine each PTC 
system to fully understand how its various parts interrelate. Safety-
critical functions in particular will be reviewed to determine whether 
they are designed to be fail-safe. FRA would like to emphasize that the 
PTCDP information provided in accordance with the requirements of this 
paragraph should be as railroad independent as possible. This will 
allow the product's PTCDP, and any associated Type Approval, to be 
shared by multiple railroads to the maximum extent possible. FRA 
believes that the PTCDP information provided in accordance with this 
provision will play an important role in FRA's determination as to 
whether safety will be maximized and if regulatory compliance of the 
system is obtainable.
    Paragraph (a)(2) requires a description of the operation where the 
product will be used. Upon receipt of this information within a PTCDP, 
FRA will have better contextual knowledge of the product as it applies 
to the type of operation on which it is designed to be used. Where 
operational behaviors are not applicable to a particular railroad, or 
the product design is not intended to address a particular operational 
behavior, FRA would expect a short

[[Page 2649]]

statement indicating which operational characteristics do not apply and 
why they are not applicable.
    Paragraph (a)(3) requires that the PTCDP include a concept of 
operations, a list of the product's functional characteristics, and a 
description explaining how various components within the system are 
controlled. FRA expects that the information provided under paragraphs 
(a)(2) and (a)(3) will together provide a thorough understanding of the 
PTC system. FRA will review this information--primarily by comparing 
the subject PTC system's functionalities with those underlying 
principles contained in standards for existing signal and train control 
systems--to determine whether the PTC system is designed to account for 
all relevant safety issues. While FRA does not intend to prescribe PTC 
system design standards, FRA does expect that each applicant will 
compare the concepts contained in existing standards to the operational 
concepts, functionalities, and controls contemplated for the PTC system 
in order to determine whether a sufficient level of safety will be 
achieved. For example, existing requirements prescribe that where a 
track relay is de-energized, a switch or derail is improperly lined, a 
rail is removed, or a control circuit is opened, each signal governing 
movements into the subject block occupied by a train, locomotive, or 
car must display its most restrictive aspect for the safety of train 
operations. The principle behind the requirement is that, when a 
condition exists in the operating environment, or with respect to the 
functioning of the system, that entails a potential hazard, the system 
will assume its most restrictive state to protect the safety of train 
operations.
    Paragraph (a)(4) requires that each PTCDP include a document that 
identifies and describes each safety-critical function of the subject 
PTC system. The product architecture includes both hardware and 
software aspects that identify the protection developed against random 
hardware faults and systematic errors. Further, the document should 
identify the extent to which the architecture is fault tolerant. FRA 
intends to use this information to determine whether appropriate safety 
concepts have been incorporated into the proposed PTC system. For 
example, existing regulations require that when a route has been 
cleared for a train movement, it cannot be changed until the governing 
signal has been caused to display its most restrictive indication and a 
predetermined time interval has expired, in those scenarios where time 
locking is used or where a train is in approach to the location where 
approach locking is used. FRA intends to use this information to 
determine whether all the safety-critical functions have been included. 
Where such functionalities are not clearly determined to exist as a 
result of technology development, FRA will expect the reasoning to be 
stated and a justification provided describing how that technology 
provides the required level of safety. Where FRA identifies a void in 
safety-critical functions, FRA may not approve the PTCDP until remedial 
action is taken to rectify the concern.
    FRA recognizes that the information required under paragraph (a)(4) 
may have already been provided pursuant to paragraph (a)(1). In such a 
case, the railroad shall cross reference where both paragraphs (a)(1) 
and (a)(4) have been jointly satisfied in the PTCDP.
    Paragraph (a)(4) requires that each PTCDP address the minimum 
requirements under Sec.  236.1005 for development of safety-critical 
PTC systems. FRA expects the information provided under paragraph 
(a)(4) to cover: identification of all safety requirements that govern 
the operation of a system; evaluation of the total system to identify 
known or potential safety hazards that may arise over the life-cycle of 
the system; identification of all safety issues during the design phase 
of the process; elimination or reduction of the risks posed by the 
hazards identified; resolution of safety issues presented; development 
of a process to track progress; and development of a program of testing 
and analysis to demonstrate that safety requirements are met.
    FRA has considered the railroads' concerns, and agrees that the 
selection of the safety assurance concepts that any particular railroad 
may impose on its vendor or supplier might possibly differ, based on 
the railroad's operational philosophy and tolerance for risk. 
Accordingly, FRA removed proposed paragraph (a)(5) from the final rule 
as an element of the PTCDP, and has made the requirement to describe 
the safety assurance concepts an element of the PTCSP (see Sec.  
236.1015(d)(2)).
    Paragraph (a)(5) requires a submission of a preliminary human 
factors analysis that addresses each applicable human-machine interface 
(HMI) and all proposed product functions to be performed by humans to 
enhance or preserve safety. FRA expects this analysis to place special 
emphasis on proposed human factors responses--and the result of any 
failure to perform such a response--to safety-critical hazards, 
including the consequences of human failure to perform. For each HMI, 
the PTCDP should address the proposed basis of assumptions used for 
selecting each such interface, its potential effect upon safety, and 
all potential hazards associated with each interface. Where more than 
one employee is expected to perform duties dependent upon HMI input or 
output, the analysis must address the consequences of failure by one or 
multiple employees. FRA intends to use this information to determine 
the proposed HMI's effect upon the safety of railroad operations. The 
preliminary human factors analysis must propose how the railroad or its 
PTC system supplier plans to address the HMI criteria listed in 
Appendix E to this part or any alternatives proposed by the railroad 
and deemed acceptable by the Associate Administrator. The design 
criteria for Appendix E were first developed and subsequently adopted 
by FRA as an element of subpart H of this part. As the criteria in 
Appendix E are generally technology neutral, FRA has adopted them with 
minor changes, for use with both subpart H of this part and these 
proceedings.
    Paragraph (a)(5) also requires that the PTCDP explain how the 
proposed HMI will affect interoperability. RSIA08 requires that each 
subject railroad explain how it intends to obtain system 
interoperability. The ability of a train crew member to operate another 
railroad's PTC system significantly depends upon a commonly understood 
HMI. The HMI provides the end user with a method of interacting with 
the underlying system and accessing the PTC functionality. FRA expects 
that each railroad will adopt an HMI standard that will ensure ease of 
use of the PTC system both within, and between, railroads.
    Paragraph (a)(6) requires an analysis regarding how subparts A 
through G of part 236 apply, or no longer apply, to the subject PTC 
system. FRA recognizes that, while a PTC system may be designed in 
accordance with the underlying safety concepts of subparts A through G, 
the specific existing requirements contained in those subparts are not 
necessarily applicable. In any event, the PTCDP must identify each 
pertinent requirement considered to be inapplicable, fully describe the 
alternative method used to fulfill that underlying safety concept, and 
explain how the proposed PTC system supports the underlying safety 
principle. FRA notes that certain sections in subparts A though G of 
this part may always be applicable to PTC systems certified under 
subpart I.
    FRA is concerned about all dimensions of system security. Thus,

[[Page 2650]]

paragraph (a)(7) requires the PTCDP to include a description of the 
security measures necessary to meet the specifications for each PTC 
system and the prioritized restoration and mitigation plan as required 
under Sec.  236.1033. Security is an important element in the design 
and development of PTC systems and covers issues such as developing 
measures to prevent hackers from gaining access to software and to 
preclude sudden system shutdown, mechanisms to provide message 
integrity, and means to authenticate the communicating parties. Safety 
and security are two closely related topics. Both are elements for 
ensuring that a subject is protected and without risk of harm. In the 
industrial marketplace, the goals of safety and security are to create 
an environment protecting assets from hazards or harm. While activities 
to ensure safety usually relate to the possibility of accidental harm, 
activities to ensure security usually relate to protecting a subject 
from intentional malicious acts such as espionage, theft, or attack. 
Since system performance may be affected by either inadvertent or 
deliberate hazards or harms, the safety and security involved in the 
implementation and operation of a PTC system must both be considered.
    Integrated security recognizes that optimum protection comes from 
three mutually supporting elements: Physical security measures, 
operational procedures, and procedural security measures. Today, the 
convergence of information and physical security is being driven by 
several powerful forces, including: interdependency, efficiency and 
organizational simplification, security awareness, regulations, 
directives, standards, and the evolving global communications 
infrastructure. Physical security describes measures that prevent or 
deter attackers from accessing a facility, resource, or information 
stored on physical media and guidance on how to design structures to 
resist various hostile acts. Communications security describes measures 
and controls taken to deny unauthorized persons information derived 
from telecommunications and ensure the authenticity of such 
telecommunications. Because of the integrated nature of security, FRA 
expects that each PTCDP will address security as a holistic concept, 
and not be restricted to limited or specific aspects.
    Paragraph (a)(8) requires documentation of assumptions concerning 
reliability and availability targets of mechanical, electrical, and 
electronic components. When building a PTC system, designers may make 
numerous assumptions that will directly impact specific implementation 
decisions. These fundamental assumptions usually come in the form of 
data (e.g., facts collected as the result of experience, observation or 
experiment, or processes, or premises) that can be randomly sampled. 
FRA does not expect to audit all of the fundamental assumptions on 
which a PTC system has been developed. Instead, FRA envisions sampling 
and reviewing fundamental assumptions prior to product implementation 
and after operation for some time. FRA expects that the data sampled 
may vary, depending upon the PTC system. It is not possible to provide 
a single set of quantitative numbers applicable to all systems, 
especially when systems have yet to be designed and for which the 
fundamental assumptions are yet to be determined. Quantification is 
part of the risk management process for each project. FRA believes that 
the actual performance of the system observed during the pre-
operational testing and post-implementation phases will provide 
indications of the validity of the fundamental assumptions. FRA 
requires that this review process occur for the life of the PTC system 
(i.e., as long as the product is kept in operation). The depth of 
details required will depend upon what FRA observes. The range of 
difference between a PTC system's predicted and actual performance may 
indicate to FRA the validity of the underlying fundamental assumptions. 
Generally, if the actual performance matches the predicted performance, 
FRA believes that it will not have to extensively review the 
fundamental assumptions. If the actual performance does not match 
predicted performance, FRA may need to more extensively review the 
fundamental assumptions.
    FRA expects each subject railroad to confirm the validity of 
initial assumptions by comparing them to actual in-service data. FRA is 
aware that mechanical and electronic component failure rates and times 
to repair are easily quantified data, and usually are kept as part of 
the logistical tracking and maintenance management of a railroad. FRA 
believes that this criterion will enhance the quality of risk 
assessments conducted pursuant to this subpart by forcing PTC system 
designers and users to consider the long-term effects of operation over 
the course of the PTC system's projected life-cycle. If a PTC system 
can be used beyond its design life-cycle, FRA expects that any 
continued use would only occur pursuant to a waiver provided in 
accordance with 49 CFR part 211 or a PTCDP or PTCSP amended in 
accordance with Sec.  236.1021. In its request for waiver or request 
for amendment, the railroad should address any new risks associated 
with the life-cycle extension.
    Paragraph (a)(8) also requires specification of the target safety 
levels. This includes the identity of each potential hazard and how the 
events leading to a hazard will be identified for each safety-critical 
subsystem; the proposed safety integrity level of each safety-critical 
subsystem, and the proposed means that accomplishment of these targets 
will be evaluated. This paragraph also requires identification of the 
proposed backup methods of operation and safety-critical assumptions 
regarding availability of the product. FRA believes this information is 
essential for making determinations about the safety of a product and 
both the immediate and long-term effect of its failure. FRA contends 
that availability is directly related to safety to the extent the 
backup means of controlling operations involves greater risk (either 
inherently or because it is infrequently practiced).
    Paragraph (a)(9) requires a complete description of how the PTC 
system will enforce all pertinent authorities and block signal, cab 
signal, or other signal related indications. FRA appreciates that not 
all PTC system architectures will seek to enforce the speed 
restrictions associated with intermediate signals directly, but 
nevertheless a clear description of these functions is necessary for 
clarity and evaluation.
    Paragraph (a)(10) requires that, if the railroad is seeking to 
deviate from the requirements of section 236.1029 with respect to 
movement of trains with onboard equipment that has failed en route 
using the flexibility provided by paragraph (c) of that section, a 
justification must be provided in the PTCDP. As proposed, paragraph (c) 
of Sec.  236.1029 provided that, in order for a PTC train that operates 
at a speed above 90 miles per hour to deviate from the operating 
limitations contained in paragraph (b) of that section, the deviation 
must be described and justified in the FRA approved PTCDP or PTCSP, or 
by reference to an Order of Particular Applicability, as applicable. 
For instance, if Amtrak wished to continue to operate at up to 125 
miles per hour with cab signals and automatic train control in the case 
of failure of onboard ACSES equipment, Amtrak would request to do so 
based on the applicable language of the Order of Particular 
Applicability that required installation of that system on portions of 
the Northeast Corridor. Similarly, a railroad wishing more liberal

[[Page 2651]]

requirements for a high-speed rail system on a dedicated right-of-way 
could request that latitude by explaining how the safety of all 
affected train movements would be maintained. During the comment period 
and PTC Working Group discussion, Amtrak continued to press its case 
for greater flexibility, noting the long routes prevalent on its 
intercity network and the trip time penalty that could be incurred with 
failed equipment. Paragraph (a)(10) has been revised in the final rule 
to reflect the fact that the development plan would contain 
justification for any requested deviation from the requirements of 
Sec.  236.1029, and that section has been further revised to permit the 
agency to receive and consider specific requests and supporting 
information regarding latitude such as that sought by Amtrak without 
regard to speed. Instead, paragraph (a)(10) requires the railroad to 
include a justification in its PTCDP, if the railroad is seeking to 
deviate from the requirements of Sec.  236.1029 with respect to 
movement of trains with onboard equipment that has failed en route.
    Paragraph (a)(11) requires a complete description of how the PTC 
system will appropriately and timely enforce all hazard detectors that 
are interconnected with the PTC system in accordance with Sec.  
236.1005(c)(3), as may be applicable.
    Paragraph (b) specifies the approval standard that will be employed 
by the Associate Administrator. APTA asserted that the NPRM offered 
minimal guidance on the criteria FRA will use to accept or reject a 
system. Thus, APTA suggested that FRA should draft and vet criteria 
that accomplishes the basic purposes of PTC while allowing for 
innovation in meeting the performance requirements envisioned in the 
regulation.
    The PTCDP is not expected to provide absolute assurance to the 
Associate Administrator that every potential hazard will be eliminated 
with complete certainty. It only needs to establish that the PTC system 
meets the appropriate statutory and regulatory requirements for a PTC 
system required under this subpart, and that there is a reasonable 
chance that once built, it will meet the required safety standards for 
its intended use. FRA emphasizes that approval of a PTCDP and issuance 
of a Type Approval does not constitute final approval to operate the 
product in revenue service. Such approval only comes when the Associate 
Administrator issues an applicable PTC System Certification.
    Paragraph (c) establishes a time limit on the validity of a Type 
Approval. Provided that at least one product is certified within the 5 
year period after issuance of the Type Approval, the Type Approval 
remains valid until final retirement of the system. The main purpose of 
this requirement is to incentivize installation, not just creation, of 
a PTC system. This paragraph would also allow FRA to periodically clean 
out its records relating to Type Approvals and PTCDPs for obsolete PTC 
systems.
    Former paragraphs (d) and (e) in this section have been moved to 
Sec.  236.1015 in the final rule. Therefore, former paragraph (f) has 
been redesignated as paragraph (d) in the final rule. Paragraph (d) 
discusses the Associate Administrator's ability to impose any 
conditions necessary to ensure the safety of the public, train crews, 
and train operations when approving the PTCDP and issuing a Type 
Approval. While FRA expects that adherence to the remainder of this 
section's requirements should justify issuance of a Type Approval, FRA 
also recognizes that there may be situations where other unaccounted 
for variables may reduce the Associate Administrator's confidence in 
the PTC system, its manufacturer, supplier, vendor, or operator.
    The required contents of the NPI are specified in paragraph (e). As 
stated earlier, FRA expects submission of an NPI temporarily in lieu of 
a PTCDP only when the railroad is unable to obtain all of the 
information required for a PTCDP. This will enable railroads to submit 
a PTCIP on or before the statutory deadline of April 16, 2010. FRA 
believes that, given the various options available to the railroads, 
there are few, if any, valid reasons for not meeting the April 16, 
2010, deadline for submission.
    The elements that make up the NPI were carefully chosen to strike a 
balance between the ability of a railroad that is unable to complete a 
full PTCDP and FRA's need to fully understand the railroad's proposed 
system and the reasonableness of the PTCIP contents. FRA believes that 
the NPI information would be required to have been identified by the 
railroad in order to develop requests for proposal from the vendor or 
supplier community. Paragraph (e)(1) requires a description of the 
proposed operating environment. Paragraph (e)(2) requires a description 
of the concept of operations for any PTC system that will be procured 
by the railroad. Paragraph (e)(3) requires a description of the target 
safety levels that the railroad expects the PTC system to meet, while 
paragraphs (e)(4) and (e)(5) require an explanation of how the proposed 
system will integrate with the existing signal and train control 
system.
Section 236.1015 PTC Safety Plan Content Requirements and PTC System 
Certification
    The PTCSP is the core document that provides the Associate 
Administrator the information necessary to certify that the as-built 
PTC system fulfills the required statutory PTC functions and is in 
compliance with the requirements of this subpart. Issuance of a PTC 
System Certification is contingent upon the approval of the PTCSP by 
the Associate Administrator. Under this final rule, the filing and 
approval of the PTCSP and issuance of a PTC System Certification is a 
mandatory prerequisite for PTC system operation in revenue service. 
Each PTCSP is unique to each railroad and must addresses railroad-
specific implementation issues associated with the PTC system 
identified by the submitted Type Approval. Paragraph (a) provides 
language explaining these meanings and limits.
    Paragraph (b), which reflects the contents of proposed paragraphs 
(d) and (e) in proposed Sec.  236.1013, establishes the conditions 
under which a Type Approval may be used by another railroad. Paragraph 
(b)(1) requires the railroad to maintain a continually updated PTC 
Product Vendor List (PTCPVL) pursuant to Sec.  236.1023 to enable the 
railroad and FRA to determine the appropriate vendor to contact in the 
unlikely event of a safety critical failure.
    The safety critical nature of PTC systems imposes strict quality 
control requirements on the design and manufacturer of the system. 
While FRA believes that in the vast majority of cases, the vendor or 
supplier community from whom the railroads will procure PTC system 
components have established the appropriate quality control systems, 
there will be a very small minority who have not. Paragraph (b)(2) is 
intended to mitigate against any such occurrence, to ensure that PTC 
system components meet the same, uniformly high, standards. FRA is 
requiring that the railroad ensure that any vendor from whom they 
purchase PTC system or components has an acceptable quality assurance 
program for both design and manufacturing processes.
    FRA has considered comments submitted by GE, in which GE suggested 
language to further clarify paragraph (b)(2) that the vendor quality 
control processes for PTC systems must include the process for the 
product supplier to promptly report any safety relevant failure and 
previously unidentified

[[Page 2652]]

hazards to each railroad using the product. FRA believes that this 
suggested language clearly specifies the importance of this requirement 
to suppliers who may not already have the appropriate quality control 
processes in place. Accordingly, FRA has added the recommended 
language.
    Paragraph (b)(3) requires the railroad to provide licensing 
information. The list should include all applicable vendors or 
suppliers. Through the requirements set forth in paragraph (b)(3), FRA 
intends to ensure implementation of the proper technology, as opposed 
to implementation of an orphan product that uses similar, yet 
different, technology. When a railroad submits a previously approved 
Type Approval for its PTC system, FRA expects that all the proper 
licensing agreements will provide for continued use and maintenance of 
the PTC system in place. To bolster FRA's confidence in this area, FRA 
will require each Type Approval submission to include the relevant 
licensing information. FRA recognizes that there may be various 
licensing arrangements available relating to the exclusivity and 
sublicensing of manufacturing or vending of a particular PTC system. 
There may be other intellectual property variables that may make 
arrangements even more complex. To adequately capture all applicable 
arrangements, FRA is requiring the submission of ``licensing 
information.'' A more specific request may preclude FRA's ability to 
collect information necessary to fulfill its intent. If any of this 
information were to change, either through any type of sale, transfer, 
or sublicense of any right or ownership, then FRA would expect the 
railroad to submit a request for amendment of its PTCDP in accordance 
with Sec.  236.1021. FRA recognizes that this may be difficult for a 
railroad to accomplish, given the fact that the railroad may not be 
privy to any intellectual property transactions that may occur outside 
its control. In any event, FRA would expect that a railroad will 
ensure, either through contractual obligation or otherwise, that its 
vendor or supplier will provide it with updated licensing information 
on a continuing basis.
    When filing a PTCSP, paragraph (c) requires each railroad to 
include the applicable and approved PTCDP or, if applicable, the FRA 
issued Type Approval. In addition, the railroad must describe any 
changes subsequently made to the PTC system that would require 
amendment of the PTCDP or assure FRA that the PTC system built is the 
same PTC system described in the PTCDP and PTCSP. Some elements of the 
PTCSP are the same elements as the PTCDP (and are described more fully 
in the section-by-section analysis of Sec.  236.1013). If the railroad 
has already submitted, and FRA has already approved, the PTCDP, then 
attachment of the PTCDP to the PTCSP should fulfill this requirement.
    FRA recognizes the possibility that between PTCIP or PTCDP 
approval, and prior to PTCSP submission, there may be changes to the 
former two documents. While such changes may only be made in accordance 
with Sec.  236.1021, documentation of those changes may not be readily 
apparent to the reader of the PTCSP. Further, changes in the PTCIP may 
impact the contents of the PTCDP and vice versa. Accordingly, paragraph 
(c)(1) requires the railroad to submit the approved PTCDP (or Type 
Approval) with the corresponding PTCSP.
    AAR asserted that the main purpose of the PTCIP is to document the 
deployment plan and that the PTCIP will be of little value once the 
implementation is complete. Accordingly, AAR asserts that there is no 
need to include the PTCIP when filing either a PTCDP or PTCSP. The AAR 
also asserted that since the PTCSP justifies that the PTC system was 
built in accordance with the PTCDP, submission of the PTCIP information 
should not be required.
    FRA agrees with AAR that the main purpose of the PTCIP is to 
document the deployment plan and that the PTCIP will essentially become 
a historical document when the railroad has completed its PTC 
implementation. Therefore, until all PTC system installations have been 
completed, FRA will require the PTCIP to be kept current with the 
railroad's deployment plan. However, in response to the AAR's comments, 
FRA has revised paragraph (c) by removing the proposed requirement to 
submit the PTCIP with the PTCDP and PTCSP.
    FRA expects that each PTCSP shall include a clear and complete 
description of any such changes by specifically and rigorously 
documenting each variance. Paragraph (c)(2) also requires that the 
PTCSP include an explanation of each variance's significance. To ensure 
that there are no other existing variances not documented in the PTCSP, 
the railroad must attest that there are no further variances. For the 
same reason, paragraph (c)(3) requires that, if there have been no 
changes to the plans or to the PTC system as intended, the railroad 
must attest that there are no such variances.
    The additional required railroad specific elements are as follows:
    Paragraph (d)(1) requires that the PTCSP include a hazard log 
comprehensively describing all hazards to be addressed during the life-
cycle of the product, including maximum threshold limits for each 
hazard. For unidentified hazards, the threshold shall be exceeded at 
one occurrence. In other words, if the hazard has not been predicted, 
then any single occurrence of that hazard is unacceptable. The hazard 
log addresses safety-relevant hazards, or incidents or failures that 
affect the safety and risk assumptions of the PTC system. Safety 
relevant hazards include events such as false proceed signal 
indications and false restrictive signal indications. If false 
restrictive signal indications occur with any type of frequency, they 
could influence train crew members, roadway workers, dispatchers, or 
other users to develop an apathetic attitude towards complying with 
signal indications or instructions from the PTC system, creating human 
factors problems.
    Incidents in which stop indications are inappropriately displayed 
may also necessitate sudden brake applications that may involve risk of 
derailment due to in-train forces. Other unsafe or wrong-side failures 
that affect the safety of the product will be recorded on the hazard 
log. The intent of this paragraph is to identify all possible safety-
relevant hazards that would have a negative effect on the safety of the 
product. Right-side failures, or product failures that have no adverse 
effect on the safety of the product (i.e., do not result in a hazard) 
would not be required to be recorded on the hazard log.
    Paragraph (d)(2), which has been added to the final rule, requires 
that each railroad identify the PTC system's safety assurance concepts. 
When identifying the safety assurance concepts used, FRA expects the 
information provided pursuant to paragraph (d)(2) will reflect the 
safety requirements that govern the operation of a system; the identify 
of known or potential safety hazards that may arise over the life-cycle 
of the system; safety issues that may arise during the design phase of 
the process; elimination or reduction of the risks posed by the hazards 
identified; resolution of safety issues presented; development of a 
process to track progress; and development of a program of testing and 
analysis to demonstrate that safety requirements are being met.
    In the proposed rule, this information was required as part of the 
PTCDP. One railroad recommended that this information requirement be 
completely eliminated as redundant because it is covered as part of the 
product safety

[[Page 2653]]

requirements. FRA agrees that this information should not be a required 
element of the PTCDP; this information should be provided as an element 
of the railroad specific PTCSP, since individual railroads may elect to 
require different safety assurance concepts from their vendors or 
suppliers. This very same information is an integral element of the 
railroad specific Product Safety Plan required by subpart H of this 
part. Accordingly, FRA has revised this requirement. However, FRA does 
not believe that this information is redundant. The safety assurance 
concepts imposed on the vendor or supplier are procedural requirements 
that drive vendor or supplier system design and mitigation strategies. 
FRA believes that the importance of the safety assurance concepts 
merits clear identification.
    Paragraph (d)(3) requires that a risk assessment be included in the 
PTCSP. FRA will use this information as a basis to confirm compliance 
with the appropriate performance standard. A performance standard 
specifies the outcome required, but leaves the specific measures to 
achieve that outcome up to the discretion of the regulated entity. In 
contrast to a design standard or a technology-based standard that 
specifies exactly how to achieve compliance, a performance standard 
sets a goal and lets each regulated entity decide how to meet that 
goal. An appropriate performance standard should provide reasonable 
assurance of safe and effective performance by making provision for: 
(1) Considering the construction, components, ingredients, and 
properties of the device and its compatibility with other systems and 
connections to such systems; (2) testing of the product on a sample 
basis or, if necessary, on an individual basis; (3) measurement of the 
performance characteristics; and (4) requiring that the results of each 
or of certain of the tests required show that the device is in 
conformity with the portions of the standard for which the test or 
tests were required. Typically, the specific process used to design, 
verify and validate the product is specified in a private or public 
standard. The Associate Administrator may recognize all or part of an 
appropriate standard established by a nationally or internationally 
recognized standard development organization.
    Labor expressed concern during this rulemaking regarding FRA's 
position on the treatment of wrong side failures. Wrong side failures, 
which occur when a PTC system fails to properly identify the track 
occupied by a train, should not be considered an acceptable risk. Such 
failures, which are completely avoidable using current technology, can 
result in unnecessary and risky penalty brake applications.
    FRA agrees that wrong side failures introduce an element of risk in 
the operation of a system. Therefore, the extent of that risk and the 
consequences of the failure must be identified and carefully analyzed. 
It is for that very reason that FRA is requiring that the hazard log 
identify all such potential failures. The hazard mitigation analysis 
required in paragraph (d)(4) must identify how each hazard in the 
hazard log will be mitigated. While FRA agrees the majority of wrong 
side failures can be eliminated through the application of technology, 
FRA believes that the generalization that all wrong side failures can 
be eliminated is not valid.
    Paragraph (d)(4) requires that the PTCSP include a hazard 
mitigation analysis. The hazard mitigation analysis must identify the 
techniques used to investigate the consequences of various hazards and 
list all hazards addressed in the system hardware and software 
including failure mode, possible cause, effect of failure, and remedial 
actions. A safety-critical system must satisfy certain specific safety 
requirements specified by the system designer or procuring entity. To 
determine whether these requirements are satisfied, the safety assessor 
must determine that: (1) Hazards associated with the system have been 
comprehensively identified; (2) hazards have been appropriately 
categorized according to risk (likelihood and severity); (3) 
appropriate techniques for mitigating the hazards have been identified; 
and (4) hazard mitigation techniques have been effectively applied. See 
Leveson, Nancy G., Safeware: System Safety and Computers, (Addison-
Wesley Publishing Company, 1995).
    FRA does not expect that the safety assessment will prove that a 
product is absolutely safe. However, the safety assessment should 
provide evidence that risks associated with the product have been 
carefully considered and that steps have been taken to eliminate or 
mitigate them. Hazards associated with product use need to be 
identified, with particular focus on those hazards found to have 
significant safety effects. The risk assessment provided under 
paragraph (d)(4) must include each hazard that cannot be mitigated by 
system designs (e.g., human over-reliance of the automated systems) no 
matter how low its probability may be. After the risk assessment, the 
designer must take steps to remove them or mitigate their effects. 
Hazard analysis methods are employed to identify, eliminate, and 
mitigate hazards. Under certain circumstances, FRA may require an 
independent third party assessment in accordance with proposed Sec.  
236.1017 to review these methods as a prerequisite to FRA approval.
    Paragraph (d)(5) also requires that the PTCSP address safety 
Verification and Validation procedures as defined under part 236. FRA 
believes that Verification and Validation for safety are vital parts of 
the PTC system development process. Verification and Validation require 
forward planning. Consequently, the PTCSP should identify the testing 
to be performed at each stage of development and the levels of rigor 
applied during the testing process. FRA will use this information to 
ensure that the adequacy and coverage of the tests are appropriate.
    Paragraph (d)(6) requires the railroad to include in its PTCSP the 
training, qualification, and designation program for workers regardless 
of whether those railroad employees will perform inspection, testing, 
and maintenance tasks involving the PTC system. FRA believes many 
benefits accrue from the investment in comprehensive training programs 
and are fundamental to creating a safe workforce. Effective training 
programs can result in fewer instances of human casualties and 
defective equipment, leading to increased operating efficiencies, less 
troubleshooting, and decreased costs. FRA expects any training program 
will include employees, supervisors, and contractors engaged in 
railroad operations, installation, repair, modification, testing, or 
maintenance of equipment and structures associated with the product.
    Paragraph (d)(7) requires the railroad to identify specific 
procedures and test equipment necessary to ensure the safe operation, 
installation, repair, modification and testing of the product in its 
PTCSP. Requirements for operation of the system must be succinct in 
every respect. The procedures must be specific about the methodology to 
be employed for each test to be performed that is required for 
installation, repair, or modification and the results thereof must be 
documented. FRA will review and compare the repair and test procedures 
for adequacy against existing similar requirements prescribed for 
signal and train control systems. FRA intends to use this information 
to ascertain whether the product will be properly installed, 
maintained, tested, and repaired.
    Paragraph (d)(8) requires that each railroad develop a manual 
covering the requirements for the installation, periodic maintenance 
and testing,

[[Page 2654]]

modification, and repair for its PTC system. The railroad's Operations 
and Maintenance Manual must address the issuance of warnings and 
describe the warning labels to be placed on each piece of PTC system 
equipment as necessary. Such warnings include, but are not limited to: 
Means to prevent unauthorized access to the system; warnings of 
electrical shock hazards; cautionary notices about improper usage, 
testing, or operation; and configuration management of memory and 
databases. The PTCSP should provide an explanation justifying each such 
warning and an explanation of why there are no alternatives that would 
mitigate or eliminate the hazard for which the warning will be given.
    Paragraph (d)(9) requires that the PTCSP identify the various 
configurable applications of the product, since this rule mandates use 
of the product only in the manner described in its PTCDP. Given the 
importance of proper configuration management in safety-critical 
systems, FRA believes it is essential that railroads learn of and take 
appropriate configuration control of hardware and software. FRA 
believes that a requirement for configuration management control will 
enhance the safety of these systems and ultimately provide other 
benefits to the railroad as well. Pursuant to this paragraph, railroads 
will be responsible--through its applicable Operations and Maintenance 
Plan and other supporting documentation maintained throughout the 
system's life-cycle--for all changes to configuration of their products 
in use, including both changes resulting from maintenance and 
engineering control changes, which result from manufacturer 
modifications to the product. Since not all railroads may experience 
the same software faults or hardware failures, the configuration 
management and fault reporting tracking system play a crucial role in 
the ability of the railroad and the FRA to determine and fully 
understand the risks and their implications. Without an effective 
configuration management tracking system in place, it is difficult, if 
not impossible, to fairly evaluate risks associated with a product over 
its life-cycle.
    Paragraph (d)(10) requires the railroad to develop comprehensive 
plans and procedures for product implementation. Implementation (field 
validation or cutover) procedures must be prepared in detail and 
identify the processes necessary to verify that the PTC system is 
properly installed and documented, including measures to provide for 
the safety of train operations during installation. FRA will use this 
information to ascertain whether the product will be properly 
installed, maintained, and tested. FRA also believes that configuration 
management should reduce disarrangement issues. Further, configuration 
management will reduce the cost of troubleshooting by reducing the 
number of variables and will be more effective in promoting safety.
    Paragraph (d)(11) requires the railroad to provide a complete 
description of the particulars concerning measures required to assure 
that the PTC system, once implemented, continues to provide the 
expected safety level without degradation or variation over its life-
cycle. The measures specifically provide the prescribed intervals and 
criteria for the following: testing; scheduled preventive maintenance 
requirements; procedures for configuration management; and procedures 
for modifications, repair, replacement and adjustment of equipment. FRA 
intends to use this information, among other data, to monitor the PTC 
system to assure it continually functions as intended.
    Paragraph (d)(12) requires that each PTCSP include a description of 
each record concerning safe operation. Recordkeeping requirements for 
each product are discussed in Sec.  236.1037 of this part.
    Paragraph (d)(13) requires a safety analysis of unintended 
incursions into a work zone. Measuring incursion risks is a key safety 
risk assumption. Failing to identify incursion risk can have the effect 
of making a system seem safer on paper than it actually is. The 
requirements set forth in this paragraph attempt to mandate design 
consideration of incursion protection at an early stage in the system 
development process. The totality of the arrangements made to prevent 
unintended incursions or operation at higher than authorized speed 
within the work zone must be analyzed. That is, in addition to the 
functions of the PTC system, the required actions for dispatchers, 
train crews, and roadway workers in charge must be evaluated. 
Regardless of whether a PTC system has been previously approved or 
recognized, FRA will not accept a system that allows a single point 
human failure to defeat the essential protection intended by the 
Congress. See NTSB Recommendations R-08-05 and R-08-06. FRA believes 
that exposure should be identified because increases in risk due to 
increased exposure could be easily distinguished from increases in risk 
due solely to implementation and use of the proposed PTC system.
    In the past, little attention was given to formalizing incursion 
protection procedures. Training for crews has also not been uniform 
among organizations, and has frequently received inadequate attention. 
As a result, a variety of procedures and techniques evolved based on 
what has been observed or what just seemed correct at the time. This 
lack of structure, standardization, and formal training is inconsistent 
with the goal of increasing safety and regulatory efficiency.
    As proposed, paragraph (d)(14) would have required a more detailed 
description of any alternative arrangements provided under Sec.  
236.1011(a)(10), pertaining to at grade rail-to-rail crossings. APTA 
noted that the reference in this paragraph should be revised, as 
section 236.1011(a)(10) does not exist. The correct reference is Sec.  
236.1005(a)(1)(i).
    As previously mentioned, Sec.  236.1005(a) requires each applicable 
PTC system to be designed to prevent train-to-train collisions. Under 
that section, FRA has established various requirements that would apply 
to at-grade rail-to-rail crossings, also known as diamond crossings. 
While the final rule text includes certain specific technical 
requirements, it also provides the opportunity for each subject 
railroad to submit an alternative arrangement providing an equivalent 
level of safety as specified in an FRA approved PTCSP. Accordingly, 
under paragraph (d)(14), if the railroad intends to utilize alternative 
arrangements providing an equivalent level of safety to that of the 
table provided under Sec.  236.1005(a)(1)(i), each PTCSP must identify 
those alternative arrangements and methods, with any associated risk 
reduction measures, in its PTCSP.
    Paragraph (d)(15) requires a complete description of how the PTC 
system will enforce mandatory directives and signal indications, unless 
already addressed in the PTCDP. Paragraph (d)(16) refers to the 
requirement of Sec.  236.1019(f) that the PTCSP is aligned with the 
PTCIP, including any amendments.
    Under Sec.  236.1007, FRA requires certain limitations on PTC 
trains operating over 90 miles per hour, including compliance with 
Sec.  236.1029(c). Under Sec.  236.1029(c), FRA provides railroads with 
an opportunity to deviate from those limitations if the railroad 
describes and justifies the deviation in its PTCDP, PTCSP, or by 
reference to an Order of Particular Applicability, as applicable. Thus, 
paragraph (d)(17) reminds railroads that this is one of the optional 
elements that may be included in a PTCSP. This need

[[Page 2655]]

may also be addressed through review of the PTCDP.
    Railroads are required under Sec.  236.1005(c) to submit a complete 
description of their compliance regarding hazard detector integration 
and under Sec. Sec.  236.1005(g)-(k) to submit a temporary rerouting 
plan in the event of emergencies and planned maintenance. Sections 
236.1007 and 236.1033 also require the submission of certain documents 
and information. Paragraphs (d)(18), (d)(19), and (d)(20) remind 
railroads that such requirements must be fulfilled with the submission 
of the PTCSP. For example, under paragraph (d)(19), FRA expects each 
temporary rerouting plan to explain the host railroad's procedure 
relating to detouring the applicable traffic. In other words, FRA 
expects that each temporary rerouting plan address how the host 
railroad will choose the track that traffic will be rerouted onto. The 
plan should explain the factors that will be considered in determining 
whether and how the railroad should take advantage of temporary 
rerouting. FRA remains concerned about the unnecessary commingling of 
PTC and non-PTC traffic on the same track and expects each temporary 
rerouting plan to address this possibility. More specifically, each 
plan should describe how the railroad expects to make decisions to 
reroute non-PTC train traffic onto a PTC line, especially where another 
non-PTC line may be available. While FRA recognizes each railroad may 
seek to use the most cost effective route, FRA expects the railroad to 
also consider the level of risk associated with that route.
    In paragraph (e), FRA states the criteria to which FRA will refer 
when evaluating the PTCSP, depending upon the underlying technical 
approach. Whereas in subpart H of this part, the safety case is 
evaluated to determine whether it demonstrates, with a high degree of 
confidence, that relevant risk will be no greater under the new product 
than previously, the statutory mandate for PTC calls for a different 
approach. In crafting this approach, FRA has attempted to limit 
requirements for quantitative risk assessment to those situations where 
the technique is truly needed. Regardless of the type of PTC system, 
the safety case for the system must demonstrate that it will reliably 
execute all of the functions required by this subpart (particularly 
those provided under proposed Sec. Sec.  236.1005 and 236.1007). With 
this foundation, the additional criteria that must be met depend upon 
the type of PTC technology to be employed.
    It is FRA's understanding that PTC systems may be categorized as 
one of the following four system types: non-vital overlay; vital 
overlay; stand-alone; and mixed. Initially, however, all PTC systems 
will have some features that are not fully fail-safe in nature, even if 
onboard processing and certain wayside functions are fully fail-safe. 
Common causes include surveying errors of the track database, errors in 
consist weight or makeup from the railroad information technology 
systems, and the crew input errors of critical operational data. To the 
extent computer-aided dispatching systems are the only check on 
potential dispatcher error in the creation or inappropriate 
cancellation of mandatory directives, some room for undetected wrong-
side failure will continue to exist in this function as well.
    Paragraph (e)(1) specifies the required behavior for non-vital 
overlay systems. Based on previous experience with non-vital systems, 
FRA believes it is well within the technical capability of the 
railroads to reduce the level of risk on any particular track segment 
to a level of risk 80% lower than the level of risk prior to 
installation of PTC on that segment. For subsequent PTC system 
installations on the same track segment, FRA recognizes that requiring 
an additional 80% improvement may not be technically or economically 
practical. Therefore, FRA is only requiring that an entity installing 
or a modifying an existing PTC system demonstrate that the level of 
safety is equal to, and preferably greater than, the level of safety of 
the prior PTC system. The risk that must be reduced is the risk against 
which the PTC functionalities are directed, assuming a high level of 
availability. Note that the required functionalities themselves do not 
call for elimination of all risk of mishaps. It is scope of risk 
reduction that the functionalities describe that becomes the 100% 
universe which is the basis of comparison. Although it is understood 
that the system will endeavor to eliminate 100% of this risk--meaning 
that if the system worked as intended every time and was always 
available, 100% of the target risk would be eliminated--the analysis 
will need to account for cases where wrong side failure of the 
technology is coincident with a human failure potentially induced by 
reliance on the technology. Since, within an appropriate conservative 
engineering analysis (i.e., pro forma analysis), non-vital processing 
has the theoretical potential to result in more failures than will 
typically be experienced, a 20% margin is provided. In preparing the 
PTCSP, the railroad should affirmatively address how training and 
oversight--including programs of operational testing under 49 CFR 
217.9--will reduce the potential for inappropriate reliance by those 
charged with functioning in accordance with the underlying method of 
operation.
    The 80% reduction in risk for PTC preventable accidents must be 
demonstrated by an appropriate risk analysis acceptable to the 
Associate Administrator and must address all intended track segments 
upon which the system will be installed. Again, FRA does not expect, or 
require, that these types of systems will prevent all wrong side 
failures. However, FRA expects that the systems will be designed to be 
robust, all pertinent risk factors (including human factors) will be 
fully addressed, and that no corners will be cut to ``take advantage'' 
of the nominal allowance provided for non-vital approaches. FRA also 
encourages those using non-vital approaches to preserve as much as 
possible the potential for a transition to vital processing.
    The Rail Labor Organizations believe that FRA's position is 
inconsistent with safety. Wrong side failures occur when a PTC system 
fails to properly identify the track occupied by a train. According to 
the RLO, such failures, which are completely avoidable using current 
technology, can result in unnecessary penalty braking applications that 
risk causing train handling derailments due to in-train forces and may 
also cause a PTC system to fail to enforce a necessary stop. As such, 
the RLO believe that wrong side failures should not be considered an 
acceptable risk. Again, FRA is sympathetic in principle to the RLO 
concern. However, no signal or train control system is wholly without 
the potential for a wrong side failure; and the key to limiting their 
occurrence is identifying the potential and crafting mitigations where 
possible. Built on the foundation of existing methods of operation, PTC 
systems will drastically reduce unsafe events by providing a safety net 
for occasional human errors. It would be unwise to defer the promise of 
PTC technologies by demanding perfection and thereby permit accidents 
and casualties to continue.
    Paragraph (e)(2) addresses vital overlays. Unlike a non-vital 
system, the vital system must be designed to address, at a minimum, the 
factors delineated in Appendix C. The railroad and their vendors or 
suppliers are encouraged to carry out a more thorough design analysis 
addressing any other potential product specific hazards. FRA cannot 
overemphasize that vital overlay system designs must be fully designed 
to address the factors contained in

[[Page 2656]]

Appendix C. The associated risk analysis supporting this design 
analysis demonstrating compliance may be accomplished using any of the 
risk analysis approaches in subpart H, including abbreviated risk 
analysis.
    Paragraph (e)(3) addresses stand-alone PTC systems that are used to 
replace existing methods of operations. The PTCSP design and risk 
analysis submitted to the Associate Administrator must show that the 
system does not introduce any new hazards that have not been acceptably 
mitigated, based upon all proposed changes in railroad operation. GE 
proffered the suggestion that when the stand-alone system is created 
using proven principles of vital signaling, assessing the system risk 
is straightforward and not significantly different than with the vital 
overlay system. The importance of system availability and risk under 
operations in contingent mode become more significant factors. FRA 
agrees, but believes that the one of the fundamental issues that the 
agency must reconcile is the value of appropriately capturing these 
principles in new systems and with new technologies without 
artificially restricting their use. FRA must accordingly exercise great 
care when evaluating the safety cases presented to it, regardless of 
the type (overlay, stand-alone, or mixed).
    While FRA believes that a comprehensive safety analysis will be 
required for all systems, since it must provide sufficient information 
to the Associate Administrator to make a decision with a high degree of 
confidence, the required analysis for stand-alone systems is much more 
comprehensive than that required for vital overlay systems because it 
must provide sufficient information to the Associate Administrator to 
make a decision with a high degree of confidence. FRA will therefore 
exercise greater oversight when it uniquely and separately considers 
each request for stand-alone operations, and will render decisions in 
the context of the proposed operation and the associated risks. FRA 
recognizes that application of this standard to a new rail system for 
which there is no clear North American antecedent could present a 
conceptual challenge.
    Paragraph (e)(4) addresses mixed systems (i.e., systems that 
include a combination of the systems identified in paragraphs (e)(1) 
through (e)(3). Because of the inherent complexity of these systems, 
FRA will determine an appropriate approach for demonstrating compliance 
after consultation with the railroad. Any approach will, of course, 
require that the system perform the PTC requirements set forth in 
Sec. Sec.  236.1005 and 236.1007.
    Paragraph (f) discusses the factors that the Associate 
Administrator will consider in reviewing the PTCSP. In general, PTC 
systems will have some features that are not fail-safe in nature. 
Examples include surveys of the track database, errors in consist data 
from the railroad such as weight and makeup, and crew input errors. FRA 
participation in the design and testing of the PTC system product helps 
FRA to better understand the strengths and weaknesses of the product 
for which approval is requested, and facilitates the approval process.
    The railroad must establish through safety analysis that its 
assertions are true. This standard places the burden on the railroad to 
demonstrate that the safety analysis is accurate and sufficiently 
supports certification of the PTC system. The FRA Associate 
Administrator will determine whether the railroad's case has been made. 
As provided in subpart H, FRA believes that final agency determinations 
under this new subpart I should also be made at the technical level, 
rather than the policy level, due to the complex and sometimes esoteric 
subject matters associated with risk analysis and evaluation. This is 
particularly appropriate in light of the RSIA08's designation of the 
Associate Administrator for Railroad Safety as the Chief Safety Officer 
of FRA. When considering the PTC system's compliance with recognized 
standards in product development, FRA will weigh appropriate factors, 
including: the use of recognized standards in system design and safety 
analyses; the acceptable methods in risk estimates; the proven safety 
records for proposed components; and the overall complexity and novelty 
of the product design. In those cases where the submission lacks 
information the Associate Administrator deems necessary to make an 
informed safety decision, FRA will solicit the data from the railroad. 
If the railroad does not provide the requested information, FRA may 
determine that a safety hazard exists. Depending upon the amount and 
scope of the missing data, PTCSP approval, and the subsequent system 
certification, may be denied.
    While paragraph (f) summarizes how FRA intends to evaluate the risk 
analysis, paragraph (g) applies specifically to cases where a PTC 
system has already been installed and the railroad subsequently wants 
to install in a new PTC system. Paragraph (g) re-emphasizes that FRA 
policy regarding the safety of PTC systems is not, and cannot expect to 
be, static. Rather, FRA policy may evolve as railroad operations 
evolve, operating rules are refined, related hazards are addressed 
(e.g., broken rails), and other readily available options for risk 
reduction emerge and become more affordable. FRA embraces the concept 
of progressive improvement and expects that when new systems are 
installed to replace existing systems that actual safety outcomes equal 
or exceed those for the existing systems.
    Finally, paragraph (h) emphasizes the need for the PTCSP to 
carefully document all potential sources of error that can be 
introduced into the system and their corresponding mitigation 
strategies. FRA reserves the right to require quantitative, as opposed 
to qualitative risk assessments, especially in cases where there is 
significant residual risk or changes to the method of operations.
Section 236.1017 Independent Third Party Review of Verification and 
Validation
    As previously noted in the discussion regarding Sec.  236.1009(e), 
FRA may require a railroad to engage in an independent assessment of 
its PTC system. In the event an independent assessment is required, 
this section describes the applicable rules and procedures.
    Paragraph (a) establishes factors considered by FRA when requiring 
a third-party assessment. FRA will attempt to make a determination of 
the necessary level of third party assessment as early as possible in 
the approval process. However, based on issues that may arise during 
the development and testing processes, or during the detailed technical 
reviews of the PTCDP and PTCSP, FRA may deem it necessary to require a 
third party assessment at any time during the review process.
    Paragraph (b) is intended to make it clear that it is FRA that will 
make the determination of the acceptability of the independence of the 
third party to avoid any potential issues downstream regarding the 
acceptability of the assessor's independence. If a third party 
assessment is required, then each railroad is encouraged to identify in 
writing what entity it proposes to utilize as its third party assessor. 
Compliance with paragraph (b) is not mandatory. However, if FRA 
determines that the railroad's choice of a third party does not meet 
the level of independence contemplated under paragraph (c), then the 
railroad will be obligated to have the assessment repeated, at its 
expense, until it has been completed by a third party suitable to FRA.

[[Page 2657]]

    Paragraph (c) provides a definition of the term ``independent third 
party'' as used in this section. It limits independent third parties to 
those that are compensated by the railroad or an association on behalf 
of one or more railroads that is independent of the PTC system 
supplier. FRA believes that requiring the railroad to compensate a 
third party will heighten the railroad's interest in obtaining a 
quality analysis and will avoid ambiguous relationships between 
suppliers and third parties that could indicate possible conflicts of 
interest.
    Paragraph (d) explains that the minimum requirements of a third 
party audit are outlined in Appendix F and that FRA has discretion to 
the limit the extent of the third party assessment. As the criteria in 
Appendix F are, for the most part, technology neutral, FRA has adopted 
them with minor changes, for use with both subparts H and I of this 
part. FRA intends to limit the scope of the assessment to areas of the 
safety Verification and Validation as much as possible, within the 
bounds of FRA's regulatory obligations. This will allow reviewers to 
focus on areas of greatest safety concern and eliminate any unnecessary 
expense to the railroad. In order to limit the number of third-party 
assessments, FRA first strives to inform the railroad as to what 
portions of a submittal could be amended to avoid the necessity and 
expense of a third-party assessment altogether. However, FRA wishes to 
make it clear that Appendix F represents minimum requirements and that, 
if circumstances warrant, FRA may expand upon the Appendix F 
requirements as necessary to enable FRA to render a decision that is in 
the public interest (i.e., if FRA is unable to certify the system 
without the additional information).
Section 236.1019 Main Line Track Exceptions
    The RSIA08 generally defines ``main line'' as ``a segment of 
railroad tracks over which 5,000,000 or more gross tons of railroad 
traffic is transported annually. See 49 U.S.C. 20157(i)(2). However, 
FRA may also define ``main line'' by regulation ``for intercity rail 
passenger transportation or commuter rail passenger transportation 
routes or segments over which limited or no freight railroad operations 
occur.'' See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes 
that there may be circumstances where certain statutory PTC system 
implementation and operation requirements are not practical and provide 
no significant safety benefits. In those circumstances, FRA will 
exercise its statutory discretion provided under 49 U.S.C. 
20157(i)(2)(B).
    In accordance with the authority provided by the statute and with 
carefully considered recommendations from the RSAC, FRA will consider 
requests for designation of track over which rail operations are 
conducted as ``other than main line track'' for passenger and commuter 
railroads, or freight railroads operating jointly with passenger or 
commuter railroads. Such relief may be granted only after request by 
the railroad or railroads filing a PTCIP and approval by the Associate 
Administrator.
    Paragraph (a), therefore, requires the submittal of a main line 
track exclusion addendum (MTEA) to any PTCIP filed by a railroad that 
seeks to have any particular track segment deemed as other than main 
line. Since the statute only provides for such regulatory flexibility 
as it applies to passenger transportation routes or segments where 
limited or no freight railroad operations occur, only a passenger 
railroad may file an MTEA as part of its PTCIP. This may include a 
PTCIP jointly filed by freight and passenger railroads. In fact, FRA 
expects that in the case of joint operations, only one MTEA should be 
agreed upon and submitted by the railroads filing the PTCIP. After 
reviewing a submitted MTEA, FRA may provide full or conditional 
approval for the requested exemptions.
    Each MTEA must clearly identify and define the physical boundaries, 
use, and characterization of the trackage for which exclusion is 
requested. When describing each track's use and characterization, FRA 
expects the requesting railroad or railroads to include copies of the 
applicable track and signal charts. Ultimately, FRA expects each MTEA 
to include information sufficiently specific to enable easy segregation 
between main line track and non-main line track. In the event the 
railroad subsequently requests additional track to be considered for 
exclusion, a well-defined MTEA should reduce the amount of future 
information required to be submitted to FRA. Moreover, if FRA decides 
to grant only certain requests in an MTEA, the portions of track for 
which FRA has determined should remain considered as main line track 
can be easily severed from the MTEA. Otherwise, the entire MTEA, and 
thus its concomitant PTCIP, may be entirely disapproved by FRA, 
increasing the risk of the railroad or railroads not meeting its 
statutory deadline for PTC implementation and operation.
    For each particular track segment, the MTEA must also provide a 
justification for such designation in accordance with paragraphs (b) or 
(c) of this section.
    Paragraph (b) specifically addresses the conditions for relief for 
passenger and commuter railroads with respect to passenger-only 
terminal areas. As noted previously in the analysis of Sec.  
236.1005(b), any track within a yard used exclusively by freight 
operations moving at restricted speed is excepted from the definition 
of main line. In those situations, operations are usually limited to 
preparing trains for transportation and do not usually include actual 
transportation. This automatic exclusion does not extend to yard or 
terminal tracks that include passenger operations. Such operations may 
also include the boarding and disembarking of passengers, heightening 
FRA's sensitivity to safety. Moreover, while FRA could not expend its 
limited resources to review whether a freight-only yard should be 
deemed other than main line track, FRA believes that the relatively 
lower number of passenger yards and terminals would allow for such 
review. Accordingly, FRA believes that it is appropriate to review 
these circumstances on a case-by-case basis.
    During the PTC Working Group discussions, the major passenger 
railroads requested an exception for tracks in passenger terminal areas 
because of the impracticability of installing PTC. These are locations 
where signal systems govern movements over very complex special track 
work divided into short signal blocks. Operating speeds are low (not to 
exceed 20 miles per hour), and locomotive engineers moving in this 
environment expect conflicting traffic and restrictive signals. 
Although low-speed collisions do occasionally occur in these 
environments, the consequences are low; and the rate of occurrence is 
very low in relation to the exposure. It is the nature of current-
generation PTC systems to use conservative braking algorithms. 
Requiring PTC to govern short blocks in congested terminals would add 
to congestion and frustrate efficient passenger service, in the 
judgment of those who operate these railroads. The density of wayside 
infrastructure required to effect PTC functions in these terminal areas 
would also be exceptionally costly in relation to the benefits 
obtained. FRA agrees that technical solutions to address these concerns 
are not presently available. FRA does believe that the appropriate role 
for PTC in this context is to enforce the maximum allowable speed 
(which is presently accomplished in cab signal territory through use of 
automatic speed control, a practice which could continue where already 
in place).

[[Page 2658]]

    If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2), 
or (b)(3), as applicable, as well as conditions attached to the 
approval, must be strictly adhered to.
    Under paragraph (b)(1), relief under paragraph (b) is limited to 
operations that do not exceed 20 miles per hour. The PTC Working Group 
agreed upon the 20 miles per hour limitation, instead of requiring 
restricted speed, because the operations in question will be by signal 
indication in congested and complex terminals with short block lengths 
and numerous turnouts. FRA agrees with the PTC Working Group that the 
use of restricted speed in this environment would unnecessarily 
exacerbate congestion, delay trains, and diminish the quality of rail 
passenger service.
    Moreover, when trains on the excluded track are controlled by a 
locomotive with an operative PTC onboard apparatus that PTC system 
component must enforce the regulatory speed limit or actual maximum 
authorized speed, whichever is less. While the actual track may not be 
outfitted with a PTC system in light of an MTEA approval, FRA believes 
it is nevertheless prudent to require such enforcement when the 
technology is available on the operating locomotives. This can be 
accomplished in cab signal territory using existing automatic train 
stop technology and outside of cab signal territory by mapping the 
terminal and causing the onboard computer to enforce the maximum speed 
allowed.
    FRA also limits relief under paragraph (b)(2) to operations that 
enforce interlocking rules. Under interlocking rules, trains are 
prohibited from moving in reverse directions without dispatcher 
permission on track where there are no signal indications. FRA believes 
that such a restriction will minimize the potential for a head-on 
impact.
    Also, under paragraph (b)(3), such operations are only allowed in 
yard or terminal areas where no freight operations are permitted. While 
the definition of main line may not include yard tracks used solely by 
freight operations, FRA is not extending any relief or exception to 
tracks within yards or terminals shared by freight and passenger 
operations. The collision of a passenger train with a freight consist 
is typically a more severe condition because of the greater mass of the 
freight equipment. However, FRA did receive a comment suggesting some 
latitude within terminals when passenger trains are moving without 
passengers (e.g., to access repair and servicing areas). FRA agrees 
that low-speed operations under those conditions should be acceptable 
as trains are prepared for transportation. FRA has not included a 
request by Amtrak (discussed below) to allow movements within major 
terminals at up to 30 miles per hour in mixed passenger and freight 
service, which appears in FRA's judgment to fall outside of the 
authority to provide exclusions conferred on FRA by the law.
    Paragraph (c) provides the conditions under which joint limited 
passenger and freight operations may occur on defined track segments 
without the requirement for installation of PTC. Under Sec.  236.1003 
(Definitions), ``limited operations'' is defined as ``operations on 
main line track that have limited or no freight operations and are 
approved to be excepted from this subpart's PTC system implementation 
and operation requirements in accordance with Sec.  236.1019(c). This 
paragraph provides five alternative paths to the main line exception, 
three of which were contained in the proposed rule and a fourth and 
fifth that responds to comments on the proposed rule.
    The three alternatives derived from the NPRM are set forth in 
paragraph (c)(1). First, under paragraph (c)(1), an exception may be 
available where both the freight and passenger trains are limited to 
restricted speed. Such operations are feasible only for short 
distances, and FRA will examine the circumstances involved to ensure 
that the exposure is limited and that appropriate operating rules and 
training are in place.
    Second, under paragraph (c)(1)(ii), FRA will consider an exception 
where temporal separation of the freight and passenger operations can 
be ensured. A more complete definition of temporal separation is 
provided in paragraph (e). Temporal separation of passenger and freight 
services reduces risk because the likelihood of a collision is reduced 
(e.g., due to freight cars engaged in switching that are not properly 
secured) and the possibility of a relatively more severe collision 
between a passenger train and much heavier freight consist is obviated.
    Third, under paragraph (c)(1)(iii), FRA will consider commingled 
freight and passenger operations provided that a jointly agreed risk 
analysis is provided by the passenger and freight railroads, and the 
level of safety is the same as that which would be provided under one 
of the two prior options selected as the base case. FRA requested 
comments on whether FRA or the subject railroad should determine the 
appropriate base case, but received none. FRA recognizes that there may 
be situations where temporal separation may not be possible. In such 
situations, FRA may allow commingled operations provided the risk to 
the passenger operation is no greater than if the passenger and freight 
trains were operating under temporal separation or with all trains 
limited to restricted speed. For an exception to be made under 
paragraph (c)(3), FRA requires a risk analysis jointly agreed to and 
submitted by the applicable freight and passenger services. This 
ensures that the risks and consequences to both parties have been fully 
analyzed, understood, and mitigated to the extent practical. FRA would 
expect that the moving party would elect a base case offering the 
greatest clarity and justify the selection.
    Comments on the proposed rule generally supported the 
aforementioned exclusions or were silent.
    In its comments on the NPRM, Amtrak requested further relief 
relating to lines requiring the implementation and operation of a PTC 
system due solely to the presence of light-density passenger traffic. 
According to Amtrak, the defining characteristic of light-density lines 
is the nature of the train traffic; light-density patterns on these 
lines lead to a correspondingly low risk of collision. Amtrak also 
asserted that, due to relatively limited wear and tear from lower 
traffic densities, these lines often have fewer track workers on site, 
further reducing the chance of collisions and incursions into work 
zones. Thus, states Amtrak, one of the principal reasons for installing 
PTC--collision avoidance--is a relatively low risk on many light 
density lines. With only marginal safety benefits anticipated from PTC 
use in such applications, Amtrak believed that there may be minimal 
justification for installing PTC on certain light-density lines.
    Amtrak further noted that FRA itself had concluded that the costs 
of PTC generally exceed its benefits, and Amtrak urged that this may be 
even more so on light-density lines. Amtrak believed that Congress 
understood this issue and thus created the regulatory flexibility for 
the definition of ``main line'' for passenger routes found at 49 U.S.C. 
20157(i)(2)(B) as a means to allow the Secretary to exempt certain 
routes from the PTC mandate. According to Amtrak, this provision 
essentially allows the Secretary to define certain passenger routes 
with limited or no freight traffic as other than ``main line,'' thereby 
effectively exempting such lines from the reach of the PTC mandate 
because the mandate only applies to railroad operations over ``main 
line[s].'' Said another way, urged Amtrak, the provision allows the 
Secretary the freedom to decide in what circumstances such routes 
should be considered ``main lines'' and thus be

[[Page 2659]]

required to install PTC-pursuant to whatever factors the Secretary 
deems appropriate through the rulemaking process.
    Amtrak urged that the Secretary should use this flexibility to 
limit which passenger routes it defines as ``main lines'' to those 
deemed to warrant the use of PTC using the FRA's usual risk-based 
approach to safety regulation and traditional measures of 
reasonableness, costs, and benefits. Amtrak posited that such a risk-
based analysis by FRA would likely lead to the conclusion that PTC is 
simply not needed on many light-density lines over which passenger 
trains currently operate. Amtrak therefore asked that FRA exercise this 
authority by working with Amtrak and the rail industry to exempt 
certain light density freight lines which host passenger traffic from 
the obligation to install PTC where operating and safety conditions do 
not warrant an advanced signal system.
    Should FRA choose not to exempt some of these light density freight 
lines over which passenger trains operate, Amtrak felt that the high 
costs of full PTC systems will be passed on to the passenger and 
freight operators of these routes. According to Amtrak, this obligation 
could threaten the continuation of intercity passenger rail service on 
several routes, including lines in California, Colorado, Kansas, Maine, 
Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North 
Dakota, Vermont, and Virginia, on what are potentially light density 
lines. Additionally, states Amtrak, this obligation, where it can be 
financed, could force the diversion of significant capital dollars away 
from essential safety investments in track and other infrastructure 
improvements, which are typically the leading safety risks for such 
light-density operations. According to Amtrak, the cost of PTC 
installation on these lines may be so out of proportion to the benefit 
that Amtrak's service will need to be rerouted onto a different line 
(e.g., to a Class I line with PIH materials) if a reroute option 
exists, or eliminated entirely because there is no feasible alternate 
route and no party is willing or able to bear the cost of installing 
PTC on the existing route. The defining characteristic of light-density 
lines is the nature of the train traffic: Low density patterns on these 
lines lead to a correspondingly low risk of collision.
    According to the Amtrak testimony, the ``limited operations 
exception'' in subsection 236.1019(c) of the NPRM did not provide a 
practical solution to the problem created by defining all light-density 
routes and terminal areas with passenger service as ``main lines.'' 
Amtrak stated that this subsection would arguably require installation 
of PTC on most of the trackage and locomotives of the Terminal Railroad 
Association of St. Louis (TRRA) unless: (1) The entire terminal 
operates at restricted speed (which TRRA is unlikely to agree to); (2) 
passenger and freight trains are temporally separated (which would not 
be practical on TRRA, and is unlikely to be practical on any of the 
light-density lines over which Amtrak operates, due to the 24/7 nature 
of railroad operations); or (3) a risk mitigation plan can be effected 
that would achieve a level of safety not less than would pertain if all 
operations on TRRA were at restricted speed or subject to temporal 
separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a 
risk analysis-based definition of ``main line'' passenger routes that 
excludes light-density lines on which the installation of PTC is not 
warranted; and (b) with respect to freight terminal areas in which 
passenger trains operate, that the FRA modify the limited operations 
exception in subsection 236.1019(c) to require that all trains be 
limited to 30 miles per hour rather than to restricted speed, or that 
non-PTC equipped freight terminals be deemed as other than ``main 
lines'' so long as all passenger operations are pursuant to signal 
indication and at speeds not greater than 30 miles per hour (with 
speeds reduced to not greater than restricted speed on unsignaled 
trackage or if the signals should fail).
    FRA believes that Amtrak's request is much broader than 
contemplated by the law. FRA notes that TRRA is a very busy terminal 
operation. FRA does not believe that the ``limited freight operations'' 
concept is in any way applicable under those circumstances. Nor is 
there any indication in law that FRA was expected to fall back to 
traditional cost-benefit principles in relation to PTC and scheduled 
passenger service. However, there are a number of Amtrak routes with 
limited freight operations that will not otherwise be equipped with PTC 
because they are operated by other than Class I railroads. Further, 
there are some Class I lines with less than 5 million gross tons, or no 
PIH, that also warrant individualized review to the extent Amtrak and 
the host railroad might elect to propose it.
    Accordingly, in response to the Amtrak comments, paragraphs (c)(2) 
and (c)(3) have been added to the final rule to provide an option by 
which certain additional types of limited passenger train operations 
may qualify for a main line track exception where freight operations 
are also suitably limited and the circumstances could lead to 
significant hardship and cost that might overwhelm the value of the 
passenger service provided. Paragraph (c)(2) deals with lines where the 
host is not a Class I freight railroad, describing characteristics of 
track segments that might warrant relief from the requirement to 
install PTC. Paragraph (c)(2)(i) pertains to passenger service 
involving up to four regularly scheduled passenger trains during a 
calendar day over a segment of unsignaled track on which less than 15 
million gross tons of freight traffic is transported annually. 
Paragraph (c)(2)(ii) pertains to passenger service involving up to 
twelve regularly scheduled passenger trains during a calendar day over 
a segment of signaled track on which less than 15 million gross tons of 
freight traffic is transported annually. In FRA's experience, four 
trains per day in unsignaled territory and twelve trains per day in 
signaled territory can be expected to be handled safely in combination 
with 15 million gross tons of freight traffic if the operations are 
carefully scrutinized and appropriate mitigation measures are taken to 
accommodate the particular operating environment in question. Paragraph 
(c)(2) derived indirectly from discussions in the RSAC in response to 
comments by Amtrak set forth above. The PTC Working Group proposed an 
exception that might have been available anywhere an intercity or 
commuter railroad operated over a line with 5 million gross tons of 
freight traffic, including Class I lines and the lines of the intercity 
or commuter railroad. This would have opened the potential for a 
considerable exception for lines with very light freight density under 
circumstances not thoroughly explored in the short time available to 
the working group (e.g., on commuter rail branch lines, low density 
track segments on Class I railroads, etc.).
    Subsequent to the RSAC activities, Amtrak notified FRA that its 
conversations with Class II and III railroads, whose lines have been at 
the root of the Amtrak comments, revealed that some of the situations 
involved freight traffic exceeding 5 million gross tons, potentially 
rendering the exception ineffective for this purpose. At the same time, 
FRA noted that the policy rationale behind the proposed additional 
exception was related as much to the inherent difficulty associated 
with PTC installation during the initial period defined by law, given 
that the railroads identified by Amtrak were for the most part very 
small operations with limited technical

[[Page 2660]]

capacity and limited safety exposure. It was clear that in these cases 
care would need to be taken to analyze collision risk and potentially 
require mitigations.\7\ Accordingly, FRA has endeavored to address the 
concern brought forward by Amtrak with a provision that is broad enough 
to permit consideration of actual circumstances, limit this particular 
exception to operations over railroads that would not otherwise need to 
install PTC (e.g., Class II and III freight railroads), provide for a 
thorough review process, and make explicit reference to the potential 
requirement for safety mitigations. In this regard, FRA has chosen 15 
million gross tons as a threshold that should accommodate situations 
where Amtrak trains will, in actuality, face few conflicts with freight 
movements (i.e., requiring trains to clear the main line for meets and 
passes or to wait at junctions) and where mitigations are in place or 
could be put in place to establish a high sense of confidence that 
operations will continue to be conducted safely. FRA believes that less 
than 15 million gross tons represents a fair test of ``limited freight 
operations'' for these purposes, with the further caveat that specific 
operating arrangements will be examined in each case. FRA emphasizes 
that this is not an entitlement, but an exclusion for which the 
affected railroads will need to make a suitable case.
---------------------------------------------------------------------------

    \7\ An example of an existing mitigation, which is provided to 
support service quality but also supports safety, is the practice of 
one Class III Amtrak host and its connecting freight partner to hold 
out fleeted empty coal trains off the Class III property during the 
period that Amtrak is running. While not constituting strict 
``temporal separation,'' it does significantly reduce collision risk 
over the route.
---------------------------------------------------------------------------

    Amtrak also provided to FRA a spreadsheet identifying each of its 
route segments with attributes such as route length, freight tonnage, 
number of Amtrak trains, and numbers of commuter trains. FRA further 
reviewed this information in light of Amtrak's request for main track 
exceptions. FRA noted a number of segments of the Amtrak system on 
Class I railroads where the number of Amtrak trains was low and the 
freight tonnage was also low (less than 15 million gross tons). Each of 
these lines, with the exception of one 33-mile segment, is signalized. 
FRA further noted that, with both Amtrak and Class I railroad 
locomotives equipped for PTC, use of partial PTC technology (e.g., 
monitoring of switches where trains frequently clear) should be 
available as a mitigation for collision risk. Accordingly, in paragraph 
(c)(3), FRA has provided a further narrow exception for Class I lines 
carrying no more than four intercity or commuter passenger trains per 
day and cumulative annual tonnage of less than 15 million gross tons, 
subject to FRA review. The limit of four trains takes into 
consideration that it is much less burdensome to equip the wayside of a 
Class I rail line than to install a full PTC system on a railroad that 
would not otherwise require one. Again, the exception is not automatic, 
and FRA's approval of a particular line segment would be discretionary. 
Any Class I line carrying both 5 million gross tons and PIH traffic 
would, of course, not be eligible for consideration.\8\
---------------------------------------------------------------------------

    \8\ Freight tonnage on Amtrak lines varies from zero on two 
segments to over 150 million gross tons. On a per-mile basis, 15 
million gross tons falls into the twenty-first percentile of Amtrak 
track miles. The candidate lines on the Class I system comprise 
about 6% of Amtrak's route structure.
---------------------------------------------------------------------------

    The new paragraph (d) makes clear that FRA will carefully review 
each proposed main track exception and may require that it be supported 
by appropriate hazard analysis and mitigations. FRA has previously 
vetted through the RSAC a Collision Hazard Analysis Guide that can be 
useful for this purpose. If FRA determines that freight operations are 
not ``limited'' as a matter of safety exposure or that proposed safety 
mitigations are inadequate, FRA will deny the exception.
    Paragraph (e) (formerly paragraph (d) in the proposed rule) 
provides the definition of temporal separation with respect to 
paragraph (c)(2). The temporal separation approach is currently used 
under the FRA-Federal Transit Administration Joint Policy on Shared 
Use, which permits co-existence of light rail passenger services 
(during the day) and local freight service (during the nighttime). See 
Joint Statement of Agency Policy Concerning Shared Use of the Tracks of 
the General Railroad System by Conventional Railroads and Light Rail 
Transit Systems, 65 FR 42,526 (July 10, 2000); FRA Statement of Agency 
Policy Concerning Jurisdiction Over the Safety of Railroad Passenger 
Operations and Waivers Related to Shared Use of the Tracks of the 
General Railroad System by Light Rail and Conventional Equipment, 65 FR 
42,529 (July 10, 2000). Conventional rail technology and secure 
procedures are used to ensure that these services do not commingle. 
Amtrak representatives in the PTC Working Group were confident that 
more refined temporal separation strategies could be employed on 
smaller railroads that carry light freight volumes and few Amtrak 
trains (e.g., one train per day or one train per day in each 
direction). The Passenger Task Force agreed. The UTA also supported the 
temporal separation exception under former paragraph (d), having stated 
that temporal separation is important in the operations of many 
commuter and intercity passenger railroad carriers.
    Paragraph (f) (paragraph (e) in the proposed rule) ensures that by 
the time the railroad submits its PTCSP, no unapproved changes have 
been made to the MTEA and that the PTC system, as implemented, reflects 
the PTCIP and its MTEA. Under this final rule, the PTCSP must reflect 
the PTCIP, including its MTEA, as it was approved or how it has been 
modified in accordance with Sec.  236.1021. FRA believes that it is 
also important that the railroad attest that no other changes to the 
documents or to the PTC system, as implemented, have been made.
    FRA understands that, as a railroad implements its PTC system in 
accordance with its PTCIP or even after it receives PTC System 
Certification, the railroad may decide to modify the scope of which 
tracks it believes to be other than main line. To effectuate such 
changes, paragraph (g) requires FRA review. In the case that the 
railroad believes that such relief is warranted, the railroad may file 
in accordance with Sec.  236.1021 a request for amendment of the PTCIP, 
which will eventually be incorporated into or referenced by the PTCSP 
upon PTCSP submission. Each request, however, must be fully justified 
to and approved by the Associate Administrator before the requested 
change can be made to the PTCIP. If such a RFA is submitted 
simultaneously with the PTCSP, the RFA may not be approved, even if the 
PTCSP is otherwise acceptable. A change made to an MTEA subsequent to 
FRA approval of its associated PTCIP that involves removal or reduction 
in functionality of the PTC system will be treated as a material 
modification. In keeping with traditional signaling principles, such 
requests must be formally submitted for review and approval by FRA.
Section 236.1021 Discontinuances, Material Modifications, and 
Amendments
    FRA recognizes that, after submittal of a plan or implementation of 
a train control system, the subject railroad may have legitimate 
reasons for making changes in the system design and the locations where 
the system is installed. In light of the statutory and regulatory 
mandates, however, FRA believes that the railroad should be required to 
request FRA approval prior to effectuating certain changes. Section 
236.1021 provides the scope and

[[Page 2661]]

procedure for requesting and approving those changes. For example, all 
requests for covered changes must be made in a request for amendment 
(RFA) of the subject PTC system or plan. While Sec.  236.1021 includes 
lengthy descriptions of what changes may, or may not, require FRA 
approval, there are various places elsewhere in subpart I that also 
require the filing of a RFA.
    Paragraph (a) requires FRA approval prior to certain PTC system 
changes. FRA expects that if a railroad wants to make a PTC system 
change covered by subpart I, then any such change would result in 
noncompliance with one of the railroad's plans approved under this 
subpart. For instance, if a railroad seeks to modify the geographical 
limits of its PTC implementation, such changes would not be reflected 
in the PTCIP. Accordingly, under paragraph (a), after a plan is 
approved by FRA and before any change is made to the PTC system's 
development, implementation, or operation, the railroad must file a RFA 
to the subject plan.
    FRA considers an amendment to be a formal or official change made 
to the PTC system or its associated PTCIP, PTCDP, or PTCSP. Amendments 
can add, remove, or update parts of these documents, which may reflect 
proposed changes to the development, implementation, or operation of 
its PTC system. FRA believes that an amending procedure provides a 
simpler and cleaner option than requiring the railroad to file an 
entirely new plan.
    While the railroad may develop a RFA without FRA input or 
involvement, FRA believes that it is more advantageous for the railroad 
to informally confer with FRA before formally submitting its RFA. If 
FRA is not involved in the drafting process, FRA may not have a 
complete understanding of the system, making it difficult for FRA to 
evaluate the impact of the proposed changes on public safety. After RFA 
submission, all applicable correspondence between FRA and the railroad 
must be made formally in the associated docket, as further discussed 
below. In such a situation, FRA's review may take a significantly 
longer time than usual. If FRA continues to not understand the impact, 
it may request a third party audit, which would only further delay a 
decision on the request. Accordingly, FRA believes it is more 
advantageous for the railroad drafting an RFA to informally confer with 
FRA before its formal submission of the change request. The railroad 
would then be provided an opportunity to discuss the details of the 
change and to assure FRA's understanding of what the railroad wishes to 
change and of the change's potential impact.
    Under paragraph (b), once the RFA is approved, the railroad shall 
adopt those changes into the subject plan and immediately ensure that 
its PTC complies with the plan, as amended. FRA expects that each PTC 
system accurately reflects the information in its associated approved 
plans. FRA believes that this requirement will also incentivize 
railroads to make approved changes as quickly as possible. Otherwise, 
if a railroad delays in implementing the changes reflected in an 
approved RFA, FRA may find it difficult to enforce its regulations 
until implementation is completed, since the plans and PTC system do 
not accurately and adequately reflect each other. In such 
circumstances, a railroad may be assessed a civil penalty for violating 
its plan or for falsifying records.
    Any change to a PTCIP, PTCDP, or PTCSP, which may include removal 
or discontinuance of any signal system, may not take effect until after 
FRA has approved the corresponding submitted or amended PTCIP, PTCDP, 
or PTCSP. FRA may provide partial or conditional approval. Until FRA 
has granted appropriate relief or approval, the railroad may not make 
the change, and once a requested change has been made, the railroad 
must comply with requested change.
    FRA recognizes that a railroad may wish to remove an existing train 
control system due to new and appropriate PTC system implementation. 
For train control systems existing prior to promulgation of subpart I, 
any request for a material modification or discontinuance must be made 
pursuant to part 235. Paragraph (c), however, provides the railroads 
with an opportunity to instead request such changes in accordance with 
proposed Sec.  236.1021. FRA believes that this requirement will reduce 
the number of required filings and would otherwise simplify the process 
requesting material modifications or discontinuances.
    Paragraph (d) provides the minimum information required to be 
submitted to FRA when requesting an amendment. While the procedural 
rules here are different than those in part 235, FRA expects that the 
same or similar information be provided. Accordingly, under paragraph 
(d)(1), the RFA must contain the information required in 235.10. 
Paragraph (d)(1) also requires the railroad to submit, upon FRA 
request, certain additional information, including the information 
referenced in Sec.  235.12. Paragraphs (d)(2) through (d)(7) provide 
further examples of such information. While such information may only 
be required upon request, FRA urges each railroad to include this 
information in its RFA to help expedite the review process.
    FRA believes that paragraphs (d)(2) through (d)(6) are self-
explanatory. However, according to paragraph (d)(7), FRA may require 
with each RFA an explanation of whether each change to the PTCSP is 
planned or unplanned. Planned changes are those that the system 
developer and the railroad have included in the safety analysis 
associated with the PTC system, but have not yet implemented. These 
changes provide enhanced functionality to the system, and FRA strongly 
encourages railroads to include PTC system improvements that further 
increase safety. A planned change may require FRA approved regression 
testing to demonstrate that its implementation has not had an adverse 
affect on the system it is augmenting. Each planned change must be 
clearly identified as part of the PTCSP, and the PTCSP safety analysis 
must show the affect that its implementation will have on safety.
    Unplanned changes are those either not foreseen by the railroad or 
developer, but nevertheless necessary to ensure system safety, or are 
unplanned functional enhancements from the original core system. The 
scope of any additional work necessary to ensure safety may depend upon 
when in the development cycle phase the changes are introduced. For 
instance, if the PTCDP has not yet been submitted to FRA, no FRA 
involvement is required. However, if the PTCDP has been submitted to 
FRA, or if the change impacts the safety functionality of the system 
once a Type Approval has been issued, and a PTCSP has not yet been 
submitted, the railroad must submit a RFA requesting and documenting 
that change. Once FRA approves that RFA, FRA expects the subsequently 
filed PTCSP to account for the change in analysis.
    If the change is made after approval of the PTCSP and the system 
has been certified by FRA, a RFA must be submitted to FRA for approval. 
Because this requires significant effort by FRA and the railroad, FRA 
expects that every effort will be made to eliminate the need for 
unplanned changes. If the railroad and the vendor or supplier submit 
unplanned safety related changes that FRA believes are a significant 
amount or inordinately complex, FRA may revoke any approvals previously 
granted and disallow the use of the product until such time the 
railroad demonstrates the product is sufficiently mature.
    Paragraph (e) provides that if a RFA is submitted for a 
discontinuance or a

[[Page 2662]]

material modification to a portion or all of its PTC system, a notice 
of its submission shall be published in the Federal Register. 
Interested parties will be provided an opportunity to comment on the 
RFA, which will be located in an identified docket.
    Paragraph (f) makes it clear that FRA will consider all impacts on 
public safety prior to approval or disapproval of any request for 
discontinuance, modification, or amendment of a PTC system and any 
associated changes in the existing signal system that may have been 
concurrently submitted. While the economic impact to the affected 
parties may be considered by FRA, the primary and final deciding factor 
on any FRA decision is safety. FRA will consider not only how safety is 
affected by installation of the system, but how safety is impacted by 
the failure modes of the system.
    The Southern California Regional Rail Authority submitted comments 
requesting ``easy streamlined approval'' of incremental changes and 
additions to the plans based on procurement and type approval of vendor 
or supplier products. However, FRA would like to point out that, where 
lines change during or subsequent to the railroad's submission of its 
PTCIP, the railroad merely needs to identify its plan for 
implementation on such lines in its RFA. This does not appear to be an 
overly burdensome task.
    The purpose of paragraph (g) is to emphasize the right of FRA to 
unilaterally issue a new Type Approval, with whatever conditions are 
necessary to ensure safety based on the impact of the proposed changes.
    In paragraph (h), FRA makes clear that it considers any implemented 
PTC system to be a safety device. Accordingly, the discontinuance, 
modification, or other change of the implemented system or its 
geographical limits will not be authorized without prior FRA approval. 
While this requirement primarily applies to safety critical changes, 
FRA believes that they should also apply to all changes that will 
affect interoperability. The principles expressed in the paragraph 
parallel those embodied in part 235, which implements 49 U.S.C. 
20502(a). Railroads may need to review Sec.  236.1005(b)(4) and supply 
the required information in an RFA submission.
    That said, FRA recognizes that there are a limited number of 
situations where changes of the PTC system may not have an adverse 
impact upon public safety. Specific situations where prior FRA approval 
is required are provided in paragraphs (h)(1) through (h)(4).
    Paragraph (i) provides the exceptions from the requirement for 
prior approval in cases where the discontinuance of a system or system 
element will be treated as pre-approved, as when a line of railroad is 
abandoned.
    Paragraph (j) provides exceptions for certain lesser changes that 
are not expected to materially affect system risk, such as removal of 
an electric lock from a switch where speed is low and trains are not 
allowed to clear.
    The AAR submitted comment that paragraphs (j)(2) and (j)(3) should 
be revised to recognize the allowance for removal of a signal used in 
lieu of an electric or mechanical lock in the same manner as removal of 
the electric or mechanical lock. These two paragraphs are intended to 
recognize that where train speed over the switch does not exceed 20 
miles per hour, or where trains are not permitted to clear the main 
track at the switch, removal of the devices intended to provide the 
necessary protection should not require the submission of a filing for 
FRA approval.
    The regulation requiring the installation of an electric or 
mechanical lock identifies the allowance for a signal used in lieu 
thereof (see Sec.  236.410). FRA agrees with the AAR that when the 
requirement for an electric or mechanical lock, or a signal used in 
lieu thereof, are eliminated, the removal of any of these devices in 
their entirety without filing for approval is appropriate. FRA has 
therefore revised paragraphs (j)(2) and (j)(3) to clarify these 
allowances.
    Paragraph (k) provides additional exceptions consisting of 
modifications associated with changes in the track structure or 
temporary construction. FRA notes that only temporary removal of the 
PTC system without prior FRA approval is allowed to support highway 
rail separation construction or damage to the PTC system by 
catastrophic events. In both cases, the PTC system must be restored to 
operation no later than 6 months after completion of the event.
    Caltrain submitted comments stating that proposed paragraph (k)(6) 
and Sec.  236.1009(a)(2)(ii)(B) appear to address the installation of 
new track in an inconsistent manner. While proposed paragraph (k)(6) 
states that it will not be necessary to file an RFA for the 
installation of new track, Sec.  236.1009(a)(2)(ii)(B) states that an 
RFA must be filed if railroad intends to add, subtract, or otherwise 
materially modify one or more lines of railroad for which installation 
of a PTC system is required.
    FRA agrees that there appears to have been a conflict between the 
provisions contained in paragraph (k)(6) and Sec.  
236.1009(a)(2)(ii)(B). In light of the fact that FRA considers it 
necessary to file an RFA if the railroad intends to install new track 
for which installation of a PTC system is required, FRA has not 
included proposed paragraph (k)(6) in the final rule.
Section 236.1023 Errors and Malfunctions
    Often it is only after the product has been placed in field service 
for an extended period of time before the accuracy of the assumptions 
regarding errors and malfunctions can be validated. Accordingly, the 
reporting and recording of errors and malfunctions takes on critical 
importance. If the number of errors and malfunctions exceeds those 
originally anticipated in the design, or errors and malfunctions that 
were not predicted are observed to occur, the validity of the system 
design assumptions and the accuracy of the performance predictions 
becomes suspect. The requirements of this section provide the process 
and procedures for tracking, reporting, and correction of errors and 
malfunctions. The final rule reflects the requirements of the NPRM, but 
has been reorganized for greater clarity.
    Paragraph (a) of this section contains the requirement for all 
railroads operating a PTC system to establish and maintain a PTCPVL. 
The PTCPVL list ensures that the railroad can quickly determine the 
vendor of the product that has experienced an error or malfunctioned, 
and then be able to report the occurrence of the error or malfunction 
in a timely and accurate manner to the appropriate entity responsible 
for the design and manufacture of the product. FRA access to the PTCPVL 
of each railroad enables FRA to quickly identify all railroads that may 
potentially be affected by the error malfunction, thereby allowing FRA 
to better understand the implications of the condition on the industry. 
Not all railroads using the same product or processes may experience 
the same software errors or hardware failures, even if the cause of the 
error or failure is systemic to the design, and an individual railroad 
may not have the resources to determine if there are any industry-wide 
implications. The requirement for creating and maintaining the PTCPVL 
was originally proposed in paragraph (c) of the NPRM.
    Paragraph (b)(1) establishes a requirement that the railroad 
specify in its PTCSP all contractual arrangements with their vendors or 
suppliers for immediate notification of safety-critical upgrades made 
to the product by the

[[Page 2663]]

vendors or suppliers. FRA is not interested in the commercial terms of 
any such contractual arrangement, only that the contractual arrangement 
is in place for notification and provision of safety-critical changes 
from a vendor or supplier to the railroad. Paragraph (b)(2) levies the 
requirement on the vendor or supplier to report to all railroads using 
the product any safety-critical failures reported. Paragraph (b)(3) 
levies a requirement on the vendor or supplier to provide accurate and 
adequate information of the circumstances surrounding the reported 
failure to any potentially affected railroad, as well as recommended 
mitigating actions that should be taken until the situation is 
resolved. The text of paragraph (b) has been modified slightly from 
that of the NPRM to more accurately reflect FRA's expectation in this 
regard.
    Paragraph (c)(1) levies the requirement on the railroad to specify 
in its PTCSP the process and procedures the railroad will implement 
when a safety-critical upgrade or failure notification is received from 
the vendor or supplier. This requirement is necessary regardless of 
whether the railroad itself discovers the problem or the vendor or 
supplier notifies the railroad of the problem. Paragraph (c)(2) 
requires the railroads to identify the associated configuration 
management process they will use to identify safety-critical failures 
and mitigations. FRA believes it to be essential, given the potential 
impact on safety of a safety-critical failure, that the railroads have 
the necessary planning and mechanisms in place to promptly address the 
situation. Each railroad's and vendor's or supplier's development 
processes, configuration management programs, and fault reporting 
tracking systems play a crucial role in the ability of both parties and 
the FRA to determine and fully understand the risks and implications. 
Without an effective configuration management tracking system in place, 
it is difficult, if not impossible, to fairly evaluate PTC system risks 
during the system's life-cycle.
    Paragraph (d) requires that the railroad provide to its vendor or 
supplier the railroad's processes and procedures for addressing safety-
critical failure, malfunction, and fault issues. FRA believes that by 
providing this information to the vendor or supplier, the vendor or 
supplier will be able to more efficiently and effectively provide 
notification to the appropriate railroad personnel. The net result FRA 
is seeking is that potential delays in identifying or correcting 
safety-critical faults will be minimized.
    Paragraph (e) requires the railroad to maintain a database of all 
safety-relevant hazards identified in its PTCSP, as well as all safety-
relevant hazards that were not previously identified. FRA believes that 
the requirement to report any safety-relevant hazard that was not 
previously identified in the PTCSP is self evident, in that it clearly 
represents an unknown and unplanned failure mode. Without this 
database, a railroad will be unable to determine if the number of 
particular failures has risen to a level above the thresholds set forth 
in the PTCSP. If the frequency of the safety-relevant hazards exceeds 
the thresholds set forth in the PTCSP, the railroads shall take the 
following specific actions as prescribed in this section: Notify the 
applicable vendor or supplier and the FRA; keep the applicable vendor 
or supplier and the FRA apprised of the status of any and all 
subsequent failures; and, take prompt countermeasures to eliminate or 
reduce the frequency below the threshold identified. Until the 
corrective action is complete, the railroad is required to take 
measures to ensure the safety of train operations, roadway workers, on 
track equipment, and the general public.
    While the preceding paragraphs dealt with the establishment of a 
framework to address errors and malfunctions, paragraphs (f) through 
(g) deal with the actual handling and reporting of errors and 
malfunctions within that framework. Paragraph (f) establishes time 
limits for reporting failures and malfunctions to the product vendor or 
supplier and the FRA as well as minimum reporting requirements. The 
period for notification has been lengthened from that proposed in the 
NPRM to 15 days. FRA wishes to emphasize that it is more interested in 
timely notifications, and accordingly, has not established a specific 
format for the reports. FRA will accept any report format, provided it 
contains at least the minimal information required by this section. FRA 
will accept delivery of these reports by commercial courier, fax, and 
e-mail. However, with respect to information that is not immediately 
available, paragraph (f) has been amended to require railroads to 
submit supplemental reports with the previously unavailable 
information. FRA requires this information to determine the full impact 
of the problem, and to determine if any additional restrictions or 
limitations on the use of the PTC system may be warranted to ensure the 
safety of the general public and the railroad personnel. If the 
correcting or mitigating action were to take a significant amount of 
time, FRA would expect the railroad to provide FRA with periodic 
frequent progress reports.
    Paragraph (g) establishes a reporting requirement for railroads and 
vendors or suppliers to provide to the Associate Administrator on 
request the results of any investigation of an accident or service 
difficulty report that shows the PTC system, subsystem, or component is 
unsafe because of a manufacturing or design defect. In addition, the 
railroad and its vendor or supplier may be required to report on any 
action taken or proposed to correct the defect.
    Paragraph (h) imposes a direct obligation on suppliers to report 
safety-relevant failures or defective conditions, previously 
unidentified hazards, and recommended mitigation actions in their PTC 
system, subsystem, or component to each railroad using its product. 
Each applicable supplier is also required to notify FRA of the safety-
relevant failure, defective condition, or previously unidentified 
hazard discovered by the vendor or supplier and the identity of each 
affected and notified railroad. FRA believes that it should be informed 
to ensure public safety in any case where a commercial dispute (e.g., 
over liability) might disrupt communication between a railroad and 
supplier.
    GE submitted a comment on this section, in which it raised an 
objection to the direct imposition by FRA of a reporting obligation on 
PTC suppliers. GE believes this requirement is unwarranted for three 
reasons. First, the railroad is the primary entity having knowledge of 
such a failure and already has the obligation to report a failure 
within strict guidelines. Second, even if the PTC supplier becomes 
aware of a failure, the PTC supplier may not have sufficient 
understanding of the failure to determine whether it is truly safety-
related in nature without talking to the railroad. Third, there already 
exist sufficient legal incentives for a supplier to quickly resolve any 
safety-related failure that might occur. GE believes that railroads' 
regulatory compliance responsibilities should not be delegated to 
suppliers. Ultimately, GE asserts that this requirement unnecessarily 
complicates the task of deploying PTC and is unwarranted.
    GE proposed alternative language at the RSAC PTC Working Group 
meeting held August 31-September 2, 2009, that removed the supplier's 
obligation to directly report to FRA by deleting proposed paragraphs 
(a) and (f) of this section and adding language to Sec.  
236.1015(b)(2). In this proposed alternative language, GE recommended

[[Page 2664]]

that FRA require suppliers to include a process for promptly reporting 
any safety relevant failure and previously unidentified hazard to each 
railroad using the product in the quality control systems maintained by 
suppliers for PTC system design and manufacturing.
    FRA carefully considered GE's recommendation. In Sec.  236.907(d), 
FRA has previously established for PTC systems that are voluntarily 
implemented by railroads, under the provisions of subpart H of this 
part, a requirement that the vendor/supplier and railroads establish 
mutual reporting relationships for promptly reporting any safety-
relevant failures and previously unidentified hazards. FRA seeks to 
continue this relationship requirement for mandatory PTC system 
installations under the provisions of this subpart.
    As noted in the preamble discussion of Sec.  236.907(d), FRA 
clearly indicated that if there was ``a breakdown in communications 
that could adversely affect public safety'', FRA would take appropriate 
action as necessary. See 70 FR 11,052, 11,074. FRA also noted that the 
language of Sec.  236.907 ``place[d] a direct obligation on suppliers 
to report safety-relevant failures, which would include `wrong-side 
failures' and failures significantly impacting on availability where 
the Product Safety Plan indicates availability to be a material issue 
in the safety performance of the larger railroad system.'' 70 FR 
11,052, 11,074. This provision was necessary to ensure public safety in 
the event where a commercial dispute (e.g., over liability) might 
disrupt communications between a railroad and its supplier.
    FRA believes that the requirement that a product supplier notify 
FRA, in addition to the affected railroads, of safety-relevant failures 
of the PTC product discovered by the supplier does not add to the 
complexity or cost of PTC system deployment. The addition of FRA to the 
list of entities that must be notified in the unlikely event of a 
product failure that has been identified by the product supplier adds 
only marginally to the level of effort required of the product 
supplier. As a condition of providing PTC systems pursuant to subpart H 
of this part, the product supplier must already maintain a list of 
parties that require such notification. As GE noted, even if there were 
no regulatory requirement for a mutual reporting relationship between 
product suppliers and railroads, there are already legal incentives for 
a supplier to quickly resolve any safety related failure. FRA believes 
that these legal incentives should motivate the product supplier to 
promptly notify product users of safety-related issues and, therefore, 
to maintain a list of product users.
    FRA has also considered GE's argument that the railroad is the 
primary entity having knowledge of safety-related failures and already 
has an obligation to report the failure within strict guidelines. Thus, 
even if the PTC supplier becomes aware of the failure, the supplier may 
not have sufficient understanding of the failure to determine whether 
it is safety-related in nature without talking to the railroad. GE's 
assertion that the supplier may not recognize that a failure is safety 
related without talking to the railroad also applies equally to the 
converse situation. A railroad may report a failure to the vendor or 
supplier that the railroad may not recognize as safety critical, and it 
is only the vendor's or supplier's detailed knowledge of the product 
that enables recognition of the failure as safety critical.
    FRA is consequently unmoved by the assertion that the imposition of 
a requirement that a vendor or supplier notify FRA upon discovery of a 
safety critical problem would be unduly burdensome.
    In view of the preceding, FRA has left this paragraph unchanged in 
principle. FRA has, however, made editorial changes to more clearly 
define the responsibilities of the parties involved and to clearly 
indicate the acceptability of incremental reporting as more information 
becomes available.
    RSI made many statements similar to those of GE and also asserts 
that the notification requirement on suppliers would not enhance 
safety, but would create the potential for redundant, premature, 
potentially misleading, and burdensome reports to FRA. RSI cites 
various statutes and regulations, including RSIA08 and the existing 
part 236, that apply ``exclusively'' to ``railroads'' and ``railroad 
carriers.'' However, according to 49 U.S.C. 20103, which continues to 
be referenced in part 236's Authorities section:

    (a) Regulations and orders.--The Secretary of Transportation, as 
necessary, shall prescribe regulations and issue orders for every 
area of railroad safety supplementing laws and regulations in effect 
on October 16, 1970. When prescribing a security regulation or 
issuing a security order that affects the safety of railroad 
operations, the Secretary of Homeland Security shall consult with 
the Secretary.

Thus, FRA has jurisdiction ``for every area of railroad safety.'' 
Subpart I supplements the laws and regulations in effect on October 16, 
1970. Moreover, while the U.S.C. provisions cited by RSI apply to 
railroads and railroad carriers, there is nothing in those provisions 
restricting FRA's jurisdiction over other entities or persons.
    FRA has previously applied its jurisdiction over suppliers. Under 
Sec.  236.907(d), suppliers must perform certain notification 
responsibilities. While that paragraph concerns notification by the 
supplier to the railroad, there is nothing preventing FRA from 
requiring the supplier to also notify FRA. In fact, as a practical 
matter, FRA believes that reporting failures directly to FRA is 
necessary here. Under subpart H, the absence of direct and timely 
access to product notices has continued to be an issue for FRA. This 
concern will only become greater as the subject technology becomes more 
complex.
    RSI also noted that, ``the scope of the signal and train control 
provision at Part 236 explains that this entire part, which will 
include the proposed regulations for Sec.  236.1023, applies only to 
the railroads.'' Indeed, Sec.  236.0(a) currently states, ``Except as 
provided in paragraph (b) of this section, this part applies to all 
railroads.'' While that paragraph indicates that the part applies to 
all railroads, it does not limit application to ``only'' railroads, as 
misstated by RSI. In any event, to avoid confusion, FRA is modifying 
Sec.  236.0(a) to apply to all railroads and persons as indicated in 
this part. For instance, ``person'' is defined in Sec.  236.0(f) when 
referencing 1 U.S.C. 1 (which includes manufacturers and independent 
contractors) and railroad is defined in subpart G of part 236.
    Paragraph (i) addresses situations which are clearly not the result 
of a design or manufacturing issue, and limits unnecessary reporting. 
If the failure, malfunction, or defective condition was the result of 
improper operation of the PTC system outside of the design parameters 
or of non-compliance with the applicable operating instructions, FRA 
believes that compliance with paragraph (e) is not necessary. Instead, 
FRA expects and requires the railroad to engage in more narrow remedial 
measures, including remedial training by the railroad in the proper 
operation of the PTC system. Similarly, once a problem has been 
identified to all stakeholders, FRA does not believe it is necessary 
for a manufacturer to repeatedly submit a formal report in accordance 
with paragraph (h). In either situation, however, FRA expects that all 
users of the equipment will be proactively and timely notified of the 
misuse that occurred and the corrective actions taken.

[[Page 2665]]

    Such reports, however, do not have to be made within fifteen days 
of occurrence, as required for other notifications under paragraph (f), 
but within a reasonable time appropriate to the nature and extent of 
the problem.
    Paragraph (j) has been added to the final rule to require that, 
when any safety-critical PTC system, subsystem, or component fails to 
perform its intended function, the railroad is required to determine 
the cause and perform necessary adjustment, repair, or replacement of 
any faulty product without undue delay. Paragraph (j) also reminds 
railroads that, until corrective action has been completed, a railroad 
is required to take appropriate action to ensure safety and reliability 
as specified within its PTCSP.
    In paragraph (k) of the final rule, FRA intends to make it 
absolutely clear that the reporting requirements of part 233 are not a 
substitute for the reporting requirements of this subpart, nor are the 
reporting requirements of this subpart considered to be a substitute 
for the reporting requirements of part 233. Both sets of reporting 
requirements apply. FRA would like to clarify that both requirements 
apply. In the case of a failure meeting the criteria described in Sec.  
233.7, FRA would not expect the railroad to wait for the frequency of 
such occurrences to exceed the threshold reporting level assigned in 
the hazard log of the PTCSP, but will expect the railroad to report the 
occurrence as required by Sec.  233.7.
Section 236.1027 PTC System Exclusions
    This section retains similarities to, but also establishes 
contrasts with, Sec.  236.911, which deals with exclusions from subpart 
H. In particular, Sec.  236.911(c) offers reassurance that a stand-
alone computer aided dispatching (CAD) system would not be considered a 
safety-critical processor-based system within the purview of subpart H. 
CADs have long been used by large and small railroads to assist 
dispatchers in managing their workload, tracking information required 
to be kept by regulation, and--most importantly--providing a conflict 
checking function designed to alert dispatchers to incipient errors 
before authorities are delivered. Even Sec.  236.911, however, states 
that ``a subsystem or component of an office system must comply with 
the requirements of this subpart if it performs safety-critical 
functions within, or affects the safety performance of, a new or next-
generation train control system.'' FRA continues to work with a vendor 
or supplier on a simple CAD that provides authorities in an automated 
fashion, without the direct involvement of a dispatcher.
    For subpart I, FRA intends to retain the exception referred to in 
Sec.  236.911 for CAD systems not associated with a PTC system. Many 
smaller railroads use CAD systems to good effect, and there is no 
reason to impose additional regulations where dispatchers 
contemporaneously retain the function of issuing mandatory directives. 
However, in the present context, it is necessary to recognize that PTC 
systems utilize CAD systems as the ``front end'' of the logic chain 
that defines authorities enforced by the PTC system, particularly in 
non-signaled territory.
    Accordingly, paragraph (a) provides for the potential exclusion of 
certain office systems technologies from subpart I compliance. These 
existing systems have been implemented voluntarily to enhance 
productivity and have proven to provide a reasonably high level of 
safety, reliability, and functionality. FRA recognizes that full 
application of subpart I to these systems would present the rail 
industry with a tremendous burden. The burdens of subpart I may 
discourage voluntary PTC implementation and operation by the smaller 
railroads.
    However, subpart I applies to those subsystems or components that 
perform safety critical functions or affect the safety performance of 
the associated PTC system. The level and extent of safety analysis and 
review of the office systems will vary depending upon the type of PTC 
system with which the office system interfaces. For example, to prevent 
the issuance of overlapping and inconsistent authorities, FRA expects 
that each PTC system demonstrate sufficient credible evidence that the 
requisite safety-critical, conflict resolution (although not 
necessarily vital) hardware and software functions of the system will 
work as intended. FRA also expects that the applicable PTCDP's and 
PTCSP's risk analysis will identify the associated hazards and describe 
how they have been mitigated. Particularly where mandatory directives 
and work authorities are evaluated for use in a PTC system without 
separate oral transmission from the dispatcher to the train crew or 
employee in charge--with the opportunity for receiving personnel to 
evaluate and confirm the integrity of the directive or authority 
received and the potential for others overhearing the transmission to 
note conflicting actions by the dispatching center--FRA will insist on 
explanations sufficient to provide reasonable confidence that 
additional errors will not be introduced.
    Paragraph (b) provides requirements for modifications of excluded 
PTC systems. At some point when a change results in degradation of 
safety or in a material increase in safety-critical functionality, 
changes to excluded PTC systems or subsystems may be significant enough 
to require application of subpart I's safety assurance processes. FRA 
believes that all modifications caused by unforeseen implementation 
factors will not necessarily cause the product to become subject to 
subpart I. These types of implementation modifications will be minor in 
nature and be the result of site specific physical constraints. 
However, FRA expects that implementation modifications that will result 
in a degradation of safety or a material increase in safety-critical 
functionality, such as a change in executive software, will cause the 
PTC system or subsystem to be subject to subpart I and its 
requirements. FRA is concerned, however, that a series of incremental 
changes, while each individually not meeting the threshold for 
compliance with this subpart, may when aggregated result in a product 
which differs sufficiently so as to be considered a new product. 
Therefore, FRA reserves the right to require products that have been 
incrementally changed in this manner to comply with the requirements of 
this subpart. Prior to FRA making such a determination, the affected 
railroad will be allowed to present detailed technical evidence why 
such a determination should not be made. This provision mirrors 
paragraph (d) of existing Sec.  236.911.
    Paragraph (c) addresses the integration of train control systems 
with other locomotive electronic control systems. The earliest train 
control systems were electro-mechanical systems that were independent 
of the discrete pneumatic and mechanical control systems used by the 
locomotive engineer for normal throttle and braking functions. Examples 
of these train control systems included cab signals and ACS/ATC 
appliances. These systems included a separate antenna for interfacing 
with the track circuit or inductive devices on the wayside. Their power 
supply and control logic were separate from other locomotive functions, 
and the cab signals were displayed from a separate special-purpose 
unit. Penalty brake applications by the train control system bypassed 
the locomotive pneumatic and mechanical control systems to directly 
operate a valve that accomplished a service reduction of brake pipe 
pressure and application of the brakes as well as

[[Page 2666]]

reduction in locomotive tractive power. In keeping with this physical 
and functional separation, train control equipment on board a 
locomotive came under part 236, rather than the locomotive inspection 
requirements of part 229.
    Advances in hardware and software technology have allowed the 
various PTC systems' and components' original equipment manufacturers 
(OEMs) to repackage individual components, eliminating parts and system 
function control points access. Access to control functions became 
increasingly restricted to the processor interfaces using proprietary 
software. While this resulted in significant simplification of the 
previously complex discrete pneumatic and mechanical control train and 
locomotive control systems into fewer, more compact and reliable 
devices, it also creates significant challenges with respect to 
compatibility of the application programs and configuration management.
    FRA encourages such enhancements, and believes that, if properly 
done, they can result in significant safety, as well as operational, 
improvements. Locomotive manufacturers can certainly provide secure 
locomotive and train controls, and it is important that they do so if 
locomotives are to function safely in their normal service environment. 
FRA highly encourages the long-term goal of common platform 
integration. However, when such integration occurs, it must not be done 
at the expense of decreasing the safe and reliable operation of the 
train control system. Accordingly, FRA expects that the complete 
integrated system will be shown to have been designed to fail-safe 
principles, and then demonstrated that the system operates in a fail-
safe mode. Any commingled system must have a manual fail-safe fall back 
up that allows the engineer to be brought to be a safe stop in the 
event of an electronic system failure. This analysis must be provided 
to FRA for approval in the PTCDP and PTCSP as appropriate. This 
provision mirrors the heightened scrutiny called for by Sec.  
236.913(c) of subpart H for commingled systems, but is more explicit 
with respect to FRA's expectations. The provision in general accords 
with the requirements for locomotive systems that are currently under 
development in the RSAC's Locomotive Safety Standards Working Group.
    GE generally agreed with the preceding discussion about separate 
regulatory treatment of PTC and the locomotive control systems. 
However, they strongly disagree with any implication, if the two 
systems were interfaced or commingled, that PTC requirements could be 
extended into the locomotive control system. They assert non-safety-
critical data can be passed between the systems using appropriate 
interfaces without any impact on safety and without triggering a need 
to extend PTC requirements into the control system.
    FRA agrees that there are implementation techniques that allow for 
locomotive control systems to passively receive information from a 
train control system, and the train control and locomotive control 
systems are not tightly coupled. FRA expects that in such situations 
the safety case for the train control system clearly and unequivocally 
demonstrates that the train control system is not tightly coupled with 
the locomotive control system, and that failures in the locomotive 
control system have absolutely no adverse consequences on the safe 
operation of the train control system. Likewise, FRA expects that the 
safety analysis for the locomotive control system clearly and 
unequivocally demonstrates that the train control system is not tightly 
coupled with the locomotive control system, and that failures in the 
train control system have absolutely no adverse consequences on the 
safe operation of the locomotive control system. If the safety analysis 
cannot convincingly demonstrate to FRA that the train control and 
locomotive control systems are loosely coupled, then FRA will require 
that the safety analysis for the PTC system include the applicable 
elements of the locomotive control system, and vice versa.
    Finally, paragraph (d) clarifies the application of subparts A 
through H to products excluded from compliance with subpart I. These 
products are excluded from the requirements of subpart I, but FRA 
expects that the developing activity demonstrates compliance of 
products with subparts A through H. FRA believes that railroads not 
mandated to implement PTC, or that are implementing other non-PTC 
related processor based products, should be given the option to have 
those products approved under subpart H by submitting a PSP and 
otherwise complying with subpart H or by voluntarily complying with 
subpart I. This provision mirrors Sec.  236.911(e) of subpart H.
Section 236.1029 PTC System Use and En Route Failures
    This section provides minimum requirements, in addition to those 
found in the PTC system's plans, for each PTC system with a PTC System 
Certification. Railroads are allowed, and encouraged, to adopt more 
restrictive rules that increase safety.
    Paragraph (a) requires that, in the event of the failure of a 
component essential to the safety of a PTC system to perform as 
intended, the cause be identified and corrective action taken without 
undue delay. The paragraph also states that until the corrective action 
is completed, the railroad is required, at a minimum, to take 
appropriate measures, including those specified in the PTCSP, to ensure 
the safety of train movements, roadway workers, and on-track equipment. 
This requirement mirrors the current requirements of Sec.  236.11, 
which applies to all signal and train control system components. Under 
paragraph (a), FRA intends to apply to PTC systems provided PTC System 
Certification under subpart I the same standard in current Sec.  
236.11.
    Paragraph (b) provides the circumstance where a PTC onboard 
apparatus on a controlling locomotive that is operating in or is to be 
operated within a PTC system fails or is otherwise cut-out while en 
route. Under paragraph (b), the subject train may only continue such 
operations in accordance with specific limitations. An en route failure 
is applicable only in instances after the subject train has departed 
its initial terminal, having had a successful initialization, and 
subsequently rendering it no longer responsive to the PTC system. For 
example, FRA believes that an en route failure may occur when the PTC 
onboard apparatus incurs an onboard fault or is otherwise cut out.
    Under subpart H, existing Sec.  236.567 provides specific 
limitations on each train failing en route in relation to its 
applicable automatic cab signal, train stop, and train control system. 
FRA believes that it would be desirable to impose somewhat more 
restrictive conditions given the statutory mandate and the desire to 
have an appropriate incentive to properly maintain the equipment and to 
timely respond to en route failures. For instance, FRA recognizes that 
the limitations of Sec.  236.567 do not account for the statutory 
mandates of the core PTC safety functions.
    During the PTC Working Group meetings prior to issuance of the 
NPRM, no consensus was reached on how to regulate en route failures on 
PTC territory. However, FRA subsequently received several comments that 
the en route failure requirements and the restrictive operational 
conditions imposed by paragraph (b) are burdensome and overly 
restrictive. When the PTC Working Group was

[[Page 2667]]

reconvened following the Public Hearing and the NPRM comment period, 
the PTC Working Group formed three separate task forces for the purpose 
of discussing and resolving several specific issues. One such task 
force, deemed the Operational Conditions Task Force, was assigned the 
task of resolving the issues associated with operational limitations 
presented in the proposed rule associated with temporary rerouting 
within Sec.  236.1005, unequipped trains operating within a PTC system 
within Sec.  236.1006, and en route failures within Sec.  236.1029.
    The proposed rule provided allowances for deviations from the 
restrictions of operations exceeding 90 miles per hour if such 
deviations were presented and justified in an FRA approved plan. At the 
PTC Working Group meeting, it was recommended that the procedure 
allowing for such deviations equally apply to all other operations, 
regardless of the speed of the operations.
    Upon presentation of these recommended revisions to the PTC Working 
Group, Amtrak and NJ Transit withheld consensus, requesting rather to 
state on the record that they believed the requirement for the 
establishment of an absolute block was overly burdensome and 
unnecessary, and the operational limitations were too restrictive in 
areas where an underlying block signal system and/or cab signal system 
with train stop/train control functions remained in place. They further 
suggested that the operational restrictions for en route failures 
should be solely presented and described within a railroad's PTCDP and 
PTCSP, which would then be applicable to a particular PTC system.
    FRA appreciates the concerns presented. However, FRA remains 
convinced that the rule text must provide a ``baseline'' for 
operational restrictions associated with en route failures within all 
PTC systems, with the recognition of the allowance for a railroad to 
submit a request for deviation from those requirements, with 
justification, within their PTCDP and PTCSP for FRA approval. 
Accordingly, FRA has substantially adopted into paragraphs (b) and (c) 
the text proposed at the PTC Working Group meeting.
    Section 236.1029, and in particular paragraph (b), purposefully 
parallels the limitations contained in Sec.  236.567. In other words, 
FRA intends that Sec.  236.567 and paragraph (b) of this section will 
share the common purpose of maintaining a level of safety generally in 
accord with that expected with the train control system fully 
functional. This is accomplished by requiring supplementary procedures 
to heighten awareness and provide operational control (limiting the 
frequency of unsafe events) and by restricting the speed of the failed 
train (reducing the potential severity of any unsafe event).
    Paragraph (b)(1) allows the subject train to proceed at restricted 
speed--or at medium speed if a block signal system is in operation 
according to signal indication--to the next available point where 
communication of a report can be made to a designated railroad officer 
of the host railroad. The intent of this requirement is to ensure that 
the occurrence of an en route failure may be appropriately recorded and 
that the necessary alternative protection of absolute block is 
established.
    NYSMTA provided comments recommending that paragraph (b)(1) of this 
section cite 40 miles per hour as the maximum permissible speed within 
a failed PTC system where a block signal system is in operation because 
some railroads, such as the LIRR and Metro-North, have defined medium 
speed lower than what the FRA regulation would permit. FRA defines 
medium speed in Sec.  236.811 as ``A speed not exceeding 40 miles per 
hour.'' Thus, we believe the rule is clear in terms of the applicable 
maximum speed limit and consistent with the suggestions made by NYSMTA. 
While a particular railroad may internally define ``medium speed'' 
differently, the definitions contained in part 236 control the meaning 
of the terms used therein.
    After a report is made in accordance with paragraph (b)(1), or made 
electronically and immediately by the PTC system itself, paragraph 
(b)(2) allows the train to continue to a point where an absolute block 
can be established in advance of the train in accordance with the 
limitations that follow in paragraphs (b)(2)(i) and (ii). Paragraph 
(b)(2)(i) requires that where no block signal system is in use, the 
train may proceed at restricted speed. Alternatively, under paragraph 
(b)(2)(ii), the train may proceed at a speed not to exceed medium speed 
where a block signal system is in operation according to signal 
indication.
    Paragraph (b)(3) requires that, upon the subject train reaching the 
location where an absolute block has been established in advance of the 
train, the train may proceed in accordance with the limitations that 
follow in paragraphs (b)(3)(i), (ii), or (iii). Paragraph (b)(3)(i) 
requires that where no block signal system is in use, the train may 
proceed at medium speed; however, if the involved train is a train 
which is that of the criteria requiring the PTC system installation 
(i.e., a passenger train or a train hauling any amount of PIH 
material), it may only proceed at a speed not to exceed 30 miles per 
hour. Paragraph (b)(3)(ii) requires that where a block signal system is 
in use, a passenger train may proceed at a speed not to exceed 59 miles 
per hour and a freight train may proceed at a speed not to exceed 49 
miles per hour. Paragraph (b)(3)(iii) requires that, except as provided 
in paragraph (c), where a cab signal system with an automatic train 
control system is in operation, the train may proceed at a speed not to 
exceed 79 miles per hour.
    The Rail Labor Organizations believe that the rule is too 
permissive for en route failures of a PTC system where an underlying 
signal system is not governing train movements, as they assert that any 
train invisible to the PTC system in PTC territory presents an 
unacceptable risk. Instead, asserts the RLO, treatment of en route 
failures should parallel the restrictions required when a train 
experiences a signal failure, such as a switch position that is unknown 
or when a route is not known to be clear. While the NPRM proposed to 
allow a passenger or PIH PTC train in dark territory to traverse a 
switch in an unknown position at medium speed or 30 miles per hour, the 
RLO asserts that such trains should be limited to restricted speed or 
other methods, such as temporal separation.
    FRA appreciates the RLO's concerns. However, FRA believes that the 
proposal to limit operations to restricted speed, or employ other 
protective methods such as temporal separation, would be too burdensome 
and unwarranted. FRA has elected to keep the language of the NPRM in 
this final rule for several reasons. First, it is expected that 
failures en route addressed by this rule, as well as temporary 
rerouting that could result in its application, will not occur on any 
frequent basis. Experience and requirements of other portions of this 
subpart would preclude this from being the case. Second, the assertion 
that ``any train invisible to the PTC system in PTC territory presents 
an unacceptable risk'' is inaccurate. Such a train would not in fact be 
``invisible'' to the PTC system as there remains in place some type of 
authority for the train's movement, and all authorities of other trains 
that would be PTC-equipped would be enforced by the system. 
Additionally, the maximum speed of 30 miles per hour established by FRA 
for these situations is based on extensive analysis of past accident 
and incidence data, which has shown that train accidents at or below 30 
miles per hour have not resulted in breach or compromise of cars 
carrying hazardous

[[Page 2668]]

materials. FRA has elected to keep this language of the NPRM in this 
final rule.
    Paragraph (c) requires that, in order for a PTC train to deviate 
from the operating limitations contained in paragraph (b) of this 
section, the deviation must be described and justified in the FRA 
approved PTCDP or PTCSP. Amtrak had presented comments regarding the 
NPRM, as well as within the PTC Working Group task force assigned to 
address comments received regarding this section, asserting that the 
operational limitations of failure en route were too restricting and 
unwarranted. Directly in response to those comments, FRA may allow for 
deviation from the identified limitations of the rule if that deviation 
is described and justified in the applicable and FRA approved PTCDP, 
PTCSP, or Order of Particular Applicability. Furthermore, the speed 
threshold of 90 miles per hour proposed in the NPRM has been removed. 
FRA will consider deviation proposals for conventional operations, as 
well as high-speed operations. FRA continues to anticipate that 
existing operations on the Northeast Corridor will not be adversely 
impacted, since failure of one component of the onboard train control 
system will permit the remaining portion to function and provide for a 
reasonable level of safety.
    Paragraph (d) requires that the railroad operate its PTC system 
within the design and operational parameters specified in the PTCDP and 
PTCSP. Railroads will not exceed maximum volumes, speeds, or any other 
parameter provided for in the PTCDP or PTCSP. On the other hand, a 
PTCDP or PTCSP could be based upon speed or volume parameters that are 
broader than the intended initial application, so long as the full 
range of sensitivity analyses is included in the supporting risk 
assessment. FRA feels this requirement will help ensure that 
comprehensive product risk assessments are performed before products 
are implemented.
    Paragraph (e) sets forth the requirement that any testing of the 
PTC system must not interfere with its normal safety-critical 
functioning, unless an exception is obtained pursuant to 49 CFR Sec.  
236.1035, where special conditions have been established to protect the 
safety of the public and the train crew. Otherwise, paragraph (e) 
requires that each railroad ensure that the integrity of the PTC system 
not be compromised, by prohibiting the normal functioning of such 
system to be interfered with by testing or otherwise without first 
taking measures to provide for the safety of train movements, roadway 
workers, and on-track equipment that depend on the normal safety-
critical functioning of the system. This provision parallels current 
Sec.  236.4, which applies to all systems. By requiring this paragraph, 
FRA also intends to clarify that the standard in current Sec.  236.4 
also applies to subpart I PTC systems.
    Paragraph (f) requires that each member of the operating crew has 
appropriate access to the information and functions necessary to 
perform his or her job safely when products are implemented and used in 
revenue service. FRA expects paragraph (f) to automatically require 
each engineer operating the controlling locomotive to have access to 
the PTC display providing such information. Paragraph (f) also applies 
to other crew members assigned duties in the locomotive cab. The rule 
is a performance standard which can be met in several different ways.
    Train crews perform as a team and are required by railroad and FRA 
rules to do so. The importance of having assigned crew members fully 
involved in train operations is also clearly the intent of Congress in 
the RSIA. The Congress mandated the certification of the conductor to 
work in concert with the already federally-certified locomotive 
engineer. For the conductor and engineer to fulfill the expectations of 
Congress, it is necessary for both crewmembers to have sufficient 
information to perform their duties. For the conductor to be able to 
fulfill the assigned obligations, the conductor must have ready access 
to certain information, including the authority information being 
received from the dispatcher. As described below, FRA believes that 
safety would be materially diminished if the conductor in freight 
operations were denied access to the same information in the same 
format as the engineer.
    For instance, under the operating rules or special instructions of 
the major freight railroads, each train crew member in the performance 
of his or her duties receives copies of a fair amount of paperwork that 
includes the train consist, which provides the number, loading, 
locations, and hazardous materials contents of cars, the length and 
weight of the train, General Orders, which provide loose footing 
issues, the safety rules of the day or week, security reminders, 
temporary speed restrictions, and the locations of maintenance of way 
crews performing track repairs. This paperwork provides the train crew 
with the work plan necessary to operate the assigned train during their 
tour of duty. Once the crew is underway, the conductor receives from 
the dispatcher, via radio, updates to the above information (and 
provides acknowledgment back to the dispatcher), transcribes hand 
written copies, and provides those copies to the engineer and other 
crew members (in lieu of stopping if engineer only). Each crew member 
keeps these copies in front of them (usually on a desk) for ready 
reference to approaching speed restrictions and working limits of 
roadway workers. Upon these documents, crew members make hand written 
notes and are required to write ``void'' across superseded or expired 
movement authorities. In case any questions pertaining to crew 
performance arise later, each crewmember keeps these copies. 
Particularly, in a PTC overlay system, which by definition depends upon 
continued performance of all of the safety-related functions of the 
underlying system of operation, all of these functions must continue to 
be performed either as they are now or in an equivalent manner. 
Removing or impairing any of those functions will diminish safety.
    The conductor is responsible for determining the train consist and 
for ensuring compliance with hazardous materials train placement 
requirements. The conductor is also responsible for determining whether 
one or more cars in the train is restricted (e.g., requirement 
regarding appropriate placement in the train or speed restriction 
limiting the train's speed to avoid a derailment hazard).\9\ Conductors 
are regularly disciplined in certain situations, including when the 
limits of authorities are violated or maximum speed limits are 
exceeded.
---------------------------------------------------------------------------

    \9\ Enforcement of a speed restriction associated with a 
particular car is not a mandated PTC function, but is an important 
function that will be provided within the Interoperable Train 
Control architecture for the general freight system.
---------------------------------------------------------------------------

    Moreover, in present cab signal territory, multiple crew members 
rely on the information provided by the cab signal display, typically 
mounted in the center of the cab or other conspicuous location. ACSES 
displays have also been centrally mounted in passenger and freight cabs 
for clear visibility.\10\ Under this final rule, cab signals may 
continue to operate independently of the PTC display of the locomotive 
cab. However, based upon RSAC discussions, FRA is confident that PTC 
displays may (and

[[Page 2669]]

probably will) supplant current cab signal displays and utilize the cab 
signal code as an input to the PTC display.\11\ Section 236.515 has 
long provided that ``The cab signals shall be plainly visible to a 
member or members of the locomotive crew from their stations in the 
cab.'' Positive train control systems will play a role very similar to, 
but in fact even more important than, automatic cab signals have played 
in the territories where installed. In addition to providing current 
displays (or ``targets'') for signal indications, FRA expects that PTC 
will also display in graphic form slow orders and other mandatory 
directives.
---------------------------------------------------------------------------

    \10\ ITCS displays in freight locomotives have not been mounted 
so as to be clearly visible to freight crews. The subject line is 
principally used for passenger service, and the number of freight 
locomotives involved has been very small. ITCS has been permitted to 
operate under waiver, and FRA freely concedes that the issue of 
freight crew display visibility had not been clearly joined to this 
point.
    \11\ In vital applications, reliance on these displays will be 
authorized and required. Although initially in-block signal upgrades 
may not be permitted to be acted upon, except in cab signal 
territory, FRA has no doubt that the ability to upgrade between 
wayside signals will be requested as the technology is proven 
reliable. According to the major railroads involved in the 
Interoperable Train Control effort, most Class I locomotives will 
need to be configured to operate essentially in any territory on the 
system.
---------------------------------------------------------------------------

    FRA recognizes that PTC systems are being designed to move much of 
this information into an electronic format. The intent of utilizing 
electronic transmission of authorities is to reduce human error 
associated with listening, copying, and reading back of updates over 
voice channels while the train crew is en route. Regardless if the 
information is transmitted digitally or verbally, the goal is to 
prevent the train from occupying the main track without authority, to 
prevent most over-speed issues, and to stop short of misaligned 
switches if the crew fails to follow the rules. While FRA supports this 
transition to digital communications, this final rule does not require 
it.
    In the event that a certified PTC system does use digital 
transmissions to provide communications and acknowledgement of 
mandatory directives between the dispatcher and conductor, to allow the 
conductor to electronically input the train consist into the PTC 
system, or otherwise similarly modify a crew member's responsibilities, 
FRA expects under paragraph (f) that the subject crew member will be 
afforded appropriate access to the PTC system display to fulfill those 
responsibilities.
    In its comments, the AAR also indicated that railroads have been 
planning to put a single display in locomotive cabs for the engineer in 
systems which FRA has already approved and that this requirement was 
redundant and excessive, referring to the BNSF ETMS system. The AAR 
questioned the need for a conductor to have access to a PTC display. 
The Class I railroads have attempted to present the case that FRA had 
previously blessed the implementation of PTC technology that would 
permit electronic delivery of mandatory directives while discontinuing 
the delivery of printed or voice transmitted directives. However, that 
is not the case.
    The system to which AAR refers--BNSF's ETMS I configuration--was 
qualified under subpart H, which only requires that the system be at 
least as safe as existing systems and the approval was limited in 
material ways the AAR failed to mention. Subpart I, however, requires 
that non-vital overlay systems reduce the likelihood of PTC preventable 
accidents by at least 80%. Subpart H does not address or require 
interoperability, but subpart I requires interoperability.
    The BNSF ETMS I configuration concept of operations was a pure non-
vital overlay on the existing method of operations. The safety analysis 
for that system assumed that the conductor would continue to receive 
mandatory directives in the normal manner. BNSF, the only railroad to 
obtain authority for use of a first-generation freight PTC system, very 
heavily justified its safety case on the assumption that crewmembers 
would intervene should the PTC system experience a wrong-side failure 
(which could occur due to a software error, hardware malfunction, 
database error, or combination of these factors). This system was 
justified as an ``overlay'' on the existing method of operations; while 
there would be only one PTC display screen, it was contended that most 
wrong-side errors would be caught by crewmembers holding mandatory 
directives in paper form. This type of existing PTC system, which has 
only been deployed by BNSF on a few lines and with very few locomotives 
equipped, precludes one-half of the train crew from having any access 
to the information for which they are held accountable. This has been 
tolerable only because both crew members do have a full set of printed 
or written directives.
    Note that basic interoperability is potentially a concern with 
respect to the human-machine interface and the means by which FRA 
addresses it. To the extent a locomotive from a railroad which uses 
only voice transmission of mandatory directives were to travel on a 
railroad using electronic transmission of mandatory directives, it 
would need to be equipped for the other railroad. Yet none of the major 
freight railroads has conducted a revenue demonstration of a system 
that relies exclusively on electronic transmission of authorities; and, 
after more than two decades of development and demonstrations, the 
major freight railroads have still not issued interoperability 
standards. Even if FRA were able to accept some of the arguments 
proffered in regard to the need for access to PTC information, 
addressing this issue through review of individual railroad plans would 
not be feasible. This issue needs to be settled ``up front'' in order 
to support an orderly implementation.
    The testimony and written filings in this docket reflected a 
serious misunderstanding regard the distinctions noted above and the 
posture of the BNSF Product Safety Plan review. The AAR and CSXT both 
asserted that FRA has approved use of a single screen in the form of 
BNSF ETMS I configuration. More remarkably, BNSF itself testified at 
the public hearing that, ``As approved by FRA, our locomotive cab 
configuration includes one display screen, which is positioned on the 
dashboard of the engineer.'' Comment of BNSF Railway Company, Docket 
FRA-2008-0132.0011.1 (Aug. 19, 2009); Positive Train Control Systems: 
Hearing Before the Fed. Railroad Admin. (Aug. 13, 2009) (statement of 
Mark Schulze, Vice President, BNSF Railway Company).
    In fact, FRA's decision letter for that system stated as follows:
    7. Prior to any further ETMS Configuration I operations, BNSF must 
either comply with 49 CFR Sec.  236.515 (Visibility of cab signals), or 
submit a risk-based justification as to why the requirements of this 
rule should be waived. The justification shall be submitted in 
accordance with the PSP amendment procedures in 49 CFR Sec.  236.913. 
(FRA Docket No. 2006-23687, Document No. 0021.)

The subject approval remains contingent as of the date of preparation 
of this final rule, since the railroad has not submitted the required 
justification.\12\
---------------------------------------------------------------------------

    \12\ Prior to enactment of the RSIA08, FRA had taken significant 
steps to encourage voluntary PTC deployment, including offering the 
inducement of exceptions from traditional train control 
requirements. Had BNSF submitted a detailed justification for the 
single display visible only to the locomotive engineer, it is 
entirely possible that it would have been approved, since the 
performance standard under subpart H presents a very low bar for a 
reasonably competent train control system when applied in non-
signaled or traffic control territory and since under the ETMS PSP 
the conductor would either continue to receive mandatory directives 
in writing or would copy mandatory directives transmitted verbally 
by the dispatcher via radio. 49 CFR 236.909(a). The point here is 
that, if the railroad had indeed conducted adequate human factors 
analysis, it had not been submitted to FRA; and no implications 
should be drawn with respect to this very different context, wherein 
interline operation of locomotives is at stake and several major 
railroads clearly wish to abandon traditional means of delivering 
authorities.

---------------------------------------------------------------------------

[[Page 2670]]

    The AAR also misstates the extent of the Volpe Center's review of 
ETMS. From the Volpe Center's review: ``The purpose of the analysis was 
to assess the extent to which the ETMS system follows accepted human 
factors design guidelines that are likely to catch and correct 
potential human performance problems.'' Volpe did not perform a 
``thorough human factors analysis'' as posited by AAR. Rather, Volpe 
focused on the user interface for locomotive engineers, identifying 
issues within the existing design (which was still under development) 
and within the concept of operations as defined by the railroad.
    Once all of the paperwork is moved into electronic transmissions 
(which has been neither formally requested nor in any way justified 
under existing regulations), in the absence of an available display 
one-half of the train crew would not have the ability to review and 
receive updates while en-route, or keep records of the movement 
authorities and restrictions for future use. PTC is currently an 
imperfect technology fed by databases that can be corrupted. Mandatory 
directives will continue to be issued by dispatchers with limited 
conflict checking using non-vital computer-aided dispatching systems. 
As the point paper orders are no longer provided, and mandatory 
directives are issued electronically en route, there would be no 
general broadcast on the ``road channel'' that could lead to other 
train crews or roadway workers identifying a defective authority (e.g., 
a mandatory directive to traverse a track segment already occupied by 
another train). None of the freight railroads has yet demonstrated how 
the transition to full electronic delivery of mandatory directives will 
be accomplished. FRA believes that the transition will eventually be 
made, but in the initial period it is critical that existing provisions 
for safety--which work very well a very high percentage of the time--
not be prematurely abandoned; these provisions include appropriate 
access to the PTC system display. Although FRA agrees that transmission 
of valid authorities should be more secure, and thus the trade-off is 
likely to be favorable, FRA sees no reason at this time to take a 
second or third crew member out of the loop or to load on the engineer 
the responsibility for both receiving mandatory directives and briefing 
the second or third crew member who will be expected under the 
railroad's rules to comply.
    FRA believes it is important to the risk assessment process that 
the engineer and conductor perform at a level no less safe than they 
would have had there not been a PTC system. The PTC systems proposed 
for freight railroads are overlay systems. In an overlay system, the 
railroad adds a layer of safety to the existing operation. The risk 
assessment then is relatively easy, because it is easy to show that the 
new system adds safety, reducing the risk of certain accidents, while 
not adding any new risk. The key assumption of the risk assessment is 
no degradation of the underlying safety system, and the performance of 
crewmembers is a key element of that safety system.
    It is impossible at present to quantify the additional risk 
associated with adding a task which compromises the safe operation of 
the train by the engineer or conductor, even if only for a short time. 
Engineers and conductors have an excellent record of avoiding 
accidents. PTC seeks to improve upon that excellent record. The 
existing human factors literature leads one to believe that entering 
complex acknowledgements into a PTC system while the train is in motion 
is a very significant risk. To quantify that risk, one would have to 
put it into the context of comparative safety using a human factors 
model far more complex and accurate than any of which FRA is aware. 
Also note that PTC does not address all accident scenarios, many of 
which are often avoided by timely locomotive engineer intervention. The 
timeliness of such intervention is dependent on situational awareness, 
which would be negatively impacted if the engineer were distracted. 
Reading text on a PTC screen appears to be as distracting as reading 
text on a cell phone or PDA and texting in reply. In order for FRA to 
accept the diversion of the engineer's attention which would come from 
having the engineer review and accept the mandatory directives while 
the train is motion, FRA would need a process different from the 
current risk assessment methodology. That in turn would require FRA to 
impose a specification standard, instead of a performance standard. 
Were FRA issuing only a specification standard, FRA would require the 
second display and input unit.
    In short, the rule as it stands relies on comparing system risk, 
which is easy if the engineer is not distracted by the system, but 
impossible if the engineer might be distracted. What we do know with 
certainty is that having the engineer read and respond to lengthy 
written messages on the PTC screen would be a distraction resulting in 
greater risk exposure which would offset to some extent the risk 
reduction resulting from PTC systems.
    AAR argues that the requirement in Sec.  236.1029(f) pertaining to 
distraction of the locomotive engineer should be deleted. The AAR 
claims that FRA does not offer any study showing that safety is 
jeopardized by assigning the engineer PTC-related duties. FRA has 
directly observed engineers exceeding authorities while attempting to 
respond to PTC system requirements on tests of existing PTC systems. In 
those cases, the engineer was attempting to respond to digitally 
transmitted authority while the train was in motion and was plainly 
distracted from safety-critical duties. FRA does not need a study to 
verify the possibility of that which it has observed directly.
    The AAR also raises an issue of accuracy in transmitting and 
receiving mandatory directives, and appears to make the argument that 
because electronic transmission of mandatory directives is likely to be 
much more accurate than voice communication of mandatory directives, 
that all will be safer if mandatory directives are transmitted 
electronically. FRA agrees that the electronic transmission is likely 
to be more accurate, but does not agree that accurate transmission is 
the only safety issue. FRA is concerned with procedures which might 
distract the engineer from his duties. There is no problem if the 
railroad intends to have engineers receive, review, and acknowledge 
mandatory directives, unless the railroad wants the engineer to perform 
that task with the train in motion, and provided the engineer can take 
the time to brief other crew members, who under current railroad 
operating rules would need to copy and retain the orders.
    All systems of which FRA is aware will require the crew to 
acknowledge the mandatory directives. FRA has seen system designs that 
would permit acknowledgement by simply pressing a button. There is no 
reason to believe that simply pressing a button demonstrates 
understanding of a mandatory directive, and FRA does not intend to 
approve such systems because they will not provide an adequate level of 
safety. Simply pressing a button does not provide the evidence of 
comprehension and mutual understanding currently provided by the 
practice of reading mandatory directives back to the dispatcher over 
the radio. Even if this means of acknowledgment is elected and approved 
by FRA, it would be necessary for an engineer receiving such a 
directive to read it and consider its relevance to the current 
situation. This

[[Page 2671]]

could distract the engineer from actions needed to address other 
restrictions or an emerging situation on the railroad (e.g., need to 
warn equipment or personnel unexpectedly fouling the track ahead, 
requirement to manage a train over undulating terrain to avoid 
excessive in-train forces, emergency use of the train horn because of 
vehicle storage on the tracks in a quiet zone).
    FRA believes that simply referencing the default PTC display screen 
will be consistent with good situational awareness and should not 
present a problem. However, excessive engagement with the PTC onboard 
computer while underway can distract a locomotive engineer from current 
duties. While acknowledgment by use of a single soft key may limit the 
distraction associated with manipulation of the device, it does not 
address whether the directive was understood. It is also possible to 
create greater interaction with the onboard computer while causing 
distraction and yet still not ensure that the directive is understood. 
For instance, a system tested by one railroad required an eight digit 
acknowledgment code to confirm receipt of a mandatory directive. In 
prototype testing locomotive engineers attempting to enter the code 
have exceeded their authority, because entering a code is a distraction 
similar to text messaging (a prohibited practice).\13\
---------------------------------------------------------------------------

    \13\ The response to this kind of concern is typically that the 
PTC system will enforce, which was its purpose to start with. 
However, even vital electronics sometimes fail in other than a safe 
mode, and in that case the crew performance is relied upon to 
backstop the system (rather than the opposite)--assuming that the 
crew has information that it needs to do so. Further, if the 
engineer is distracted even for relatively few seconds the danger 
exists that the engineer will not take other necessary actions 
(sounding the horn at a crossing, monitoring the condition of the 
brake pipe and setting the train up for an upcoming slow order to 
avoid excessive in-train forces, etc.).
---------------------------------------------------------------------------

    In those cases where train consist information needs to be adjusted 
and confirmed in the PTC system, having that done by the conductor will 
eliminate a potential source of error. (Provision of input capability 
on the conductor's terminal will also (if so elected) avoid delays in 
train starts associated with multiple crews attempting to work out 
consist information over the radio or a cell phone link to the central 
office.) Having the conductor observe displayed PTC system data should 
also provide an additional opportunity for early identification of 
problems with mandatory directives and displayed information that may 
derive from corrupted databases, computational errors, or erroneous 
mandatory directives.
    The purpose of paragraph (f) is to ensure that those assigned tasks 
in the cab are able to perform those tasks, including constructive 
engagement with the PTC system. Furthermore, while the train is moving, 
the locomotive engineer would be prohibited from performing functions 
related to the PTC system that have the potential to distract the 
locomotive engineer from performance of other safety-critical duties. 
According to the public comments, that would make it impractical for 
certain freight railroads not to equip its locomotives with a second, 
interactive, display.
    AAR says that FRA cannot point to any computer-related activities 
that could result in distraction of the engineer. The 2009 FRA report 
entitled Technology Implications of a Cognitive Task Analysis for 
Locomotive Engineers touches on this. For example, the report states: 
``Sources of new cognitive demands include constraints imposed by the 
PTC braking profile that require locomotive engineers to modify train 
handling strategies; increases in information and alerts provided by 
the in-cab displays that require locomotive engineers to focus more 
attention on in-cab displays versus out the window, and requirements 
for extensive interaction with the PTC systems (e.g., to initialize 
it--to acknowledge messages and alerts) that impose new sources of 
workload.'' This suggests that, unless task sequencing is managed 
wisely, interaction with PTC can distract the engineer from looking 
outside the cab and attending to other duties important in train 
operation safety.
    Over the years, FRA has conducted significant human factors 
research related to supervisory train control systems such as PTC. In 
the course of that research, it has been noted that the human-machine 
interface (HMI) should be configured to avoid task overload and to 
permit the locomotive engineer to attend to the safe movement of the 
train during all times when it is in motion. This may require 
responding to obstacles on the railroad ahead (e.g., vandalism, cars 
stored on grade crossings, unsecured equipment that has rolled out, 
personnel in the foul without prior notice to train crews), without 
regard to risk of collision with other trains. Further, FRA has noted 
from its experience with the initial freight implementations of PTC 
systems that having the second crew member, where applicable, directly 
interact with the PTC system may offer the best likelihood of its safe 
functioning. For instance, train consist information (number of 
locomotives and cars, tonnage, length of train) is provided in ETMS 
from the company's management information system). That information is 
essential to the braking computation onboard. But this is often the 
intended consist, and the actual consist may vary. Having the crew 
member responsible for the accuracy of the consist enter or confirm the 
consist in the PTC system will avoid one opportunity for error each 
time this is accomplished (which, in the case of a road switching 
assignment, may be several times during a duty tour).
    The NPRM proposed, and the final rule requires, that the onboard 
apparatus be arranged so that each crew member assigned to perform 
duties in the locomotive cab could view a PTC display and execute any 
functions necessary to that crew member's duties. This provision does 
not require multiple screens, per se, nor does it require that more 
than one employee must be assigned to a crew. In fact, the proposed and 
final rules are technology neutral.
    FRA is aware of multiple ways that paragraph (f) may be satisfied 
in the event multiple crew members are in the cab and need access to 
the information provided by the PTC system. Each alternative has its 
own advantages and difficulties. FRA is ultimately concerned that the 
crew members receive the same information displayed in the same manner. 
I.e., if an engineer is looking at a graphic on a screen, a conductor 
in the same cab should be looking at the same graphic on whatever 
device the conductor is using.
    For instance, there can be a single large display placed in a 
location within the cab making it accessible to all crew members in the 
cab (as is done by Amtrak in the ACSES system used on the Northeast 
Corridor). A single display (similar to traditional cab signals) could 
be used if sufficiently large to provide adequate resolution of 
details. If the railroad opts to use a PTC system that includes the 
added functionality of digital transmissions for these purposes, a 
single screen placed between the crew members may be appropriate.
    A configuration may also include two fixed screens; one for the 
locomotive engineer and another for other crew members. In providing 
cost estimates for this rulemaking, the Class I railroads have assumed 
that this approach would be employed and that the display would be 
associated with an interactive terminal. FRA does not question the 
rationale in this manner and has approached costs estimates in the 
Regulatory Impact Analysis with this assumption.

[[Page 2672]]

    The railroads have also discussed the possibility that, where the 
locomotive engineer may have his or her own fixed screen, the other 
crew members could make use of individual ``heads-up'' displays or 
personal hand-held or portable wired or wireless devices with train 
control software, which could be set up as an interactive terminal. 
Through its Office of Research and Development, FRA has developed 
personal digital assistant (PDA) software for management of roadway 
worker authorities at a reasonable cost (at approximately one-quarter 
of the cost of a second dash-mounted display), and doing the same for a 
crew remote terminal should be just as practical. The vendor for the 
on-board portion of the ITC system already provides a router port, and 
routers are inexpensive. FRA assumes that there would be some 
additional costs related to replacement of misplaced or damaged devices 
and changing of batteries, but those costs should be reasonable. Under 
paragraph (f), hand-held or portable devices could be implemented and 
would have the same advantages as a fixed terminal. FRA does not 
require that the display be permanently affixed to the locomotive. The 
advantage of this approach would be a lesser initial cost, likely about 
one-fourth of the fixed terminal. Disadvantages include logistics of 
handling (loss, damage).
    The major freight railroads point to passenger service as evidence 
that a ``second display'' is not required, but their arguments are 
inapposite. Crew responsibilities and interactions on passenger trains 
are historically different than is the case with freight crews, and 
thus crew resource management will not be undercut by use of a single 
display. For instance, in the case of a passenger train with a single 
locomotive engineer, the engineer will have the opportunity to 
initialize the system at the point of departure by making a relatively 
easy selection for class of train (if this is not done automatically). 
Moreover, unlike in freight operations, crew members for passenger 
operations do not need to enter or confirm detailed consist information 
for a heavy train that may have a wide variety of loaded and empty 
cars. If it is necessary for the locomotive engineer to take a 
mandatory directive through the PTC terminal, that can be done with the 
train stopped at a passenger station, as is the case today using the 
voice radio. Passenger railroads will almost certainly elect to use 
vital on-board processing, so the relative chance of an on-board 
computer error will be less.
    For all of the systems proposed thus far, crewmembers must actively 
review and acknowledge mandatory directives in order for the system to 
provide the required level of safety. Where mandatory directives are 
transmitted by voice over the radio, which is the current practice for 
freight railroads, the conductor would typically be able to copy and 
acknowledge the transmission while the train is in motion. Passenger 
train engineers would have to be stopped (e.g., at a station) in order 
to copy and acknowledge the mandatory directive. See 49 CFR 
220.61(b)(2).
    FRA is aware of three ways to receive, safely review, and 
acknowledge mandatory directives. First, the engineer could receive, 
review, and acknowledge authorities while the train is stopped. Second, 
the conductor could receive, review, and acknowledge voice 
transmissions of mandatory directives, whether or not the train is 
moving. Third, the conductor could receive, review, and acknowledge 
authorities through a device which combines display and data entry 
capabilities, whether or not the train is moving. The first option is 
likely how passenger railroads will comply with the requirements. Such 
railroads have only one crewmember in most cabs. This is likely not to 
be extremely burdensome on most passenger trains, as the engineer can 
receive, review, and acknowledge mandatory directives at passenger 
station stops. Thus, FRA is not being illogical, as AAR asserts, by 
permitting passenger operations with a single cab occupant. What would 
be illogical would be to require a second display where only one 
crewmember is present. Freight locomotives with only one crewmember 
present would also be likely to use the first option, although the cab 
may be equipped with a second display. The second option would only 
require a display be within a conductor's view, but would be much lower 
cost. The third option, which FRA believes may be the norm for freight 
locomotives, may require the aforementioned second fixed screen, heads-
up display, or handheld or portable device. FRA does not believe it 
would be practical for one terminal to serve both crewmembers if both 
may be required to enter or access data.
    It should be noted that employing a fourth option, implied in 
railroad testimony, would be problematic on many fronts. That option 
would presumably involve a single display in front of the locomotive 
engineer. The train would receive electronic authorities exclusively 
through that device, and the engineer would acknowledge receipt using a 
simple procedure (e.g., pressing a single soft key) that was designed 
to hasten the task and limit distraction. The problem with such a 
procedure is that (i) there is no assurance that the engineer would 
understand what was being received, (ii) there is little chance that 
the engineer would identify any authority or slow order that was not 
appropriate to the situation, and (iii) there would be no reasonable 
way to convey the mandatory directive to the other crew member without 
stopping the train and copying it off the screen. This would be a 
perfect prescription for exclusive reliance on technology, which is 
ill-advised and which the railroads claim will not be done (i.e., these 
are said to be ``overlay'' systems that cannot detract from the 
underlying methods of operation).
    Again, the railroads are perhaps correct that safety might still be 
improved under this fourth option, at least as to the operations under 
PTC control, but that is not the question here. The question is whether 
technology will be employed that primarily protects against human error 
on board, or whether technology will be employed that protects most of 
the time but induces human error on other occasions. Every day in the 
United States there are thousands of train starts and hundreds of 
thousands of opportunities for human error in train operations. Yet 
well-trained crews rise to these challenges, and as a result each year 
there are approximately 50 to 60 train collisions on the main lines, a 
small number of overspeed derailments and work zone violations, and a 
handful of movements through misaligned main track switches. 
Accordingly, a relatively small number of wrong-side errors in the 
operation of the PTC system accompanied by any diminishing of vigilance 
on the part of train crew members could easily cause results from PTC 
implementation to fall short of the risk reduction identified in FRA's 
analysis. With time and refinement of technology and databases, there 
may be significant adjustments that can be made in current operating 
rules and procedures. But existing PTC technology for the general 
freight system has not yet been proven at that level, and it will be 
some years before that will be the case. In the meantime, it will be 
crucial that informed and well coordinated crews maintain engagement in 
the management of mandatory directives and compliance with wayside or 
cab-displayed signal indications.
    Accordingly, FRA remains convinced that each crew member should 
have access to, and engagement with, information and requirements 
pertinent

[[Page 2673]]

to the operations for which they are responsible. This third option, 
combined with electronic transmission of mandatory directives, would 
pay for itself in a very short time. Assuming that a train has to be 
stopped twice each day for the engineer to acknowledge a directive, and 
that such a stop results in a cost of at least, and probably a lot more 
than, $80 to account for additional braking and trip time as well as 
missed opportunity for meets and passes, the cost of implementing this 
option would surpass the cost of installing a second terminal in just 
50 days of service as the controlling locomotive. Assuming the 
locomotive is in the lead one-fourth of the time it is in service, the 
avoided cost of stopping would be $8,000, the cost of an additional 
terminal, in 200 days. In other words, the device will return its cost 
in much less than a year.
    Of course, the business benefits of a second terminal are not as 
great if the railroad does not adopt electronic transmission of 
mandatory directives. However, FRA believes that railroads will adopt 
electronic transmission of mandatory directives as rapidly as possible. 
They would benefit from being able to give roadway workers much more 
rapid access to track, as well as by being able to reduce the 
dispatchers' workload. Further, the business benefits envisioned in 
Appendix A require more efficient dispatching, which would rely on 
electronic transmission of mandatory directives, as well as managerial 
directives related to train pacing and meet-pass planning.
    The railroads have made no convincing argument that providing a 
second display would be harmful, as such. Rather, they argue that the 
cost is excessive in relation to any expected benefits. The AAR and 
several Class I freight railroads commented that the cost to install a 
second display in the locomotive would be approximately $8,000 per 
locomotive. According to AAR estimates, 29,461 locomotives would need 
to be equipped. This would translate into an initial installation cost 
of $235,688,000. However, AAR overestimated the number of locomotives, 
based on the document it cites. In that document, FRA estimated that 
27,598 freight locomotives would be equipped with VTMS technology only, 
and an additional 100 freight locomotives would be equipped with both 
VTMS and ACSES technology, for a total of 27,698 locomotives, which, at 
a unit cost of $8,000 per terminal type display, implies a total cost 
of $221,584,000. AAR did not include the locomotives which would have 
both VTMS and ACSES installed, and included passenger locomotives that 
will likely not require additional hardware to meet the requirement due 
to the nature of their operations. FRA does not disagree with the AAR 
and railroad unit cost estimates, as long as what AAR refers to is the 
type of unit that has input capabilities. FRA recognizes that the cost 
is actually for an additional ``terminal'' versus simply a display and 
that it must be made rugged for the locomotive cab operating 
environment. The AAR and other railroads objecting to these 
requirements maintain that there will be little safety benefit to the 
requirements, and that the benefits would be far less than the costs. 
However, in the long run, FRA believes that the additional cost for 
installing a second terminal would be justified by the aforementioned 
business benefits as well as the safety assurance.
    FRA is not altering the cost estimates for PTC from those in the 
analysis of the NPRM, because the costs of the second terminal were 
already reflected.
    FRA notes that estimated cost of the second display will be about 
4% of the total initial costs of PTC deployment. FRA has narrowly 
construed the PTC mandate to avoid separate monitoring of switches in 
signal territory, to avoid significant costs and potential delay 
related to following train collisions at low speed, and to provide 
generous exceptions where allowed by law (restricted speed in yards and 
terminals, passenger exceptions, Class II/III locomotives in limited 
operations on PTC lines, etc.)--actions that will save one or more 
billions of dollars during this initial implementation. If FRA believed 
a deviation from historic train control practice was warranted here to 
save 4% of the initial cost, we would happily provide it. We do not. 
FRA believes that the PTC systems contemplated today will, at some 
point in the future, all accept electronic transmission of mandatory 
directives. The cost of providing a terminal to the second crewmember, 
where applicable, reflects that reality. Were railroads not planning to 
have conductors acknowledge mandatory directives, the railroad could 
provide the conductor with a screen without input devices, or a clearer 
view of the engineer's screen, which have a much lower unit cost.
    FRA has placed in the docket of this rulemaking a document prepared 
by FRA's Office of Research and Development, referencing available 
human factors literature. Although FRA has addressed this issue from 
the point of view of whether the cost is justified, FRA wishes to 
emphasize that, at bottom, it is most crucial whether it would be 
possible to responsibly implement PTC on the national rail system 
without engaging the participation of each assigned crew member. We 
conclude that no such possibility has been demonstrated. Further, based 
upon FRA's knowledge of railroad operations and experience with 
oversight of existing and emerging train control technologies, FRA 
determines that it is essential for safety that each assigned crew 
member be provided the information and access to system inputs required 
to fulfill the crew member's respective duties.
    AAR again raises the issue of single occupant cabs as an issue of 
``crew resource management'' best left to the railroads. FRA maintains 
that these operators will only be authorized to receive, review, and 
acknowledge mandatory directives or similarly interact with the PTC 
systems when their trains are not in motion.
    In the NPRM, FRA noted:

    [T]he principles of crew resource management and current crew 
briefing practices in the railroad industry require that all members 
of a functioning team (e.g., engineer, conductor, dispatcher, 
roadway worker in charge) have all relevant information available to 
facilitate constructive interactions and permit incipient errors to 
be caught and corrected. Retaining and reinforcing this level of 
cooperation will be particularly crucial during the early PTC 
implementation as errors in train consist information, errors 
generated in onboard processing, delays in delivery of safety 
warnings due to radio frequency congestion, and occasional errors in 
dispatching challenge the integrity of PTC systems even as the 
normal reliability of day-to-day functioning supports reductions in 
vigilance. Loss of crew cooperation could easily spill over to other 
functions, including switching operations and management of 
emergency situations.

    Commenters generally made scant reference to this point. The AAR 
did include an attachment to its testimony captioned with reference to 
this point, but it begins with a summary task analysis to the effect 
that ``the conductor is responsible for assisting in the operation.'' 
How the conductor will assist without a copy of the requisite orders 
available, when the duty to copy mandatory directives is eliminated (as 
the AAR assumes it will be), is left unexplained.
    This is a ``far cry'' from section 402 of the RSIA08, which 
requires that FRA adopt regulations for the certification of train 
conductors. In FRA's experience as the agency responsible for oversight 
of railroad operating rules and practices, the conductor plays a key 
role in rail freight over-the-road operations by, inter alia, 
determining the train consist, ensuring compliance with hazardous 
materials placement and documentation

[[Page 2674]]

requirement, calling or acknowledging signals, receiving mandatory 
directives, conducting frequent briefings with the locomotive engineer 
to ensure compliance with movement restrictions, and intervening 
through use of the conductor's brake valve if the engineer is 
unresponsive or incapacitated. A conductor may be disciplined with the 
locomotive engineer if a signal is violated or if a slow order or other 
mandatory directive is disobeyed, and this regularly occurs. The 
conductor plays the determinative role in switching operations, issuing 
the directions for operation of the locomotive(s) so as to accomplish 
safely the placement or pick-up of rail cars at customer locations, the 
making up and breaking up of trains, and the conduct of brake tests 
when mechanical personnel are not available.
    Again, the major freight railroads have said that their PTC systems 
will ``overlay'' existing methods of operations. Those existing methods 
are defined in their books of rules, timetables and special 
instructions. The General Code of Operating Rules, applicable to most 
railroad operations in the western U.S., provides at section 1.47 that 
``The conductor and engineer are responsible for the safety and 
protection of their train and observance of the rules.'' It further 
provides that ``The conductor supervises the operation and 
administration of the train.'' ``The conductor must remind the engineer 
that the train is approaching an area restricted by:
     Limits of authority.
     Track warrant.
     Track bulletin.
 or
     Radio speed restriction.''

The rule continues: ``To ensure the train is operated safely and rules 
are observed, all crew members must act responsibly to prevent 
accidents or rule violations. Crew members in the engine control 
compartment must communicate to each other any restrictions or other 
known conditions that affect the safety operation of their train 
sufficiently in advance of such condition to allow the engineer to take 
proper action.'' The rule further requires communication of signals and 
enjoins crew members to ``take action to ensure safety, using the 
emergency brake valve to stop the train, if necessary.''
    The NORAC Operating Rules, applicable to a number of eastern U.S. 
railroads, provides at Rule 94 for general crew responsibilities 
similar to those quoted above. In addition, Rule 941 provides that 
``Conductors have general charge of the train to which they are 
assigned, and all persons employed thereon are subject to their 
instructions.''
    Each railroad is free, within the constraints of the Railway Labor 
Act as to staffing, and subject to oversight by FRA with respect to 
safety, to determine its operating rules and assignment of 
responsibilities to its personnel. Nevertheless, FRA remains concerned 
that railroad operating crews function as a team, discharging their 
responsibilities on the basis of adequate information and using their 
knowledge of the operating situation to identify safety concerns and 
resolve them. Within this framework, each crew member must remain able 
to respectfully and helpfully question a judgment by another crew 
member. This general approach is known as ``crew resource management'' 
(CRM), a concept perfected in aviation and urgently pressed on the 
railroad industry by the National Transportation Safety Board and the 
FRA. See NTSB Recommendation R-99-13 (July 29, 1999). Major railroads 
have included CRM in their training programs.
    The fear with respect to a diminution of crew integrity and 
efficiency associated with asymmetrical distribution of current 
operational data is that, not only may opportunities be lost to correct 
errors within PTC operations, but also that the conductor's lack of 
engagement will transfer to operations on lines not equipped with PTC. 
Further, any reduction in ability to function as a team could transfer, 
as well, to road and yard switching operations. Should this occur, the 
price paid for PTC would include additional casualties and property 
damage where PTC is not available as a safety net. A substantial 
portion of the Class I freight network, and much of the switching and 
terminal railroad mileage over which Class I crews also operate, will 
not be equipped under the current mandate and perhaps not for many 
years. How crews are conditioned to function together will influence 
their behavior both within and outside of the PTC-equipped network. In 
summary, FRA believes that maintaining the involvement of all assigned 
crew members in operating and responding to the PTC system is necessary 
to achieve the desired risk reduction expected of PTC systems and is 
also necessary to avoid degrading crew performance outside of PTC 
territory and during switching operations.
    NYSMTA requested clarification that in a multiple unit passenger 
train consist: (a) A second PTC display in every train operator 
compartment is not required inasmuch as only the train operator 
occupies the compartment, and; (b) the PTC operator displays in train 
operator compartments in a consist, other than those from which the 
train is operated from, are not to display PTC information while the 
train is en route. The MTA railroads have been repeatedly reassured on 
this point, and we are pleased to do so once again here.
    As previously noted, on September 25, 2009, FRA entered into the 
docket to this rulemaking a compendium of human factors literature 
relevant to the HMI regulations and compiled by FRA's Office of 
Research and Development. AAR then submitted late-filed supplemental 
comments--which posted to the docket on October 20, 2009, approximately 
two months after the closing of the comment period and three weeks 
after FRA entered the compendium into the docket--addressing various 
portions of the compendium. FRA believes that this final rule already 
addresses each one of AAR's substantial concerns in its supplemental 
comments. AAR also states that it ``has been deprived of the 
opportunity to consider its comments in a deliberative fashion.'' 
Supplemental Comment of the Association of American Railroads, Docket 
FRA-2008-0132-0055.1, at 3 (Oct. 20, 2009). However, contrary to AAR's 
suggestion, the Administrative Procedure Act (APA) does not require 
that FRA provide additional time to comment on the compendium. See, 
e.g., Credit Union Nat. Ass'n v. National Credit Union Admin., 57 
F.Supp.2d 294, 302 (E.D. Va. 1995) (agency complied with the APA's 
notice and comment requirements, despite not disclosing certain data 
related to the rulemaking, because the agency had provided a reasonable 
opportunity to participate in the rulemaking process); see also 
Appalachian Power Co. v. E.P.A., 579 F.2d 846, 853 (4th Cir. 1978) 
(despite agency's failure to provide notice of certain data in advance 
of public hearings, interested parties were sufficiently advised of the 
scope and basis of the rulemaking to enable them to comment 
intelligently and meaningfully). Instead, the APA simply states that an 
agency must publish ``the terms or substance of the proposed rule or a 
description of the subjects or issues involved.'' 5 U.S.C. 553(b)(3). 
To meet the requirements of section 553, an agency ``must provide 
sufficient factual detail and rationale for the rule to permit 
interested parties to comment meaningfully.'' Florida Power & Light Co. 
v. United States, 846 F.2d 765, 771 (DC Cir. 1988), cert. denied, 490 
U.S. 1045 (1989).

[[Page 2675]]

    FRA has provided that opportunity in this proceeding. The research 
recited in the compendium simply provided for the benefit of interested 
parties additional information that had previously been made public, 
FRA's views on the import of the research were aired during RSAC 
meetings and are expressed at various points in the NPRM, and the 
railroads obviously had sufficient time to prepare 16 pages of comments 
on the compendium itself. Clearly, the commenters were not prejudiced 
by the inclusion of the compendium in the docket.
Section 236.1031 Previously Approved PTC Systems
    FRA recognizes that substantial effort has been voluntarily 
undertaken by the railroads to develop, test, and deploy PTC systems 
prior to the passage of the RSIA08, and that some of the PTC systems 
have accumulated a significant history of safe and reliable operations. 
In order to facilitate the ability of the railroads to leverage the 
results of PTC design, development, and implementation efforts that 
have been previously approved or recognized by FRA prior to the 
adoption of this subpart, FRA is proposing an expedited certification 
process in this section.
    Under paragraph (a), each railroad that has a PTC system that may 
qualify for expedited treatment would have to submit a Request for 
Expedited Certification (REC) letter. Products that have not received 
approval under the subpart H, or have that have not been previously 
recognized by FRA, would be ineligible. The REC letter may be jointly 
submitted by PTC railroads and suppliers as long as there is at least 
one PTC railroad. A PTC system may qualify for expedited certification 
if it fulfills at least one of the descriptions proposed in paragraphs 
(a)(1) through (a)(3). While these descriptions are objective in 
nature, FRA intends them to cover ETMS, ITCS, and ACSES, respectively. 
The versions or configurations recognized would depend upon the status 
at the time of the request.
    Paragraph (a)(1) applies to systems that have been recognized or 
approved by FRA after submission of a PSP in accordance with subpart H. 
Subpart I generally reflects the same criteria required for a PSP under 
subpart H. Thus, FRA believes that most of the PTCDP and PTCSP 
requirements in subpart I can be fulfilled with the submission of the 
existing and approved PSP. However, FRA notes that the subject railroad 
will also need to submit the information required in a PTCDP and PTCSP 
that is not in the current PSP.
    FRA also recognizes that certain PTC systems may currently operate 
in revenue service with FRA approval through the issuance of a waiver 
or order. Paragraphs (a)(2) and (a)(3) intend to cover those systems.
    If a PTC system complying with paragraph (a)(1) is provided 
expedited certification, the system plans should ultimately match the 
criteria required for each PTCDP and PTCSP. As previously noted, a 
railroad may seek to use a PTC system that has already received a Type 
Approval. To extend this benefit as it applies to previously used 
systems for which expedited certification is provided, paragraph (b) 
gives the Associate Administrator the ability to provide a Type 
Approval to systems receiving expedited certification in accordance 
with paragraph (a)(1).
    FRA recognizes that certain systems eligible for expedited 
certification may not entirely comply with the subsequently issued 
statutory mandate. Accordingly, under paragraph (c), FRA is compelled 
to require that before any Type Approval or expedited certification may 
be provided, the PTC system must be shown to reliably execute the same 
functionalities of every other PTC system required by subpart I. 
Nothing in this abbreviated process should be construed as implying the 
automatic granting by FRA of a Type Approval or PTC System 
Certification. Each expedited request for a Type Approval or PTC System 
Certification must be submitted by the railroad under this abbreviated 
process and, as required under subpart I, must demonstrate that the 
system reliably enforces positive train separation and prevents 
overspeed derailments, incursions into roadway worker zones, and 
movements through misaligned switches.
    Under paragraph (d), FRA encourages railroads, to the maximum 
extent possible, to use proven service history data to support their 
requests for Type Approval and PTC System Certification. While proven 
service history cannot be considered a complete replacement for an 
engineering analysis of the risks and mitigations associated with a PTC 
product, it provides great creditability for the accuracy of the 
engineering analysis. Testing and operation can only show the absence 
or mitigation of a particular failure mode, and FRA believes that there 
will always be some failure modes that may only be determined through 
analysis. Due to this inherent limitation associated with testing and 
operation, FRA also strongly encourages the railroads to also submit 
any available analysis or information.
    Paragraph (e) requires that, to the extent that the PTC system 
proposed for implementation under this subpart is different in 
significant detail from the system previously approved or recognized, 
the changes shall be fully analyzed in the PTCDP or PTCSP as would be 
the case absent prior approval or recognition. FRA understands that the 
PTC product for which expedited Type Approval and PTC System 
Certification is sought may differ in terms of functionality or 
implementation from the PTC product previously approved or recognized 
by FRA. In such a case, the service history and analysis may not align 
directly with the new variant of the product. Similarly, the available 
service history and analysis associated with a PTC product may be 
inconclusive about the reliability of a particular function. It is 
because of these possible situations that FRA can not unequivocally 
promise that all requests for expedited Type Approval and PTC System 
Certification submitted by a railroad under this subpart will be 
automatically granted. FRA will, however, apply the available service 
history and analytical data as credible evidence to the maximum extent 
possible. FRA believes that this still greatly simplifies each 
railroad's task in making its safety case, since the additional testing 
and analysis required need only address those areas for which credible 
evidence is insufficient. To reduce the overall level of financial 
resources and effort necessary to obtain sufficient credible evidence 
to support the claims being made for the safety performance of the 
product, FRA also encourages each railroad to share with other 
railroads a system's service history and the results of any analysis, 
even in the case where the shared information does not fully support a 
particular railroad's safety analysis.
    Paragraph (f) defines terms used only in this section. ``Approved'' 
refers to approval of a PSP under subpart H. As this final rule was 
being prepared, only BNSF ETMS I configuration had been so approved, 
but other systems were under development. ``Recognized'' refers to 
official action permitting a system to be implemented for control of 
train operations under an order or waiver, after review of safety case 
documentation for the implementation. As this NPRM was being prepared, 
only ACSES I had been recognized under an order of particular 
applicability, and ACSES II was under review for potential approval. 
Only one system, the ITCS in place on Amtrak's Michigan line, had been 
approved for unrestricted revenue service under waiver.

[[Page 2676]]

    FRA was unable to fashion an outright ``grandfathering'' of 
equipment previously used in transit and foreign service. FRA does not 
have the same degree of direct access to the service history of these 
systems. Transit systems--except those that are connected to the 
general railroad system--are not directly regulated by FRA. FRA has had 
limited positive experience eliciting safety documentation from foreign 
authorities, particularly given the influence of national industrial 
policies.
    However, FRA believes that, while complete exclusion may not be 
available in those circumstances, procedural simplification may be 
possible. FRA is considering a procedure under which the railroad and 
supplier could establish safety performance at the highest level of 
analysis for the particular product, relying in part on experience in 
the other service environments and showing why similar performance 
should be expected in the U.S. environment. Foreign signal suppliers 
should be in a good position to marshal service histories for these 
products and present them as part of the railroad's PTCSP. For any 
change, the applicant must provide additional information that will 
enable FRA to make an informed decision regarding the potential impact 
of the change on safety. This information must include, but is not 
limited to, the following: (1) A detailed description of the change; 
(2) a detailed description of the hardware and software impacted by the 
change; (3) a detailed description of any new functional data flows 
resulting from the change; (4) the results of the analysis used to 
verify that the change did not introduce any new safety risks or, if 
the change did introduce any new safety risks, a detailed description 
of the new safety risks and the associated risk mitigation actions 
taken; (5) the results of the tests used to verify and validate the 
correct functionality of the product after the change has been made; 
(6) a detailed description of any required modifications in the 
railroad training plan that are necessary for continued safe operation 
of the product after the change; and (7) a detailed description of any 
new test equipment and maintenance procedures required for the 
continued safe operation of the product.
    In the same vein, paragraph (g) encourages re-use of safety case 
documentation previously reviewed, whether under subpart H or subpart 
I.
Section 236.1033 Communications and Security Requirements
    Subpart I provides specific communications security requirements 
for PTC system messages. Section 236.1033 originated from the radio and 
communications task force within the PTC Working Group. The objectives 
of the requirements are to ensure data integrity and authentication for 
communications with and within a PTC system.
    In data communications, ``cleartext'' is a message or data in a 
form that is immediately comprehensible to a human being without 
additional processing. In particular, it implies that this message is 
transferred or stored without cryptographic protection. It is related 
to, but not entirely equivalent to, the term ``plaintext.'' Formally, 
plaintext is information that is fed as an input to a cryptographic 
process, while ``ciphertext'' is what comes out of that process. 
Plaintext might be compressed, encrypted, or otherwise manipulated 
before the cryptographic process is applied, so it is quite common to 
find plaintext that is not cleartext. Cleartext material is sometimes 
in plain text form, meaning a sequence of characters without 
formatting, but this is not strictly required. The security 
requirements are consistent with the Department of Homeland Security 
(DHS) guidance for SCADA systems and the National Institute of 
Standards and Technology guidance. FRA has coordinated this final rule 
with DHS.
    Paragraph (a) establishes the requirement for message integrity and 
authentication. Integrity is the assurance that data is consistent and 
correct. Generally speaking, in cryptography and information security, 
integrity refers to the validity of data. Integrity can be compromised 
through malicious altering--such as an attacker altering an account 
number in a bank transaction, or forgery of an identity document--or 
accidental altering--such as a transmission error, or a hard disk 
crash. A level of data integrity can be achieved by mechanisms such as 
parity bits and cyclic redundancy codes. Such techniques, however, are 
designed only to detect some proportion of accidental bit errors; they 
are powerless to thwart deliberate data manipulation by a determined 
adversary whose goal is to modify the content of the data for his or 
her own gain. To protect data against this sort of attack, 
cryptographic techniques are required. Thus, appropriate algorithms and 
keys must be employed and commonly understood between the entity 
wanting to provide data integrity and the entity wanting to be assured 
of data integrity.
    Authentication is the act of establishing or confirming something 
(or someone) as authentic. Various systems have been invented to 
provide a means for readers to reliably authenticate the sender. In any 
event, the communication must be properly protected; otherwise, an 
eavesdropper can simply copy the relevant data and later replay it, 
thereby successfully masquerading as the original, legitimate entity.
    Sender authentication typically finds application in two primary 
contexts. Entity identification serves simply to identify the specific 
entity involved, essentially in isolation from any other activity that 
the entity might want to perform. The second context is data origin 
identification, which identifies a specific entity as the source or 
origin of a given piece of data. This is not entity identification in 
isolation, nor is it entity identification for the explicit purpose of 
enabling some other activity. Rather, this is identification with the 
intent of statically and irrevocably binding the identified entity to 
some particular data, regardless of any subsequent activities in which 
the entity might engage. Cryptographically based signatures provide 
nearly irrefutable evidence that can be used subsequently to prove to a 
third party that this entity did originate--or at least possess--the 
data.
    Paragraph (b)(1) requires that cryptographic algorithms and keys 
used to establish integrity and authenticity be approved by either the 
National Institute of Standards & Technology (NIST) or a similar 
standards organization acceptable to FRA. As a practical matter, 
cryptographic algorithms can be believed secure by competent, 
experienced, and practicing cryptographers. This requires that the 
algorithms be publicly known and have been seriously studied by working 
cryptographers. Algorithms that have been approved by NIST (or similar 
standards bodies) can be assured of being both publicly known and 
seriously studied.
    Paragraph (b)(2) allows the use of either manual or automated means 
to distribute keys. Key distribution is the most important component in 
secure transmissions. The general key distribution problem refers to 
the task of distributing keys between communicating parties to provide 
the required security properties. Frequent key changes are usually 
desirable to limit the amount of data compromised if an attacker learns 
the key. Therefore, the strength of any cryptographic system

[[Page 2677]]

results with the key distribution technique, a term that refers to the 
means of delivering a key to two parties that wish to exchange data 
without allowing others to see the key. Key distribution can be 
achieved in a number of ways. There are various combinations by which a 
key can be selected manually or in automation amongst one or multiple 
parties.
    Paragraph (b)(3) establishes the conditions under which 
cryptographic keys must be revoked. Paragraph (b)(3)(i) addresses the 
situation when a key has actually been found to have been compromised 
and when the possibility of key compromise exists. Cryptographic 
algorithms are part of the foundations of the security house, and any 
house with weak foundations will collapse. Adequate procedures should 
be foreseen to take an algorithm out of service or to upgrade an 
algorithm which has been used beyond its lifetime.
    Paragraph (d) addresses physical protection as applied to 
cryptographic equipment. Compliance does not necessitate locking 
devices within mechanical safes or enclosing their electronics within 
thick steel or concrete shields (i.e., making them tamper-proof). 
Compliance does, however, involve using sound design practices to 
construct a system capable of attack detection by a comprehensive range 
of sensors (i.e., tamper resistant). The level of physical security 
suggested should be such that unauthorized attempts at access or use 
will either be unsuccessful or will have a high probability of being 
detected during or after the event. Additionally, the cryptographic 
equipment should be prominently situated in operation so that its 
condition (outward appearance, indicators, controls, etc.) is easily 
visible to minimize the possibility of undetected penetration. In any 
system containing detection and destruction methods as described here, 
there is naturally a cost penalty for providing very high levels of 
tamper resistance, due to construction and test requirements by the 
manufacturer. It is naturally important to analyze the risks of key 
disclosure against cost of protection and specify a suitable 
implementation.
    Confidentiality has been defined by the International Organization 
for Standardization (ISO) as ``ensuring that information is accessible 
only to those authorized to have access.'' Confidentiality, integrity, 
and authentication all rely on the same basic cryptographic 
primitives--algorithms with basic cryptographic properties--and their 
relationship to other cryptographic problems. These primitives provide 
fundamental properties, which guarantee one or more of the high-level 
security properties. In paragraph (e)(1), FRA makes it clear that while 
providing for confidentiality of message data is not a regulatory 
requirement, if confidentiality is elected to be implemented by a 
railroad, that the same protection mechanisms applicable to the 
cryptographic primitives that support integrity and authentication must 
also be provided for the cryptographic primitives that support 
confidentiality.
    It is only the difficulty of obtaining the key that determines 
security of the system, provided that there is no analytic attack 
(i.e., a ``structural weakness'' in the algorithms or protocols used), 
and assuming that the key is not otherwise available (such as via 
theft, extortion, or compromise of computer systems). A key should 
therefore be large enough that a brute force attack (possible against 
any encryption algorithm) is infeasible, whereas the attack would take 
too long to execute. Under information theory, to achieve perfect 
secrecy, it is necessary for the key length to be at least as large as 
the message to be transmitted and only used once (this algorithm is 
called the one-time pad). In light of this, and the practical 
difficulty of managing such long keys, modern cryptographic practice 
has discarded the notion of perfect secrecy as a requirement for 
encryption, and instead focuses on computational security. Under this 
definition, the computational requirements of breaking an encrypted 
text must be infeasible for an attacker. Paragraph (e)(2) requires that 
in the event that a railroad elects to implement confidentiality, the 
chosen key length should provide the appropriate level of computational 
complexity to protect the information being protected, and that this 
information be included in the PTCSP. Both academic and private 
organizations provide recommendations and mathematical formulas to 
approximate the minimum key size requirement for security based on 
mathematic attacks; they generally do not take algorithmic attacks, 
hardware flaws, or other such issues into account. Paragraph (e)(2) has 
been revised in the final rule to correct an erroneous cross-reference 
to the security requirements set forth in Sec.  236.1013(a)(7).
    Key management--the process of handling and controlling 
cryptographic keys and associated material during their life cycle in a 
cryptographic system--includes ordering, generating, distributing, 
storing, loading, escrowing, archiving, auditing, and destroying the 
different types of material. Paragraph (e) requires that cleartext 
stored cryptographic keys be protected from unauthorized disclosure, 
modification, or substitution. During key management, however, it may 
be necessary to validate the accuracy of the key being entered, 
especially in cases where the key management process is being done 
manually. During the key entry process, keys not encrypted to protect 
against disclosures may be temporarily displayed to allow visual 
verification. However, if the key has been encrypted to protect against 
disclosure, then the cleartext version of the key may not be displayed. 
This does not, however, preclude the display of the encrypted version 
of the key.
    In paragraph (f), FRA requires that each railroad implement a 
service restoration and mitigation plan to address restoral of 
communications services in the event of their loss or disruption and to 
make this plan available to FRA. Loss of communications services 
reduces or eliminates the effectiveness of a PTC system and FRA 
requires that these critical safety systems, once implemented, are 
restored to operation as soon as practical. FRA believes that the 
restoration plan must include testing and validating the plan, 
communicating the plan, and validating backup and restoration 
operations.
    To ensure that these or any other procedures work in the railroad's 
operational environment, the railroad must validate each procedure 
intended for implementation. The backup and restoration plan should 
clearly describe who is to implement procedures and how they are to do 
it. The primary information to be communicated includes: The team or 
person (specified as an individual or a role) that is responsible for 
determining when restoration of service is required and the procedures 
to be used to restore service, as well as the team or person 
responsible for implementing procedures for each restoration scenario; 
the criteria for determining which restoration procedures are most 
appropriate for a specific situation; the time estimates for 
restoration of service in each restoration scenario; the restoration 
procedures to be used, including the tools required to complete each 
procedure; and the information required to restore data and settings.
    Finally, paragraph (g) makes clear that railroads are permitted to 
implement more restrictive security requirements provided the 
requirements do not adversely impact the interoperability.

[[Page 2678]]

    FRA has received no comments on Sec.  236.1033 and has adopted it 
as proposed.
Section 236.1035 Field Testing Requirements
    Initial field or subsequent regression testing of a PTC product on 
the general rail system is often required before the product has been 
certified in order to obtain data to support the safety case presented 
in the PTCSP. To ensure the safety of the public and train crews, prior 
FRA approval is required to conduct test operations on the general rail 
system. This paragraph provides an alternative to the waiver process 
when only part 236 regulations are involved. When regulations 
concerning track safety grade crossing safety or when operational rules 
are involved, however, this process would not be available. Such 
testing may also implicate other safety issues, including adequacy of 
warning at highway-rail crossings (including part 234 compliance), 
qualification of passenger equipment (part 238), sufficiency of the 
track structure to support higher speeds or unbalance (part 213), and a 
variety of other safety issues, not all of which can be anticipated in 
any special approval procedure. Approval under this part for testing 
does not grant relief from other parts of this title and the railroads 
must still apply for relief from the non-part 236 regulations under the 
discrete special approval sections of those regulations, the provisions 
of part 211 related to waivers, or both.
    The information required for this filing is described in paragraphs 
236.1035(a)(1) through (a)(7). This information is necessary in order 
for FRA to make informed decisions regarding the safety of testing 
operations. FRA would prefer that the informational filings to test 
under this part be accompanied by any requests for relief from non-part 
236 regulations so that they may be considered as a whole.
    Paragraph (b) provides notification that FRA may--based on the 
results of the review of the information provided in paragraph (a) and 
in order to provide additional oversight to ensure the safety of rail 
operations--impose special conditions on the execution of the testing, 
including the appointment of an FRA test monitor. When a test monitor 
is appointed, he or she has the authority to stop testing if unsafe 
conditions arise, require additional tests as necessary to demonstrate 
the safe operation of the system, or have tests rerun when the results 
are in question.
    Paragraph (c) reemphasizes the earlier discussion that either 
temporary or permanent requests for relief for other than requirements 
of part 236 must be submitted in accordance with the waiver processes 
specified by part 211.
    FRA has received no comments on Sec.  236.1035 and has adopted it 
as proposed.
Sections 236.1037 Through 236.1049
    In subpart H, Sec. Sec.  236.917 through 236.929 contain various 
requirements that involve PSPs. FRA believes that these requirements 
should apply equally to PTC systems governed by subpart I. FRA has 
included Sec. Sec.  236.1037 to 236.1049 to inform interested parties 
how these elements would apply. FRA intends that the meanings of those 
sections in subpart H, as described in the preamble to its proposed and 
final rules, would also apply equally in the context of this final 
rule. While FRA has considered amending these sections in subpart H to 
incorporate references to subpart I, FRA believes such an attempt and 
its results would be cumbersome and awkward. Thus, FRA has included the 
provisions in subpart I for clarity.
    The Rail Labor Organizations have expressed support for the 
training and qualification provisions in Sec. Sec.  236.1041, 236.1045, 
236.1047, and 236.1049 and support an expansion of PTC personnel 
training requirements, as necessary, based upon experience gained and 
any training deficiencies identified during operations of these 
systems. The RLO states that training on the PTC system is essential 
for all employees who will interface with this technology. While the 
RLO supports the requirement that employees must maintain the skill 
level necessary to safely operate trains, they urge FRA to consider 
that the ``4 hour work period'' of manual operation of a train should 
be conducted not less often than once in any given tour of duty. 
Considering that the maximum workday (except in extreme emergencies) is 
12 hours, the locomotive engineer will then be manually operating the 
train at least 33% of the time. FRA has considered this suggestion for 
a change in the approach from subpart H. However, FRA believes that 
this is an issue that should be more specifically addressed in the 
PTCSP for the system, should automatic operation ever be proposed.
Appendix A to Part 236--Civil Penalties
    Appendix A to part 236 contains a schedule of civil penalties for 
use in connection with this part. FRA is revising this schedule of 
civil penalties through issuance of the final rule to reflect the 
addition of subpart I to this part.
Appendix B to Part 236--Risk Assessment Criteria
    FRA hereby modifies Appendix B of part 236 to enhance the language 
for risk assessment criteria in light of the experience gained during 
the initial stage of PTC system implementation under subpart H and to 
accommodate the requirements of subpart I regulating the use of 
mandatory PTC systems. As modified, Appendix B includes certain 
headings and new language in paragraphs (a) through (h).
    Paragraph (a) reflects the change in the required length of time 
over which the system's risk must be computed. FRA replaces the 
requirement to assess risk for the system ``over the life-cycle of 25 
years or greater'' with the requirement to assess risk ``over the 
designed life-cycle of the product.'' FRA believes that the language is 
consistent with the preamble discussion of the subpart H final rule 
inasmuch that they do not specify the length of a system's life cycle, 
thereby providing flexibility for new processor-based systems to have a 
life cycle other than 25 years.
    FRA hereby modifies paragraph (b) only to clarify FRA's intent.
    FRA hereby modifies the heading and content of paragraph (c) to 
better identify the main purpose of this requirement and to ensure its 
consistency with the associated requirements of Sec. Sec.  236.909(c) 
and (d). FRA believes that previous paragraph (c) and its heading did 
not fully support or clarify the main intent of subpart H, which 
requires that the total cost of hazardous events should be the risk 
measure for a full risk assessment and that the mean time to hazardous 
event (MTTHE) calculations for all hazardous events should be the risk 
measure for the abbreviated risk assessment. The existing subpart H 
text asks for both the base case and the proposed case to be expressed 
in the same metrics. Paragraph (c) of this appendix, as written prior 
to the issuance of this final rule, did not fully reflect FRA's intent 
that the same risk metric is to be used in the risk assessment for both 
the previous and current conditions (see Sec.  236.913(g)(2)(vii)). FRA 
believes that the revised title of this paragraph poses the right 
question and that its new language provides better guidance on how to 
perform risk assessment for previous and current conditions.
    FRA hereby modifies the heading and text of paragraph (d) to create 
a comprehensive and detailed list of system characteristics that must 
be included in the risk assessment for each proposed PTC system subject 
to requirements of subpart H or subpart I,

[[Page 2679]]

or both, as applicable. FRA believes that the extended description of 
system characteristics better suits the risk assessment requirements of 
subpart H and subpart I. For example, the revisions clarify that the 
risk assessment must account for the total volume of traffic, the type 
of transported freight materials (PIH, TIH), and any additional 
requirements for PTC systems with trains operating at certain speeds.
    FRA hereby modifies paragraph (e) to clarify its intent and reflect 
the industry's experience in risk assessment techniques gained during 
the initial stage of PTC system implementation under subpart H. In the 
language of paragraph (e), FRA provides more specific guidance on how 
to derive the main risk characteristics, MTTHE, and what role 
reliability and availability parameters, such as mean time to failure 
(MTTF) or mean time between failures (MTBF), for different system 
components can play while assessing risk for vital and non-vital 
hardware or software components of the system. FRA emphasizes that it 
is critical that each railroad and its vendors or suppliers include the 
software failure rates into risk assessments for the system. FRA also 
finds it necessary to advise each railroad and its vendors or suppliers 
to include reliability and availability characteristics, such as MTTF 
or MTBF, into its risk assessment to account for potential system 
exposure to hazards during system failures or malfunctioning when the 
system operates in its fall back mode--the back-up operation, as 
described in the PTCSP, when the PTC system fails to operate.
    FRA believes that the modifications to paragraph (e) more 
accurately address the industry's need for clarity in interpretation 
and execution of the requirements related to risk assessment. FRA 
received comments from HCRQ/CGI noting that the phrases ``frequency of 
hazardous events'' and ``failure frequency'', which were contained in 
paragraph (e) of the proposed rule, are equivalent. HCRQ/CGI therefore 
recommended that FRA revise the second sentence in paragraph (e) to 
read as follows: ``The MTTHE is to be derived for both fail-safe and 
non-fail-safe subsystems or components.'' FRA agrees with this 
recommendation and has therefore revised the second sentence of 
paragraph (e) accordingly.
    Several commenters questioned whether additional guidance on 
acceptable methods for calculating MTTHE values for processor-based 
subsystems and components can be given by FRA. FRA believes it is 
inappropriate to provide this guidance in the text of the final rule, 
especially counting the fact that FRA is not to be involved in all 
aspects of the design and engineering associated with a product. Any 
guidance that FRA could provide would not reflect the level of 
understanding that the vendor(s) or supplier(s) and system integrators 
of the product should have gained throughout the design and 
implementation process that would enable them to specify, evaluate and 
determine such critical measures as MTTF, MTBF, and MTTHE. There is a 
large body of publicly available work from the research and engineering 
community that addresses various perspectives on determination of 
appropriate methods of determining MTTHE and other related parameters. 
Upon receipt of the risk assessment documentation in the PTCSP, FRA 
will provide feedback on the appropriateness of a vendor, supplier, or 
railroad selected methodology for determining MTTHE and the 
acceptability of the results of calculations based on that methodology 
with respect to regulatory acceptability. However FRA views the 
specification and determination of appropriate MTTHE and other design 
parameters as a fundamental responsibility of the system integrator, 
vendor, or supplier that neither can nor should be abrogated.
    FRA received comments on the last sentence in paragraph (f)(1) from 
HCRQ/CGI, in which HCRQ/CGI asserted that ``permanent'' faults would 
result in an MTTHE of zero. In addition, HCRQ/CGI asserted that 
``transient'' by definition is something that comes and then goes away, 
which may never be detected. Thus, HCRQ/CGI questioned how one could 
determine the rate of its occurrence. In order to address these 
concerns, HCRQ/CGI recommended that FRA revise the last sentence in 
paragraph (f)(1) to read as follows: ``The MTTHE calculation must 
consider the rates of failures caused by contributory faults accounting 
for the fault coverage of the integrated hardware/software subsystem or 
component, phased interval maintenance, and restoration of the detected 
failures.''
    In response to this comment, FRA would like to reiterate that the 
main intent of the requirement specified in paragraph (f)(1) was to 
request that the statistics on subsystem or component failures 
available for MTTHE calculation must be used in its entirety. This 
means that all types of failures (faults) observed during subsystem or 
component operation should be accounted for, regardless of the types of 
failures by their appearance to the observer (permanent, transient or 
intermittent), and regardless of whether the failure was caused by the 
fault of the subsystem or component itself or by errors of the 
operating agent (human factor associated with operation, maintenance or 
restoration of the subsystem). FRA feels that replacing the enumerated 
in the original text types of faults ``permanent, transient, and 
intermittent'' with the term ``contributory faults'' will not assure 
that all types of faults will be accounted for. FRA also notes that the 
derivation of MTTHE for the operating system, subsystem or component 
for which the risk assessment is to be performed is a complex process 
which may require the use of Fault Tree Analysis or other relevant 
techniques. These techniques will use the probabilities of single point 
component failures identified for the system. This process cannot lead 
to MTTHE of zero value. Neither can this process result in MTTHE being 
equal to infinity. The calculated probability of accidents (the inverse 
value of MTTHE) may be infinitely small to the extent that the safety 
requirement of this Part is met (i.e., during the entire life time of 
the system it is very unlikely for the accident to occur), but rarely 
will the probability of such events be zero in a practical world. Based 
on this reasoning, FRA retains the text in proposed paragraph (f)(1).
    FRA hereby modifies paragraph (f)(2) to reflect FRA's understanding 
that a software failure analysis may not necessarily be based on MTTHE 
``Verification and Validation'' processes and that MTTHE 
characteristics cannot be easily obtained for the system software 
components. The modification intends to outline the significance of 
detailed software fault/failure analysis and software testing to 
demonstrate repeatable predictive results that all software defects are 
identified and corrected.
    FRA received comments from HCRQ/CGI on paragraph (f)(2), in which 
HCRQ/CGI asserted that ``proper'' assessment is open to interpretation, 
while Real Time Operating System (RTOS) ``evaluation'' is possible. 
HCRQ/CGI also asserted that the assessment of device driver software 
would require the source code, which is usually proprietary. Thus, 
HCRQ/CGI recommended that the assessment should include Commercial Off-
The-Shelf (COTS) software, if incorporated, other than the operating 
system. HCRQ/CGI asserted that FRA could make this change by revising 
the first sentence in paragraph (f)(2) to read as follows: ``Software 
fault/failure analysis must be based on the assessment of the design 
and implementation of the application code, an evaluation of the 
operating/

[[Page 2680]]

executive program and other COTS software components.'' HCRQ/CGI also 
commented that it is not possible to demonstrate that all software 
defects have been identified with a high degree of confidence. HCRQ/CGI 
quotes a famous statement made years ago (author unknown): ``It is 
common in industry to find a piece of software, which has been 
subjected to a thorough and disciplined testing regime, has serious 
flaws.'' HCRQ/CGI asserted that it is not clear what ``high degree of 
confidence'' implies. Therefore, HCRQ/CGI recommended that the last 
sentence in paragraph (f)(2) be revised to read as follows: ``The 
software assessment process must demonstrate, through repeatable 
predictive results, that the software operates as specified without 
error.''
    In response to this comment, FRA revises paragraph (f)(2) to 
replace the phrase ``proper assessment'' with the word ``assessment,'' 
and to specify that ``all safety-related software'' should be included 
in the software fault/failure analysis including COTS software.
    However, FRA disagrees with the commenter that, in the requirement 
for the software defects to be identified and corrected with the ``high 
degree of confidence,'' the term ``high degree of confidence'' requires 
further clarification. The definition of this term is already given in 
the preamble discussion for Sec.  236.903 in subpart H of this part. 
See 70 FR 11,052, 11,067 (Mar. 7, 2005). This term is widely issued in 
sections of this part related to safety and risk assessment. Therefore, 
FRA leaves the last sentence of paragraph (f)(2) unchanged.
    FRA hereby modifies paragraph (g) to clarify that MMTHE 
calculations should account for the restoration time after system or 
component failure and that the system design must be assessed for 
adequacy through the Verification and Validation process.
    HCRQ/CG, in reference to paragraph (g)(1), repeated its comment 
given for the last sentence in paragraph (f)(1) that relates to the 
types of faults (permanent, transient).
    FRA notes that the explanations provided in FRA's response to this 
comment for paragraph (f)(1) are also applicable for this paragraph and 
therefore includes the text of proposed (g)(1) in the final rule.
    FRA hereby modifies paragraph (h) to emphasize the need to document 
all assumptions made during the risk assessment process. FRA believes 
that the assumptions should be documented while deriving the total cost 
of potential accident consequences for full risk assessment or MTTHE 
values for abbreviated risk assessment, rather than only documenting 
assumptions for other intermediate parameters, such as MTTF and Mean 
Time To Repair (MTTR), as currently required. These two referenced 
parameters may or may not be relevant for the risk assessment.
    FRA received comments from HCRQ/CGI on paragraph (h)(1), in which 
HCRQ/CGI asserted that the first sentence should be its own paragraph. 
However, HCRQ/CGI also asserted that the proposed rule text was unclear 
as to how the railroad would be expected to comply with this 
requirement.
    FRA disagrees with the commenter that the paragraph (h)(1) should 
be restructured and that further clarification is required for the 
process of documenting all assumptions made while deriving the risk 
metrics that are to be used in the risk assessment for the product. In 
order for FRA to assess the validity of risk assessment done by 
railroads for their particular products, all assumptions made by the 
railroad in regards of deriving chosen risk metrics shall be presented 
along with the risk assessment. This is critical for the further 
confirmation that the assumptions made were correct based on the 
following in-service experience. Documenting assumptions made in the 
process of risk analysis is rather common procedure recommended by 
various studies in safety and reliability engineering.
    In its comments, HCRQ/CGI also asserted that there is no need to 
specify an ``automated'' process for comparing risk assessment 
assumptions with actual experience. This comment also was made for the 
similar text in paragraph (h)(3). Thus, HCRQ/CGI recommended that FRA 
revise the last sentence of paragraph (h)(1) to read as follows: ``The 
railroad shall document these assumptions in such a form as to permit 
later comparisons with in-service experience.'' FRA agrees with this 
comment and has therefore revised the last sentences of paragraphs 
(h)(1) and (h)(3) accordingly.
    HCRQ/CGI also submitted comments on paragraph (h)(4), asserting 
that the language in this paragraph seems to imply that a detailed 
document, separate from the fault trees themselves, is required, which 
would be very costly. Therefore, HCGI/CGI recommended that FRA revise 
paragraph (h)(4) to read as follows: ``The railroad shall document all 
of the identified safety critical fault paths to a mishap.''
    FRA does not see the need to eliminate the clause in the first 
sentence ``as predicted by the safety analysis methodology,'' but finds 
it necessary to clarify that no additional tool to that chosen by the 
railroad for the risk assessment is required by this paragraph.
Appendix C to Part 236--Safety Assurance Criteria and Processes
    FRA hereby modifies Appendix C to part 236 to enhance and clarify 
its language, reorganize the existing list of safe system design 
principles in accordance with the well established models of system 
safety engineering, and augment the list of safe system design 
principles with the principles related to safe system software design. 
A safe state is a system state that the system defaults to in the event 
of a fault or failure or when unacceptable or dangerous conditions are 
detected. The safe state is a state when the hazardous event cannot 
occur. This final rule revises proposed paragraph (a) to reflect the 
main purpose of this appendix in clear, accurate, and consistent 
language that will be repeatedly used throughout the appendix. It also 
outlines that the requirements of this appendix will be applicable to 
each railroad's PTCIP and PTCSP, as required by subpart I.
    This final rule modifies and restructures paragraph (b) to 
consistently present a complete list of safety assurance principles 
properly classified or categorized in accordance with well established 
system safety engineering principles that need to be followed by the 
designer of the system to assure that all system components perform 
safely under normal operating conditions and under failures, accounting 
for human factor impacts, external influencing, and procedures and 
policies related to maintenance, repair, and modification of the 
system. FRA also adds language indicating that these principles must 
also be applicable to PTC systems designed and implemented under the 
requirements of subpart I. FRA's intent in initially promulgating 
Appendix C was to ensure that safety principles are followed during the 
design stage and that Verification and Validation methods are used to 
assure that the product meets the safety criteria established in Sec.  
236.909. The heading of this paragraph and its subparagraphs are 
changed to more adequately and precisely capture this paragraph's 
purpose. For instance, FRA hereby modifies the heading of paragraph 
(b)(1) to better suit the chosen base of classification for all safety 
principles under paragraph (b).
    HCRQ/CGI submitted comments asserting that the third sentence of 
paragraph (b)(1) implies that the system will operate safely in the 
presence of human error. Questioning whether this

[[Page 2681]]

would be possible, HCRQ/CGI recommended deletion of this sentence.
    In order to avoid ambiguity in interpreting the important 
requirement spelled out in the third sentence of this paragraph, FRA 
revises it to read as follows: ``The system shall operate safely even 
in the absence of prescribed operator actions or procedures.''
    With respect to the fifth sentence in paragraph (b)(1), HCRQ/CGI 
asserted that it is a rare situation when hazards can be 
``eliminated.'' Therefore, HCRQ/CGI recommended that FRA revise the 
fifth and sixth sentences of proposed paragraph (b)(1) to read as 
follows: ``The safety order of precedence is to eliminate hazards 
categorized as unacceptable or undesirable. If this is not possible or 
practical, these hazards should be mitigated to acceptable levels as 
required by this part.''
    FRA agrees with the commenter that the last clause in this 
paragraph discussing elimination of unacceptable and undesirable 
hazards requires modification and revises this clause by adding extra 
clarifying sentence in the final rule for the entire clause to read as 
follows: ``Hazards categorized as unacceptable, which is determined by 
hazard analysis, must be eliminated by design. Best effort must be made 
by the designer to also eliminate by design the hazards categorized as 
undesirable. Those undesirable hazards that cannot be eliminated should 
be mitigated to the acceptable level as required by this part.''
    HCRQ/CGI submitted comments on the first and second sentences of 
paragraph (b)(2)(ii), asserting that it is not possible to implement a 
system that would continue to operate safely in the presence of 
multiple hardware failures. Therefore, HCRQ/CGI recommended that FRA 
revise the first and second sentences of paragraph (b)(2)(ii) to read 
as follows: ``The product must be shown to operate safely under 
conditions of random hardware failure. This includes single failures 
and multiple hardware failures where one or more failures.''
    FRA agrees with the commenter that the paragraph requires 
modification and revises the first two sentences to read as follows: 
``The product must be shown to operate safely under conditions of 
random hardware failures. This includes single hardware failures as 
well as multiple hardware failures that may occur at different times 
but remain undetected (latent) and react in combination with a 
subsequent failure as a later time to cause an unsafe operating 
situation.''
    HCRQ/CGI asserted that the meaning of each of the last sentences in 
paragraphs (b)(2)(iii) and (b)(2)(iv) was unclear. In order to address 
this concern, HCRQ/CGI recommended that the last sentence in paragraph 
(b)(2)(iii) be revised to read as follows: ``Occurrence of credible 
single point failures that can result in hazards must be detected and 
the product must achieve a known safe state before inadvertently 
activating any physical appliance.'' Similarly, HCRQ/CGI recommended 
that the last sentence in paragraph (b)(2)(iv) be revised to read as 
follows: ``If one non-self-revealing failure combined with a second 
failure can cause a hazard that is categorized as unacceptable or 
undesirable, then the second failure must be detected and the product 
must achieve a known safe state before inadvertently activating any 
physical appliance.''
    FRA agrees with the commenter and revises the referenced sentences 
in paragraphs (b)(2)(iii) and (b)(2)(iv) for the sentences to end with 
the following clause: ``* * * the product must achieve a known safe 
state that eliminates the possibility of false activation of any 
physical appliance.''
    Under paragraph (b)(3), FRA amends the definition of Closed Loop 
Principle to reflect its industry accepted definition provided by the 
AREMA Manual. FRA believes that the previous definition was too general 
and did not reflect the essence of the most significant principles of 
safe signaling system design.
    HCRQ/CGI submitted comments on the last sentence of paragraph 
(b)(3), asserting that the sentence is confusing because all system 
operation is a product of actions and decisions. In order to provide 
clarification, HCRQ/CGI recommended that FRA revise the last sentence 
of paragraph (b)(3) to read as follows: ``In addition, closed loop 
design requires that failure to perform a single logical operation, or 
absence of a single logical input, output or decision shall not cause 
an unsafe condition, i.e. system safety does not depend upon the 
occurrence of a single action or logical decision.''
    FRA has made an effort to perfect the definition of close loop 
principle in the NPRM and found it satisfactory to adopt the definition 
given in the 2009 issue of AREMA Communication and Signal Manual of 
Recommended Practices. FRA does not see the need for further 
enhancement of this definition.
    Under paragraph (b)(4), FRA adds a list of Safety Assurance 
Concepts that the designer may consider for implementation to assure 
sail-safe system design and operation. These principles are 
predominantly applicable for the safe system software design and quoted 
from the IEEE-1483 standard. Based on this amendment, FRA also 
renumbers some of the remaining subparagraphs of paragraph (b) to 
follow the chosen scheme for the proper classification and sequence of 
safety principles.
    GE asserts that more detail is required for the Human Factor 
Engineering Principle in paragraph (b)(5), which is part of the section 
on ``safety principles during product development.'' There are two 
components to applied Human Factor engineering in system safety: The 
component of ergonomic design and the system risk contribution of the 
human interaction with the system, along with the degree of dependency 
on the operator for safety coverage. According to GE, the latter is 
missing from the discussion and is most relevant to the safety 
principles section.
    In response to this comment, FRA would like to emphasize that the 
main purpose of Appendix C is to provide safety criteria and processes 
for design of safe systems, or fail-safe, or vital signaling systems 
that by definition must exclude any hazards associated with human 
errors. The ``reliance factor'' or, in other words, the possibility of 
hazards arising due to overreliance of the operator on the proper 
functioning of the system itself, which the commenter is referring to, 
is an issue solely relevant to the non-vital overlays complementing 
existing method of operation. For non-vital signaling systems the 
designer must adhere to the safety principles of Appendix C only to the 
extent necessary to satisfy the safety requirements of this part. 
Therefore FRA does not see a need for further modification of paragraph 
(b)(5).
    This final rule amends paragraph (c) to reflect the changes in 
recommended standards. For instance, the standard ``EN50126: 1999, 
Railway Applications: Specification and Demonstration of Reliability, 
Availability, Maintainability and Safety'' (RAMS) is superseded by the 
standard IEC62278: 2002 under the same title. The standard ``EN50128 
(May 2001), Railway Applications: Software for Railway Control and 
Protection Systems'' is superseded by the Standard IEC62279: 2002 under 
the same title.
    HCRQ/CGI submitted comments asserting that the U.S. Department of 
Defense Military Standard (MIL-STD) 882C, ``System Safety Program 
Requirements'' (January 19, 1993) has been superseded by U.S. 
Department of Defense Military Standard (MIL-STD) 882C, ``System Safety 
Program Requirements'', Notice 1 (January 19, 1996)''.
    In the NPRM, FRA suggested that railroads follow recommendations of 
MIL-STD-882C of January 19, 1993

[[Page 2682]]

issuance specifically. The notice issued on January 19, 1996 does not 
contain material necessary for the risk analysis, verification and 
validation processes. Therefore FRA retains the former reference to 
MIL-STD-882C of January 19, 1993.
    Under paragraph (c)(3)(i), FRA references additional IEEE standards 
that have become available and will support the designs of PTC systems 
that are widely using communications as their main component. In 
addition to existing reference under paragraph (c)(3)(i)(A) for IEEE-
1483 Standard, the following standards are added to paragraph 
(c)(3)(i): IEEE 1474.2-2003, Standard for user interface requirements 
in communications based train control (CBTC) systems; and IEEE 1474.1-
2004, Standard for Communications-Based Train Control (CBTC) 
Performance and Functional Requirements.
    After an analysis of the current applicability of ATCS 
Specification 130 and 140, FRA believes that they are not being used. 
Thus, FRA hereby removes these standards from the list of referenced 
standards. However, FRA also adds the ATCS 200, Data Communication 
standard that remains relevant for communication segment of PTC system 
designs.
    FRA also considers it necessary to reference several additional 
sections of the current AREMA 2009 Communications and Signal Manual of 
Recommended Practices. In addition to Section 17 of this manual 
referenced in a previous version of Appendix C, FRA hereby adds to the 
list of references Section 16 Vital Circuit and Software Design; 
Section 21 Data Transmission; and Section 23 Communication-Based 
Signaling.
Appendix D to Part 236--Independent Review of Verification and 
Validation
    There has been no change in the underlying engineering principles 
associated with Appendix D. The changes made in this final rule are 
cosmetic, simply updating the Appendix so that it is applicable to both 
subpart H and I, and reducing the workload on the vendor or supplier, 
the railroad, and FRA. FRA determined that it would have been more 
burdensome to refer to different Appendices that are functionally 
identical, and whose only practical difference would be that one 
referred only to subpart H, and the other to subpart I of this part.
    Paragraph (a) discusses the purpose of an independent third-party 
assessment of product Verification and Validation. FRA's position that 
the requirement for an independent third-party assessment is reasonably 
common in the field of safety-critical systems remains unchanged. FRA's 
recent experience confirms that this approach can enhance the quality 
of decision making by railroads and FRA. The potential for undergoing a 
third party audit provides incentives to those who design and produce 
safety-critical systems to more rigorously create and maintain safety 
documentation for their systems. FRA acknowledges that documentation, 
by itself, will not ensure a safe system. However, the absence of 
documentation will make it virtually impossible to ensure the safety of 
the system throughout its life-cycle. The third party also brings a 
level of technical expertise, and a perspective that may not be 
available on the staff of the railroad (or FRA)--effectively permitting 
the railroad (and thus FRA) to look behind claims of the vendor or 
supplier to actual engineering practice. This may be especially 
appropriate where the system in question utilizes a novel architecture 
or relies heavily on COTS hardware and software.
    Paragraph (b) establishes the requirements for independence of the 
third-party auditor. The text associated with the underlying principle 
of independence has simply been clarified to indicate that there must 
be independence at all levels of the product design and manufacture. 
This situation has arisen where a third party wished to provide 
independent safety assessments of the system, but also provide 
technical support for the design of a component that would be used in 
the system being reviewed. FRA maintains that such practices, even if 
the entity in question attempts to firewall the parts of the 
organization doing the respective tasks, represents a conflict of 
interest and is unacceptable.
    Paragraphs (c) through (f) discuss the substance of the third-party 
assessment. This assessment should be performed on the system as it is 
finally configured, before revenue operations commence. The assessor 
should review the supplier's processes as set forth in the applicable 
documentation and provide comments to the supplier. The reviewer should 
be able to determine vulnerabilities in the supplier's processes and 
the adequacy of the safety analysis (be it in an RSPP and PSP or in a 
PTCDP and PTCSP) as they apply to the product. ``Acceptable 
methodology'' is intended to mean standard industry practice, for 
example, as contained in MIL-STD-882C. FRA is aware of many other 
acceptable industry standards, but usage of a less common one in an 
analysis would most likely require a higher level of FRA scrutiny. In 
addition, the reviewer considers the completeness and adequacy of the 
required safety documents.
    Paragraph (d) discusses the reviewer's tasks at the functional 
level. Here, the reviewer will analyze the supplier's methods to 
establish that they are complete and correct. First, a Preliminary 
Safety Analysis is performed in the design stage of a product. In 
addition to describing system requirements within the context of the 
concept of operations, it attempts, in an early stage, to classify the 
severity of the hazards and to assign an integrity level requirement to 
each major function (in conventional terms, a preliminary hazard 
analysis). Again there are many practices widely accepted within 
industry such as: Hazard Analysis (HA), Fault Tree Analysis (FTA), 
Failure Mode and Effects Analysis (FMEA), and Failure Modes, Effects, 
and Criticality Analysis (FMECA). Other simulation methods may also be 
used in conjunction with the preceding methods, or by themselves when 
appropriate. Commonly practiced techniques and methods include fault 
injection, a technique that evaluates performance by injecting known 
faults at random times during a simulation period; Markov modeling, a 
modeling technique that consists of states and transitions that control 
events; Monte Carlo model, a simulation technique based on randomly-
occurring events; and Petri-net, an abstract, formal model of 
information flow that shows static and dynamic properties of a system.
    Paragraphs (e) and (f) address what must be performed at the 
implementation level. At this stage, the product is beginning to take 
form. The reviewer typically evaluates the software and, if appropriate 
or required, the hardware. In the case of software, the software will 
most likely be in modular form, such that software modules are produced 
in accordance to a particular function. In the case of hardware, this 
may be at the component or line replaceable unit level. The reviewer 
must select a significant number of modules to be able to establish 
that the product is being developed in a safe manner.
    Paragraph (g) discusses the reviewer's tasks at closure. The 
reviewer's primary task at this stage is to prepare a final report 
where all product deficiencies are noted in detail. This final report 
may include material previously presented to the supplier during 
earlier development stages.
    FRA received several comments on Appendix D related to the proper 
documentation to be reviewed by the third-party reviewer according to

[[Page 2683]]

paragraph (d)(1), the scope of hazard analysis required to be reviewed 
by paragraph (d)(2), and the methods of software development techniques 
to be reviewed according to paragraph (f)(2)(vii). These comments are 
the same as those submitted by the commenter on the text of Appendix F. 
Due to the wider applicability of these comments to the material 
presented in Appendix F, FRA has provided a response to these comments 
in the section-by-section analysis for Appendix F.
Appendix E to Part 236--Human-Machine Interface (HMI) Design
    Appendix E provides human factors design criteria. Paragraphs (a) 
through (f) cover the same material as was previously contained in 
Appendix E. See 70 FR 11,107 (March 7, 2005). However, Appendix E has 
been reformatted to support its use for subparts H and I of this part 
and, with a few exceptions, is textually the same. This Appendix still 
addresses the basic human factors principles for the design and 
operation of displays, controls, supporting software functions, and 
other components in processor-based signal or train control systems and 
subsystems regardless if they are voluntarily implemented (as is the 
case with systems qualified under subpart H of this part) or 
mandatorily implemented (as is the case with systems developed under 
subpart I of this part). The HMI requirements in this Appendix attempt 
to capture the lessons learned from the research, design, and 
implementation of similar technology in other modes of transportation 
and other industries. The rationale for each of the requirements 
associated with paragraphs (a) through (f) remains the same as was 
presented in the former version of Appendix E. See 70 FR 11,107, 
11,090-11,091 (Mar. 7, 2005).
    FRA has noted that products implemented under the requirements of 
subpart H of this part, or proposed products that will be developed 
under subpart I of this part, all have been capable of generating 
electromagnetic radiation. Such emissions are strictly regulated by the 
Federal Communications Commission for public safety and health, as well 
as to ensure that the limited electromagnetic spectrum is optimally 
utilized. FRA is therefore adding a new paragraph (h) to Appendix E, 
which requires that as part of the HMI design process, the designer 
must ensure that the product has the appropriate FCC Equipment 
Authorization, and that the product meets FCC requirements for Maximum 
Permissible Exposure limits for field strength and power density. 
Paragraph (g) does not levy any new regulatory requirements. The 
requirements cited are mandatory FCC requirements for any device that 
emits electromagnetic radiation that the system designer must comply 
with. FRA is simply identifying these requirements, as not all railroad 
product developers may be aware of them.
Appendix F to Part 236--Minimum Requirements of FRA Directed 
Independent Third-Party Assessment of PTC System Safety Verification 
and Validation
    FRA has revised the title of Appendix F in response to comments 
submitted by GE, in which GE noted that, while FRA may require a 
railroad to engage in an independent assessment of its PTC system based 
on the criteria set forth in Sec.  236.913, FRA is not requiring an 
independent assessment of every PTCSP.
    FRA received several comments from HCRQ/CGI on paragraphs (d), (e), 
(f), and (i) of Appendix F.
    The commenter asserted that the term ``acceptable methodology'' 
used in the second sentence of paragraph (d) is not clear and suggested 
that it be replaced with the term ``methodologies typical to safety-
critical systems.'' If revised in accordance with this recommendation, 
the second sentence of paragraph (d) would read as follows: ``At a 
minimum, the reviewer shall compare the supplier processes with 
methodologies typical of safety-critical systems and employ any other 
such tests or comparisons if they have been agreed to previously with 
FRA.'' In response to this comment, FRA notes that the term 
``acceptable methodologies,'' by its very nature, includes 
methodologies typical of safety-critical systems. FRA believes that the 
proposed modification may artificially limit the use of the atypical 
analysis methodologies that may provide an equivalent, or better, 
analytical results. Therefore, FRA did not incorporate the proposed 
change. However, in the interest of providing clarification to reflect 
the main intent of this paragraph, FRA has modified the second and 
third sentences in paragraph (d) to read as follows: ``At a minimum, 
the reviewer shall evaluate the supplier design and development process 
regarding the use of an appropriate design methodology. The reviewer 
may use the comparison processes and test procedures that have been 
previously agreed to with FRA.''
    The commenter also asserted that, with respect to paragraph (e), 
the reviewer will be required to analyze a ``Hazard Log,'' as opposed 
to a ``Preliminary Hazard Analysis'' document, since the Hazard Log 
will supersede the Preliminary Hazard Analysis on the final stage of 
the system development process.
    FRA agrees with the commenter that the Hazard Log more accurately 
reflects the perceived risk in the as-built condition and, therefore, 
has modified paragraph (e) to read as follows: ``The reviewer shall 
analyze the Hazard Log and/or any other hazard analysis documents for 
comprehensiveness and compliance with applicable railroad, vendor, 
supplier, industry, national, and international standards.'' The 
commenter also suggested that this comment is equally applicable to 
former paragraph (d)(1) in the prior version of Appendix D. FRA agrees 
and has modified the various applicable phrases in Appendices D and F 
accordingly. The commenter further suggested that in paragraph (f) the 
reviewer should be required to analyze samples of the hazard analyses 
``for completeness, correctness, and compliance with industry, 
national, or international standards,'' as opposed to the proposed 
requirement to analyze ``all'' hazard analyses such as Fault Tree 
Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA). 
The commenter asserted that it will be ``difficult and prohibitive'' 
for both the supplier and the reviewer to analyze ``all'' of these 
documents in their entire length. The commenter also noted that these 
comments are applicable to existing Appendix D, paragraph (d)(2).
    In response to this comment, FRA notes that there does not appear 
to be a need for additional clarification on the depth of the quoted 
documents analysis by the reviewer. As FRA has already indicated in the 
section-by-section analysis of Sec.  236.1017, ``FRA has the discretion 
to limit the extent of the third party assessment.'' Moreover, the 
section-by-section analysis of Sec.  236.1017 goes on to state that 
``Appendix F represents minimum requirements and that if circumstances 
warrant, FRA may expand upon the Appendix F requirements as necessary 
to render a decision that is in the public interest.'' FRA will, if 
appropriate, limit the scope of analysis. FRA notes the comment, and 
will execute its regulatory discretion in this matter.
    With respect to paragraph (i)(7), HCRQ/CGI points out that the text 
of NPRM, while discussing methods of safety-critical software 
development by the manufacturer, enumerates examples that, according to 
the commenter, are not particular to the safety-critical systems, which 
appears to be contrary to the intent of this paragraph. The commenter 
recommends that FRA

[[Page 2684]]

include in the text of the final rule an extended list of examples for 
methods of software development instead of those cited in NPRM, for 
example, such methods as ``system requirement analysis, requirements 
traceability to functional and derived safety requirements, design 
analysis, documented peer review,'' etc. The commenter also noted that 
this comment is equally applicable to Appendix D, paragraph 
(f)(2)(vii).
    FRA understands the commenter's concern. FRA believes that the 
review should include any documentation associated with the software 
development that may reflect on, or address, the safety of the system. 
To address the commenter's concern and to more accurately reflect FRA's 
position, paragraph (i)(7) has been revised by deleting the list of 
examples of methods of software development previously proposed in the 
NPRM. FRA modifies the text of this paragraph to emphasize that the 
review on any documentation that may reflect on the safety of software 
design is required. As with the preceding comment, FRA will exercise 
its regulatory discretion with regards to the specific documentation 
based on the system in question and public safety. FRA has also 
modified paragraph (i)(7) in Appendix D that discusses the same issue.

VIII. Regulatory Impact and Notices

A. Executive Order 12866 and DOT Regulatory Policies and Procedures

    This final rule has been evaluated in accordance with existing 
policies and procedures, and determined to be significant under both 
Executive Order 12866 and DOT policies and procedures. 44 FR 11,034 
(Feb. 26, 1979). We have prepared and placed in the docket a regulatory 
impact analysis (RIA) addressing the economic impact of this final 
rule.
    The costs anticipated to accrue from adopting this final rule would 
include: (1) Costs associated with developing implementation plans and 
administrative functions related to the implementation and operation of 
PTC systems, including the information technology and communication 
systems that make up the central office; (2) hardware costs for onboard 
locomotive system components, including installation; (3) hardware 
costs for wayside system components, including installation; and (4) 
maintenance costs for all system components.
    Two types of benefits are expected to result from the 
implementation of this final rule--benefits from railroad accident 
reduction and business benefits from efficiency gains. The first type 
would include safety benefits or savings expected to accrue from the 
reduction in the number and severity of casualties arising from train 
accidents that would occur on lines equipped with PTC systems. Casualty 
mitigation estimates are based on a value of statistical life of $6 
million. In addition, benefits related to accident preventions would 
accrue from a decrease in damages to property such as: Locomotives, 
railroad cars, and track; equipment cleanup; environmental damage; 
train delay resulting from track closures; road closures; emergency 
response; and evacuations. Benefits more difficult to monetize--such as 
the avoidance of hazmat accident related costs incurred by federal, 
state, and local governments and impacts to local businesses--will also 
result. FRA also expects that once PTC systems are refined, there would 
likely be substantial additional business benefits resulting from more 
efficient transportation service; however, such benefits are not 
included because of significant uncertainties regarding whether and 
when individual elements will be achieved and given the complicating 
factor that some benefits might, absent deployment of PTC, be captured 
using alternative technologies at lower cost. In the NPRM, FRA 
requested comments on whether the proposed regulation exercised the 
appropriate level of discretion and flexibility to comply with RSIA08 
in the most cost effective and beneficial manner. The FRA received 
comments, discussed above in the section-by-section analysis, that FRA 
had exceeded its discretion, in general, in not creating a de minimis 
exception, in Sec.  236.1005, by designating that the railroad base its 
system designation on 2008 base year traffic patterns; in Sec.  
236.1029, by requiring that each crewmember assigned to a cab have 
access to a display adequate to perform assigned duties safely, which 
the railroads claimed meant that they have to install a second display; 
and in Sec.  236.1006 (b)(4) in permitting Class II and Class III 
railroads to operate locomotives unequipped with PTC on Class I 
railroad lines under certain conditions. FRA believes that the agency 
interpreted RSIA08 correctly in not granting AAR's very broad request 
for a de minimis exception (however, FRA did craft a new de minimis 
exception in Sec.  236.1006(b)(4)(ii), discussed above in the section-
by-section analysis), in using the 2008 traffic patterns as a basis for 
designating the system and in requiring that each crewmember in the 
locomotive cab have access to a display adequate to perform assigned 
safety-related duties. FRA also believes that it acted with an 
appropriate level of discretion and flexibility in permitting some 
operations of unequipped locomotives on PTC equipped routes. All of 
these responses are discussed in detail above, in the Section-by-
Section analysis.
    The RIA presents a 20-year analysis of the costs and benefits 
associated with this rule, using both 7 percent and 3 percent discount 
rates, and two types of sensitivity analyses. The first is associated 
with varying cost assumptions used for estimating PTC implementation 
costs. The second takes into account potential business benefits from 
realizing service efficiencies and related additional societal benefits 
from attainment of environmental goals and an overall reduction in 
transportation risk from modal diversion.
    The 20-year total cost estimates are $9.55 billion (PV, 7%) and 
$13.21 billion (PV, 3%). Annualized costs are $0.87 billion (PV, 7%) 
and $0.88 billion (PV, 3%). Using high-cost assumptions, the 20-year 
total cost estimates would be $16.25 billion (PV, 7%) and $22.54 
billion (PV, 3%). Using low-cost assumptions, the 20-year cost 
estimates would be $6.73 billion (PV, 7%) and $9.34 billion (PV, 3%). 
The later the expenditures are made, the lower the discounted cost 
impact, which in any event is a very small portion of the total PTC 
costs. This estimate is lower than the cost estimate presented in the 
NPRM. It reflects the low freight traffic volume exception for 
passenger train routes and the de minimis exception for freight 
railroads. These exceptions result in lower wayside costs than 
estimated in the NPRM RIA. FRA has not revised its locomotive cost 
estimates to reflect reduced burden resulting from the additional 
flexibility granted because the magnitude of the reduction is very 
small relative to the overall system cost.
    Twenty-year railroad safety (railroad accident reduction) benefit 
estimates associated with implementation of the rule are $440 million 
(PV, 7%) and $674 million (PV, 3%). Annualized benefits are $42 million 
(PV, 7%), and $45 million (PV, 3%). This estimate is lower than that 
estimated at the NPRM stage of the rulemaking. The estimate was lowered 
as a result of revisions made to a study performed by Volpe Center 
regarding the cost of PTC-preventable accidents. Some forecasts predict 
significant growth of both passenger and freight transportation 
demands, and it is thus possible that greater activity on the system 
could present the potential for

[[Page 2685]]

larger safety benefits than estimated in this analysis. The presence of 
a very large PTC-equipped freight locomotive fleet also supports the 
opportunity for introduction of new passenger services of higher 
quality at less cost to the sponsor of that service. Information is not 
currently available to quantify that benefit.
    The table below presents cost and benefit estimates by element 
using a 3% discount rate as well as a 7% discount rate.

         Total 20-Year Discounted Costs and Discounted Benefits
                             [At 3% and 7%]
------------------------------------------------------------------------
          Discount rate                  3.00%               7.00%
------------------------------------------------------------------------
Costs by Category:
    Central Office and                  $283,025,904        $263,232,675
     Development................
    Wayside Equipment...........      2,902, 751,825       2,414,794,033
    On-Board Equipment..........       1,613,568,678       1,390,618,364
    Maintenance.................       8,406,267,684       5,478,877,649
                                 ---------------------------------------
        Total...................      13,205,614,091       9,547,522,721
                                 =======================================
Benefits by Category:
    Fatalities..................         268,999,278         175,541,848
    Injuries....................         203,984,196         133,114,717
    Train Delay.................          24,530,630          16,008,043
    Property Damage.............         159,149,846         103,857,000
    Emergency Response..........             431,143             281,353
    Equipment Clean Up..........           2,509,576           1,637,683
    Road Closure................             580,664             378,926
    Environmental Cleanup.......           6,486,888           4,233,172
    Evacuations.................           7,129,699           4,652,654
                                 ---------------------------------------
        Total Railroad Safety            673,801,919         439,705,397
         Benefits...............
------------------------------------------------------------------------

    The Port Authority Trans Hudson (PATH), a commuter railroad, is 
apparently considering the system used by the New York City Transit 
Authority on the Canarsie line. This system, which is known as 
Communication-Based Train Control, is not similar in concept to any of 
the other PTC systems (including the CSX CBTC, with which its name 
might easily be confused), and would not be suitable, as FRA 
understands the system, except on a railroad with operating 
characteristics similar to a heavy rail mass transit system. FRA 
believes that, in absence of the statutory mandate or this rulemaking, 
PATH would have adopted PTC for business reasons.
    Although costs associated with implementation of the final rule are 
significant and such costs would far exceed the benefits, FRA is 
constrained by the requirements of RSIA08, which do not provide 
latitude for implementing PTC differently. Nevertheless, FRA has taken 
several steps to avoid triggering unnecessary costs in the proposed 
rule. For instance, FRA is not requiring use of separate monitoring of 
switch position in signal territory or that the system be designed to 
determine the position of the end of the train. FRA has also minimized 
costs, such as by requiring the monitoring of derails protecting the 
mainline, but limiting it to derails connected to the signal system; 
and by requiring the monitoring of hazard detectors protecting the 
mainline, but limiting it to hazard detectors connected to the signal 
system. FRA has also minimized costs related to diamond crossings, 
where a PTC equipped railroad crosses a non-PTC equipped railroad at 
grade; included exceptions to main track for passenger train 
operations, and provisions that would permit some Class III railroad 
operation of trains not equipped with PTC over Class I railroad freight 
lines equipped with PTC. FRA has also added provisions to the final 
rule which will permit passenger railroads to exclude up to roughly 
1,900 miles of track from the requirements to install PTC. Finally, FRA 
has provided for de minimis exceptions for Class I freight lines with 
not passenger service and negligible risk, avoiding any expenses for 
right-of-way modifications on about 300 miles, saving about $15 
million, and reducing costs by about 80% on about 3,200 additional 
miles, saving about $127 million.
    RSIA08 requires the railroads to have all mandatory PTC systems 
operational on or before December 31, 2015. Members of the PTC Working 
Group, especially railroad and supplier representatives, said that the 
timeframe was very tight, and that the scheduled implementation dates 
would be difficult to meet. In general, the faster a government agency 
requires a regulated entity to adopt new equipment of procedures, the 
more expensive compliance becomes. In part, this is due to supply 
elasticity being less over shorter time periods.
    FRA is unable to estimate the potential savings if Congress 
provided a longer implementation schedule or provided incentives, 
rather than mandates, for PTC system installation. In order to estimate 
the likely reduction in costs in such situations, FRA would need to 
develop some other schedule for implementation. The element least 
sensitive to an implementation's schedule appears to be onboard costs. 
Each PTC system's onboard equipment seems similar and is not very 
different from existing onboard systems. Further, the 2015 deadline is 
not so restrictive that it would cause railroads to pull locomotives 
out of service just to install on board PTC equipment. Locomotives must 
be inspected thoroughly every 90 and more extensively every 360 days. 
The inspections can last from one to several days. Railroads usually 
bring locomotives into their shops to perform these inspections, during 
which time a skilled and experienced team could install the on board 
equipment for PTC. System development is much less certain, and more 
time would enable vendors or suppliers to develop, test, and implement 
the software at a more reasonable cost. Wayside costs are also 
sensitive to the installation timetable, as the wayside must be mapped 
and

[[Page 2686]]

measured, and then the railroads must install wayside interface units 
(WIUs). Wayside mapping and measurement takes a highly skilled 
workforce. A larger workforce is necessary to timely implement the 
required PTC systems in a shorter amount of time. WIU installation is 
likely similar to existing signal or communication systems 
installation, and is likely to involve use of existing railroad skilled 
workers. The shorter the installation time period, the more work will 
be done at overtime rates, which are, of course, higher.
    FRA believes that lower costs could result from a longer 
installation period, but FRA also believes that the differences in 
costs would be within the range of the low costs provided in the main 
analysis of the proposed rule. The 2004 report included some lower cost 
estimates, but, in light of current discussions with railroads, the 
cost estimates in the 1998 report seem more accurate. The lower 
estimates FRA received in preparing the 2004 report were both overly 
optimistic, and excluded installation costs, as well as higher costs 
which stem from meeting the performance standards.
    Some of the costs of PTC implementation, operation, and maintenance 
may be offset by business benefits, especially in the long run, 
although there is uncertainty regarding the timing and level of those 
benefits. Economic and technical feasibility of the necessary system 
refinements and modifications to yield the potential business benefits 
has not yet been demonstrated. FRA analyzed business benefits 
associated with PTC system implementation and presented its findings in 
the 2004 Report. Due to the aggressive implementation schedule for PTC 
and the resulting need to issue a rule promptly, FRA has not formally 
updated this study. Nevertheless, FRA believes that there is 
opportunity for significant business benefits to accrue several years 
after implementation once the systems have been refined to the degree 
necessary. Thus, FRA conducted a sensitivity analysis of potential 
business benefits based on the 2004 Report.
    The 2004 Report included business benefits from improved or 
enhanced locomotive diagnostics, fuel savings attributable to train 
pacing, precision dispatching, and capacity enhancement. Although 
railroads are enhancing locomotive diagnostics using other 
technologies, FRA believes that PTC could provide the basis for 
significant gains in the other three areas.
    In the years since the 2004 Report, developing technology and 
rising fuel costs have caused the rail supply industry and the 
railroads to focus on additional means of conserving diesel fuel while 
minimizing in-train forces that can lead to derailments and delays from 
train separations (usually broken coupler knuckles). Software programs 
exist that can translate information concerning throttle position and 
brake use, together with consist information and route characteristics, 
to produce advice for prospective manipulation of the locomotive 
controls to limit in-train forces. Programs are also being conceived 
that project arrival at meet points and other locations on the 
railroad. These types of tools can be consolidated into programs that 
either coach the locomotive engineer regarding how to handle the train 
or even take over the controls of the locomotive under the engineer's 
supervision. The ultimate purpose of integrating this technology is to 
conserve fuel use while handling the train properly and arriving at a 
designated location ``just in time'' (e.g., to meet or pass a train or 
enter a terminal area in sequence ahead of or behind other traffic). 
Further integrating this technology with PTC communications platforms 
and traffic planning capabilities could permit transmittal of ``train 
pacing'' information to the locomotive cab in order to conserve fuel. 
Like the communications backbone, survey data concerning route 
characteristics can be shared by both systems. The cost of diesel fuel 
for road operations to the Class I railroads is approximately $3.5 
billion annually and is gradually rising. If PTC technology helps to 
spur the growth and effective use of train pacing, fuel savings of 5% 
($175,000,000 annually) or greater could very likely be achieved. 
Clearly, if the railroads are able to conserve use of fuel, they will 
also reduce emissions and contribute to attainment of environmental 
goals, even before modal diversion occurs.
    The improvements in dispatch and capacity have further 
implications. With those improvements, railroads could improve the 
reliability of shipment arrival time and, thus, dramatically increase 
the value of rail transportation to shippers, who in turn would divert 
certain shipments from highway to rail. Such diversion would yield 
greater overall transportation safety benefits, since railroads have 
much lower accident risk than highways, on a point-to-point ton-mile 
basis. The total societal benefits of PTC system implementation and 
operation, following the analysis, would be much greater than total 
societal costs, although the costs would fall disproportionately more 
heavily on the railroads.
    At present, the PTC systems contemplated by the railroads, with the 
possible exception of PATH, would not increase capacity, at least not 
for some time. If the locomotive braking algorithms need to be made 
more conservative in order to ensure that each train does not exceed 
the limits of its authority, PTC system operation may actually decrease 
rail capacity where applied in the early years. Further investment 
would be required to bring about the synergy that would result in 
capacity gains. A more significant business benefit of PTC system 
operation would be derived from precision dispatching, which decreases 
the variance of arrival times of delivered freight. To avoid the risk 
of running out of stock, shippers often overstock their inventory at an 
annual cost of approximately 25% of its inventory value, regardless of 
the material being stored. This estimate accounts for shrinkage, 
borrowing costs, and storage costs. Of course, freight with more value 
per unit of mass or volume tends to have greater storage costs per 
unit. At present, no rail precision dispatch system exists. However, if 
a shipper would take advantage of precision dispatching, thus 
increasing freight arrival time accuracy, then it could reduce its 
overstock inventory. Accurate train data is a necessary, but not a 
sufficient condition, for precision dispatch. At least two of the Class 
I railroads have unsuccessfully attempted to develop precision dispatch 
systems. The mandatory installation of PTC systems is likely to divert 
any resources that might have been devoted to precision dispatch, so 
these benefits are unlikely during the first several years of this 
rule.
    Applying current factors to the variables used in the 2004 Report 
to Congress, the resulting analysis indicates that diversion could 
result in highway annual safety benefits of $744 million by 2022, and 
$1,148 million by 2032. Of course, these benefits require that the 
productivity enhancing systems be added to PTC, and are heavily 
dependent on the underlying assumptions of the 2004 model.
    Modal diversion would also yield environmental benefits. The 2004 
Report estimated that reduced air pollution costs would have been 
between $68 million and $132 million in 2010 (assuming PTC would be 
implemented by 2010), and between $103 million and $198 million in 
2020. This benefit would have accrued to the general public. FRA has 
not broken out the pollution cost benefit of the current

[[Page 2687]]

rule, but offers the estimates from the 2004 Report as a guide to the 
order of magnitude of such benefits.
    While railroads argued that many of the benefits identified in 
FRA's 2004 report were exaggerated, shortly after the publication of 
the report, several railroads began developing strategies for PTC 
system development and implementation. This investment by the railroads 
would seem to illustrate that they believe that there is some potential 
for PTC to provide a boost to railroad profits, beyond providing any of 
the aforementioned societal benefits.
    Modal diversion is highly sensitive to service quality. Problems 
with terminal congestion and lengthy dwell times might overwhelm the 
benefits of PTC or other initiatives which the railroads have been 
pursuing (reconfiguration of yards, pre-blocking of trains, shared 
power arrangements, car scheduling, Automatic Equipment Identification, 
etc.) that might actually work in synergy with PTC. It should also be 
noted that, in the years since the 2004 Report was developed, the Class 
I railroads have shown an increased ability to retain operating revenue 
as profit, rather than surrendering it in the form of reduced rates. 
This was particularly true during the period prior to the current 
recession, when strained highway capacity favored the growth of rail 
traffic. The sensitivity analysis performed by FRA indicates that 
realization of business benefits could yield benefits sufficient to 
close the gap between PTC implementation costs and rail accident 
reduction benefits within the first 18 years of the rule, applying a 3% 
discount rate, and by year 24 of the rule, applying a discount rate of 
7%. Accordingly, the precise partition of business and societal 
benefits cannot be estimated with any certainty.
    FRA recognizes that the likelihood of business benefits is 
uncertain and that the cost-to-benefit comparison of this rule, 
excluding any business benefits, is not favorable. However, FRA has 
taken measures to minimize the rule's adverse impacts and to provide as 
much flexibility as FRA is authorized to grant under RSIA08.

B. Regulatory Flexibility Act and Executive Order 13272

    To ensure potential impacts of rules on small entities are properly 
considered, we developed this rule in accordance with Executive Order 
13272 (``Proper Consideration of Small Entities in Agency Rulemaking'') 
and DOT's procedures and policies to promote compliance with the 
Regulatory Flexibility Act (5 U.S.C. 601 et seq.).
    The Regulatory Flexibility Act requires an agency to review 
regulations to assess their impact on small entities. An agency must 
conduct a Final Regulatory Flexibility Analysis (FRFA) unless it 
determines and certifies that a rule is not expected to have a 
significant impact on a substantial number of small entities.
    In the NPRM, we published an Initial Regulatory Flexibility 
Assessment (IRFA) to aid the public in commenting on the potential 
small business impacts of the proposals. FRA has considered all 
comments submitted to the docket and at public hearings in response to 
the NPRM. FRA also worked with the PTC Working Group and its task 
forces in developing many of the facets of the final rule. We 
appreciate the information provided by the various parties. The 
proposed rule, and consequently the IRFA, included as part of the NPRM, 
have been modified as a result, as described above. Due to the 
uncertainties associated with new product development and deployment, 
FRA has prepared a FRFA and will issue a Small Entity Guidance document 
soon.
    In accordance with the Regulatory Flexibility Act, a FRFA must 
contain:
    (1) A succinct statement of the need for, and objectives of the 
rule;
    (2) A summary of the significant issues raised by the public 
comments in response to the IRFA, a summary of the assessment of the 
agency of such issues, and a statement of any changes made in the 
proposed rule as a result of such comments.
    (3) A description and an estimate of the number of small entities 
to which the rule will apply or an explanation of why no such estimate 
is available;
    (4) A description of the projected reporting, recordkeeping and 
other compliance requirements of the final rule, including an estimate 
of the classes of small entities that will be subject to the 
requirement and the type of professional skills necessary for 
preparation of the report or record; and
    (5) A description of the steps the agency has taken to minimize the 
significant adverse economic impact on small entities consistent with 
the stated objectives of applicable statutes, including a statement of 
the factual, policy, and legal reasons for selecting the alternative 
adopted in the final rule and why each of the other significant 
alternatives to the rule considered by the agency was rejected. 5 
U.S.C. 604(a)(1)-(5).
1. Need for, and Objectives of the Rule
    PTC systems will be designed to prevent train-to-train collisions, 
overspeed derailments, incursions into established work zone limits, 
and the movement of a train through a switch left in the wrong 
position.
    As discussed in more detail in section I of the preamble, the 
RSIA08 mandates that widespread implementation of PTC across a major 
portion of the U.S. rail industry be accomplished by December 31, 2015. 
RSIA08 requires each Class I carrier and each entity providing 
regularly scheduled intercity or commuter rail passenger transportation 
to develop a plan for implementing PTC by April 16, 2010. The Secretary 
of Transportation is responsible for reviewing and approving or 
disapproving such plans. The Secretary has delegated this 
responsibility to FRA. This final rule details the process and 
procedure for obtaining FRA approval of the plans.
    As discussed earlier in the preamble, FRA is issuing this final 
rule to provide regulatory guidance and performance standards for the 
development, testing, implementation, and use of Positive Train Control 
(PTC) systems for railroads mandated by the Rail Safety Improvement Act 
of 2008 Sec.  104, Public Law 110-432, 122 Stat. 4848, 4856, (Oct. 16, 
2008) (codified at 49 U.S.C. 20157).
2. Significant Issues Raised by Public Comment in Response to the IRFA
    The only comment which directly referred to the IRFA was a comment 
from Class I railroad representatives noting that the IRFA implied that 
Class I railroads would pay for installation of split point derails at 
railroad-railroad crossings where a PTC equipped line crosses a line 
not equipped with PTC. FRA agrees with commenters that costs will be 
borne according to preexisting agreements and any other laws or 
regulations that might affect which party is responsible for the costs 
incurred and has modified its analysis accordingly.
    Other comments which affect the IRFA related to definition of main 
track for intercity and commuter operations where freight densities are 
relatively low. These comments, primarily from Amtrak, not a small 
entity, directly referred to the proposed rule, and not to the IRFA. In 
response, FRA provided significant relief to Amtrak for operations over 
Class II and Class III railroads, thus indirectly providing relief to 
some of the Class II and III railroads, potentially allowing one or 
more to avoid PTC system installation. The RSIA08 generally defines 
``main line'' as ``a segment of railroad tracks over which 5,000,000 or 
more gross tons of railroad traffic is transported

[[Page 2688]]

annually. See 49 U.S.C. 20157(i)(2). However, FRA may also define 
``main line'' by regulation ``for intercity rail passenger 
transportation or commuter rail passenger transportation routes or 
segments over which limited or no freight railroad operations occur.'' 
See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes that 
there may be circumstances where certain statutory PTC system 
implementation and operation requirements are not practical and provide 
no significant safety benefits. In those circumstances, FRA will 
exercise its statutory discretion provided under 49 U.S.C. 
20157(i)(2)(B).
    In accordance with the authority provided by the statute and with 
carefully considered recommendations from the RSAC, FRA will consider 
requests for designation of track over which rail operations are 
conducted as ``other than main line track'' for passenger and commuter 
railroads, or freight railroads operating jointly with passenger or 
commuter railroads. Such relief may be granted only after request by 
the railroad or railroads filing a PTCIP and approval by the Associate 
Administrator.
    In Sec.  236.1019(a), FRA requires the submittal of a main line 
track exclusion addendum (MTEA) to any PTCIP filed by a railroad that 
seeks to have any particular track segment deemed as other than main 
line. Since the statute only provides for such regulatory flexibility 
as it applies to passenger transportation routes or segments over which 
limited or no freight railroad operations occur, only a passenger 
railroad may file an MTEA as part of its PTCIP. This may include a 
PTCIP jointly filed by freight and passenger railroads. In fact, FRA 
expects that, in the case of joint operations, only one MTEA should be 
agreed upon and submitted by the railroads filing the PTCIP. After 
reviewing a submitted MTEA, FRA may provide full or conditional 
approval for the requested exemptions.
    Each MTEA must clearly identify and define the physical boundaries, 
use, and characterization of the trackage for which exclusion is 
requested. When describing each track's use and characterization, FRA 
expects the requesting railroad or railroads to include copies of the 
applicable track and signal charts. Ultimately, FRA expects each MTEA 
to include information sufficiently specific to enable easy segregation 
between main line track and non-main line track. In the event the 
railroad subsequently requests additional track to be considered for 
exclusion, a well-defined MTEA should reduce the amount of future 
information required to be submitted to FRA. Moreover, if FRA decides 
to grant only certain requests in an MTEA, the portions of track for 
which FRA has determined should remain considered as main line track 
can be easily severed from the MTEA. Otherwise, the entire MTEA, and 
thus its concomitant PTCIP, may be entirely disapproved by FRA, 
increasing the risk of the railroad or railroads not meeting its 
statutory deadline for PTC implementation and operation.
    For each particular track segment, the MTEA must also provide a 
justification for such designation in accordance with paragraphs (b) or 
(c) of this section.
    In Sec.  236.1019(b), FRA specifically addresses the conditions for 
relief for passenger and commuter railroads with respect to passenger-
only terminal areas. As noted previously in the analysis of Sec.  
236.1005(b), any track within a yard used exclusively by freight 
operations moving at restricted speed is excepted from the definition 
of main line. In those situations, operations are usually limited to 
preparing trains for transportation and do not usually include actual 
transportation. This automatic exclusion does not extend to yard or 
terminal tracks that include passenger operations. Such operations may 
also include the boarding and disembarking of passengers, heightening 
FRA's sensitivity to safety. Moreover, while FRA could not expend its 
resources to review whether a freight-only yard should be deemed other 
than main line track, FRA believes that the relatively lower number of 
passenger yards and terminals would allow for such review. Accordingly, 
FRA believes that it is appropriate to review these circumstances on a 
case-by-case basis.
    During the PTC Working Group discussions, the major passenger 
railroads requested an exception for tracks in passenger terminal areas 
because of the impracticability of installing PTC. These are locations 
where signal systems govern movements over very complex special track 
work divided into short signal blocks. Operating speeds are low (not to 
exceed 20 miles per hour), and locomotive engineers moving in this 
environment expect conflicting traffic and restrictive signals. 
Although low-speed collisions do occasionally occur in these 
environments, the consequences are low; and the rate of occurrence is 
very low in relation to the exposure. It is the nature of current-
generation PTC systems that they use conservative braking algorithms. 
Requiring PTC to short blocks in congested terminals would add to 
congestion and frustrate efficient passenger service, in the judgment 
of those who operate these railroads. The density of wayside 
infrastructure required to effect PTC functions in these terminal areas 
would also be exceptionally costly in relation to the benefits 
obtained. FRA agrees that technical solutions to address these concerns 
are not presently available. FRA does believe that the appropriate role 
for PTC in this context is to enforce the maximum allowable speed 
(which is presently accomplished in cab signal territory through use of 
automatic speed control, a practice which could continue where already 
in place).
    If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2), 
or (b)(3), as applicable, as well as conditions attached to the 
approval, must be strictly adhered to.
    In Sec.  236.1019(b)(1), FRA specifies that relief under paragraph 
(b) is limited to operations that do not exceed 20 miles per hour. The 
PTC Working Group agreed upon the 20 miles per hour limitation, instead 
of requiring restricted speed, because the operations in question will 
be by signal indication in congested and complex terminals with short 
block lengths and numerous turnouts. FRA agrees with the PTC Working 
Group that the use of restricted speed in this environment would 
unnecessarily exacerbate congestion, delay trains, and diminish the 
quality of rail passenger service.
    Moreover, when trains on the excluded track are controlled by a 
locomotive with an operative PTC onboard apparatus that PTC system 
component must enforce the regulatory speed limit or actual maximum 
authorized speed, whichever is less. While the actual track may not be 
outfitted with a PTC system in light of a MTEA approval, FRA believes 
it is nevertheless prudent to require such enforcement when the 
technology is available on the operating locomotives. This can be 
accomplished in cab signal territory using existing automatic train 
stop technology and outside of cab signal territory by mapping the 
terminal and causing the onboard computer to enforce the maximum speed 
allowed.
    FRA also limits relief under Sec.  236.1019(b)(2) to operations 
that enforce interlocking rules. Under interlocking rules, trains are 
prohibited from moving in reverse directions without dispatcher 
permission on track where there are no signal indications. FRA believes 
that such a restriction will minimize the potential for a head-on 
impact.
    Also, under Sec.  236.1019(b)(3), such operations are only allowed 
in yard or terminal areas where no freight

[[Page 2689]]

operations are permitted. While the definition of main line may not 
include yard tracks used solely by freight operations, FRA is not 
extending any relief or exception to tracks within yards or terminals 
shared by freight and passenger operations. The collision of a 
passenger train with a freight consist is typically a more severe 
condition because of the greater mass of the freight equipment. 
However, FRA did receive a comment suggesting some latitude within 
terminals when passenger trains are moving without passengers (e.g., to 
access repair and servicing areas). FRA agrees that low-speed 
operations under those conditions should be acceptable as trains are 
prepared for transportation. FRA has not included a request by Amtrak 
(discussed below) to allow movements within major terminals at up to 30 
miles per hour in mixed passenger and freight service, which appears in 
FRA's judgment to fall outside of the authority to provide exclusions 
conferred on FRA by the law.
    In Sec.  236.1019(c), FRA provides the conditions under which joint 
limited passenger and freight operations may occur on defined track 
segments without the requirement for installation of PTC. Under Sec.  
236.1003 (Definitions), ``limited operations'' is defined as 
``operations on main line track that have limited or no freight 
operations and are approved to be excepted from this subpart's PTC 
system implementation and operation requirements in accordance with 
Sec.  236.1019(c).'' This paragraph provides five alternative paths to 
the main line exception, three of which were contained in the proposed 
rule and a fourth and fifth that respond to comments on the proposed 
rule.
    The three alternatives derived from the NPRM are set forth in Sec.  
236.1019(c)(1). First, an exception may be available where both the 
freight and passenger trains are limited to restricted speed. Such 
operations are feasible only for short distances, and FRA will examine 
the circumstances involved to ensure that the exposure is limited and 
that appropriate operating rules and training are in place.
    Second, under Sec.  236.1019(c)(1)(ii), FRA notes that it will 
consider an exception where temporal separation of the freight and 
passenger operations can be ensured. A more complete definition of 
temporal separation is provided in Sec.  236.1019(e). Temporal 
separation of passenger and freight services reduces risk because the 
likelihood of a collision is reduced (e.g., due to freight cars engaged 
in switching that are not properly secured) and the possibility of a 
relatively more severe collision between a passenger train and much 
heavier freight consist is obviated.
    Third, under Sec.  236.1019(c)(1)(iii), FRA notes that it will 
consider commingled freight and passenger operations provided that a 
jointly agreed risk analysis is provided by the passenger and freight 
railroads, and the level of safety is the same as that which would be 
provided under one of the two prior options selected as the base case. 
FRA requested comments on whether FRA or the subject railroad should 
determine the appropriate base case, but received none. FRA recognizes 
that there may be situations where temporal separation may not be 
possible. In such situations, FRA may allow commingled operations 
provided the risk to the passenger operation is no greater than if the 
passenger and freight trains were operating under temporal separation 
or with all trains limited to restricted speed. For an exception to be 
made under Sec.  236.1019(c)(3), FRA requires a risk analysis jointly 
agreed to and submitted by the applicable freight and passenger 
services. This ensures that the risks and consequences to both parties 
have been fully analyzed, understood, and mitigated to the extent 
practical. FRA would expect that the moving party would elect a base 
case offering the greatest clarity and justify the selection.
    Comments on the proposed rule generally supported the 
aforementioned exclusions or were silent.
    In its comments on the NPRM, Amtrak requested further relief 
relating to lines requiring the implementation and operation of a PTC 
system due solely to the presence of light-density passenger traffic. 
According to Amtrak, the defining characteristic of light-density lines 
is the nature of the train traffic; low-density patterns on these lines 
lead to a correspondingly low risk of collision. Amtrak also asserted 
that, due to relatively limited wear and tear from lower traffic 
densities, these lines often have fewer track workers on site, further 
reducing the chance of collisions and incursions into work zones. Thus, 
states Amtrak, one of the principal reasons for installing PTC--
collision avoidance--is a relatively low risk on many light density 
lines. With only marginal safety benefits anticipated from PTC use in 
such applications, Amtrak believed that there may be minimal 
justification for installing PTC on certain light-density lines.
    Amtrak further noted that FRA itself had concluded that the costs 
of PTC generally exceed its benefits, and Amtrak urged that this may be 
even more so on light-density lines. Amtrak believed that Congress 
understood this issue and thus created the regulatory flexibility for 
the definition of ``main line'' for passenger routes found at 49 U.S.C. 
20157(i)(2)(B) as a means to allow the Secretary to exempt certain 
routes from the PTC mandate. According to Amtrak, this provision 
essentially allows the Secretary to define certain passenger routes 
with limited or no freight traffic as other than ``main line,'' thereby 
effectively exempting such lines from the reach of the PTC mandate 
because the mandate only applies to railroad operations over ``main 
line[s].'' Said another way, urged Amtrak, the provision allows the 
Secretary the freedom to decide in what circumstances such routes 
should be considered ``main lines'' and thus be required to install 
PTC--pursuant to whatever factors the Secretary deems appropriate 
through the rulemaking process.
    Amtrak urged that the Secretary should use this flexibility to 
limit which passenger routes it defines as ``main lines'' to those 
deemed to warrant the use of PTC using the FRA's usual risk-based 
approach to safety regulation and traditional measures of 
reasonableness, costs, and benefits. Amtrak posited that such a risk-
based analysis by FRA would likely lead to the conclusion that PTC is 
simply not needed on many light-density lines over which passenger 
trains currently operate. Amtrak therefore asked that FRA exercise this 
authority by working with Amtrak and the rail industry to exempt 
certain light density freight lines which host passenger traffic from 
the obligation to install PTC where operating and safety conditions do 
not warrant an advanced signal system.
    Should FRA choose not to exempt some of these light density freight 
lines over which passenger trains operate, Amtrak felt that the high 
costs of full PTC systems will be passed on to the passenger and 
freight operators of these routes. According to Amtrak, this obligation 
could threaten the continuation of intercity passenger rail service on 
several routes, including lines in California, Colorado, Kansas, Maine, 
Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North 
Dakota, Vermont, and Virginia, on what are potentially light density 
lines. Additionally, states Amtrak, this obligation, where it can be 
financed, could force the diversion of significant capital dollars away 
from essential safety investments in track and other infrastructure 
improvements, which are typically the leading safety risks for such 
light-density operations. According to Amtrak, the cost of PTC 
installation on these lines may be so out

[[Page 2690]]

of proportion to the benefit that Amtrak's service will need to be 
rerouted onto a different line (e.g., to a Class I line with PIH 
materials) if a reroute option exists, or eliminated entirely because 
there is no feasible alternate route and no party is willing or able to 
bear the cost of installing PTC on the existing route. The defining 
characteristic of light-density lines is the nature of the train 
traffic: low density patterns on these lines lead to a correspondingly 
low risk of collision. In its filing, Amtrak noted that it was 
currently assembling the details (e.g., annual freight tonnage, 
frequency of freight train operations) ``for those lines that it 
believes may qualify as light-density, and will submit as a supplement 
to these Comments a recommendation as to what criteria the FRA should 
adopt in determining what light-density lines are other than `main 
lines.' '' Amtrak did subsequently file data referred to below, but did 
not propose criteria.
    According to the Amtrak testimony, the ``limited operations 
exception'' in subsection 236.1019(c) of the NPRM did not provide a 
practical solution to the problem created by defining all light-density 
routes and terminal areas with passenger service as ``main lines.'' 
Amtrak stated that this subsection would arguably require installation 
of PTC on most of the trackage and locomotives of the Terminal Railroad 
Association of St Louis (TRRA) unless: (1) The entire terminal operates 
at restricted speed (which TRRA is unlikely to agree to), (2) passenger 
and freight trains are temporally separated (which would not be 
practical on TRRA, and is unlikely to be practical on any of the light-
density lines over which Amtrak operates, due to the 24/7 nature of 
railroad operations), or (3) a risk mitigation plan can be effected 
that would achieve a level of safety not less than would pertain if all 
operations on TRRA were at restricted speed or subject to temporal 
separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a 
risk analysis-based definition of ``main line'' passenger routes that 
excludes light-density lines on which the installation of PTC is not 
warranted; and (b) with respect to freight terminal areas in which 
passenger trains operate, that FRA modify the limited operations 
exception in subsection 236.1019(c) to require that all trains be 
limited to 30 miles per hour rather than to restricted speed, or that 
non-PTC equipped freight terminals be deemed as other than ``main 
lines'' so long as all passenger operations are pursuant to signal 
indication and at speeds not greater than 30 miles per hour (with 
speeds reduced to not greater than restricted speed on unsignaled 
trackage or if the signals should fail).
    FRA believes that Amtrak's request is much broader than 
contemplated by the law. FRA notes that TRRA is a very busy terminal 
operation. FRA does not believe that the ``limited freight operations'' 
concept is in any way applicable under those circumstances. Nor is 
there any indication in law that FRA was expected to fall back to 
traditional cost-benefit principles in relation to PTC and scheduled 
passenger service. However, there are a number of Amtrak routes with 
limited freight operations that will not otherwise be equipped with PTC 
because they are operated by other than Class I railroads. Further, 
there are some Class I lines with less than 5 million gross tons, or no 
PIH, that also warrant individualized review to the extent Amtrak and 
the host railroad might elect to propose it.
    Accordingly, in response to the Amtrak comments, Sec. Sec.  
236.1019(c)(2) and (c)(3) have been added to the final rule to provide 
an option by which certain additional types of limited passenger train 
operations may qualify for a main line track exception where freight 
operations are also suitably limited and the circumstances could lead 
to significant hardship and cost that might overwhelm the value of the 
passenger service provided. In Sec.  236.1019(c)(2), FRA addresses 
lines where the host is not a Class I freight railroad, describing 
characteristics of line segments that might warrant relief from PTC. In 
Sec.  236.1019(c)(2)(i), FRA addresses passenger service involving up 
to four regularly scheduled passenger trains during a calendar day over 
a segment of unsignaled track on which less than 15 million gross tons 
of freight traffic is transported annually. In Sec.  
236.1019(c)(2)(ii), FRA addresses passenger service involving up to 12 
regularly scheduled passenger trains during a calendar day over a 
segment of signaled track on which less than 15 million gross tons of 
freight traffic is transported annually. FRA derived Sec.  
236.1019(c)(2) indirectly from discussions in the RSAC in response to 
comments by Amtrak set forth above. The PTC Working Group proposed an 
exception that might have been available anywhere an intercity or 
commuter railroad operated over a line with 5 million gross tons of 
freight traffic, including Class I lines and the lines of the intercity 
or commuter railroad. This would have opened the potential for a 
considerable exception for lines with very light freight density under 
circumstances not thoroughly explored in the short time available to 
the working group (e.g., on commuter rail branch lines, low density 
track segments on Class I railroads, etc.).
    Subsequent to the RSAC activities, Amtrak notified FRA that its 
conversations with Class II and III railroads whose lines had been at 
the root of the Amtrak comments revealed that some of the situations 
involved freight traffic exceeding 5 million gross tons, potentially 
rendering the exception ineffective for this purpose. At the same time, 
FRA noted that the policy rationale behind the proposed additional 
exception was related as much to the inherent difficulty associated 
with PTC installation during the initial period defined by law, given 
that the railroads identified by Amtrak were for the most part very 
small operations with limited technical capacity, as well as limited 
safety exposure. It was clear that in these cases care would need to be 
taken to analyze collision risk and potentially require 
mitigations.\14\ Accordingly, FRA has endeavored to address the concern 
brought forward by Amtrak with a provision that is broad enough to 
permit consideration of actual circumstances, limit this particular 
exception to operations over railroads that would not otherwise need to 
install PTC (e.g., Class II and III freight railroads), provide for a 
thorough review process, and make explicit reference to the potential 
requirement for safety mitigations. In this regard, FRA has chosen 15 
million gross tons as a threshold that should accommodate situations 
where Amtrak trains will, in actuality, face few conflicts with freight 
movements (i.e., requiring trains to clear the main line for meets and 
passes or to wait at junctions) and where mitigations are in place or 
could be put in place to establish a high sense of confidence that 
operations will continue to be conducted safely. FRA believes that less 
than 15 million gross tons represents a fair test of ``limited freight 
operations'' for these purposes, with the further caveat that specific 
operating arrangements will be examined in each case.\15\ FRA 
emphasizes that this is not

[[Page 2691]]

an entitlement, but an exclusion for which the affected railroads will 
need to make a suitable case.
---------------------------------------------------------------------------

    \14\ An example of an existing mitigation, which is provided to 
support service quality but also supports safety, is the practice of 
one Class III Amtrak host and its connecting freight partner to hold 
out fleeted empty coal trains off the Class III property during the 
period that Amtrak is running. While not constituting strict 
``temporal separation,'' it does significantly reduce collision risk 
over the route.
    \15\ Freight tonnage on Amtrak lines varies from zero on two 
segments to over 150 million gross tons. On a per-mile basis, 15 
million gross tons falls into the twenty first percentile of Amtrak 
track miles. The candidate lines on the Class I system comprise 
about 6.8% of Amtrak's route structure.
---------------------------------------------------------------------------

    Amtrak also provided to FRA a spreadsheet identifying each of its 
route segments with attributes such as route length, freight tonnage, 
number of Amtrak trains, and numbers of commuter trains. FRA further 
reviewed this information in light of Amtrak's request for main track 
exceptions. FRA noted a number of segments of the Amtrak system on 
Class I railroads where the number of Amtrak trains was low and the 
freight tonnage was also low (less than 15 million gross tons). Each of 
these lines, with the exception of one 33-mile segment, is signalized. 
FRA further noted that, with both Amtrak and Class I railroad 
locomotives equipped for PTC, use of partial PTC technology (e.g., 
monitoring of switches where trains frequently clear) should be 
available as a mitigation for collision risk. Accordingly, in Sec.  
236.1019(c)(3) FRA has provided a further narrow exception for Class I 
lines carrying no more than four intercity or commuter passenger trains 
per day and cumulative annual tonnage of less than 15 million gross 
tons, subject to FRA review. The limit of four trains takes into 
consideration that it is much less burdensome to equip the wayside of a 
Class I rail line than to install a full PTC system on a railroad that 
would not otherwise require one. Again, the exception is not automatic, 
and FRA's approval of a particular line segment would be discretionary.
    The new Sec.  236.1019(d), FRA makes clear that it will carefully 
review each proposed main track exception and may require that it be 
supported by appropriate hazard analysis and mitigations. FRA has 
previously vetted through the RSAC a Collision Hazard Analysis Guide 
that can be useful for this purpose. If FRA determines that freight 
operations are not ``limited'' as a matter of safety exposure or that 
proposed safety mitigations are inadequate, FRA will deny the 
exception.
3. Description and Estimate of Small Entities Affected
    ``Small entity'' is defined in 5 U.S.C. 601. Section 601(3) defines 
a ``small entity'' as having the same meaning as ``small business 
concern'' under section 3 of the Small Business Act. This includes any 
small business concern that is independently owned and operated, and is 
not dominant in its field of operation. Section 601(4) includes not-
for-profit enterprises that are independently owned and operated, and 
are not dominant in their field of operations within the definition of 
``small entities.'' Additionally, section 601(5) defines as ``small 
entities'' governments of cities, counties, towns, townships, villages, 
school districts, or special districts with populations less than 
50,000.
    The U.S. Small Business Administration (SBA) stipulates ``size 
standards'' for small entities. It provides that the largest a for-
profit railroad business firm may be (and still classify as a ``small 
entity'') is 1,500 employees for ``Line-Haul Operating'' railroads, and 
500 employees for ``Short-Line Operating'' railroads. See ``Table of 
Size Standards,'' U.S. Small Business Administration, January 31, 1996, 
13 CFR part 121; see also NAICS Codes 482111 and 482112.
    SBA size standards may be altered by Federal agencies in 
consultation with SBA, and in conjunction with public comment. Pursuant 
to the authority provided to it by SBA, FRA has published a final 
policy, which formally establishes small entities as railroads that 
meet the line haulage revenue requirements of a Class III railroad. See 
68 FR 24,891 (May 9, 2003). Currently, the revenue requirements are $20 
million or less in annual operating revenue, adjusted annually for 
inflation. The $20 million limit (adjusted annually for inflation) is 
based on the Surface Transportation Board's threshold of a Class III 
railroad carrier, which is adjusted by applying the railroad revenue 
deflator adjustment. See also 49 CFR part 1201. The same dollar limit 
on revenues is established to determine whether a railroad shipper or 
contractor is a small entity. FRA uses this definition for this 
rulemaking.
    The FRA's ``universe'' of considered entities generally includes 
only those small entities that can reasonably be expected to be 
directly regulated by the final rule. One type of small entity is 
potentially affected by this final rule: railroads. The level of impact 
on small railroads will vary from railroad to railroad. Class III 
railroads will be impacted for one or more of the following reasons: 
(1) They operate on Class I railroad lines that carry PIH materials and 
are required to have PTC, in which case they will need to equip the 
portion of their locomotive fleet that operates on such lines; (2) they 
operate on Amtrak or commuter rail lines, including freight railroad 
lines that host such service; (3) they host regularly scheduled 
intercity or commuter rail transportation; or (4) they have at-grade 
railroad crossings over lines required by RSIA08 to have PTC.
    The final rule will apply to small railroads' tracks over which a 
passenger railroad conducts intercity or commuter operations and 
locomotives operating on main lines of Class I freight railroads 
required to have PTC and on railroads conducting intercity passenger or 
commuter operations. The impact on Class III railroads that operate on 
Class I railroad lines required to be equipped with PTC will depend on 
the nature of such operations. Class III railroads often make short 
moves on Class I railroad lines for interchange purposes. To the extent 
that their moves do not exceed four per day or 20 miles in length of 
haul (one way), Class III railroads will be exempt from the requirement 
to equip the locomotives. However, some Class III railroads operate 
much more extensively on Class I railroad lines that will be required 
to have PTC and will have to equip some of their locomotives. It is 
likely that Class III railroads will dedicate certain locomotives to 
such service, if they have not done so already. FRA estimates that 
approximately 55 small railroads will have to equip locomotives with 
PTC system components because they have trackage rights on Class I 
freight railroad PIH lines that will be required to have PTC and will 
not be able to qualify for any of the operational exceptions discussed.
    FRA further estimates that 10 small railroads have trackage rights 
on intercity passenger or commuter railroads or other freight railroads 
hosting such operations, and will need to equip some locomotives with 
PTC systems. Half of these will need to equip locomotives anyway, 
because they also have trackage rights on Class I railroads that haul 
PIH and would otherwise be required to have PTC.
    Thus, a total of 60 railroads will need to equip locomotives. FRA 
estimates that the average small railroad will need to equip four 
locomotives, at a per railroad cost of $55,000 each, totaling $220,000, 
and that the total cost for all 60 small railroads which will need to 
equip locomotives will be $13,200,000. FRA further estimates that the 
annual maintenance cost will be 15% of that total, equaling $33,000 per 
railroad or $1,980,000 total for all small railroads.
    In addition, 15 small railroads host commuter or intercity 
passenger operations on what might be defined as main line track under 
the accompanying rulemaking; however, only five of these railroads are 
neither terminal nor port railroads, which tend to be owned and 
operated by large railroads or port authorities, or subsidiaries of 
large short

[[Page 2692]]

line holding companies with the expertise and resources across the 
disciplines comparable to larger railroads. Of those five railroads, 
only one has trackage exceeding 3.8 miles. The other four railroads may 
request that FRA define such track as other than main line after 
ensuring that all trains will be limited to restricted speed. The cost 
burden on the remaining railroad will likely be reduced by restricting 
speed, temporally separating passenger train operations, or by passing 
the cost to the passenger railroad. Thus, the expected burden to small 
entities hosting passenger operations is minimal. This impact will 
further be reduced by exclusion of track from the main track under 
Sec.  236.1019.
    At rail-to-rail crossings where at least one of the intersecting 
tracks allows operating speeds in excess of 40 miles per hour, the 
approaching non-PTC line must have a permanent maximum speed limit of 
20 miles per hour and either have some type of positive stop 
enforcement or a split-point derail incorporated into the signal system 
on the non-PTC route. In the IRFA, FRA incorrectly assumed that the 
cost of the derail would be borne by the PTC-equipped railroad, and 
that slowing to 20 miles per hour reflects current practice at most 
diamond crossings. In response to comments from Class I railroad 
representatives, FRA has revised its assumption and estimates that 
roughly half of the cost of derails will be borne by small entities. 
FRA estimates that five small railroads have rail-to-rail crossings, 
with two such crossings each, where the newly burdened small railroad 
will be slowing to 20 miles per hour from a higher track speed. FRA 
estimates that the average traffic on the newly burdened route is two 
trains per day, and that the cost to slow from a higher track speed is 
$30 per train, for a total cost of $60 per crossing per day, a per 
railroad cost of $120 per day, and a total national cost for all ten 
small railroads of $600 per day and an annual cost of $43,800 per 
railroad and a total for all small railroads of $219,000 per year. FRA 
further estimates that small railroads will pay for derails at five of 
the ten impacted crossings, at a price per crossing of $80,000, for two 
sets of derails, one on each side of the crossings, and a total cost of 
$400,000, with annual maintenance costs of $60,000 (15% of installation 
cost) total. The initial investment will therefore be $400,000 and the 
total annual cost will be $279,000. FRA estimates that only five Class 
III railroads will be affected by this provision, and that they will be 
railroads not affected by the requirement to equip locomotives, because 
railroads with equipped locomotives could simply use the PTC system and 
avoid the requirement to slow down.
    This analysis yields a total of 65 affected small entities that may 
be impacted by implementation of the final rule. FRA requested comments 
regarding this estimate of small entities potentially impacted, and the 
only comment was that Class I railroads would not necessarily bear the 
cost of equipping rail-to-rail crossings with derails.
4. Description of Reporting, Recordkeeping, and Other Compliance 
Requirements and Impacts on Small Entities Resulting From Specific 
Requirements
    Class III railroads that host intercity or commuter rail service 
will need to file implementation plans, whether or not they directly 
procure or manage installation of the PTC system. FRA believes that, 
although the implementation plan must be jointly filed by the small 
host railroad and passenger tenant railroad, the cost of these plans 
will be borne by the passenger railroads, because under typical 
trackage rights agreements, the passenger railroads are responsible for 
any costs that would not exist in the absence of the passenger 
operations. Clearly, the Class III railroads would not be required to 
install PTC in the absence of passenger traffic, so any costs the Class 
III railroads bear initially will eventually be passed on to the 
passenger railroads operating on the Class III railroads' lines. FRA 
believes that only one small entity, as described above, is likely to 
have PTC installed on its lines. The implementation plan is likely to 
be an extension of the passenger railroad's plan, and the marginal cost 
will be the cost of tailoring the plan to the host railroad, which will 
be borne by the passenger railroad, and maintaining copies of the plan 
at the host railroad, which FRA estimates to be approximately $1,000 
per year.
    The total cost to small entities will include the initial cost of 
equipping locomotives, $13,200,000, and $400,000 to equip diamond 
crossings; annual costs of $1,980,000 for maintenance of locomotive 
systems; $219,000 due to operating speed restrictions at diamond 
crossings; $60,000 to maintain diamond crossings; and $1,000 to 
maintain a copy of the PTC implementation plan. The total annual costs 
to small entities after initial acquisition will be $2,260,000 
($1,980,000 + $219,000 + $60,000 + $1,000). Individual railroads 
affected will either face an initial cost of $220,000 to equip 
locomotives, and an annual cost of $33,000 to maintain the PTC systems 
on those locomotives, or will face a per railroad cost of $80,000 to 
equip a diamond crossing, $12,000 per year to maintain a diamond 
crossing, and $43,800 per year to slow at diamond crossings. No 
railroad will face both sets of costs, because if its locomotives are 
equipped, they will not need to slow down at diamond crossings, nor 
would the crossings need to be equipped with derails.
5. Steps the Agency Has Taken To Minimize Adverse Economic Impact on 
Small Entities
    FRA is unaware of any significant alternatives that would meet the 
intent of RSIA08 and that would minimize the economic impact on small 
entities. FRA is exercising its discretion to provide the greatest 
flexibility for small entities available under RSIA08 by allowing 
operations of unequipped trains operated by small entities on the main 
lines of Class I railroads, and by defining main track on passenger 
railroads to avoid imposing undue burdens on small entities. The 
definition of passenger main track was adopted based on PTC Working 
Group recommendations that were backed strongly by representatives of 
small railroads. FRA added further, more expansive exclusions from main 
track for passenger railroads in the final rule. The provisions 
permitting operations of unequipped trains of Class I railroads 
exceeded the maximum flexibility for which the PTC Working Group could 
reach a consensus. FRA requested comments on this finding of no 
significant alternative related to small entities, but received no such 
comments.
    The process by which this final rule was developed provided 
outreach to small entities. As noted earlier in the preamble, this 
notice was developed in consultation with industry representatives via 
the RSAC, which includes small railroad representatives. From January 
to April 2009, FRA met with the entire PTC Working Group five times 
over the course of twelve days. This PTC Working Group established a 
task force to focus on issues specific to short line and regional 
railroads. The discussions yielded many insights and this final rule 
takes into account the concerns expressed by small railroads during the 
deliberations. The PTC Working Group had further discussions after 
publication of the NPRM, on August 31, 2009, and September 1 and 2, 
2009, related to the impact on small entities and on passenger 
railroads

[[Page 2693]]

(small entities may be affected under the final rule by their 
operations on passenger railroads or as hosts of passenger operations) 
and added new exclusions from main track to the RSAC recommendations. 
FRA extended these exclusions further, based on Amtrak comments, to the 
benefit of small entities.

C. Paperwork Reduction Act

    The information collection requirements in this proposed rule have 
been submitted for approval to the Office of Management and Budget 
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. 
The sections that contain the new information collection requirements 
and the estimated time to fulfill each requirement are as follows:

----------------------------------------------------------------------------------------------------------------
                                      Respondent         Total annual      Average time per      Total annual
           CFR section                 universe            responses           response          burden hours
----------------------------------------------------------------------------------------------------------------
234.275--Processor-Based          20 Railroads......  25 letters........  4 hours...........  100 hours.
 Systems--Deviations from
 Product Safety Plan (PSP)--
 Letters.
236.18--Software Mgmt. Control    184 Railroads.....  184 plans.........  2,150 hours.......  395,600 hours.
 Plan.
    --Updates to Software Mgmt.   90 Railroads......  20 updates........  1.50 hours........  30 hours.
     Control Plan.
236.905--Updates to RSPP........  78 Railroads......  6 plans...........  135 hours.........  810 hours.
    --Response to Request for     78 Railroads......  1 updated doc.....  400 hours.........  400 hours.
     Additional Info.
    --Request for FRA Approval    78 Railroads......  1 request/modified  400 hours.........  400 hours.
     of RSPP Modification.                             RSPP.
236.907--Product Safety Plan      5 Railroads.......  5 plans...........  6,400 hours.......  32,000 hours.
 (PSP)--Dev.
236.909--Minimum Performance
 Standard
    --Petitions for Review and    5 Railroads.......  2 petitions/PSP...  19,200 hours......  38,400 hours.
     Approval.
    --Supporting Sensitivity      5 Railroads.......  5 analyses........  160 hours.........  800 hours.
     Analysis.
236.913--Notification/Submission  6 Railroads.......  1 joint plan......  25,600 hours......  25,600 hours.
 to FRA of Joint Product Safety
 Plan (PSP).
    --Petitions for Approval/     6 Railroads.......  6 petitions.......  1,928 hours.......  11,568 hours.
     Informational Filings.
    --Responses to FRA Request    6 Railroads.......  2 documents.......  800 hours.........  1,600 hours.
     for Further Info. After
     Informational Filing.
    --Responses to FRA Request    6 Railroads.......  6 documents.......  16 hours..........  96 hours.
     for Further Info. After
     Agency Receipt of Notice of
     Product Development.
    --Consultations.............  6 Railroads.......  6 consults........  120 hours.........  720 hours.
    --Petitions for Final         6 Railroads.......  6 petitions.......  16 hours..........  96 hours.
     Approval.
    --Comments to FRA by          Public/RRs........  7 comments........  240 hours.........  1,680 hours.
     Interested Parties.
    --Third Party Assessments of  6 Railroads.......  1 assessment......  104,000 hours.....  104,000 hours.
     PSP.
    --Amendments to PSP.........  6 Railroads.......  15 amendments.....  160 hours.........  2,400 hours.
    --Field Testing of Product--  6 Railroads.......  6 documents.......  3,200 hours.......  19,200 hours.
     Info. Filings.
236.917--Retention of Records.
    --Results of tests/           6 Railroads.......  3 documents/        160,000 hrs.;       360,000 hours.
     inspections specified in                          records.            160,000 hrs.;
     PSP.                                                                  40,000 hrs.
    --Report to FRA of            6 Railroads.......  1 report..........  104 hours.........  104 hours.
     Inconsistencies with
     frequency of safety-
     relevant hazards in PSP.
236.919--Operations &
 Maintenance Man.
    --Updates to O & M Manual...  6 Railroads.......  6 updated docs....  40 hours..........  240 hours.
    --Plans for Proper            6 Railroads.......  6 plans...........  53,335 hours......  320,010 hours.
     Maintenance, Repair,
     Inspection of Safety-
     Critical Products.
    --Hardware/Software/Firmware  6 Railroads.......  6 revisions.......  6,440 hours.......  38,640 hours.
     Revisions.
236.921--Training Programs:       6 Railroads.......  6 Tr. Programs....  400 hours.........  2,400 hours.
 Development.
    --Training of Signalmen &     6 Railroads.......  300 signalmen; 20   40 hours; 20 hours  12,400 hours.
     Dispatchers.                                      dispatchers.
236.923--Task Analysis/Basic      6 Railroads.......  6 documents.......  720 hours.........  4,320 hours.
 Requirements: Necessary
 Documents.
    --Records...................  6 Railroads.......  350 records.......  10 minutes........  58 hours.
 
   SUBPART I--NEW REQUIREMENTS
 
236.1001--RR Development of More  30 Railroads......  3 rules...........  80 hours..........  240 hours.
 Stringent Rules Re: PTC
 Performance Stds.
236.1005--Requirements for PTC
 Systems.
    --Temporary Rerouting:        30 Railroads......  50 requests.......  8 hours...........  400 hours.
     Emergency Requests.
    --Written/Telephonic          30 Railroads......  50 notifications..  2 hours...........  100 hours.
     Notification to FRA
     Regional Administrator.
    --Temporary Rerouting         30 Railroads......  760 requests......  8 hours...........  6,080 hours.
     Requests Due to Track
     Maintenance.
    --Temporary Rerouting         30 Railroads......  380 requests......  8 hours...........  3,040 hours.
     Requests That Exceed 30
     Days.
236.1006--Requirements for
 Equipping Locomotives Operating
 in PTC Territory.

[[Page 2694]]

 
    --Reports of Movements in     30 Railroads......  45 reports + 45     8 hours + 170.....  8,010 hours.
     Excess of 20 Miles/RR                             reports.
     Progress on PTC Locomotives.
    --PTC Progress Reports......  35 Railroads......  35 reports........  16 hours..........  560 hours.
236.1007--Additional
 Requirements for High Speed
 Service.
    --Required HSR--125           30 Railroads......  11 documents......  3,200 hours.......  35,200 hours.
     Documents with approved
     PTCSP.
    --Requests to Use Foreign     30 Railroads......  2 requests........  8,000 hours.......  16,000 hours.
     Service Data.
    --PTC Railroads Conducting    30 Railroads......  4 documents.......  3,200 hours.......  12,800 hours.
     Operations at More than 150
     MPH with HSR-125 Documents.
    --Requests for PTC Waiver...  30 Railroads......  1 request.........  1,000 hours.......  1,000 hours.
236.1009--Procedural
 Requirements.
    --PTC Implementation Plans    30 Railroads......  25 plans..........  535 hours.........  13,375 hours.
     (PTCIP).
    --Host Railroads Filing       30 Railroads......  1 PCTIP; 15 RFAs..  535 hours; 320      5,335 hours.
     PTCIP or Request for                                                  hours.
     Amendment (RFAs).
    --Jointly Submitted PTCIPs..  30 Railroads......  5 PTCIPs..........  267 hours.........  1,335 hours.
    --Notification of Failure to  30 Railroads......  25 notifications..  32 hours..........  800 hours.
     File Joint PTCIP.
    --Comprehensive List of       30 Railroads......  25 lists..........  80 hours..........  2,000 hours.
     Issues Causing Non-
     Agreement.
    --Conferences to Develop      25 Railroads......  3 conf. calls.....  60 minutes........  3 hours.
     Mutually Acceptable PCTIP.
    --Type Approval.............  30 Railroads......  10 Type Appr......  8 hours...........  80 hours.
    --PTC Development Plans       30 Railroads......  20 Ltr. + 20 App;   8 hrs/1,600 hrs.;   96,160 hours.
     Requesting Type Approval.                         10 Plans.           6,400 hours.
    --Notice of Product Intent w/ 30 Railroads......  24 NPI; 24 IPs....  1,070 + 535 hrs...  38,520 hours.
     PTCIPs (IPs).
    --PTCDPs with PTCIPs (DPs +   30 Railroads......  6 DPs; 6 IPs......  2,135 + 535 hrs...  16,020 hours.
     IPs).
    --Updated PTCIPs w/PTCDPs     30 Railroads......  24 IPs; 24 DPs....  535 + 2,135 hrs...  64,080 hours.
     (IPs + DPs).
    --Disapproved/Resubmitted     30 Railroads......  6 IPs + 6 NPIs....  135 + 270 hrs.....  2,430 hours.
     PTCIPs/NPIs.
    --Revoked Approvals--         30 Railroads......  6 IPs + 6 DPs.....  135 + 535 hrs.....  4,020 hours.
     Provisional IPs/DP.
    --PTCIPs/PTCDPs Still         30 Railroads......  2 IPs + 2 DPs.....  135 + 535 hrs.....  1,340 hours.
     Needing Rework.
    --PTCIP/PTCDP/PTCSP Plan      30 Railroads......  1 document........  8,000 hours.......  8,000 hours.
     Contents--Documents
     Translated into English.
    --Requests for                30 Railroads......  30 ltrs; 30 docs..  8 hrs.; 800 hrs...  24,240 hours.
     Confidentiality.
    --Field Test Plans/           30 Railroads......  150 field tests; 2  800 hours.........  121,600 hours.
     Independent Assessments--                         assessments.
     Req. by FRA.
    --FRA Access: Interviews      30 Railroads......  60 interviews.....  30 minutes........  30 hours.
     with PTC Wrkrs.
    --FRA Requests for Further    30 Railroads......  5 documents.......  400 hours.........  2,000 hours.
     Information.
236.1011--PTCIP Requirements--    7 Interested        21 rev.; 60 com...  143 + 8 hrs.......  3,483 hours.
 Comment.                          Groups.
236.1015--PTCSP Content
 Requirements & PTC System
 Certification.
    --Non-Vital Overlay.........  30 Railroads......  2 PTCSPs..........  16,000 hours......  32,000 hours.
    --Vital Overlay.............  30 Railroads......  16 PTCSPs.........  22,400 hours......  358,400 hours.
    --Stand Alone...............  30 Railroads......  10 PTCSPs.........  32,000 hours......  320,000 hours.
    --Mixed Systems--Conference   30 Railroads......  3 conferences.....  32 hours..........  96 hours.
     with FRA regarding Case/
     Analysis.
    --Mixed Sys. PTCSPs (incl.    30 Railroads......  2 PTCSPs..........  28,800 hours......  57,600 hours.
     safety case).
    --FRA Request for Additional  30 Railroads......  15 documents......  3,200 hours.......  48,000 hours.
     PTCSP Data.
    --PTCSPs Applying to Replace  30 Railroads......  15 PTCSPs.........  3,200 hours.......  48,000 hours.
     Existing Certified PTC
     Systems.
    --Non-Quantitative Risk       30 Railroads......  15 assessments....  3,200 hours.......  48,000 hours.
     Assessments Supplied to FRA.
236.1017--PTCSP Supported by      30 Railroads......  1 assessment......  8,000 hours.......  8,000 hours.
 Independent Third Party
 Assessment.
    --Written Requests to FRA to  30 Railroads......  1 request.........  8 hours...........  8 hours.
     Confirm Entity Independence.
    --Provision of Additional     30 Railroads......  1 document........  160 hours.........  160 hours.
     Information After FRA
     Request.
    --Independent Third Party     30 Railroads......  1 request.........  160 hours.........  160 hours.
     Assessment: Waiver Requests.

[[Page 2695]]

 
    --RR Request for FRA to       30 Railroads......  1 request.........  32 hours..........  32 hours.
     Accept Foreign Railroad
     Regulator Certified Info.
236.1019--Main Line Track
 Exceptions.
    --Submission of Main Line     30 Railroads......  30 MTEAs..........  160 hours.........  4,800 hours.
     Track Exclusion Addendums
     (MTEAs).
    --Passenger Terminal          30 Railroads......  23 MTEAs..........  160 hours.........  3,680 hours.
     Exception--MTEAs.
    --Limited Operation           30 Railroads......  23 plans..........  160 hours.........  3,680 hours.
     Exception--Risk Mit.
    --Ltd. Exception--Collision   30 Railroads......  12 analyses.......  1,600 hours.......  19,200 hours.
     Hazard Anal.
    --Temporal Separation         30 Railroads......  11 procedures.....  160 hours.........  1,760 hours.
     Procedures.
236.1021--Discontinuances,        30 Railroads......  15 RFAs...........  160 hours.........  2,400 hours.
 Material Modifications,
 Amendments--Requests to Amend
 (RFA) PTCIP, PTCDP or PTCSP.
    --Review and Public Comment   7 Interested        7 reviews + 20      3 hours; 16 hours.  341 hours.
     on RFA.                       Groups.             comments.
236.1023--PTC Product Vendor      30 Railroads......  30 lists..........  8 hours...........  240 hours.
 Lists.
    --RR Procedures Upon          30 Railroads......  30 procedures.....  16 hours..........  480 hours.
     Notification of PTC System
     Safety-Critical Upgrades,
     Rev., Etc.
    --RR Notifications of PTC     30 Railroads......  150 notifications.  16 hours..........  2,400 hours.
     Safety Hazards.
    --RR Notification Updates...  30 Railroads......  150 updates.......  16 hours..........  2,400 hours.
    --Manufacturer's Report of    5 System Suppliers  5 reports.........  400 hours.........  2,000 hours.
     Investigation of PTC Defect.
    --PTC Supplier Reports of     5 System Suppliers  150 reports + 150   16 hours + 8 hours  3,600 hours.
     Safety Relevant Failures or                       rpt. copies.
     Defective Conditions.
236.1029--Report of On-Board      30 Railroads......  960 reports.......  96 hours..........  92,160 hours.
 Lead Locomotive PTC Device
 Failure.
236.1031--Previously Approved
 PTC Systems.
    --Request for Expedited       30 Railroads......  3 REC Letters.....  160 hours.........  480 hours.
     Certification (REC) for PTC
     System.
    --Requests for                30 Railroads......  3 requests........  1,600 hours.......  4,800 hours.
     Grandfathering on PTCSPs.
236.1035--Field Testing           30 Railroads......  150 field test      800 hours.........  120,000 hours.
 Requirements.                                         plans.
    --Relief Requests from        30 Railroads......  50 requests.......  320 hours.........  16,000 hours.
     Regulations Necessary to
     Support Field Testing.
236.1037--Records Retention.
    --Results of Tests in PTCSP   30 Railroads......  960 records.......  4 hours...........  3,840 hours.
     and PTCDP.
    --PTC Service Contractors     30 Railroads......  9,000 records.....  30 minutes........  4,500 hours.
     Training Records.
    --Reports of Safety Relevant  30 Railroads......  4 reports.........  8 hours...........  32 hours.
     Hazards Exceeding Those in
     PTCSP and PTCDP.
    --Final Report of Resolution  30 Railroads......  4 final reports...  160 hours.........  640 hours.
     of Inconsistency.
236.1039--Operations &            30 Railroads......  30 manuals........  250 hours.........  7,500 hours.
 Maintenance Manual (OMM):
 Development.
    --Positive Identification of  30 Railroads......  75,000 i.d.         1 hour............  75,000 hours.
     Safety-critical components.                       components.
    --Designated RR Officers in   30 Railroads......  60 designations...  2 hours...........  120 hours.
     OMM regarding PTC issues.
236.1041--PTC Training Programs.  30 Railroads......  30 programs.......  400 hours.........  12,000 hours.
236.1043--Task Analysis/Basic     30 Railroads......  30 evaluations....  720 hours.........  21,600 hours.
 Requirements: Training
 Evaluations.
    --Training Records..........  30 Railroads......  350 records.......  10 minutes........  58 hours.
236.1045--Training Specific to    30 Railroads......  20 trained          20 hours..........  400 hours.
 Office Control Personnel.                             employees.
236.1047--Training Specific to
 Loc. Engineers & Other
 Operating Personnel.
    --PTC Conductor Training....  30 Railroads......  5,000 trained       3 hours...........  15,000 hours.
                                                       conductors.
----------------------------------------------------------------------------------------------------------------

    All estimates include the time for reviewing instructions; 
searching existing data sources; gathering or maintaining the needed 
data; and reviewing the information.
    Organizations and individuals desiring to submit comments on the 
collection of information requirements should direct them to the Office 
of Management and Budget, Office of Information and Regulatory Affairs, 
Washington, DC 20503, Attention: FRA Desk Officer. Comments may also be 
sent via e-mail to the Office of Management and Budget at the following 
address: [email protected].

[[Page 2696]]

    OMB is required to make a decision concerning the collection of 
information requirements contained in this direct final rule between 30 
and 60 days after publication of this document in the Federal Register. 
Therefore, a comment to OMB is best assured of having its full effect 
if OMB receives it within 30 days of publication.
    FRA cannot impose a penalty on persons for violating information 
collection requirements which do not display a current OMB control 
number, if required. FRA intends to obtain current OMB control numbers 
for any new information collection requirements resulting from this 
rulemaking action prior to the effective date of this direct final 
rule. The OMB control number, when assigned, will be announced by 
separate notice in the Federal Register.

D. Federalism Implications

    This final rule has been analyzed in accordance with the principles 
and criteria contained in Executive Order 13132, ``Federalism.'' See 64 
FR 43,255 (Aug. 4, 1999).
    As discussed earlier in the preamble, this final rule would provide 
regulatory guidance and performance standards for the development, 
testing, implementation, and use of Positive Train Control (PTC) 
systems for railroads mandated by the Rail Safety Improvement Act of 
2008.
    Executive Order 13132 requires FRA to develop an accountable 
process to ensure ``meaningful and timely input by State and local 
officials in the development of regulatory policies that have 
federalism implications.'' Policies that have ``federalism 
implications'' are defined in the Executive Order to include 
regulations that have ``substantial direct effects on the States, on 
the relationship between the national government and the States, or on 
the distribution of power and responsibilities among the various levels 
of government.'' Under Executive Order 13132, the agency may not issue 
a regulation with Federalism implications that imposes substantial 
direct compliance costs and that is not required by statute, unless the 
Federal government provides the funds necessary to pay the direct 
compliance costs incurred by State and local governments, or the agency 
consults with State and local government officials early in the process 
of developing the regulation. Where a regulation has Federalism 
implications and preempts State law, the agency seeks to consult with 
State and local officials in the process of developing the regulation.
    FRA has determined that this final rule would not have substantial 
direct effects on the states, on the relationship between the national 
government and the states, nor on the distribution of power and 
responsibilities among the various levels of government. In addition, 
FRA has determined that this final rule, which is required by the Rail 
Safety Improvement Act of 2008, would not impose any direct compliance 
costs on state and local governments. Therefore, the consultation and 
funding requirements of Executive Order 13132 do not apply.
    However, this final rule will have preemptive effect. Section 20106 
of Title 49 of the United States Code provides that States may not 
adopt or continue in effect any law, regulation, or order related to 
railroad safety or security that covers the subject matter of a 
regulation prescribed or order issued by the Secretary of 
Transportation (with respect to railroad safety matters) or the 
Secretary of Homeland Security (with respect to railroad security 
matters), except when the State law, regulation, or order qualifies 
under the local safety or security exception to Sec.  20106. The intent 
of Sec.  20106 is to promote national uniformity in railroad safety and 
security standards. 49 U.S.C. 20106(a)(1). Thus, subject to a limited 
exception for essentially local safety or security hazards, this final 
rule would establish a uniform federal safety standard that must be 
met, and state requirements covering the same subject matter would be 
displaced, whether those state requirements are in the form of a state 
law, regulation, order, or common law. Part 236 establishes federal 
standards of care which preempt state standards of care, but this part 
does not preempt an action under state law seeking damages for personal 
injury, death, or property damage alleging that a party has failed to 
comply with the federal standard of care established by this part, 
including a plan or program required by this part. Provisions of a plan 
or program which exceed the requirements of this part are not included 
in the federal standard of care. The Locomotive Boiler Inspection Act 
(49 U.S.C. 20701-20703) has been held by the U.S. Supreme Court to 
preempt the entire field of locomotive safety; therefore, this part 
preempts any state law, including common law, covering the design, 
construction, or material of any part of or appurtenance to a 
locomotive.
    In sum, FRA has analyzed this final rule in accordance with the 
principles and criteria contained in Executive Order 13132. As 
explained above, FRA has determined that this final rule has no 
federalism implications, other than the preemption of state laws 
covering the subject matter of this final rule, which occurs by 
operation of law under 49 U.S.C. 20106 whenever FRA issues a rule or 
order. Accordingly, FRA has determined that preparation of a federalism 
summary impact statement for this proposed rule is not required.

E. Environmental Impact

    FRA has evaluated this final rule in accordance with its 
``Procedures for Considering Environmental Impacts'' (``FRA's 
Procedures'') (64 FR 28,545 (May 26, 1999)) as required by the National 
Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental 
statutes, Executive Orders, and related regulatory requirements. FRA 
has determined that this final rule is not a major FRA action 
(requiring the preparation of an environmental impact statement or 
environmental assessment) because it is categorically excluded from 
detailed environmental review pursuant to section 4(c)(20) of FRA's 
Procedures. In accordance with section 4(c) and (e) of FRA's 
Procedures, the agency has further concluded that no extraordinary 
circumstances exist with respect to this regulation that might trigger 
the need for a more detailed environmental review. As a result, FRA 
finds that this final rule is not a major federal action significantly 
affecting the quality of the human environment.

F. Unfunded Mandates Reform Act of 1995

    The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C. 
1531) (UMRA) requires agencies to prepare a written assessment of the 
costs, benefits, and other effects of proposed or final rules that 
include a federal mandate likely to result in the expenditures by 
state, local or tribal governments, in the aggregate, or by the private 
sector, of $100 million (adjusted annually for inflation with base year 
of 1995) or more in any one year. The value equivalent of $100 million 
in CY 1995, adjusted annual for inflation to CY 2008 levels by the 
Consumer Price Index for All Urban Consumers (CPI-U) is $141.3 million. 
The assessment may be included in conjunction with other assessments, 
as it is in this rulemaking.
    FRA is issuing this final rule to provide regulatory guidance and 
performance standards for the development, testing, implementation, and 
use of PTC systems for railroads mandated by the Rail Safety 
Improvement Act of 2008 Sec.  104, Public Law 110-432, 122 Stat. 4854 
(Oct. 16, 2008) (codified at 9 U.S.C. 20157), to

[[Page 2697]]

implement PTC systems. The RIA provides a detailed analysis of the 
costs of implementing PTC systems. This analysis is the basis for 
determining that, other than to the extent that this regulation 
incorporates requirements specifically set forth in RSIA08, this rule 
will not result in total expenditures by state, local or tribal 
governments, in the aggregate, or by the private sector of $141.3 
million or more in any one year. The vast bulk of costs associated with 
this final rule are directly attributable to the statutory mandate. The 
only unfunded mandate attributable to this final rule that does not 
incorporate the requirements specifically set forth in RSIA08 is the 
cost pertaining to the filing of paperwork to prove compliance with 
RSIA08. The effects are discussed above and in the Regulatory Impact 
Analysis, which has been placed in the docket for this rulemaking.
    FRA received comments asserting that the rule extends beyond the 
congressional mandates communicated in RSIA08. Even if this assertion 
was correct, the final rule alone would not create an unfunded mandate 
in excess of the threshold amount. For instance, some railroads believe 
that Sec.  236.1029(f)--which requires PTC screen access to every 
person in the locomotive cab--exceeds the statutory requirements. 
Certain freight railroads have said that this provision requires a 
second display unit, which will cost $8,000. AAR estimates that 
approximately 29,461 second display units would require installation, 
resulting in a cost of $235,688,000. FRA, however, believes that only 
27,598 screens would require installation, totaling $220,784,000.
    Certain railroads have also contested Sec.  236.1005(b)(2), which 
governs the baseline information necessary to determine whether a Class 
I railroad's track segment shall be equipped with a PTC system. Under 
that provision, initial PTC territory shall be determined based on 2008 
traffic levels. CSXT asserts that this provision will cause it to 
install PTC on 844 miles of track which will no longer meet the PIH 
materials threshold or will no longer meet the 5 million gross tons 
threshold in 2010. According to CSXT, the installation will cost 
$45,000 per mile (the RIA uses an estimate of $50,000 per mile) for a 
CSXT estimated cost of almost $38,000,000.
    As noted above, FRA believes that these requirements respond 
directly to the requirements set forth in RSIA08. For instance, to 
effectuate Congress' intent to prevent incursions into roadway worker 
zones, it is necessary to require PTC screen access to all crew members 
in the locomotive cab so that they may perform their respective duties. 
Sometimes, this may require installation of a second display unit. In 
its analysis of Sec.  236.1005(b), FRA provides sufficient 
justification for the baseline level based on the language in the 
statute, the context of the legislative process, and Congress' intent. 
If anything, FRA has reduced railroad expenditures by, inter alia, 
providing a number of exceptions from the installation requirements and 
opportunities for plan amendments.
    In any event, the aforementioned costs borne by the railroads will 
not exceed $141.3 million or more in any one year. The costs indicated 
above--totaling between $258,784,000 and $273,688,000, depending upon 
whether one relies on AAR's or FRA's second screen estimates--would be 
incurred over a period of several years. Even if FRA were to add the 
costs of paperwork filings, which FRA estimates to each have a one time 
cost of approximately $20,000, the annual monetary threshold will 
likely not be met.

G. Energy Impact

    Executive Order 13211 requires Federal agencies to prepare a 
Statement of Energy Effects for any ``significant energy action.'' 66 
FR 28,355 (May 22, 2001). Under the Executive Order, a ``significant 
energy action'' is defined as any action by an agency (normally 
published in the Federal Register) that promulgates or is expected to 
lead to the promulgation of a final rule or regulation, including 
notices of inquiry, advance notices of proposed rulemaking, and notices 
of proposed rulemaking: (1)(i) That is a significant regulatory action 
under Executive Order 12866 or any successor order, and (ii) is likely 
to have a significant adverse effect on the supply, distribution, or 
use of energy; or (2) that is designated by the Administrator of the 
Office of Information and Regulatory Affairs as a significant energy 
action. FRA has evaluated this final rule in accordance with Executive 
Order 13211. FRA has determined that this final rule is not likely to 
have a significant adverse effect on the supply, distribution, or use 
of energy. Consequently, FRA has determined that this regulatory action 
is not a ``significant regulatory action'' within the meaning of 
Executive Order 13211.

H. Privacy Act

    FRA wishes to inform all interested parties that anyone is able to 
search the electronic form of any written communications and comments 
received into any of our dockets by the name of the individual 
submitting the document (or signing the document), if submitted on 
behalf of an association, business, labor union, etc.). Interested 
parties may also review DOT's complete Privacy Act Statement in the 
Federal Register published on April 11, 2000 (65 FR 19,477) or visit 
http://www.regulations.gov.

List of Subjects

49 CFR Part 229

    Event recorders, Locomotives, Railroad safety.

49 CFR Part 234

    Highway safety, Penalties, Railroad safety, Reporting and 
recordkeeping requirements.

49 CFR Part 235

    Administrative practice and procedure, Penalties, Railroad safety, 
Reporting and recordkeeping requirements.

49 CFR Part 236

    Penalties, Positive Train Control, Railroad safety, Reporting and 
recordkeeping requirements.

IX. The Rule

0
In consideration of the foregoing, FRA amends chapter II, subtitle B of 
title 49, Code of Federal Regulations as follows:

PART 229--[AMENDED]

0
1. The authority citation for part 229 continues to read as follows:

    Authority: 49 U.S.C. 20103, 20107, 20133, 20137-38, 20143, 
20701-03, 21301-02, 21304; 28 U.S.C. 2401, note; and 49 CFR 1.49(c), 
(m).


0
2. Section 229.135 is amended by revising paragraphs (b)(3)(xxv) and 
(b)(4)(xxi) to read as follows:


Sec.  229.135  Event recorders.

* * * * *
    (b) * * *
    (3) * * *
    (xxv) Safety-critical train control data routed to the locomotive 
engineer's display with which the engineer is required to comply, 
specifically including text messages conveying mandatory directives and 
maximum authorized speed. The format, content, and proposed duration 
for retention of such data shall be specified in the Product Safety 
Plan or PTC Safety Plan submitted for the train control system under 
subparts H or I, respectively, of part 236 of this chapter, subject to 
FRA approval under this paragraph. If it can be calibrated against 
other data required by this part, such train control data may, at the 
election of the railroad, be

[[Page 2698]]

retained in a separate certified crashworthy memory module.
    (4) * * *
    (xxi) Safety-critical train control data routed to the locomotive 
engineer's display with which the engineer is required to comply, 
specifically including text messages conveying mandatory directives and 
maximum authorized speed. The format, content, and proposed duration 
for retention of such data shall be specified in the Product Safety 
Plan or PTC Safety Plan submitted for the train control system under 
subparts H or I, respectively, of part 236 of this chapter, subject to 
FRA approval under this paragraph. If it can be calibrated against 
other data required by this part, such train control data may, at the 
election of the railroad, be retained in a separate certified 
crashworthy memory module.
* * * * *

PART 234--[AMENDED]

0
3. The authority citation for part 234 continues to read as follows:

    Authority:  49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49 
CFR 1.49.


0
4. In Sec.  234.275 revise paragraphs (b)(1), (b)(2), (c), and (f) to 
read as follows:


Sec.  234.275  Processor-based systems.

* * * * *
    (b) Use of performance standard authorized or required. (1) In lieu 
of compliance with the requirements of this subpart, a railroad may 
elect to qualify an existing processor-based product under part 236, 
subparts H or I, of this chapter.
    (2) Highway-rail grade crossing warning systems, subsystems, or 
components that are processor-based and that are first placed in 
service after June 6, 2005, which contain new or novel technology, or 
which provide safety-critical data to a railroad signal or train 
control system that is governed by part 236, subpart H or I, of this 
chapter, shall also comply with those requirements. New or novel 
technology refers to a technology not previously recognized for use as 
of March 7, 2005.
* * * * *
    (c) Plan justifications. The Product Safety Plan in accordance with 
49 CFR 236.907--or a PTC Development Plan and PTC Safety Plan required 
to be filed in accordance with 49 CFR 236.1013 and 236.1015--must 
explain how the performance objective sought to be addressed by each of 
the particular requirements of this subpart is met by the product, why 
the objective is not relevant to the product's design, or how the 
safety requirements are satisfied using alternative means. Deviation 
from those particular requirements is authorized if an adequate 
explanation is provided, making reference to relevant elements of the 
applicable plan, and if the product satisfies the performance standard 
set forth in Sec.  236.909 of this chapter. (See Sec.  236.907(a)(14) 
of this chapter.)
* * * * *
    (f) Software management control for certain systems not subject to 
a performance standard. Any processor-based system, subsystem, or 
component subject to this part, which is not subject to the 
requirements of part 236, subpart H or I, of this chapter but which 
provides safety-critical data to a signal or train control system shall 
be included in the software management control plan requirements as 
specified in Sec.  236.18 of this chapter.

PART 235--[AMENDED]

0
5. The authority citation for part 235 continues to read as follows:

    Authority: 49 U.S.C. 20103, 20107; 28 U.S.C. 2461, note; and 49 
CFR 1.49.


0
6. In Sec.  235.7, revise paragraph (a)(4), add paragraph (a)(5), and 
revise paragraphs (b)(2), (b)(3), and (c)(25) to read as follows:


Sec.  235.7  Changes not requiring filing of application.

    (a) * * *
    (4) Removal from service not to exceed 6 months of block signal 
system, interlocking, or traffic control system necessitated by 
catastrophic occurrence such as derailment, flood, fire, or hurricane; 
or
    (5) Removal of an intermittent automatic train stop system in 
conjunction with the implementation of a positive train control system 
approved by FRA under subpart I of part 236 of this chapter.
    (b) * * *
    (2) Removal of electric or mechanical lock, or signal used in lieu 
thereof, from hand-operated switch in automatic block signal or traffic 
control territory where train speed over the switch does not exceed 20 
miles per hour; or
    (3) Removal of electric or mechanical lock, or signal used in lieu 
thereof, from hand-operated switch in automatic block signal or traffic 
control territory where trains are not permitted to clear the main 
track at such switch.
    (c) * * *
    (25) The temporary or permanent arrangement of existing systems 
necessitated by highway-rail grade crossing separation construction. 
Temporary arrangements shall be removed within 6 months following 
completion of construction.

PART 236--[AMENDED]

0
7. The authority citation for part 236 is revised to read as follows:

    Authority: 49 U.S.C. 20102-20103, 20107, 20133, 20141, 20157, 
20301-20303, 20306, 20501-20505, 20701-20703, 21301-21302, 21304; 28 
U.S.C. 2461, note; and 49 CFR 1.49.

0
8. Section 236.0 is amended by revising paragraphs (a) and (c) through 
(e) and by adding paragraph (i) to read as follows:


Sec.  236.0  Applicability, minimum requirements, and penalties.

    (a) Except as provided in paragraph (b) of this section, this part 
applies to all railroads and any person as defined in paragraph (f) of 
this section.
* * * * *
    (c)(1) Prior to January 17, 2012, where a passenger train is 
operated at a speed of 60 or more miles per hour, or a freight train is 
operated at a speed of 50 or more miles per hour--
    (i) A block signal system complying with the provisions of this 
part shall be installed; or
    (ii) A manual block system shall be placed permanently in effect 
that shall conform to the following conditions:
    (A) A passenger train shall not be admitted to a block occupied by 
another train except when absolutely necessary and then only by 
operating at restricted speed;
    (B) No train shall be admitted to a block occupied by a passenger 
train except when absolutely necessary and then only by operating at 
restricted speed;
    (C) No train shall be admitted to a block occupied by an opposing 
train except when absolutely necessary and then only while one train is 
stopped and the other is operating at restricted speed; and
    (D) A freight train, including a work train, may be authorized to 
follow a freight train, including a work train, into a block and then 
only when the following train is operating at restricted speed.
    (2) On and after January 17, 2012, where a passenger train is 
permitted to operate at a speed of 60 or more miles per hour, or a 
freight train is permitted to operate at a speed of 50 or more miles 
per hour, a block signal system complying with the provisions of this 
part shall be installed, unless an FRA approved PTC system meeting the 
requirements of this part for the subject speed and other operating 
conditions is installed.

[[Page 2699]]

    (d)(1) Prior to December 31, 2015, where any train is permitted to 
operate at a speed of 80 or more miles per hour, an automatic cab 
signal, automatic train stop, or automatic train control system 
complying with the provisions of this part shall be installed, unless 
an FRA approved PTC system meeting the requirements of this part for 
the subject speed and other operating conditions, is installed.
    (2) On and after December 31, 2015, where any train is permitted to 
operate at a speed of 80 or more miles per hour, a PTC system complying 
with the provisions of subpart I shall be installed and operational, 
unless FRA approval to continue to operate with an automatic cab 
signal, automatic train stop, or automatic train control system 
complying with the provisions of this part has been justified to, and 
approved by, the Associate Administrator.
    (3) Subpart H of this part sets forth requirements for voluntary 
installation of PTC systems, and subpart I of this part sets forth 
requirements for mandated installation of PTC systems, each under 
conditions specified in their respective subpart.
    (e) Nothing in this section authorizes the discontinuance of a 
block signal system, interlocking, traffic control system, automatic 
cab signal, automatic train stop or automatic train control system, or 
PTC system, without approval by the FRA under part 235 of this title. 
However, a railroad may apply for approval of discontinuance or 
material modification of a signal or train control system in connection 
with a request for approval of a Positive Train Control Development 
Plan (PTCDP) or Positive Train Control Safety Plan (PTCSP) as provided 
in subpart I of this part.
* * * * *
    (i) Preemptive effect. (1) Under 49 U.S.C. 20106, issuance of these 
regulations preempts any state law, regulation, or order covering the 
same subject matter, except an additional or more stringent law, 
regulation, or order that is necessary to eliminate or reduce an 
essentially local safety or security hazard; is not incompatible with a 
law, regulation, or order of the United States Government; and that 
does not impose an unreasonable burden on interstate commerce.
    (2) This part establishes federal standards of care for railroad 
signal and train control systems. This part does not preempt an action 
under state law seeking damages for personal injury, death, or property 
damage alleging that a party has failed to comply with the federal 
standard of care established by this part, including a plan or program 
required by this part. Provisions of a plan or program which exceed the 
requirements of this part are not included in the federal standard of 
care.
    (3) Under 49 U.S.C. 20701-20703, issuance of these regulations 
preempts the field of locomotive safety, extending to the design, the 
construction, and the material of every part of the locomotive and 
tender and all appurtenances thereof.

0
9. Section 236.410 is amended by removing the Note following paragraph 
(b), and republishing paragraphs (b) and (c), to read as follows:


Sec.  236.410  Locking, hand-operated switch; requirements.

* * * * *
    (b) Approach or time locking shall be provided and locking may be 
released either automatically, or by the control operator, but only 
after the control circuits of signals governing movement in either 
direction over the switch and which display aspects with indications 
more favorable than ``proceed at restricted speed'' have been opened 
directly or by shunting of track circuit.
    (c) Where a signal is used in lieu of electric or mechanical lock 
to govern movements from auxiliary track to signaled track, the signal 
shall not display an aspect to proceed until after the control circuits 
of signals governing movement on main track in either direction over 
the switch have been opened, and either the approach locking circuits 
to the switch are unoccupied or a predetermined time interval has 
expired.
* * * * *

0
10. Section 236.909 is amended by adding four new sentences directly 
after the first sentence of paragraph (e)(1) and by revising paragraph 
(e)(2)(i) to read as follows:


Sec.  236.909  Minimum performance standards.

* * * * *
    (e) * * *
    (1) * * * The total risk assessment must have a supporting 
sensitivity analysis. The analysis must confirm that the risk metrics 
of the system are not negatively affected by sensitivity analysis input 
parameters including, for example, component failure rates, human 
factor error rates, and variations in train traffic affecting exposure. 
In this context, ``negatively affected'' means that the final residual 
risk metric does not exceed that of the base case or that which has 
been otherwise established through MTTHE target. The sensitivity 
analysis must document the sensitivity to worst case failure scenarios. 
* * *
    (2) * * *
    (i) In all cases exposure must be expressed as total train miles 
traveled per year over the relevant railroad infrastructure. 
Consequences must identify the total cost, including fatalities, 
injuries, property damage, and other incidental costs, such as 
potential consequences of hazardous materials involvement, resulting 
from preventable accidents associated with the function(s) performed by 
the system.
* * * * *

0
11. Add a new subpart I to part 236 to read as follows:
Subpart I--Positive Train Control Systems
Sec.
236.1001 Purpose and scope.
236.1003 Definitions.
236.1005 Requirements for Positive Train Control systems.
236.1006 Equipping locomotives operating in PTC territory.
236.1007 Additional requirements for high-speed service.
236.1009 Procedural requirements.
236.1011 PTC Implementation Plan content requirements.
236.1013 PTC Development Plan and Notice of Product Intent content 
requirements and Type Approval.
236.1015 PTC Safety Plan content requirements and PTC System 
Certification.
236.1017 Independent third party Verification and Validation.
236.1019 Main line track exceptions.
236.1021 Discontinuances, material modifications, and amendments.
236.1023 Errors and malfunctions.
236.1025 [Reserved]
236.1027 PTC system exclusions.
236.1029 PTC system use and en route failures.
236.1031 Previously approved PTC systems.
236.1033 Communications and security requirements.
236.1035 Field testing requirements.
236.1037 Records retention.
236.1039 Operations and Maintenance Manual.
236.1041 Training and qualification program, general.
236.1043 Task analysis and basic requirements.
236.1045 Training specific to office control personnel.
236.1047 Training specific to locomotive engineers and other 
operating personnel.
236.1049 Training specific to roadway workers.

Subpart I--Positive Train Control Systems


Sec.  236.1001  Purpose and scope.

    (a) This subpart prescribes minimum, performance-based safety 
standards for PTC systems required by 49 U.S.C. 20157, this subpart, or 
an FRA order, including requirements to ensure that the development, 
functionality,

[[Page 2700]]

architecture, installation, implementation, inspection, testing, 
operation, maintenance, repair, and modification of those PTC systems 
will achieve and maintain an acceptable level of safety. This subpart 
also prescribes standards to ensure that personnel working with, and 
affected by, safety-critical PTC system related products receive 
appropriate training and testing.
    (b) Each railroad may prescribe additional or more stringent rules, 
and other special instructions, that are not inconsistent with this 
subpart.
    (c) This subpart does not exempt a railroad from compliance with 
any requirement of subparts A through H of this part or parts 233, 234, 
and 235 of this chapter, unless:
    (1) It is otherwise explicitly excepted by this subpart; or
    (2) The applicable PTCSP, as defined under Sec.  236.1003 and 
approved by FRA under Sec.  236.1015, provides for such an exception 
per Sec.  236.1013.


Sec.  236.1003  Definitions.

    (a) Definitions contained in subparts G and H of this part apply 
equally to this subpart.
    (b) The following definitions apply to terms used only in this 
subpart unless otherwise stated:
    After-arrival mandatory directive means an authority to occupy a 
track which is issued to a train that is not effective and not to be 
acted upon until after the arrival and passing of a train, or trains, 
specifically identified in the authority.
    Associate Administrator means the FRA Associate Administrator for 
Railroad Safety/Chief Safety Officer.
    Class I railroad means a railroad which in the last year for which 
revenues were reported exceeded the threshold established under 
regulations of the Surface Transportation Board (49 CFR part 1201.1-1 
(2008)).
    Cleartext means the un-encrypted text in its original, human 
readable, form. It is the input of an encryption or encipher process, 
and the output of an decryption or decipher process.
    Controlling locomotive means Locomotive, controlling, as defined in 
Sec.  232.5 of this chapter.
    Host railroad means a railroad that has effective operating control 
over a segment of track.
    Interoperability means the ability of a controlling locomotive to 
communicate with and respond to the PTC railroad's positive train 
control system, including uninterrupted movements over property 
boundaries.
    Limited operations means operations on main line track that have 
limited or no freight operations and are approved to be excluded from 
this subpart's PTC system implementation and operation requirements in 
accordance with Sec.  236.1019(c);
    Main line means, except as provided in Sec.  236.1019 or where all 
trains are limited to restricted speed within a yard or terminal area 
or on auxiliary or industry tracks, a segment or route of railroad 
tracks:
    (1) Of a Class I railroad, as documented in current timetables 
filed by the Class I railroad with the FRA under Sec.  217.7 of this 
title, over which 5,000,000 or more gross tons of railroad traffic is 
transported annually; or
    (2) Used for regularly scheduled intercity or commuter rail 
passenger service, as defined in 49 U.S.C. 24102, or both. Tourist, 
scenic, historic, or excursion operations as defined in part 238 of 
this chapter are not considered intercity or commuter passenger service 
for purposes of this part.
    Main line track exclusion addendum (``MTEA'') means the document 
submitted under Sec. Sec.  236.1011 and 236.1019 requesting to 
designate track as other than main line.
    Medium speed means, Speed, medium, as defined in subpart G of this 
part.
    NPI means a Notice of Product Intent (``NPI'') as further described 
in Sec.  236.1013.
    PTC means positive train control as further described in Sec.  
236.1005.
    PTCDP means a PTC Development Plan as further described in Sec.  
236.1013.
    PTCIP means a PTC Implementation Plan as required under 49 U.S.C. 
20157 and further described in Sec.  236.1011.
    PTCPVL means a PTC Product Vendor List as further described in 
Sec.  236.1023.
    PTCSP means a PTC Safety Plan as further described in Sec.  
236.1015.
    PTC railroad means each Class I railroad and each entity providing 
regularly scheduled intercity or commuter rail passenger transportation 
required to implement or operate a PTC system.
    PTC System Certification means certification as required under 49 
U.S.C. 20157 and further described in Sec. Sec.  236.1009 and 236.1015.
    Request for Amendment (``RFA'') means a request for an amendment of 
a plan or system made by a PTC railroad in accordance with Sec.  
236.1021.
    Request for Expedited Certification (``REC'') means, as further 
described in Sec.  236.1031, a request by a railroad to receive 
expedited consideration for PTC System Certification.
    Restricted speed means, Speed, restricted, as defined in subpart G 
of this part.
    Safe State means a system state that, when the system fails, cannot 
cause death, injury, occupational illness, or damage to or loss of 
equipment or property, or damage to the environment.
    Segment of track means any part of the railroad where a train 
operates.
    Temporal separation means that passenger and freight operations do 
not operate on any segment of shared track during the same period and 
as further defined under Sec.  236.1019 and the process or processes in 
place to assure that result.
    Tenant railroad means a railroad, other than a host railroad, 
operating on track upon which a PTC system is required.
    Track segment means segment of track.
    Type Approval means a number assigned to a particular PTC system 
indicating FRA agreement that the PTC system could fulfill the 
requirements of this subpart.
    Train means one or more locomotives, coupled with or without cars.


Sec.  236.1005  Requirements for Positive Train Control systems.

    (a) PTC system requirements. Each PTC system required to be 
installed under this subpart shall:
    (1) Reliably and functionally prevent:
    (i) Train-to-train collisions--including collisions between trains 
operating over rail-to-rail at-grade crossings in accordance with the 
following risk-based table or alternative arrangements providing an 
equivalent level of safety as specified in an FRA approved PTCSP:

------------------------------------------------------------------------
         Crossing type             Max speed *      Protection required
------------------------------------------------------------------------
(A) Interlocking--one or more   <= 40 miles per    Interlocking signal
 PTC routes intersecting with    hour.              arrangement in
 one or more non-PTC routes.                        accordance with the
                                                    requirements of
                                                    subparts A-G of this
                                                    part and PTC
                                                    enforced stop on PTC
                                                    routes.

[[Page 2701]]

 
(B) Interlocking--one or more   > 40 miles per     Interlocking signal
 PTC routes intersecting with    hour.              arrangement in
 one or more non-PTC routes.                        accordance with the
                                                    requirements of
                                                    subparts A-G of this
                                                    part, PTC enforced
                                                    stop on all PTC
                                                    routes, and either
                                                    the use of other
                                                    than full PTC
                                                    technology that
                                                    provides positive
                                                    stop enforcement or
                                                    a split-point derail
                                                    incorporated into
                                                    the signal system
                                                    accompanied by 20
                                                    miles per hour
                                                    maximum allowable
                                                    speed on the
                                                    approach of any
                                                    intersecting non-PTC
                                                    route.
(C) Interlocking--all PTC       Any speed........  Interlocking signal
 routes intersecting.                               arrangements in
                                                    accordance with the
                                                    requirements of
                                                    subparts A-G of this
                                                    part, and PTC
                                                    enforced stop on all
                                                    routes.
------------------------------------------------------------------------

     (ii) Overspeed derailments, including derailments related to 
railroad civil engineering speed restrictions, slow orders, and 
excessive speeds over switches and through turnouts;
    (iii) Incursions into established work zone limits without first 
receiving appropriate authority and verification from the dispatcher or 
roadway worker in charge, as applicable and in accordance with part 214 
of this chapter; and
    (iv) The movement of a train through a main line switch in the 
improper position as further described in paragraph (e) of this 
section.
    (2) Include safety-critical integration of all authorities and 
indications of a wayside or cab signal system, or other similar 
appliance, method, device, or system of equivalent safety, in a manner 
by which the PTC system shall provide associated warning and 
enforcement to the extent, and except as, described and justified in 
the FRA approved PTCDP or PTCSP, as applicable;
    (3) As applicable, perform the additional functions specified in 
this subpart;
    (4) Provide an appropriate warning or enforcement when:
    (i) A derail or switch protecting access to the main line required 
by Sec.  236.1007, or otherwise provided for in the applicable PTCSP, 
is not in its derailing or protecting position, respectively;
    (ii) A mandatory directive is issued associated with a highway-rail 
grade crossing warning system malfunction as required by Sec. Sec.  
234.105, 234.106, or 234.107;
    (iii) An after-arrival mandatory directive has been issued and the 
train or trains to be waited on has not yet passed the location of the 
receiving train;
    (iv) Any movable bridge within the route ahead is not in a position 
to allow permissive indication for a train movement pursuant to Sec.  
236.312; and
    (v) A hazard detector integrated into the PTC system that is 
required by paragraph (c) of this section, or otherwise provided for in 
the applicable PTCSP, detects an unsafe condition or transmits an 
alarm; and
    (5) Limit the speed of passenger and freight trains to 59 miles per 
hour and 49 miles per hour, respectively, in areas without broken rail 
detection or equivalent safeguards.
    (b) PTC system installation. (1) Lines required to be equipped. 
Except as otherwise provided in this subpart, each Class I railroad and 
each railroad providing or hosting intercity or commuter passenger 
service shall progressively equip its lines as provided in its approved 
PTCIP such that, on and after December 31, 2015, a PTC system certified 
under Sec.  236.1015 is installed and operated by the host railroad on 
each:
    (i) Main line over which is transported any quantity of material 
poisonous by inhalation (PIH), including anhydrous ammonia, as defined 
in Sec. Sec.  171.8, 173.115 and 173.132 of this title;
    (ii) Main line used for regularly provided intercity or commuter 
passenger service, except as provided in Sec.  236.1019; and
    (iii) Additional line of railroad as required by the applicable FRA 
approved PTCIP, this subpart, or an FRA order requiring installation of 
a PTC system by that date.
    (2) Initial baseline identification of lines. For the purposes of 
paragraph (b)(1)(i) of this section, the baseline information necessary 
to determine whether a Class I railroad's track segment shall be 
equipped with a PTC system shall be determined and reported as follows:
    (i) The traffic density threshold of 5 million gross tons shall be 
based upon calendar year 2008 gross tonnage, except to the extent that 
traffic may fall below 5 million gross tons for two consecutive 
calendar years and a PTCIP or an RFA reflecting this change is filed 
and approved under paragraph (b)(4) of this section and, if applicable, 
Sec.  236.1021.
    (ii) The presence or absence of any quantity of PIH hazardous 
materials shall be determined by whether one or more cars containing 
such product(s) was transported over the track segment in calendar year 
2008 or prior to the filing of the PTCIP, except to the extent that the 
PTCIP or RFA justifies, under paragraph (b)(4) of this section, removal 
of the subject track segment from the PTCIP listing of lines to be 
equipped.
    (3) Addition of track segments. To the extent increases in freight 
rail traffic occur subsequent to calendar year 2008 that might affect 
the requirement to install a PTC system on any line not yet equipped, 
the railroad shall seek to amend its PTCIP by promptly filing an RFA in 
accordance with Sec.  236.1021. The following criteria apply:
    (i) If rail traffic exceeds 5 million gross tons in any year after 
2008, the tonnage shall be calculated for the preceding two calendar 
years and if the total tonnage for those two calendar years exceeds 10 
million gross tons, a PTCIP or its amendment is required.
    (ii) If PIH traffic is carried on a track segment as a result of a 
request for rail service or rerouting warranted under part 172 of this 
title, and if the line carries in excess of 5 million gross tons of 
rail traffic as determined under this paragraph, a PTCIP or its 
amendment is required. This does not apply when temporary rerouting is 
authorized in accordance with paragraph (g) of this section.
    (iii) Once a railroad is notified by FRA that its RFA filed in 
accordance with this paragraph has been approved, the railroad shall 
equip the line with the applicable PTC system by December 31, 2015, or 
within 24 months, whichever is later.
    (4) Exclusion or removal of track segments from PTC baseline.
    (i) Routing changes. In a PTCIP or an RFA, a railroad may request 
review of the requirement to install PTC on a track segment where a PTC 
system is otherwise required by this section, but has not yet been 
installed, based upon changes in rail traffic such as reductions in 
total traffic volume or cessation of passenger or PIH service. Any such 
request shall be accompanied by estimated traffic projections for the 
next 5 years (e.g., as a result of planned rerouting, coordinations, or 
location of new business on the line). Where the request involves prior 
or planned rerouting of PIH traffic, the railroad must provide a 
supporting analysis that takes into consideration the requirements of 
subpart I, part 172 of

[[Page 2702]]

this title, assuming the subject route and each practicable alternative 
route to be PTC-equipped, and including any interline routing impacts.
    (A) FRA will approve the exclusion if, based upon data in the 
docket of the proceeding, FRA finds that it would be consistent with 
safety as further provided in this paragraph.
    (1) In the case of a requested exclusion based on cessation of 
passenger service or a decline in gross tonnage below 5 million gross 
tons as computed over a 2-year period, the removal will be approved 
absent special circumstances as set forth in writing (e.g., because of 
anticipated traffic growth in the near future).
    (2) In the case of cessation of PIH traffic over a track segment, 
and absent special circumstances set forth in writing, FRA will approve 
an exclusion of a line from the PTCIP (determined on the basis of 2008 
traffic levels) upon a showing by the railroad that:
    (i) There is no remaining local PIH traffic expected on the track 
segment;
    (ii) Either any rerouting of PIH traffic from the subject track 
segment is justified based upon the route analysis submitted, which 
shall assume that each alternative route will be equipped with PTC and 
shall take into consideration any significant interline routing 
impacts; or the next preferred alternative route in the analysis 
conducted as set forth in this paragraph is shown to be substantially 
as safe and secure as the route employing the track segment in question 
and demonstrated considerations of practicability indicate 
consolidation of the traffic on that next preferred alternative route; 
and
    (iii) After cessation of PIH traffic on the line, the remaining 
risk associated with PTC-preventable accidents per route mile on the 
track segment will not exceed the average comparable risk per route 
mile on Class I lines in the United States required to be equipped with 
PTC because of gross tonnage and the presence of PIH traffic (which 
base case will be estimated as of a time prior to installation of PTC). 
If the subject risk is greater than the average risk on those PIH 
lines, and if the railroad making the application for removal of the 
track segment from the PTCIP offers no compensating extension of PTC or 
PTC technologies from the minimum required to be equipped, FRA may deny 
the request.
    (B) [Reserved]
    (ii) Lines with de minimis PIH risk. (A) In a PTCIP or RFA, a 
railroad may request review of the requirement to install PTC on a low 
density track segment where a PTC system is otherwise required by this 
section, but has not yet been installed, based upon the presence of a 
minimal quantity of PIH hazardous materials (less than 100 cars per 
year, loaded and residue). Any such request shall be accompanied by 
estimated traffic projections for the next 5 years (e.g., as a result 
of planned rerouting, coordinations, or location of new business on the 
line). Where the request involves prior or planned rerouting of PIH 
traffic, the railroad must provide the information and analysis 
identified in paragraph (b)(4)(i) of this section. The submission shall 
also include a full description of potential safety hazards on the 
segment of track and fully describe train operations over the line. 
This provision is not applicable to lines segments used by intercity or 
commuter passenger service.
    (B) Absent special circumstances related to specific hazards 
presented by operations on the line segment, FRA will approve a request 
for relief under this paragraph for a rail line segment:
    (1) Consisting exclusively of Class 1 or 2 track as described in 
part 213 of this title;
    (2) That carries less than 15 million gross tons annually;
    (3) Has a ruling grade of less than 1 percent; and
    (4) On which any train transporting a car containing PIH materials 
(including a residue car) is operated under conditions of temporal 
separation from other trains using the line segment as documented by a 
temporal separation plan accompanying the request. As used in this 
paragraph, ``temporal separation'' has the same meaning given by Sec.  
236.1019(e), except that the separation addressed is the separation of 
a train carrying any number of cars containing PIH materials from other 
freight trains.
    (C) FRA will also consider, and may approve, requests for relief 
under this paragraph for additional line segments where each such 
segment carries less than 15 million gross tons annually and where it 
is established to the satisfaction of the Associate Administrator that 
risk mitigations will be applied that will ensure that risk of a 
release of PIH materials is negligible.
    (D) Failure to submit sufficient information will result in the 
denial of any request under this paragraph (b)(4)(ii). If the request 
is granted, on and after the date the line would have otherwise been 
required to be equipped under the schedule contained in the PTCIP and 
approved by FRA, operations on the line shall be conducted in 
accordance with any conditions attached to the grant, including 
implementation of proposed mitigations as applicable.
    (5) Line sales. FRA does not approve removal of a line from the 
PTCIP exclusively based upon a representation that a track segment will 
be abandoned or sold to another railroad. In the event a track segment 
is approved for abandonment or transfer by the Surface Transportation 
Board, FRA will review at the request of the transferring and acquiring 
railroads whether the requirement to install PTC on the line should be 
removed given all of the circumstances, including expected traffic and 
hazardous materials levels, reservation of trackage or haulage rights 
by the transferring railroad, routing analysis under part 172 of this 
chapter, commercial and real property arrangements affecting the 
transferring and acquiring railroads post-transfer, and such other 
factors as may be relevant to continue safe operations on the line. If 
FRA denies the request, the acquiring railroad shall install the PTC 
system on the schedule provided in the transferring railroad's PTCIP, 
without regard to whether it is a Class I railroad.
    (6) New rail passenger service. No new intercity or commuter rail 
passenger service shall commence after December 31, 2015, until a PTC 
system certified under this subpart has been installed and made 
operative.
    (c) Hazard detectors. (1) All hazard detectors integrated into a 
signal or train control system on or after October 16, 2008, shall be 
integrated into PTC systems required by this subpart; and their 
warnings shall be appropriately and timely enforced as described in the 
applicable PTCSP.
    (2) The applicable PTCSP must provide for receipt and presentation 
to the locomotive engineer and other train crew members of warnings 
from any additional hazard detectors using the PTC data network, 
onboard displays, and audible alerts. If the PTCSP so provides, the 
action to be taken by the system and by the crew members shall be 
specified.
    (3) The PTCDP (as applicable) and PTCSP for any new service 
described in Sec.  236.1007 to be conducted above 90 miles per hour 
shall include a hazard analysis describing the hazards relevant to the 
specific route(s) in question (e.g., potential for track obstruction 
due to events such as falling rock or undermining of the track 
structure due to high water or displacement of a bridge over navigable 
waters), the basis for decisions concerning hazard detectors provided, 
and the manner in which such additional hazard detectors will be 
interfaced with the PTC system.
    (d) Event recorders. (1) Each lead locomotive, as defined in part 
229, of a train equipped and operating with a

[[Page 2703]]

PTC system required by this subpart must be equipped with an operative 
event recorder, which shall:
    (i) Record safety-critical train control data routed to the 
locomotive engineer's display that the engineer is required to comply 
with;
    (ii) Specifically include text messages conveying mandatory 
directives, maximum authorized speeds, PTC system brake warnings, PTC 
system brake enforcements, and the state of the PTC system (e.g., cut 
in, cut out, active, or failed); and
    (iii) Include examples of how the captured data will be displayed 
during playback along with the format, content, and data retention 
duration requirements specified in the PTCSP submitted and approved 
pursuant to this paragraph. If such train control data can be 
calibrated against other data required by this part, it may, at the 
election of the railroad, be retained in a separate memory module.
    (2) Each lead locomotive, as defined in part 229, manufactured and 
in service after October 1, 2009, that is equipped and operating with a 
PTC system required by this subpart, shall be equipped with an event 
recorder memory module meeting the crash hardening requirements of 
Sec.  229.135 of this chapter.
    (3) Nothing in this subpart excepts compliance with any of the 
event recorder requirements contained in Sec.  229.135 of this chapter.
    (e) Switch position. The following requirements apply with respect 
to determining proper switch position under this section. When a main 
line switch position is unknown or improperly aligned for a train's 
route in advance of the train's movement, the PTC system will provide 
warning of the condition associated with the following enforcement:
    (1) A PTC system shall enforce restricted speed over any switch:
    (i) Where train movements are made with the benefit of the 
indications of a wayside or cab signal system or other similar 
appliance, method, device, or system of equivalent safety proposed to 
FRA and approved by the Associate Administrator in accordance with this 
part; and
    (ii) Where wayside or cab signal system or other similar appliance, 
method, device, or system of equivalent safety, requires the train to 
be operated at restricted speed.
    (2) A PTC system shall enforce a positive stop short of any main 
line switch, and any switch on a siding where the allowable speed is in 
excess of 20 miles per hour, if movement of the train over the switch:
    (i) Is made without the benefit of the indications of a wayside or 
cab signal system or other similar appliance, method, device, or system 
of equivalent safety proposed to FRA and approved by the Associate 
Administrator in accordance with this part; or
    (ii) Would create an unacceptable risk. Unacceptable risk includes 
conditions when traversing the switch, even at low speeds, could result 
in direct conflict with the movement of another train (including a 
hand-operated crossover between main tracks, a hand-operated crossover 
between a main track and an adjoining siding or auxiliary track, or a 
hand-operated switch providing access to another subdivision or branch 
line, etc.).
    (3) A PTC system required by this subpart shall be designed, 
installed, and maintained to perform the switch position detection and 
enforcement described in paragraphs (e)(1) and (e)(2) of this section, 
except as provided for and justified in the applicable, FRA approved 
PTCDP or PTCSP.
    (4) The control circuit or electronic equivalent for all movement 
authorities over any switches, movable-point frogs, or derails shall be 
selected through circuit controller or functionally equivalent device 
operated directly by the switch points, derail, or by switch locking 
mechanism, or through relay or electronic device controlled by such 
circuit controller or functionally equivalent device, for each switch, 
movable-point frog, or derail in the route governed. Circuits or 
electronic equivalent shall be arranged so that any movement 
authorities less restrictive than those prescribed in paragraphs (e)(1) 
and (e)(2) of this section can only be provided when each switch, 
movable-point frog, or derail in the route governed is in proper 
position, and shall be in accordance with subparts A through G of this 
part, unless it is otherwise provided in a PTCSP approved under this 
subpart.
    (f) Train-to-train collision. A PTC system shall be considered to 
be configured to prevent train-to-train collisions within the meaning 
of paragraph (a) of this section if trains are required to be operated 
at restricted speed and if the onboard PTC equipment enforces the upper 
limits of the railroad's restricted speed rule (15 or 20 miles per 
hour). This application applies to:
    (1) Operating conditions under which trains are required by signal 
indication or operating rule to:
    (i) Stop before continuing; or
    (ii) Reduce speed to restricted speed and continue at restricted 
speed until encountering a more favorable indication or as provided by 
operating rule.
    (2) Operation of trains within the limits of a joint mandatory 
directive.
    (g) Temporary rerouting. A train equipped with a PTC system as 
required by this subpart may be temporarily rerouted onto a track not 
equipped with a PTC system and a train not equipped with a PTC system 
may be temporarily rerouted onto a track equipped with a PTC system as 
required by this subpart in the following circumstances:
    (1) Emergencies. In the event of an emergency--including conditions 
such as derailment, flood, fire, tornado, hurricane, earthquake, or 
other similar circumstance outside of the railroad's control--that 
would prevent usage of the regularly used track if:
    (i) The rerouting is applicable only until the emergency condition 
ceases to exist and for no more than 14 consecutive calendar days, 
unless otherwise extended by approval of the Associate Administrator;
    (ii) The railroad provides written or telephonic notification to 
the applicable Regional Administrator of the information listed in 
paragraph (i) of this section within one business day of the beginning 
of the rerouting made in accordance with this paragraph; and
    (iii) The conditions contained in paragraph (j) of this section are 
followed.
    (2) Planned maintenance. In the event of planned maintenance that 
would prevent usage of the regularly used track if:
    (i) The maintenance period does not exceed 30 days;
    (ii) A request is filed with the applicable Regional Administrator 
in accordance with paragraph (i) of this section no less than 10 
business days prior to the planned rerouting; and
    (iii) The conditions contained in paragraph (j) of this section are 
followed.
    (h) Rerouting requests. (1) For the purposes of paragraph (g)(2) of 
this section, the rerouting request shall be self-executing unless the 
applicable Regional Administrator responds with a notice disapproving 
of the rerouting or providing instructions to allow rerouting. Such 
instructions may include providing additional information to the 
Regional Administrator or Associate Administrator prior to the 
commencement of rerouting. Once the Regional Administrator responds 
with a notice under this paragraph, no rerouting may occur until the 
Regional Administrator or Associate Administrator provides his or her 
approval.

[[Page 2704]]

    (2) In the event the temporary rerouting described in paragraph 
(g)(2) of this section is to exceed 30 consecutive calendar days:
    (i) The railroad shall provide a request in accordance with 
paragraphs (i) and (j) of this section with the Associate Administrator 
no less than 10 business days prior to the planned rerouting; and
    (ii) The rerouting shall not commence until receipt of approval 
from the Associate Administrator.
    (i) Content of rerouting request. Each notice or request referenced 
in paragraph (g) and (h) of this section must indicate:
    (1) The dates that such temporary rerouting will occur;
    (2) The number and types of trains that will be rerouted;
    (3) The location of the affected tracks; and
    (4) A description of the necessity for the temporary rerouting.
    (j) Rerouting conditions. Rerouting of operations under paragraph 
(g) of this section may occur under the following conditions:
    (1) Where a train not equipped with a PTC system is rerouted onto a 
track equipped with a PTC system, or a train not equipped with a PTC 
system that is compatible and functionally responsive to the PTC system 
utilized on the line to which the train is being rerouted, the train 
shall be operated in accordance with Sec.  236.1029; or
    (2) Where any train is rerouted onto a track not equipped with a 
PTC system, the train shall be operated in accordance with the 
operating rules applicable to the line on which the train is rerouted.
    (k) Rerouting cessation. The applicable Regional Administrator may 
order a railroad to cease any rerouting provided under paragraph (g) or 
(h) of this section.


Sec.  236.1006  Equipping locomotives operating in PTC territory.

    (a) Except as provided in paragraph (b) of this section, each train 
operating on any track segment equipped with a PTC system shall be 
controlled by a locomotive equipped with an onboard PTC apparatus that 
is fully operative and functioning in accordance with the applicable 
PTCSP approved under this subpart.
    (b) Exceptions. (1) Prior to December 31, 2015, each railroad 
required to install PTC shall include in its PTCIP specific goals for 
progressive implementation of onboard systems and deployment of PTC-
equipped locomotives such that the safety benefits of PTC are achieved 
through incremental growth in the percentage of controlling locomotives 
operating on PTC lines that are equipped with operative PTC onboard 
equipment. The PTCIP shall include a brief but sufficient explanation 
of how those goals will be achieved, including assignment of 
responsibilities within the organization. The goals shall be expressed 
as the percentage of trains operating on PTC-equipped lines that are 
equipped with operative onboard PTC apparatus responsive to the 
wayside, expressed as an annualized (calendar year) percentage for the 
railroad as a whole.
    (2) Each railroad shall adhere to its PTCIP and shall report, on 
April 16, of 2011, 2012, 2013, and 2014, its progress toward achieving 
the goals set under paragraph (b)(1) of this section. In the event any 
annual goal is not achieved, the railroad shall further report the 
actions it is taking to ensure achievement of subsequent annual goals.
    (3) On and after December 31, 2015, a train controlled by a 
locomotive with an onboard PTC apparatus that has failed en route is 
permitted to operate in accordance with Sec.  236.1029.
    (4) A train operated by a Class II or Class III railroad, including 
a tourist or excursion railroad, and controlled by a locomotive not 
equipped with an onboard PTC apparatus is permitted to operate on a 
PTC-operated track segment:
    (i) That either:
    (A) Has no regularly scheduled intercity or commuter passenger rail 
traffic; or
    (B) Has regularly scheduled intercity or commuter passenger rail 
traffic and the applicable PTCIP permits the operation of a train 
operated by a Class II or III railroad and controlled by a locomotive 
not equipped with an onboard PTC apparatus;
    (ii) Where operations are restricted to four or less such 
unequipped trains per day, whereas a train conducting a ``turn'' 
operation (e.g., moving to a point of interchange to drop off or pick 
up cars and returning to the track owned by a Class II or III railroad) 
is considered two trains for this purpose; and
    (iii) Where each movement shall either:
    (A) Not exceed 20 miles in length; or
    (B) To the extent any movement exceeds 20 miles in length, such 
movement is not permitted without the controlling locomotive being 
equipped with an onboard PTC system after December 31, 2020, and each 
applicable Class II or III railroad shall report to FRA its progress in 
equipping each necessary locomotive with an onboard PTC apparatus to 
facilitate continuation of the movement. The progress reports shall be 
filed not later than December 31, 2017 and, if all necessary 
locomotives are not yet equipped, on December 31, 2019.
    (c) When a train movement is conducted under the exceptions 
described in paragraph (b)(4) of this section, that movement shall be 
made in accordance with Sec.  236.1029.


Sec.  236.1007  Additional requirements for high-speed service.

    (a) A PTC railroad that conducts a passenger operation at or 
greater than 60 miles per hour or a freight operation at or greater 
than 50 miles per hour shall have installed a PTC system including or 
working in concert with technology that includes all of the safety-
critical functional attributes of a block signal system meeting the 
requirements of this part, including appropriate fouling circuits and 
broken rail detection (or equivalent safeguards).
    (b) In addition to the requirements of paragraph (a) of this 
section, a host railroad that conducts a freight or passenger operation 
at more than 90 miles per hour shall:
    (1) Have an approved PTCSP establishing that the system was 
designed and will be operated to meet the fail-safe operation criteria 
described in Appendix C to this part; and
    (2) Prevent unauthorized or unintended entry onto the main line 
from any track not equipped with a PTC system compliant with this 
subpart by placement of split-point derails or equivalent means 
integrated into the PTC system; and
    (3) Comply with Sec.  236.1029(c).
    (c) In addition to the requirements of paragraphs (a) and (b) of 
this section, a host railroad that conducts a freight or passenger 
operation at more than 125 miles per hour shall have an approved PTCSP 
accompanied by a document (``HSR-125'') establishing that the system:
    (1) Will be operated at a level of safety comparable to that 
achieved over the 5 year period prior to the submission of the PTCSP by 
other train control systems that perform PTC functions required by this 
subpart, and which have been utilized on high-speed rail systems with 
similar technical and operational characteristics in the United States 
or in foreign service, provided that the use of foreign service data 
must be approved by the Associate Administrator before submittal of the 
PTCSP; and
    (2) Has been designed to detect incursions into the right-of-way, 
including incidents involving motor vehicles diverting from adjacent 
roads and bridges, where conditions warrant.

[[Page 2705]]

    (d) In addition to the requirements of paragraphs (a) through (c) 
of this section, a host railroad that conducts a freight or passenger 
operation at more than 150 miles per hour, which is governed by a Rule 
of Particular Applicability, shall have an approved PTCSP accompanied 
by a HSR-125 developed as part of an overall system safety plan 
approved by the Associate Administrator.
    (e) A railroad providing existing high-speed passenger service may 
request in its PTCSP that the Associate Administrator excuse compliance 
with one or more requirements of this section upon a showing that the 
subject service has been conducted with a high level of safety.


Sec.  236.1009  Procedural requirements.

    (a) PTC Implementation Plan (PTCIP). (1) By April 16, 2010, each 
host railroad that is required to implement and operate a PTC system in 
accordance with Sec.  236.1005(b) shall develop and submit in 
accordance with Sec.  236.1011(a) a PTCIP for implementing a PTC system 
required under Sec.  236.1005. Filing of the PTCIP shall not exempt the 
required filings of an NPI, PTCSP, PTCDP, or Type Approval.
    (2) After April 16, 2010, a host railroad shall file:
    (i) A PTCIP if it becomes a host railroad of a main line track 
segment for which it is required to implement and operate a PTC system 
in accordance with Sec.  236.1005(b); or
    (ii) A request for amendment (``RFA'') of its current and approved 
PTCIP in accordance with Sec.  236.1021 if it intends to:
    (A) Initiate a new category of service (i.e., passenger or 
freight); or
    (B) Add, subtract, or otherwise materially modify one or more lines 
of railroad for which installation of a PTC system is required.
    (3) The host and tenant railroad(s) shall jointly file a PTCIP that 
addresses shared track:
    (i) If the host railroad is required to install and operate a PTC 
system on a segment of its track; and
    (ii) If the tenant railroad that shares the same track segment 
would have been required to install a PTC system if the host railroad 
had not otherwise been required to do so.
    (4) If railroads required to file a joint PTCIP are unable to 
jointly file a PTCIP in accordance with paragraphs (a)(1) and (a)(3) of 
this section, then each railroad shall:
    (i) Separately file a PTCIP in accordance with paragraph (a)(1);
    (ii) Notify the Associate Administrator that the subject railroads 
were unable to agree on a PTCIP to be jointly filed;
    (iii) Provide the Associate Administrator with a comprehensive list 
of all issues not in agreement between the railroads that would prevent 
the subject railroads from jointly filing the PTCIP; and
    (iv) Confer with the Associate Administrator to develop and submit 
a PTCIP mutually acceptable to all subject railroads.
    (b) Type Approval. Each host railroad, individually or jointly with 
others such as a tenant railroad or system supplier, shall file prior 
to or simultaneously with the filing made in accordance with paragraph 
(a) of this section:
    (1) An unmodified Type Approval previously issued by the Associate 
Administrator in accordance with Sec.  236.1013 or Sec.  236.1031(b) 
with its associated docket number;
    (2) A PTCDP requesting a Type Approval for:
    (i) A PTC system that does not have a Type Approval; or
    (ii) A PTC system with a previously issued Type Approval that 
requires one or more variances;
    (3) A PTCSP subject to the conditions set forth in paragraph (c) of 
this section, with or without a Type Approval; or
    (4) A document attesting that a Type Approval is not necessary 
since the host railroad has no territory for which a PTC system is 
required under this subpart.
    (c) Notice of Product Intent (NPI). A railroad may, in lieu of 
submitting a PTCDP, or referencing an already issued Type Approval, 
submit an NPI describing the functions of the proposed PTC system. If a 
railroad elects to file an NPI in lieu of a PTCDP or referencing an 
existing Type Approval with the PTCIP, and the PTCIP is otherwise 
acceptable to the Associate Administrator, the Associate Administrator 
may grant provisional approval of the PTCIP.
    (1) A provisional approval of a PTCIP, unless otherwise extended by 
the Associate Administrator, is valid for a period of 270 days from the 
date of approval by the Associate Administrator.
    (2) The railroad must submit an updated PTCIP with either a 
complete PTCDP as defined in Sec.  236.1013(a), an updated PTCIP 
referencing an already approved Type Approval, or a full PTCSP within 
270 days after the ``Provisional Approval.''
    (i) Within 90 days of receipt of an updated PTCIP that was 
submitted with an NPI, the Associate Administrator will approve or 
disapprove of the updated PTCIP and notify in writing the affected 
railroad. If the updated PTCIP is not approved, the notification will 
include the plan's deficiencies. Within 30 days of receipt of that 
notification, the railroad or other entity that submitted the plan 
shall correct all deficiencies and resubmit the plan in accordance with 
this section and Sec.  236.1011, as applicable.
    (ii) If an update to a ``Provisionally Approved'' PTCIP is not 
received by the Associate Administrator by the end of the period 
indicated in this paragraph, the ``Provisional Approval'' given to the 
PTCIP is automatically revoked. The revocation is retroactive to the 
date the original PTCIP and NPI were first submitted to the Associate 
Administrator.
    (d) PTCSP and PTC System Certification. The following apply to each 
PTCSP and PTC System Certification.
    (1) A PTC System Certification for a PTC system may be obtained by 
submitting an acceptable PTCSP. If the PTC system is the subject of a 
Type Approval, the safety case elements contained in the PTCDP may be 
incorporated by reference into the PTCSP, subject to finalization of 
the human factors analysis contained in the PTCDP.
    (2) Each PTCSP requirement under Sec.  236.1015 shall be supported 
by information and analysis sufficient to establish that the 
requirements of this subpart have been satisfied.
    (3) If the Associate Administrator finds that the PTCSP and 
supporting documentation support a finding that the system complies 
with this part, the Associate Administrator may approve the PTCSP. If 
the Associate Administrator approves the PTCSP, the railroad shall 
receive PTC System Certification for the subject PTC system and shall 
implement the PTC system according to the PTCSP.
    (4) A required PTC system shall not:
    (i) Be used in service until it receives from FRA a PTC System 
Certification; and
    (ii) Receive a PTC System Certification unless FRA receives and 
approves an applicable:
    (A) PTCSP; or
    (B) Request for Expedited Certification (REC) as defined by Sec.  
236.1031(a).
    (e) Plan contents. (1) No PTCIP shall receive approval unless it 
complies with Sec.  236.1011. No railroad shall receive a Type Approval 
or PTC System Certification unless the applicable PTCDP or PTCSP, 
respectively, comply with Sec. Sec.  236.1013 and 236.1015, 
respectively.
    (2) All materials filed in accordance with this subpart must be in 
the English language, or have been translated into English and attested 
as true and correct.

[[Page 2706]]

    (3) Each filing referenced in this section may include a request 
for full or partial confidentiality in accordance with Sec.  209.11 of 
this chapter. If confidentiality is requested as to a portion of any 
applicable document, then in addition to the filing requirements under 
Sec.  209.11 of this chapter, the person filing the document shall also 
file a copy of the original unredacted document, marked to indicate 
which portions are redacted in the document's confidential version 
without obscuring the original document's contents.
    (f) Supporting documentation and information. (1) Issuance of a 
Type Approval or PTC System Certification is contingent upon FRA's 
confidence in the implementation and operation of the subject PTC 
system. This confidence may be based on FRA-monitored field testing or 
an independent assessment performed in accordance with Sec.  236.1035 
or Sec.  236.1017, respectively.
    (2) Upon request by FRA, the railroad requesting a Type Approval or 
PTC System Certification must engage in field testing or independent 
assessment performed in accordance with Sec.  236.1035 or Sec.  
236.1017, respectively, to support the assertions made in any of the 
plans submitted under this subpart. These assertions include any of the 
plans' content requirements under this subpart.
    (g) FRA conditions, reconsiderations, and modifications. (1) As 
necessary to ensure safety, FRA may attach special conditions to 
approving a PTCIP or issuing a Type Approval or PTC System 
Certification.
    (2) After granting a Type Approval or PTC System Certification, FRA 
may reconsider the Type Approval or PTC System Certification upon 
revelation of any of the following factors concerning the contents of 
the PTCDP or PTCSP:
    (i) Potential error or fraud;
    (ii) Potentially invalidated assumptions determined as a result of 
in-service experience or one or more unsafe events calling into 
question the safety analysis supporting the approval.
    (3) During FRA's reconsideration in accordance with this paragraph, 
the PTC system may remain in use if otherwise consistent with the 
applicable law and regulations and FRA may impose special conditions 
for use of the PTC system.
    (4) After FRA's reconsideration in accordance with this paragraph, 
FRA may:
    (i) Dismiss its reconsideration and continue to recognize the 
existing FRA approved Type Approval or PTC System Certification;
    (ii) Allow continued operations under such conditions the Associate 
Administrator deems necessary to ensure safety; or
    (iii) Revoke the Type Approval or PTC System Certification and 
direct the railroad to cease operations where PTC systems are required 
under this subpart.
    (h) FRA access. The Associate Administrator, or that person's 
designated representatives, shall be afforded reasonable access to 
monitor, test, and inspect processes, procedures, facilities, 
documents, records, design and testing materials, artifacts, training 
materials and programs, and any other information used in the design, 
development, manufacture, test, implementation, and operation of the 
system, as well as interview any personnel:
    (1) Associated with a PTC system for which a Type Approval or PTC 
System Certification has been requested or provided; or
    (2) To determine whether a railroad has been in compliance with 
this subpart.
    (i) Foreign regulatory entity verification. Information that has 
been certified under the auspices of a foreign regulatory entity 
recognized by the Associate Administrator may, at the Associate 
Administrator's sole discretion, be accepted as independently Verified 
and Validated and used to support each railroad's development of the 
PTCSP.
    (j) Processing times for PTCDP and PTCSP.
    (1) Within 30 days of receipt of a PTCDP or PTCSP, the Associate 
Administrator will either acknowledge receipt or acknowledge receipt 
and request more information.
    (2) To the extent practicable, considering the scope, complexity, 
and novelty of the product or change:
    (i) FRA will approve, approve with conditions, or deny the PTCDP 
within 60 days of the date on which the PTCDP was filed;
    (ii) FRA will approve, approve with conditions, or deny the PTCSP 
within 180 days of the date on which the PTCSP was filed;
    (iii) If FRA has not approved, approved with conditions, or denied 
the PTCDP or PTCSP within the 60-day or 180-day window, as applicable, 
FRA will provide the submitting party with a statement of reasons as to 
why the submission has not yet been acted upon and a projected deadline 
by which an approval or denial will be issued and any further 
consultations or inquiries will be resolved.


Sec.  236.1011  PTC Implementation Plan content requirements.

    (a) Contents. A PTCIP filed pursuant to this subpart shall, at a 
minimum, describe:
    (1) The functional requirements that the proposed system must meet;
    (2) How the PTC railroad intends to comply with Sec. Sec.  
236.1009(c) and (d);
    (3) How the PTC system will provide for interoperability of the 
system between the host and all tenant railroads on the track segments 
required to be equipped with PTC systems under this subpart and:
    (i) Include relevant provisions of agreements, executed by all 
applicable railroads, in place to achieve interoperability;
    (ii) List all methods used to obtain interoperability; and
    (iii) Identify any railroads with respect to which interoperability 
agreements have not been achieved as of the time the plan is filed, the 
practical obstacles that were encountered that prevented resolution, 
and the further steps planned to overcome those obstacles;
    (4) How, to the extent practical, the PTC system will be 
implemented to address areas of greater risk to the public and railroad 
employees before areas of lesser risk;
    (5) The sequence and schedule in which track segments will be 
equipped and the basis for those decisions, and shall at a minimum 
address the following risk factors by track segment:
    (i) Segment traffic characteristics such as typical annual 
passenger and freight train volume and volume of poison- or toxic-by-
inhalation (PIH or TIH) shipments (loads, residue);
    (ii) Segment operational characteristics such as current method of 
operation (including presence or absence of a block signal system), 
number of tracks, and maximum allowable train speeds, including planned 
modifications; and
    (iii) Route attributes bearing on risk, including ruling grades and 
extreme curvature;
    (6) The following information relating to rolling stock:
    (i) What rolling stock will be equipped with PTC technology;
    (ii) The schedule to equip that rolling stock by December 31, 2015;
    (iii) All documents and information required by Sec.  236.1006; and
    (iv) Unless the tenant railroad is filing its own PTCIP, the host 
railroad's PTCIP shall:
    (A) Attest that the host railroad has made a formal written request 
to each tenant railroad requesting identification of each item of 
rolling stock to be PTC

[[Page 2707]]

system equipped and the date each will be equipped; and
    (B) Include each tenant railroad's response to the host railroad's 
written request made in accordance with paragraph (a)(6)(iii)(A) of 
this section;
    (7) The number of wayside devices required for each track segment 
and the installation schedule to complete wayside equipment 
installation by December 31, 2015;
    (8) Identification of each track segment on the railroad as 
mainline or non-mainline track. If the PTCIP includes an MTEA, as 
defined by Sec.  236.1019, the PTCIP should identify the tracks 
included in the MTEA as main line track with a reference to the MTEA;
    (9) To the extent the railroad determines that risk-based 
prioritization required by paragraph (a)(4) of this section is not 
practical, the basis for this determination; and
    (10) The dates the associated PTCDP and PTCSP, as applicable, will 
be submitted to FRA in accordance with Sec.  236.1009.
    (b) Additional Class I railroad PTCIP requirements. Each Class I 
railroad shall include:
    (1) In its PTCIP a strategy for full deployment of its PTC system, 
describing the criteria that it will apply in identifying additional 
rail lines on its own network, and rail lines of entities that it 
controls or engages in joint operations with, for which full or partial 
deployment of PTC technologies is appropriate, beyond those required to 
be equipped under this subpart. Such criteria shall include 
consideration of the policies established by 49 U.S.C. 20156 (railroad 
safety risk reduction program), and regulations issued thereunder, as 
well as non-safety business benefits that may accrue.
    (2) In the Technology Implementation Plan of its Risk Reduction 
Program, when first required to be filed in accordance with 49 U.S.C. 
20156 and any regulation promulgated thereunder, a specification of 
rail lines selected for full or partial deployment of PTC under the 
criteria identified in its PTCIP.
    (3) Nothing in this paragraph shall be construed to create an 
expectation or requirement that additional rail lines beyond those 
required to be equipped by this subpart must be equipped or that such 
lines will be equipped during the period of primary implementation 
ending December 31, 2015.
    (4) As used in this paragraph, ``partial implementation'' of a PTC 
system refers to use, pursuant to subpart H of this part, of technology 
embedded in PTC systems that does not employ all of the functionalities 
required by this subpart.
    (c) FRA review. Within 90 days of receipt of a PTCIP, the Associate 
Administrator will approve or disapprove of the plan and notify in 
writing the affected railroad or other entity. If the PTCIP is not 
approved, the notification will include the plan's deficiencies. Within 
30 days of receipt of that notification, the railroad or other entity 
that submitted the plan shall correct all deficiencies and resubmit the 
plan in accordance with Sec.  236.1009 and paragraph (a) of this 
section, as applicable.
    (d) Subpart H. A railroad that elects to install a PTC system when 
not required to do so may elect to proceed under this subpart or under 
subpart H of this part.
    (e) Upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA posts on its 
public web site notice of receipt and reference to the public docket in 
which a copy of the filing has been placed. FRA may consider any public 
comment on each document to the extent practicable within the time 
allowed by law and without delaying implementation of PTC systems.
    (f) The PTCIP shall be maintained to reflect the railroad's most 
recent PTC deployment plans until all PTC system deployments required 
under this subpart are complete.


Sec.  236.1013  PTC Development Plan and Notice of Product Intent 
content requirements and Type Approval.

    (a) For a PTC system to obtain a Type Approval from FRA, the PTCDP 
shall be filed in accordance with Sec.  236.1009 and shall include:
    (1) A complete description of the PTC system, including a list of 
all PTC system components and their physical relationships in the 
subsystem or system;
    (2) A description of the railroad operation or categories of 
operations on which the PTC system is designed to be used, including 
train movement density (passenger, freight), operating speeds 
(including a thorough explanation of intended compliance with Sec.  
236.1007), track characteristics, and railroad operating rules;
    (3) An operational concepts document, including a list with 
complete descriptions of all functions which the PTC system will 
perform to enhance or preserve safety;
    (4) A document describing the manner in which the PTC system 
architecture satisfies safety requirements;
    (5) A preliminary human factors analysis, including a complete 
description of all human-machine interfaces and the impact of 
interoperability requirements on the same;
    (6) An analysis of the applicability to the PTC system of the 
requirements of subparts A through G of this part that may no longer 
apply or are satisfied by the PTC system using an alternative method, 
and a complete explanation of the manner in which those requirements 
are otherwise fulfilled;
    (7) A prioritized service restoration and mitigation plan and a 
description of the necessary security measures for the system;
    (8) A description of target safety levels (e.g., MTTHE for major 
subsystems as defined in subpart H of this part), including 
requirements for system availability and a description of all backup 
methods of operation and any critical assumptions associated with the 
target levels;
    (9) A complete description of how the PTC system will enforce 
authorities and signal indications;
    (10) A description of the deviation which may be proposed under 
Sec.  236.1029(c), if applicable; and
    (11) A complete description of how the PTC system will 
appropriately and timely enforce all integrated hazard detectors in 
accordance with Sec.  236.1005(c)(3), if applicable.
    (b) If the Associate Administrator finds that the system described 
in the PTCDP would satisfy the requirements for PTC systems under this 
subpart and that the applicant has made a reasonable showing that a 
system built to the stated requirements would achieve the level of 
safety mandated for such a system under Sec.  236.1015, the Associate 
Administrator may grant a numbered Type Approval for the system.
    (c) Each Type Approval shall be valid for a period of 5 years, 
subject to automatic and indefinite extension provided that at least 
one PTC System Certification using the subject PTC system has been 
issued within that period and not revoked.
    (d) The Associate Administrator may prescribe special conditions, 
amendments, and restrictions to any Type Approval as necessary for 
safety.
    (e) If submitted, an NPI must contain the following information:
    (1) A description of the railroad operation or categories of 
operations on which the proposed PTC system is designed to be used, 
including train movement density (passenger, freight), operating speeds 
(including a thorough explanation of intended compliance with Sec.  
236.1007), track characteristics, and railroad operating rules;
    (2) An operational concepts document, including a list with 
complete descriptions of all functions

[[Page 2708]]

that the proposed PTC system will perform to enhance or preserve 
safety;
    (3) A description of target safety levels (e.g., MTTHE for major 
subsystems as defined in subpart H of this part), including 
requirements for system availability and a description of all backup 
methods of operation and any critical assumptions associated with the 
target levels;
    (4) A complete description of how the proposed PTC system will 
enforce authorities and signal indications; and
    (5) A complete description of how the proposed PTC system will 
appropriately and timely enforce all integrated hazard detectors in 
accordance with Sec.  236.1005(c)(3), if applicable.


Sec.  236.1015  PTC Safety Plan content requirements and PTC System 
Certification.

    (a) Before placing a PTC system required under this part in 
service, the host railroad must submit to FRA a PTCSP and receive a PTC 
System Certification. If the Associate Administrator finds that the 
PTCSP and supporting documentation support a finding that the system 
complies with this part, the Associate Administrator approves the PTCSP 
and issues a PTC System Certification. Receipt of a PTC System 
Certification affirms that the PTC system has been reviewed and 
approved by FRA in accordance with, and meets the requirements of, this 
part.
    (b) A PTCSP submitted under this subpart may reference and utilize 
in accordance with this subpart any Type Approval previously issued by 
the Associate Administrator to any railroad, provided that the 
railroad:
    (1) Maintains a continually updated PTCPVL pursuant to Sec.  
236.1023;
    (2) Shows that the supplier from which they are procuring the PTC 
system has established and can maintain a quality control system for 
PTC system design and manufacturing acceptable to the Associate 
Administrator. The quality control system must include the process for 
the product supplier or vendor to promptly and thoroughly report any 
safety-relevant failure and previously unidentified hazards to each 
railroad using the product; and
    (3) Provides the applicable licensing information.
    (c) A PTCSP submitted in accordance with this subpart shall:
    (1) Include the FRA approved PTCDP or, if applicable, the FRA 
issued Type Approval;
    (2)(i) Specifically and rigorously document each variance, 
including the significance of each variance between the PTC system and 
its applicable operating conditions as described in the applicable 
PTCDP from that as described in the PTCSP, and attest that there are no 
other such variances; or
    (ii) Attest that there are no variances between the PTC system and 
its applicable operating conditions as described in the applicable 
PTCDP from that as described in the PTCSP; and
    (3) Attest that the system was otherwise built in accordance with 
the applicable PTCDP and PTCSP and achieves the level of safety 
represented therein.
    (d) A PTCSP shall include the same information required for a PTCDP 
under Sec.  236.1013(a). If a PTCDP has been filed and approved prior 
to filing of the PTCSP, the PTCSP may incorporate the PTCDP by 
reference, with the exception that a final human factors analysis shall 
be provided. The PTCSP shall contain the following additional elements:
    (1) A hazard log consisting of a comprehensive description of all 
safety-relevant hazards not previously addressed by the vendor or 
supplier to be addressed during the life-cycle of the PTC system, 
including maximum threshold limits for each hazard (for unidentified 
hazards, the threshold shall be exceeded at one occurrence);
    (2) A description of the safety assurance concepts that are to be 
used for system development, including an explanation of the design 
principles and assumptions;
    (3) A risk assessment of the as-built PTC system described;
    (4) A hazard mitigation analysis, including a complete and 
comprehensive description of each hazard and the mitigation techniques 
used;
    (5) A complete description of the safety assessment and 
Verification and Validation processes applied to the PTC system, their 
results, and whether these processes address the safety principles 
described in Appendix C to this part directly, using other safety 
criteria, or not at all;
    (6) A complete description of the railroad's training plan for 
railroad and contractor employees and supervisors necessary to ensure 
safe and proper installation, implementation, operation, maintenance, 
repair, inspection, testing, and modification of the PTC system;
    (7) A complete description of the specific procedures and test 
equipment necessary to ensure the safe and proper installation, 
implementation, operation, maintenance, repair, inspection, testing, 
and modification of the PTC system on the railroad and establish 
safety-critical hazards are appropriately mitigated. These procedures, 
including calibration requirements, shall be consistent with or explain 
deviations from the equipment manufacturer's recommendations;
    (8) A complete description of any additional warning to be placed 
in the Operations and Maintenance Manual in the same manner specified 
in Sec.  236.919 and all warning labels to be placed on equipment as 
necessary to ensure safety;
    (9) A complete description of the configuration or revision control 
measures designed to ensure that the railroad or its contractor does 
not adversely affect the safety-functional requirements and that 
safety-critical hazard mitigation processes are not compromised as a 
result of any such change;
    (10) A complete description of all initial implementation testing 
procedures necessary to establish that safety-functional requirements 
are met and safety-critical hazards are appropriately mitigated;
    (11) A complete description of all post-implementation testing 
(validation) and monitoring procedures, including the intervals 
necessary to establish that safety-functional requirements, safety-
critical hazard mitigation processes, and safety-critical tolerances 
are not compromised over time, through use, or after maintenance 
(adjustment, repair, or replacement) is performed;
    (12) A complete description of each record necessary to ensure the 
safety of the system that is associated with periodic maintenance, 
inspections, tests, adjustments, repairs, or replacements, and the 
system's resulting conditions, including records of component failures 
resulting in safety-relevant hazards (see Sec.  236.1037);
    (13) A safety analysis to determine whether, when the system is in 
operation, any risk remains of an unintended incursion into a roadway 
work zone due to human error. If the analysis reveals any such risk, 
the PTCDP and PTCSP shall describe how that risk will be mitigated;
    (14) A more detailed description of any alternative arrangements as 
already provided under Sec.  236.1005(a)(1)(i).
    (15) A complete description of how the PTC system will enforce 
authorities and signal indications, unless already completely provided 
for in the PTCDP;
    (16) A description of how the PTCSP complies with Sec.  
236.1019(f), if applicable;
    (17) A description of any deviation in operational requirements for 
en route failures as specified under Sec.  236.1029(c), if applicable 
and unless already completely provided for in the PTCDP;
    (18) A complete description of how the PTC system will 
appropriately and

[[Page 2709]]

timely enforce all integrated hazard detectors in accordance with Sec.  
236.1005;
    (19) An emergency and planned maintenance temporary rerouting plan 
indicating how operations on the subject PTC system will take advantage 
of the benefits provided under Sec.  236.1005(g) through (k); and
    (20) The documents and information required under Sec.  236.1007 
and Sec.  236.1033.
    (e) The following additional requirements apply to:
    (1) Non-vital overlay. A PTC system proposed as an overlay on the 
existing method of operation and not built in accordance with the 
safety assurance principles set forth in Appendix C of this part must, 
to the satisfaction of the Associate Administrator, be shown to:
    (i) Reliably execute the functions set forth in Sec.  236.1005;
    (ii) Obtain at least 80 percent reduction of the risk associated 
with accidents preventable by the functions set forth in Sec.  
236.1005, when all effects of the change associated with the PTC system 
are taken into account. The supporting risk assessment shall evaluate 
all intended changes in railroad operations coincident with the 
introduction of the new system; and
    (iii) Maintain a level of safety for each subsequent system 
modification that is equal to or greater than the level of safety for 
the previous PTC systems.
    (2) Vital overlay. A PTC system proposed on a newly constructed 
track or as an overlay on the existing method of operation and built in 
accordance with the safety assurance principles set forth in Appendix C 
of this part must, to the satisfaction of the Associate Administrator, 
be shown to:
    (i) Reliably execute the functions set forth in Sec.  236.1005; and
    (ii) Have sufficient documentation to demonstrate that the PTC 
system, as built, fulfills the safety assurance principles set forth in 
Appendix C of this part. The supporting risk assessment may be 
abbreviated as that term is used in subpart H of this part.
    (3) Stand-alone. A PTC system proposed on a newly constructed 
track, an existing track for which no signal system exists, as a 
replacement for an existing signal or train control system, or 
otherwise to replace or materially modify the existing method of 
operation, shall:
    (i) Reliably execute the functions required by Sec.  236.1005 and 
be demonstrated to do so to FRA's satisfaction; and
    (ii) Have a PTCSP establishing, with a high degree of confidence, 
that the system will not introduce new hazards that have not been 
mitigated. The supporting risk assessment shall evaluate all intended 
changes in railroad operations in relation to the introduction of the 
new system and shall examine in detail the direct and indirect effects 
of all changes in the method of operations.
    (4) Mixed systems. If a PTC system combining overlay, stand-alone, 
vital, or non-vital characteristics is proposed, the railroad shall 
confer with the Associate Administrator regarding appropriate 
structuring of the safety case and analysis.
    (f) When determining whether the PTCSP fulfills the requirements 
under paragraph (d) of this section, the Associate Administrator may 
consider all available evidence concerning the reliability and 
availability of the proposed system and any and all safety consequences 
of the proposed changes. In any case where the PTCSP lacks adequate 
data regarding safety impacts of the proposed changes, the Associate 
Administrator may request the necessary data from the applicant. If the 
requested data is not provided, the Associate Administrator may find 
that potential hazards could or will arise.
    (g) If a PTCSP applies to a system designed to replace an existing 
certified PTC system, the PTCSP will be approved provided that the 
PTCSP establishes with a high degree of confidence that the new system 
will provide a level of safety not less than the level of safety 
provided by the system to be replaced.
    (h) When reviewing the issue of the potential data errors (for 
example, errors arising from data supplied from other business systems 
needed to execute the braking algorithm, survey data needed for 
location determination, or mandatory directives issued through the 
computer-aided dispatching system), the PTCSP must include a careful 
identification of each of the risks and a discussion of each applicable 
mitigation. In an appropriate case, such as a case in which the 
residual risk after mitigation is substantial or the underlying method 
of operation will be significantly altered, the Associate Administrator 
may require submission of a quantitative risk assessment addressing 
these potential errors.


Sec.  236.1017  Independent third party Verification and Validation.

    (a) The PTCSP must be supported by an independent third-party 
assessment when the Associate Administrator concludes that it is 
necessary based upon the criteria set forth in Sec.  236.913, with the 
exception that consideration of the methodology used in the risk 
assessment (Sec.  236.913(g)(2)(vii)) shall apply only to the extent 
that a comparative risk assessment was required. To the extent 
practicable, FRA makes this determination not later than review of the 
PTCIP and the accompanying PTCDP or PTCSP. If an independent assessment 
is required, the assessment may apply to the entire system or a 
designated portion of the system.
    (b) If a PTC system is to undergo an independent assessment in 
accordance with this section, the host railroad may submit to the 
Associate Administrator a written request that FRA confirm whether a 
particular entity would be considered an independent third party 
pursuant to this section. The request should include supporting 
information identified in paragraph (c) of this section. FRA may 
request further information to make a determination or provide its 
determination in writing.
    (c) As used in this section, ``independent third party'' means a 
technically competent entity responsible to and compensated by the 
railroad (or an association on behalf of one or more railroads) that is 
independent of the PTC system supplier and vendor. An entity that is 
owned or controlled by the supplier or vendor, that is under common 
ownership or control with the supplier or vendor, or that is otherwise 
involved in the development of the PTC system is not considered 
``independent'' within the meaning of this section.
    (d) The independent third-party assessment shall, at a minimum, 
consist of the activities and result in the production of documentation 
meeting the requirements of Appendix F to this part, unless excepted by 
this part or by FRA order or waiver.
    (e) Information provided that has been certified under the auspices 
of a foreign railroad regulatory entity recognized by the Associate 
Administrator may, at the Associate Administrator's discretion, be 
accepted as having been independently verified.


Sec.  236.1019  Main line track exceptions.

    (a) Scope and procedure. This section pertains exclusively to 
exceptions from the rule that trackage over which scheduled intercity 
and commuter passenger service is provided is considered main line 
track requiring installation of a PTC system. One or more intercity or 
commuter passenger railroads, or freight railroads conducting joint 
passenger and freight operation over the same segment of track may file 
a main line track exclusion addendum (``MTEA'') to its PTCIP requesting 
to designate track as not main line subject to the conditions set forth 
in paragraphs

[[Page 2710]]

(b) or (c) of this section. No track shall be designated as yard or 
terminal unless it is identified in an MTEA that is part of an FRA 
approved PTCIP.
    (b) Passenger terminal exception. FRA will consider an exception in 
the case of trackage used exclusively as yard or terminal tracks by or 
in support of regularly scheduled intercity or commuter passenger 
service where the MTEA describes in detail the physical boundaries of 
the trackage in question, its use and characteristics (including track 
and signal charts) and all of the following apply:
    (1) The maximum authorized speed for all movements is not greater 
than 20 miles per hour, and that maximum is enforced by any available 
onboard PTC equipment within the confines of the yard or terminal;
    (2) Interlocking rules are in effect prohibiting reverse movements 
other than on signal indications without dispatcher permission; and
    (3) Either of the following conditions exists:
    (i) No freight operations are permitted; or
    (ii) Freight operations are permitted but no passengers will be 
aboard passenger trains within the defined limits.
    (c) Limited operations exception. FRA will consider an exception in 
the case of a track segment used for limited operations (at speeds not 
exceeding those permitted under Sec.  236.0 of this part) under one of 
the following sets of conditions:
    (1) The trackage is used for limited operations by at least one 
passenger railroad subject to at least one of the following conditions:
    (i) All trains are limited to restricted speed;
    (ii) Temporal separation of passenger and other trains is 
maintained as provided in paragraph (e) of this section; or
    (iii) Passenger service is operated under a risk mitigation plan 
submitted by all railroads involved in the joint operation and approved 
by FRA. The risk mitigation plan must be supported by a risk assessment 
establishing that the proposed mitigations will achieve a level of 
safety not less than the level of safety that would obtain if the 
operations were conducted under paragraph (c)(1) or (c)(2) of this 
section.
    (2) Passenger service is operated on a segment of track of a 
freight railroad that is not a Class I railroad on which less than 15 
million gross tons of freight traffic is transported annually and on 
which one of the following conditions applies:
    (i) If the segment is unsignaled and no more than four regularly 
scheduled passenger trains are operated during a calendar day, or
    (ii) If the segment is signaled (e.g., equipped with a traffic 
control system, automatic block signal system, or cab signal system) 
and no more than 12 regularly scheduled passenger trains are operated 
during a calendar day.
    (3) Not more than four passenger trains per day are operated on a 
segment of track of a Class I freight railroad on which less than 15 
million gross tons of freight traffic is transported annually.
    (d) A limited operations exception under paragraph (c) is subject 
to FRA review and approval. FRA may require a collision hazard analysis 
to identify hazards and may require that specific mitigations be 
undertaken. Operations under any such exception shall be conducted 
subject to the terms and conditions of the approval. Any main line 
track exclusion is subject to periodic review.
    (e) Temporal separation. As used in this section, temporal 
separation means that limited passenger and freight operations do not 
operate on any segment of shared track during the same period and also 
refers to the processes or physical arrangements, or both, in place to 
ensure that temporal separation is established and maintained at all 
times. The use of exclusive authorities under mandatory directives is 
not, by itself, sufficient to establish that temporal separation is 
achieved. Procedures to ensure temporal separation shall include 
verification checks between passenger and freight operations and 
effective physical means to positively ensure segregation of passenger 
and freight operations in accordance with this paragraph.
    (f) PTCSP requirement. No PTCSP--filed after the approval of a 
PTCIP with an MTEA--shall be approved by FRA unless it attests that no 
changes, except for those included in an FRA approved RFA, have been 
made to the information in the PTCIP and MTEA required by paragraph (b) 
or (c) of this section.
    (g) Designation modifications. If subsequent to approval of its 
PTCIP or PTCSP the railroad seeks to modify which track or tracks 
should be designated as main line or not main line, it shall request 
modification of its PTCIP or PTCSP, as applicable, in accordance with 
Sec.  236.1021.


Sec.  236.1021  Discontinuances, material modifications, and 
amendments.

    (a) No changes, as defined by this section, to a PTC system, PTCIP, 
PTCDP, or PTCSP, shall be made unless:
    (1) The railroad files a request for amendment (``RFA'') to the 
applicable PTCIP, PTCDP, or PTCSP with the Associate Administrator; and
    (2) The Associate Administrator approves the RFA.
    (b) After approval of an RFA in accordance with paragraph (a) of 
this section, the railroad shall immediately adopt and comply with the 
amendment.
    (c) In lieu of a separate filing under part 235 of this chapter, a 
railroad may request approval of a discontinuance or material 
modification of a signal or train control system by filing an RFA to 
its PTCIP, PTCDP, or PTCSP with the Associate Administrator.
    (d) An RFA made in accordance with this section will not be 
approved by FRA unless the request includes:
    (1) The information listed in Sec.  235.10 of this chapter and the 
railroad provides FRA upon request any additional information necessary 
to evaluate the RFA (see Sec.  235.12), including:
    (2) The proposed modifications;
    (3) The reasons for each modification;
    (4) The changes to the PTCIP, PTCDP, or PTCSP, as applicable;
    (5) Each modification's effect on PTC system safety;
    (6) An approximate timetable for filing of the PTCDP, PTCSP, or 
both, if the amendment pertains to a PTCIP; and
    (7) An explanation of whether each change to the PTCSP is planned 
or unplanned.
    (i) Unplanned changes that affect the Type Approval's PTCDP require 
submission and approval in accordance with Sec.  236.1013 of a new 
PTCDP, followed by submission and approval in accordance with Sec.  
236.1015 of a new PTCSP for the PTC system.
    (ii) Unplanned changes that do not affect the Type Approval's PTCDP 
require submission and approval of a new PTCSP.
    (iii) Unplanned changes are changes affecting system safety that 
have not been documented in the PTCSP. The impact of unplanned changes 
on PTC system safety has not yet been determined.
    (iv) Planned changes may be implemented after they have undergone 
suitable regression testing to demonstrate, to the satisfaction of the 
Associate Administrator, they have been correctly implemented and their 
implementation does not degrade safety.
    (v) Planned changes are changes affecting system safety in the 
PTCSP and have been included in all required analysis under Sec.  
236.1015. The impact of these changes on the PTC system's safety has 
been incorporated as an integral part of the approved PTCSP safety 
analysis.

[[Page 2711]]

    (e) If the RFA includes a request for approval of a discontinuance 
or material modification of a signal or train control system, FRA will 
publish a notice in the Federal Register of the application and will 
invite public comment in accordance with part 211 of this chapter.
    (f) When considering the RFA, FRA will review the issue of the 
discontinuance or material modification and determine whether granting 
the request is in the public interest and consistent with railroad 
safety, taking into consideration all changes in the method of 
operation and system functionalities, both within normal PTC system 
availability and in the case of a system failed state (unavailable), 
contemplated in conjunction with installation of the PTC system. The 
railroad submitting the RFA must, at FRA's request, perform field 
testing in accordance with Sec.  236.1035 or engage in Verification and 
Validation in accordance with Sec.  236.1017.
    (g) FRA may issue at its discretion a new Type Approval number for 
a PTC system modified under this section.
    (h) Changes requiring filing of an RFA. Except as provided by 
paragraph (i), an RFA shall be filed to request the following:
    (1) Discontinuance of a PTC system, or other similar appliance or 
device;
    (2) Decrease of the PTC system's limits (e.g., exclusion or removal 
of a PTC system on a track segment);
    (3) Modification of a safety critical element of a PTC system; or
    (4) Modification of a PTC system that affects the safety critical 
functionality of any other PTC system with which it interoperates.
    (i) Discontinuances not requiring the filing of an RFA. It is not 
necessary to file an RFA for the following discontinuances:
    (1) Removal of a PTC system from track approved for abandonment by 
formal proceeding;
    (2) Removal of PTC devices used to provide protection against 
unusual contingencies such as landslide, burned bridge, high water, 
high and wide load, or tunnel protection when the unusual contingency 
no longer exists;
    (3) Removal of the PTC devices that are used on a movable bridge 
that has been permanently closed by the formal approval of another 
government agency and is mechanically secured in the closed position 
for rail traffic; or
    (4) Removal of the PTC system from service for a period not to 
exceed 6 months that is necessitated by catastrophic occurrence such as 
derailment, flood, fire, or hurricane, or earthquake.
    (j) Changes not requiring the filing of an RFA. When the resultant 
change to the PTC system will comply with an approved PTCSP of this 
part, it is not necessary to file for approval to decrease the limits 
of a system when it involves the:
    (1) Decrease of the limits of a PTC system when interlocked 
switches, derails, or movable-point frogs are not involved;
    (2) Removal of an electric or mechanical lock, or signal used in 
lieu thereof, from hand-operated switch in a PTC system where train 
speed over such switch does not exceed 20 miles per hour, and use of 
those devices has not been part of the considerations for approval of a 
PTCSP; or
    (3) Removal of an electric or mechanical lock, or signal used in 
lieu thereof, from a hand-operated switch in a PTC system where trains 
are not permitted to clear the main track at such switch and use of 
those devices has not been a part of the considerations for approval of 
a PTCSP.
    (k) Modifications not requiring the filing of an RFA. When the 
resultant arrangement will comply with an approved PTCSP of this part, 
it is not necessary to file an application for approval of the 
following modifications:
    (1) A modification that is required to comply with an order of the 
Federal Railroad Administration or any section of part 236 of this 
title;
    (2) Installation of devices used to provide protection against 
unusual contingencies such as landslide, burned bridges, high water, 
high and wide loads, or dragging equipment;
    (3) Elimination of existing track other than a second main track;
    (4) Extension or shortening of a passing siding; or
    (5) The temporary or permanent arrangement of existing systems 
necessitated by highway-rail grade separation construction. Temporary 
arrangements shall be removed within six months following completion of 
construction.


Sec.  236.1023  Errors and malfunctions.

    (a) Each railroad implementing a PTC system on its property shall 
establish and continually update a PTC Product Vendor List (PTCPVL) 
that includes all vendors and suppliers of each PTC system, subsystem, 
component, and associated product, and process in use system-wide. The 
PTCPVL shall be made available to FRA upon request.
    (b)(1) The railroad shall specify within its PTCSP all contractual 
arrangements with hardware and software suppliers or vendors for 
immediate notification between the parties of any and all safety-
critical software failures, upgrades, patches, or revisions, as well as 
any hardware repairs, replacements, or modifications for their PTC 
system, subsystems, or components.
    (2) A vendor or supplier, on receipt of a report of any safety-
critical failure to their product, shall promptly notify all other 
railroads that are using that product, whether or not the other 
railroads have experienced the reported failure of that safety-critical 
system, subsystem, or component.
    (3) The notification from a supplier to any railroad shall include 
explanation from the supplier of the reasons for such notification, the 
circumstances associated with the failure, and any recommended 
mitigation actions to be taken pending determination of the root cause 
and final corrective actions.
    (c) The railroad shall:
    (1) Specify the railroad's process and procedures in its PTCSP for 
action upon their receipt of notification of safety-critical failure, 
as well as receipt of a safety-critical upgrade, patch, revision, 
repair, replacement, or modification.
    (2) Identify configuration/revision control measures in its PTCSP 
that are designed to ensure the safety-functional requirements and the 
safety-critical hazard mitigation processes are not compromised as a 
result of any change and that such a change can be audited.
    (d) The railroad shall provide to the applicable vendor or supplier 
the railroad's procedures for action upon notification of a safety-
critical failure, upgrade, patch, or revision for the PTC system, 
subsystem, component, product, or process, and actions to be taken 
until the faulty system, subsystem, or component has been adjusted, 
repaired or replaced.
    (e) After the product is placed in service, the railroad shall 
maintain a database of all safety-relevant hazards as set forth in the 
PTCSP and those that had not previously been identified in the PTCSP. 
If the frequency of the safety-relevant hazard exceeds the thresholds 
set forth in the PTCSP, or has not been previously identified in the 
appropriate risk analysis, the railroad shall:
    (1) Notify the applicable vendor or supplier and FRA of the 
failure, malfunction, or defective condition that decreased or 
eliminated the safety functionality;
    (2) Keep the applicable vendor or supplier and FRA apprised on a 
continual basis of the status of any and all subsequent failures; and
    (3) Take prompt counter measures to reduce or eliminate the 
frequency of the

[[Page 2712]]

safety-relevant hazards below the threshold identified in the PTCSP.
    (f) Each notification to FRA required by this section shall:
    (1) Be made within 15 days after the vendor, supplier, or railroad 
discovers the failure, malfunction, or defective condition. However, a 
report that is due on a Saturday or a Sunday may be delivered on the 
following Monday and one that is due on a holiday may be delivered on 
the next business day;
    (2) Be transmitted in a manner and form acceptable to the Associate 
Administrator and by the most expeditious method available; and
    (3) Include as much available and applicable information as 
possible, including:
    (i) PTC system name and model;
    (ii) Identification of the part, component, or system involved, 
including the part number as applicable;
    (iii) Nature of the failure, malfunctions, or defective condition;
    (iv) Mitigation taken to ensure the safety of train operation, 
railroad employees, and the public; and
    (v) The estimated time to correct the failure.
    (4) In the event that all information required by paragraph (f)(3) 
of this section is not immediately available, the non-available 
information shall be forwarded to the Associate Administrator as soon 
as practicable in supplemental reports.
    (g) Whenever any investigation of an accident or service difficulty 
report shows that a PTC system or product is unsafe because of a 
manufacturing or design defect, the railroad and its vendor or supplier 
shall, upon request of the Associate Administrator, report to the 
Associate Administrator the results of its investigation and any action 
taken or proposed to correct that defect.
    (h) PTC system and product suppliers and vendors shall:
    (1) Promptly report any safety-relevant failures or defective 
conditions, previously unidentified hazards, and recommended mitigation 
actions in their PTC system, subsystem, or component to each railroad 
using the product; and
    (2) Notify FRA of any safety-relevant failure, defective condition, 
or previously unidentified hazard discovered by the vendor or supplier 
and the identity of each affected and notified railroad.
    (i) The requirements of this section do not apply to failures, 
malfunctions, or defective conditions that:
    (1) Are caused by improper maintenance or improper usage; or
    (2) Have been previously identified to the FRA, vendor or supplier, 
and applicable user railroads.
    (j) When any safety-critical PTC system, subsystem, or component 
fails to perform its intended function, the cause shall be determined 
and the faulty product adjusted, repaired, or replaced without undue 
delay. Until corrective action is completed, a railroad shall take 
appropriate action to ensure safety and reliability as specified within 
its PTCSP.
    (k) Any railroad experiencing a failure of a system resulting in a 
more favorable aspect than intended or other condition hazardous to the 
movement of a train shall comply with the reporting requirements, 
including the making of a telephonic report of an accident or incident 
involving such failure, under part 233 of this chapter. Filing of one 
or more reports under part 233 of this chapter does not exempt a 
railroad, vendor, or supplier from the reporting requirements contained 
in this section.


Sec.  236.1025  [Reserved]


Sec.  236.1027  PTC system exclusions.

    (a) The requirements of this subpart apply to each office 
automation system that performs safety-critical functions within, or 
affects the safety performance of, the PTC system. For purposes of this 
section, ``office automation system'' means any centralized or 
distributed computer-based system that directly or indirectly controls 
the active movement of trains in a rail network.
    (b) Changes or modifications to PTC systems otherwise excluded from 
the requirements of this subpart by this section do not exclude those 
PTC systems from the requirements of this subpart if the changes or 
modifications result in a degradation of safety or a material decrease 
in safety-critical functionality.
    (c) Primary train control systems cannot be integrated with 
locomotive electronic systems unless the complete integrated systems:
    (1) Have been shown to be designed on fail-safe principles;
    (2) Have demonstrated to operate in a fail-safe mode;
    (3) Have a manual fail-safe fallback and override to allow the 
locomotive to be brought to a safe stop in the event of any loss of 
electronic control; and
    (4) Are included in the approved and applicable PTCDP and PTCSP.
    (d) PTC systems excluded by this section from the requirements of 
this subpart remain subject to subparts A through H of this part as 
applicable.


Sec.  236.1029  PTC system use and en route failures.

    (a) When any safety-critical PTC system component fails to perform 
its intended function, the cause must be determined and the faulty 
component adjusted, repaired, or replaced without undue delay. Until 
repair of such essential components are completed, a railroad shall 
take appropriate action as specified in its PTCSP.
    (b) Where a PTC onboard apparatus on a controlling locomotive that 
is operating in or is to be operated within a PTC system fails or is 
otherwise cut-out while en route (i.e, after the train has departed its 
initial terminal), the train may only continue in accordance with the 
following:
    (1) The train may proceed at restricted speed, or if a block signal 
system is in operation according to signal indication at medium speed, 
to the next available point where communication of a report can be made 
to a designated railroad officer of the host railroad;
    (2) Upon completion and communication of the report required in 
paragraph (b)(1) of this section, or where immediate electronic report 
of said condition is appropriately provided by the PTC system itself, a 
train may continue to a point where an absolute block can be 
established in advance of the train in accordance with the following:
    (i) Where no block signal system is in use, the train may proceed 
at restricted speed, or
    (ii) Where a block signal system is in operation according to 
signal indication, the train may proceed at a speed not to exceed 
medium speed.
    (3) Upon reaching the location where an absolute block has been 
established in advance of the train, as referenced in paragraph (b)(2) 
of this section, the train may proceed in accordance with the 
following:
    (i) Where no block signal system is in use, the train may proceed 
at medium speed; however, if the involved train is a passenger train or 
a train hauling any amount of PIH material, it may only proceed at a 
speed not to exceed 30 miles per hour.
    (ii) Where a block signal system is in use, a passenger train may 
proceed at a speed not to exceed 59 miles per hour and a freight train 
may proceed at a speed not to exceed 49 miles per hour.
    (iii) Except as provided in paragraph (c), where a cab signal 
system with an automatic train control system is in operation, the 
train may proceed at a speed not to exceed 79 miles per hour.
    (c) In order for a train equipped with PTC traversing a track 
segment equipped with PTC to deviate from the operating limitations 
contained in paragraph (b) of this section, the deviation must be 
described and justified in the FRA approved PTCDP or PTCSP, or the 
Order of Particular Applicability, as applicable.

[[Page 2713]]

    (d) Each railroad shall comply with all provisions in the 
applicable PTCDP and PTCSP for each PTC system it uses and shall 
operate within the scope of initial operational assumptions and 
predefined changes identified.
    (e) The normal functioning of any safety-critical PTC system must 
not be interfered with in testing or otherwise without first taking 
measures to provide for the safe movement of trains, locomotives, 
roadway workers, and on-track equipment that depend on the normal 
functioning of the system.
    (f) The PTC system's onboard apparatus shall be so arranged that 
each member of the crew assigned to perform duties in the locomotive 
can receive the same PTC information displayed in the same manner and 
execute any functions necessary to that crew member's duties. The 
locomotive engineer shall not be required to perform functions related 
to the PTC system while the train is moving that have the potential to 
distract the locomotive engineer from performance of other safety-
critical duties.


Sec.  236.1031  Previously approved PTC systems.

    (a) Any PTC system fully implemented and operational prior to March 
16, 2010, may receive PTC System Certification if the applicable PTC 
railroad, or one or more system suppliers and one or more PTC 
railroads, submits a Request for Expedited Certification (REC) letter 
to the Associate Administrator. The REC letter must do one of the 
following:
    (1) Reference a product safety plan (PSP) approved by FRA under 
subpart H of this part and include a document fulfilling the 
requirements under Sec. Sec.  236.1011 and 236.1013 not already 
included in the PSP;
    (2) Attest that the PTC system has been approved by FRA and in 
operation for at least 5 years and has already received an assessment 
of Verification and Validation from an independent third party under 
part 236 or a waiver supporting such operation; or
    (3) Attest that the PTC system is recognized under an Order issued 
prior to March 16, 2010.
    (b) If an REC letter conforms to paragraph (a)(1) of this section, 
the Associate Administrator, at his or her sole discretion, may also 
issue a new Type Approval for the PTC system.
    (c) In order to receive a Type Approval or PTC System Certification 
under paragraph (a) or (b) of this section, the PTC system must be 
shown to reliably execute the functionalities required by Sec. Sec.  
236.1005 and 236.1007 and otherwise conform to this subpart.
    (d) Previous approval or recognition of a train control system, 
together with an established service history, may, at the request of 
the PTC railroad, and consistent with available safety data, be 
credited toward satisfaction of the safety case requirements set forth 
in this part for the PTCSP with respect to all functionalities and 
implementations contemplated by the approval or recognition.
    (e) To the extent that the PTC system proposed for implementation 
under this subpart is different in significant detail from the system 
previously approved or recognized, the changes shall be fully analyzed 
in the PTCDP or PTCSP as would be the case absent prior approval or 
recognition.
    (f) As used in this section--
    (1) Approved refers to approval of a Product Safety Plan under 
subpart H of this part.
    (2) Recognized refers to official action permitting a system to be 
implemented for control of train operations under an FRA order or 
waiver, after review of safety case documentation for the 
implementation.
    (g) Upon receipt of an REC, FRA will consider all safety case 
information to the extent feasible and appropriate, given the specific 
facts before the agency. Nothing in this section limits re-use of any 
applicable safety case information by a party other than the party 
receiving:
    (1) A prior approval or recognition referred to in this section; or
    (2) A Type Approval or PTC System Certification under this subpart.


Sec.  236.1033  Communications and security requirements.

    (a) All wireless communications between the office, wayside, and 
onboard components in a PTC system shall provide cryptographic message 
integrity and authentication.
    (b) Cryptographic keys required under paragraph (a) of this section 
shall:
    (1) Use an algorithm approved by the National Institute of 
Standards (NIST) or a similarly recognized and FRA approved standards 
body;
    (2) Be distributed using manual or automated methods, or a 
combination of both; and
    (3) Be revoked:
    (i) If compromised by unauthorized disclosure of the cleartext key; 
or
    (ii) When the key algorithm reaches its lifespan as defined by the 
standards body responsible for approval of the algorithm.
    (c) The cleartext form of the cryptographic keys shall be protected 
from unauthorized disclosure, modification, or substitution, except 
during key entry when the cleartext keys and key components may be 
temporarily displayed to allow visual verification. When encrypted keys 
or key components are entered, the cryptographically protected 
cleartext key or key components shall not be displayed.
    (d) Access to cleartext keys shall be protected by a tamper 
resistant mechanism.
    (e) Each railroad electing to also provide cryptographic message 
confidentiality shall:
    (1) Comply with the same requirements for message integrity and 
authentication under this section; and
    (2) Only use keys meeting or exceeding the security strength 
required to protect the data as defined in the railroad's PTCSP and 
required under Sec.  236.1013(a)(7).
    (f) Each railroad, or its vendor or supplier, shall have a 
prioritized service restoration and mitigation plan for scheduled and 
unscheduled interruptions of service. This plan shall be included in 
the PTCDP or PTCSP as required by Sec. Sec.  236.1013 or 236.1015, as 
applicable, and made available to FRA upon request, without undue 
delay, for restoration of communication services that support PTC 
system services.
    (g) Each railroad may elect to impose more restrictive requirements 
than those in this section, consistent with interoperability 
requirements specified in the PTCSP for the system.


Sec.  236.1035  Field testing requirements.

    (a) Before any field testing of an uncertified PTC system, or a 
product of an uncertified PTC system, or any regression testing of a 
certified PTC system is conducted on the general rail system, the 
railroad requesting the testing must provide:
    (1) A complete description of the PTC system;
    (2) An operational concepts document;
    (3) A complete description of the specific test procedures, 
including the measures that will be taken to protect trains and on-
track equipment;
    (4) An analysis of the applicability of the requirements of 
subparts A through G of this part to the PTC system that will not apply 
during testing;
    (5) The date the proposed testing shall begin;
    (6) The test locations; and
    (7) The effect on the current method of operation the PTC system 
will or may have under test.
    (b) FRA may impose additional testing conditions that it believes 
may be necessary for the safety of train operations.

[[Page 2714]]

    (c) Relief from regulations other than from subparts A through G of 
this part that the railroad believes are necessary to support the field 
testing, must be requested in accordance with part 211 of this title.


Sec.  236.1037  Records retention.

    (a) Each railroad with a PTC system required to be installed under 
this subpart shall maintain at a designated office on the railroad:
    (1) A current copy of each FRA approved Type Approval, if any, 
PTCDP, and PTCSP that it holds;
    (2) Adequate documentation to demonstrate that the PTCSP and PTCDP 
meet the safety requirements of this subpart, including the risk 
assessment;
    (3) An Operations and Maintenance Manual, pursuant to Sec.  
236.1039; and
    (4) Training and testing records pursuant to Sec.  236.1043(b).
    (b) Results of inspections and tests specified in the PTCSP and 
PTCDP must be recorded pursuant to Sec.  236.110.
    (c) Each contractor providing services relating to the testing, 
maintenance, or operation of a PTC system required to be installed 
under this subpart shall maintain at a designated office training 
records required under Sec.  236.1039(b).
    (d) After the PTC system is placed in service, the railroad shall 
maintain a database of all safety-relevant hazards as set forth in the 
PTCSP and PTCDP and those that had not been previously identified in 
either document. If the frequency of the safety-relevant hazards 
exceeds the threshold set forth in either of these documents, then the 
railroad shall:
    (1) Report the inconsistency in writing by mail, facsimile, e-mail, 
or hand delivery to the Director, Office of Safety Assurance and 
Compliance, FRA, 1200 New Jersey Ave, SE, Mail Stop 25, Washington, DC 
20590, within 15 days of discovery. Documents that are hand delivered 
must not be enclosed in an envelope;
    (2) Take prompt countermeasures to reduce the frequency of each 
safety-relevant hazard to below the threshold set forth in the PTCSP 
and PTCDP; and
    (3) Provide a final report when the inconsistency is resolved to 
the FRA Director, Office of Safety Assurance and Compliance, on the 
results of the analysis and countermeasures taken to reduce the 
frequency of the safety-relevant hazard(s) below the threshold set 
forth in the PTCSP and PTCDP.


Sec.  236.1039  Operations and Maintenance Manual.

    (a) The railroad shall catalog and maintain all documents as 
specified in the PTCDP and PTCSP for the installation, maintenance, 
repair, modification, inspection, and testing of the PTC system and 
have them in one Operations and Maintenance Manual, readily available 
to persons required to perform such tasks and for inspection by FRA and 
FRA-certified state inspectors.
    (b) Plans required for proper maintenance, repair, inspection, and 
testing of safety-critical PTC systems must be adequate in detail and 
must be made available for inspection by FRA and FRA-certified state 
inspectors where such PTC systems are deployed or maintained. They must 
identify all software versions, revisions, and revision dates. Plans 
must be legible and correct.
    (c) Hardware, software, and firmware revisions must be documented 
in the Operations and Maintenance Manual according to the railroad's 
configuration management control plan and any additional configuration/
revision control measures specified in the PTCDP and PTCSP.
    (d) Safety-critical components, including spare equipment, must be 
positively identified, handled, replaced, and repaired in accordance 
with the procedures specified in the PTCDP and PTCSP.
    (e) Each railroad shall designate in its Operations and Maintenance 
Manual an appropriate railroad officer responsible for issues relating 
to scheduled interruptions of service contemplated by Sec.  236.1029.


Sec.  236.1041  Training and qualification program, general.

    (a) Training program for PTC personnel. Employers shall establish 
and implement training and qualification programs for PTC systems 
subject to this subpart. These programs must meet the minimum 
requirements set forth in the PTCDP and PTCSP in Sec. Sec.  236.1039 
through 236.1045, as appropriate, for the following personnel:
    (1) Persons whose duties include installing, maintaining, 
repairing, modifying, inspecting, and testing safety-critical elements 
of the railroad's PTC systems, including central office, wayside, or 
onboard subsystems;
    (2) Persons who dispatch train operations (issue or communicate any 
mandatory directive that is executed or enforced, or is intended to be 
executed or enforced, by a train control system subject to this 
subpart);
    (3) Persons who operate trains or serve as a train or engine crew 
member subject to instruction and testing under part 217 of this 
chapter, on a train operating in territory where a train control system 
subject to this subpart is in use;
    (4) Roadway workers whose duties require them to know and 
understand how a train control system affects their safety and how to 
avoid interfering with its proper functioning; and
    (5) The direct supervisors of persons listed in paragraphs (a)(1) 
through (a)(4) of this section.
    (b) Competencies. The employer's program must provide training for 
persons who perform the functions described in paragraph (a) of this 
section to ensure that they have the necessary knowledge and skills to 
effectively complete their duties related to operation and maintenance 
of the PTC system.


Sec.  236.1043  Task analysis and basic requirements.

    (a) Training structure and delivery. As part of the program 
required by Sec.  236.1041, the employer shall, at a minimum:
    (1) Identify the specific goals of the training program with regard 
to the target population (craft, experience level, scope of work, 
etc.), task(s), and desired success rate;
    (2) Based on a formal task analysis, identify the installation, 
maintenance, repair, modification, inspection, testing, and operating 
tasks that must be performed on a railroad's PTC systems. This includes 
the development of failure scenarios and the actions expected under 
such scenarios;
    (3) Develop written procedures for the performance of the tasks 
identified;
    (4) Identify the additional knowledge, skills, and abilities above 
those required for basic job performance necessary to perform each 
task;
    (5) Develop a training and evaluation curriculum that includes 
classroom, simulator, computer-based, hands-on, or other formally 
structured training designed to impart the knowledge, skills, and 
abilities identified as necessary to perform each task;
    (6) Prior to assignment of related tasks, require all persons 
mentioned in Sec.  236.1041(a) to successfully complete a training 
curriculum and pass an examination that covers the PTC system and 
appropriate rules and tasks for which they are responsible (however, 
such persons may perform such tasks under the direct onsite supervision 
of a qualified person prior to completing such training and passing the 
examination);
    (7) Require periodic refresher training and evaluation at intervals 
specified in the PTCDP and PTCSP that includes classroom, simulator, 
computer-based, hands-on, or other formally structured

[[Page 2715]]

training and testing, except with respect to basic skills for which 
proficiency is known to remain high as a result of frequent repetition 
of the task; and
    (8) Conduct regular and periodic evaluations of the effectiveness 
of the training program specified in Sec.  236.1041(a)(1) verifying the 
adequacy of the training material and its validity with respect to 
current railroads PTC systems and operations.
    (b) Training records. Employers shall retain records which 
designate persons who are qualified under this section until new 
designations are recorded or for at least one year after such persons 
leave applicable service. These records shall be kept in a designated 
location and be available for inspection and replication by FRA and 
FRA-certified State inspectors


Sec.  236.1045  Training specific to office control personnel.

    (a) Any person responsible for issuing or communicating mandatory 
directives in territory where PTC systems are or will be in use shall 
be trained in the following areas, as applicable:
    (1) Instructions concerning the interface between the computer-
aided dispatching system and the train control system, with respect to 
the safe movement of trains and other on-track equipment;
    (2) Railroad operating rules applicable to the train control 
system, including provision for movement and protection of roadway 
workers, unequipped trains, trains with failed or cut-out train control 
onboard systems, and other on-track equipment; and
    (3) Instructions concerning control of trains and other on-track 
equipment in case the train control system fails, including periodic 
practical exercises or simulations, and operational testing under part 
217 of this chapter to ensure the continued capability of the personnel 
to provide for safe operations under the alternative method of 
operation.
    (b) [Reserved]


Sec.  236.1047  Training specific to locomotive engineers and other 
operating personnel.

    (a) Operating personnel. Training provided under this subpart for 
any locomotive engineer or other person who participates in the 
operation of a train in train control territory shall be defined in the 
PTCDP as well as the PTCSP. The following elements shall be addressed:
    (1) Familiarization with train control equipment onboard the 
locomotive and the functioning of that equipment as part of the system 
and in relation to other onboard systems under that person's control;
    (2) Any actions required of the onboard personnel to enable, or 
enter data to, the system, such as consist data, and the role of that 
function in the safe operation of the train;
    (3) Sequencing of interventions by the system, including pre-
enforcement notification, enforcement notification, penalty application 
initiation and post-penalty application procedures;
    (4) Railroad operating rules and testing (part 217) applicable to 
the train control system, including provisions for movement and 
protection of any unequipped trains, or trains with failed or cut-out 
train control onboard systems and other on-track equipment;
    (5) Means to detect deviations from proper functioning of onboard 
train control equipment and instructions regarding the actions to be 
taken with respect to control of the train and notification of 
designated railroad personnel; and
    (6) Information needed to prevent unintentional interference with 
the proper functioning of onboard train control equipment.
    (b) Locomotive engineer training. Training required under this 
subpart for a locomotive engineer, together with required records, 
shall be integrated into the program of training required by part 240 
of this chapter.
    (c) Full automatic operation. The following special requirements 
apply in the event a train control system is used to effect full 
automatic operation of the train:
    (1) The PTCDP and PTCSP shall identify all safety hazards to be 
mitigated by the locomotive engineer.
    (2) The PTCDP and PTCSP shall address and describe the training 
required with provisions for the maintenance of skills proficiency. As 
a minimum, the training program must:
    (i) As described in Sec.  236.1043(a)(2), develop failure scenarios 
which incorporate the safety hazards identified in the PTCDP and PTCSP 
including the return of train operations to a fully manual mode;
    (ii) Provide training, consistent with Sec.  236.1047(a), for safe 
train operations under all failure scenarios and identified safety 
hazards that affect train operations;
    (iii) Provide training, consistent with Sec.  236.1047(a), for safe 
train operations under manual control; and
    (iv) Consistent with Sec.  236.1047(a), ensure maintenance of 
manual train operating skills by requiring manual starting and stopping 
of the train for an appropriate number of trips and by one or more of 
the following methods:
    (A) Manual operation of a train for a 4-hour work period;
    (B) Simulated manual operation of a train for a minimum of 4 hours 
in a Type I simulator as required; or
    (C) Other means as determined following consultation between the 
railroad and designated representatives of the affected employees and 
approved by FRA. The PTCDP and PTCSP shall designate the appropriate 
frequency when manual operation, starting, and stopping must be 
conducted, and the appropriate frequency of simulated manual operation.
    (d) Conductor training. Training required under this subpart for a 
conductor, together with required records, shall be integrated into the 
program of training required under this chapter.


Sec.  236.1049  Training specific to roadway workers.

    (a) Roadway worker training. Training required under this subpart 
for a roadway worker shall be integrated into the program of 
instruction required under part 214, subpart C of this chapter 
(``Roadway Worker Protection''), consistent with task analysis 
requirements of Sec.  236.1043. This training shall provide instruction 
for roadway workers who provide protection for themselves or roadway 
work groups.
    (b) Training subject areas. (1) Instruction for roadway workers 
shall ensure an understanding of the role of processor-based signal and 
train control equipment in establishing protection for roadway workers 
and their equipment.
    (2) Instruction for all roadway workers working in territories 
where PTC is required under this subpart shall ensure recognition of 
processor-based signal and train control equipment on the wayside and 
an understanding of how to avoid interference with its proper 
functioning.
    (3) Instructions concerning the recognition of system failures and 
the provision of alternative methods of on-track safety in case the 
train control system fails, including periodic practical exercises or 
simulations and operational testing under part 217 of this chapter to 
ensure the continued capability of roadway workers to be free from the 
danger of being struck by a moving train or other on-track equipment.


0
12. Amend Appendix A to part 236 by adding entries for subpart I as 
follows:

Appendix A to Part 236--Civil Penalties \1\
---------------------------------------------------------------------------

    \1\ The Administrator reserves the right to assess a civil 
penalty of up to $100,000 per day for any violation where 
circumstances warrant. See 459 CFR part 209, Appendix A.

[[Page 2716]]



------------------------------------------------------------------------
                                                              Willful
                 Section                     Violation       violation
------------------------------------------------------------------------
 
                              * * * * * * *
------------------------------------------------------------------------
                Subpart I--Positive Train Control Systems
------------------------------------------------------------------------
236.1005 Positive Train Control System
 Requirements:
    Failure to complete PTC system                16,000          25,000
     installation on track segment where
     PTC is required prior to 12/31/2015
    Commencement of revenue service               16,000          25,000
     prior to obtaining PTC System
     Certification......................
    Failure of the PTC system to perform           5,000           7,500
     a safety-critical function required
     by this section....................
    Failure to provide notice, obtain              5,000           7,500
     approval, or follow a condition for
     temporary rerouting when required..
    Exceeding the allowed percentage of            5,000           7,500
     controlling locomotives operating
     out of an initial terminal after
     receiving a failed initialization..
236.1006 Equipping locomotives operating
 in PTC territory:
    Operating in PTC territory a                  15,000          25,000
     controlling locomotive without a
     required and operative PTC onboard
     apparatus..........................
    Failure to report as prescribed by             5,000           7,500
     this section.......................
    Non-compliant operation of                    15,000          25,000
     unequipped trains in PTC territory.
236.1007 Additional requirements for
 high-speed service:
    Operation of passenger trains at              15,000          25,000
     speed equal to or greater than 60
     mph on non-PTC-equipped territory
     where required.....................
    Operation of freight trains at speed          15,000          25,000
     equal to or greater than 50 mph on
     non-PTC-equipped territory where
     required...........................
    Failure to fully implement incursion           5,000           7,500
     protection where required..........
236.1009 Procedural requirements:
    Failure to file PTCIP when required.           5,000           7,500
    Failure to amend PTCIP when required           5,000           7,500
    Failure to obtain Type Approval when           5,000           7,500
     required...........................
    Failure to update NPI...............           5,000           7,500
    Operation of PTC system prior to              16,000          25,000
     system certification...............
236.1011 PTCIP content requirements:
    Failure to install a PTC system in            11,000          16,000
     accordance with subpart I when so
     required...........................
236.1013 PTCDP content requirements and
 Type Approval:
    Failure to maintain quality control            5,000           7,500
     system.............................
    Inappropriate use of Type Approval..           5,000           7,500
236.1015 PTCSP content requirements and
 PTC System Certification:
    Failure to implement PTC system in            16,000          25,000
     accordance with the associated
     PTCSP and resultant system
     certification......................
    Failure to maintain PTC system in             16,000          25,000
     accordance with the associated
     PTCSP and resultant system
     certification......................
    Failure to maintain required                   2,500           5,000
     supporting documentation...........
236.1017 Independent third party
 Verification and Validation:
    Failure to conduct independent third          11,000          16,000
     party Verification and Validation
     when ordered.......................
236.1019 Main line track exceptions:
    Revenue operations conducted in non-          16,000          25,000
     compliance with the passenger
     terminal exception.................
    Revenue operations conducted in non-          16,000          25,000
     compliance with the limited
     operations exception...............
    Failure to request modification of            11,000          16,000
     the PTCIP or PTCSP when required...
    Revenue operations conducted in               16,000          25,000
     violation of (c)(2)................
    Revenue operations conducted in               25,000          25,000
     violation of (c)(3)................
236.1021 Discontinuances, material
 modifications, and amendments:
    Failure to update PTCDP when                   5,000           7,500
     required...........................
    Failure to update PTCSP when                   5,000           7,500
     required...........................
    Failure to immediately adopt and               5,000           7,500
     comply with approved RFA...........
    Discontinuance or modification of a           11,000          16,000
     PTC system without approval when
     required...........................
236.1023 Errors and malfunctions:
    Railroad failure to provide proper             5,000           7,500
     notification of PTC system error or
     malfunction........................
    Failure to maintain PTCPVL..........           2,500           5,000
    Supplier failure to provide proper             5,000           7,500
     notification of previously
     identified PTC system error or
     malfunction........................
    Failure to provide timely                      5,000           7,500
     notification.......................
    Failure to provide appropriate                15,000          25,000
     protective measures in the event of
     PTC system failure.................
236.1027 Exclusions:
    Integration of primary train control           5,000           7,500
     system with locomotive electronic
     system without approval............
236.1029 PTC system use and en route
 failures:
    Failure to determine cause of PTC              5,000           7,500
     system component failure without
     undue delay........................
    Failure to adjust, repair, or                  5,000           7,500
     replace faulty PTC system component
     without undue delay................
    Failure to take appropriate action            15,000          25,000
     pending adjustment, repair, or
     replacement of faulty PTC system
     component..........................
    Non-compliant train operation within           5,000           7,500
     PTC-equipped territory with
     inoperative PTC onboard apparatus..
    Interference with the normal                  15,000          25,000
     functioning of safety-critical PTC
     system.............................
    Improper arrangement of the PTC                2,500           5,000
     system onboard apparatus...........

[[Page 2717]]

 
236.1033 Communications and security
 requirements:
    Failure to provide cryptographic               5,000           7,500
     message integrity and
     authentication.....................
    Improper use of revoked                        5,000          15,000
     cryptographic key..................
    Failure to protect cryptographic               5,000          15,000
     keys from unauthorized disclosure,
     modification, or substitution......
    Failure to establish prioritized               5,000           7,500
     service restoration and mitigation
     plan for communication services....
236.1035 Field testing requirements:
    Field testing without authorization           10,000          20,000
     or approval........................
236.1037 Records retention:
    Failure to maintain records and                7,500          15,000
     databases as required..............
    Failure to report inconsistency.....          10,000          20,000
    Failure to take prompt                        10,000          20,000
     countermeasures....................
    Failure to provide final report.....           2,500           5,000
236.1039 Operations and Maintenance
 Manual:
    Failure to implement and maintain              3,000           6,000
     Operations and Maintenance Manual
     as required........................
236.1043 Task analysis and basic
 requirements:
    Failure to develop and maintain an            10,000          20,000
     acceptable training program........
    Failure to train persons as required           2,500           5,000
    Failure to conduct evaluation of               2,500           5,000
     training program as required.......
    Failure to maintain records as                 1,500           3,000
     required...........................
236.1045 Training specific to office
 control personnel:
    Failure to conduct training unique             2,500           5,000
     to office control personnel........
236.1047 Training specific to locomotive
 engineers and other operating
 personnel:
    Failure to conduct training unique             2,500           5,000
     to locomotive engineers and other
     operating personnel................
236.1049 Training specific to roadway
 workers:
    Failure to conduct training unique             2,500           5,000
     to roadway workers.................
------------------------------------------------------------------------


0
13. Revise Appendix B to part 236 to read as follows:

Appendix B to Part 236--Risk Assessment Criteria

    The safety-critical performance of each product for which risk 
assessment is required under this part must be assessed in 
accordance with the following minimum criteria or other criteria if 
demonstrated to the Associate Administrator for Safety to be equally 
suitable:
    (a) How are risk metrics to be expressed? The risk metric for 
the proposed product must describe with a high degree of confidence 
the accumulated risk of a train control system that operates over 
the designated life-cycle of the product. Each risk metric for the 
proposed product must be expressed with an upper bound, as estimated 
with a sensitivity analysis, and the risk value selected must be 
demonstrated to have a high degree of confidence.
    (b) How does the risk assessment handle interaction risks for 
interconnected subsystems/components? The risk assessment of each 
safety-critical system (product) must account not only for the risks 
associated with each subsystem or component, but also for the risks 
associated with interactions (interfaces) between such subsystems.
    (c) What is the main principle in computing risk for the 
previous and current conditions? The risk for the previous condition 
must be computed using the same metrics as for the new system being 
proposed. A full risk assessment must consider the entire railroad 
environment where the product is being applied, and show all aspects 
of the previous condition that are affected by the installation of 
the product, considering all faults, operating errors, exposure 
scenarios, and consequences that are related as described in this 
part. For the full risk assessment, the total societal cost of the 
potential numbers of accidents assessed for both previous and new 
system conditions must be computed for comparison. An abbreviated 
risk assessment must, as a minimum, clearly compute the MTTHE for 
all of the hazardous events identified for both previous and current 
conditions. The comparison between MTTHE for both conditions is to 
determine whether the product implementation meets the safety 
criteria as required by subpart H or subpart I of this part as 
applicable.
    (d) What major system characteristics must be included when 
relevant to risk assessment? Each risk calculation must consider the 
total signaling and train control system and method of operation, as 
subjected to a list of hazards to be mitigated by the signaling and 
train control system. The methodology requirements must include the 
following major characteristics, when they are relevant to the 
product being considered:
    (1) Track plan infrastructure, switches, rail crossings at grade 
and highway-rail grade crossings as applicable;
    (2) Train movement density for freight, work, and passenger 
trains where applicable and computed over a time span of not less 
than 12 months;
    (3) Train movement operational rules, as enforced by the 
dispatcher, roadway worker/Employee in Charge, and train crew 
behaviors;
    (4) Wayside subsystems and components;
    (5) Onboard subsystems and components;
    (6) Consist contents such as hazardous material, oversize loads; 
and
    (7) Operating speeds if the provisions of part 236 cite 
additional requirements for certain type of train control systems to 
be used at such speeds for freight and passenger trains.
    (e) What other relevant parameters must be determined for the 
subsystems and components? In order to derive the frequency of 
hazardous events (or MTTHE) applicable for a product, subsystem or 
component included in the risk assessment, the railroad may use 
various techniques, such as reliability and availability 
calculations for subsystems and components, Fault Tree Analysis 
(FTA) of the subsystems, and results of the application of safety 
design principles as noted in Appendix C to this part. The MTTHE is 
to be derived for both fail-safe and non-fail-safe subsystems or 
components. The lower bounds of the MTTF or MTBF determined from the 
system sensitivity analysis, which account for all necessary and 
well justified assumptions, may be used to represent the estimate of 
MTTHE for the associated non-fail-safe subsystem or component in the 
risk assessment.
    (f) How are processor-based subsystems/components assessed? (1) 
An MTTHE value must be calculated for each processor-based subsystem 
or component, or both, indicating the safety-critical behavior of 
the integrated hardware/software subsystem or component, or both. 
The human factor impact must be included in the assessment, whenever 
applicable, to provide the integrated MTTHE value. The MTTHE 
calculation must consider the rates of failures caused by permanent, 
transient, and intermittent faults accounting for the fault coverage 
of the integrated hardware/software subsystem or component, phased-
interval maintenance, and restoration of the detected failures.
    (2) Software fault/failure analysis must be based on the 
assessment of the design and implementation of all safety-related 
software including the application code, its operating/executive 
program, COTS software, and associated device drivers, as well as 
historical performance data, analytical methods and experimental 
safety-critical performance testing performed on the subsystem or 
component. The software assessment process must demonstrate through 
repeatable predictive results that all software defects have been 
identified and

[[Page 2718]]

corrected by process with a high degree of confidence.
    (g) How are non-processor-based subsystems/components assessed? 
(1) The safety-critical behavior of all non-processor-based 
components, which are part of a processor-based system or subsystem, 
must be quantified with an MTTHE metric. The MTTHE assessment 
methodology must consider failures caused by permanent, transient, 
and intermittent faults, phase-interval maintenance and restoration 
of operation after failures and the effect of fault coverage of each 
non-processor-based subsystem or component.
    (2) MTTHE compliance verification and validation must be based 
on the assessment of the design for adequacy by a documented 
verification and validation process, historical performance data, 
analytical methods and experimental safety-critical performance 
testing performed on the subsystem or component. The non-processor-
based quantification compliance must be demonstrated to have a high 
degree of confidence.
    (h) What assumptions must be documented for risk assessment? (1) 
The railroad shall document any assumptions regarding the derivation 
of risk metrics used. For example, for the full risk assessment, all 
assumptions made about each value of the parameters used in the 
calculation of total cost of accidents should be documented. For 
abbreviated risk assessment, all assumptions made for MTHHE 
derivation using existing reliability and availability data on the 
current system components should be documented. The railroad shall 
document these assumptions in such a form as to permit later 
comparisons with in-service experience.
    (2) The railroad shall document any assumptions regarding human 
performance. The documentation shall be in such a form as to 
facilitate later comparisons with in-service experience.
    (3) The railroad shall document any assumptions regarding 
software defects. These assumptions shall be in a form that permit 
the railroad to project the likelihood of detecting an in-service 
software defect. These assumptions shall be documented in such a 
form as to permit later comparisons with in-service experience.
    (4) The railroad shall document all of the identified safety-
critical fault paths to a mishap as predicted by the safety analysis 
methodology. The documentation shall be in such a form as to 
facilitate later comparisons with in-service faults.

0
14. Revise Appendix C to part 236 to read as follows:

Appendix C to Part 236--Safety Assurance Criteria and Processes

    (a) What is the purpose of this appendix? This appendix provides 
safety criteria and processes that the designer must use to develop 
and validate the product that meets safety requirements of this 
part. FRA uses the criteria and processes set forth in this appendix 
to evaluate the validity of safety targets and the results of system 
safety analyses provided in the RSPP, PSP, PTCIP, PTCDP, and PTCSP 
documents as appropriate. An analysis performed under this appendix 
must:
    (1) Address each of the safety principles of paragraph (b) of 
this appendix, or explain why they are not relevant, and
    (2) Employ a validation and verification process pursuant to 
paragraph (c) of this appendix.
    (b) What safety principles must be followed during product 
development? The designer shall address each of the following safety 
considerations principles when designing and demonstrating the 
safety of products covered by subpart H or I of this part. In the 
event that any of these principles are not followed, the PSP or 
PTCDP or PTCSP shall state both the reason(s) for departure and the 
alternative(s) utilized to mitigate or eliminate the hazards 
associated with the design principle not followed.
    (1) System safety under normal operating conditions. The system 
(all its elements including hardware and software) must be designed 
to assure safe operation with no hazardous events under normal 
anticipated operating conditions with proper inputs and within the 
expected range of environmental conditions. All safety-critical 
functions must be performed properly under these normal conditions. 
The system shall operate safely even in the absence of prescribed 
operator actions or procedures. The designer must identify and 
categorize all hazards that may lead to unsafe system operation. 
Hazards categorized as unacceptable, which are determined by hazard 
analysis, must be eliminated by design. Best effort shall also be 
made by the designer to eliminate by design the hazards categorized 
as undesirable. Those undesirable hazards that cannot be eliminated 
should be mitigated to the acceptable level as required by this 
part.
    (2) System safety under failures.
    (i) It must be shown how the product is designed to eliminate or 
mitigate unsafe systematic failures--those conditions which can be 
attributed to human error that could occur at various stages 
throughout product development. This includes unsafe errors in the 
software due to human error in the software specification, design, 
or coding phases; human errors that could impact hardware design; 
unsafe conditions that could occur because of an improperly designed 
human-machine interface; installation and maintenance errors; and 
errors associated with making modifications.
    (ii) The product must be shown to operate safely under 
conditions of random hardware failures. This includes single 
hardware failures as well as multiple hardware failures that may 
occur at different times but remain undetected (latent) and react in 
combination with a subsequent failure at a later time to cause an 
unsafe operating situation. In instances involving a latent failure, 
a subsequent failure is similar to there being a single failure. In 
the event of a transient failure, and if so designed, the system 
should restart itself if it is safe to do so. Frequency of attempted 
restarts must be considered in the hazard analysis required by Sec.  
236.907(a)(8).
    (iii) There shall be no single point failures in the product 
that can result in hazards categorized as unacceptable or 
undesirable. Occurrence of credible single point failures that can 
result in hazards must be detected and the product must achieve a 
known safe state that eliminates the possibility of false activation 
of any physical appliance.
    (iv) If one non-self-revealing failure combined with a second 
failure can cause a hazard that is categorized as unacceptable or 
undesirable, then the second failure must be detected and the 
product must achieve a known safe state that eliminates the 
possibility of false activation of any physical appliance.
    (v) Another concern of multiple failures involves common mode 
failures in which two or more subsystems or components intended to 
compensate one another to perform the same function all fail by the 
same mode and result in unsafe conditions. This is of particular 
concern in instances in which two or more elements (hardware or 
software, or both) are used in combination to ensure safety. If a 
common mode failure exists, then any analysis performed under this 
appendix cannot rely on the assumption that failures are 
independent. Examples include: The use of redundancy in which two or 
more elements perform a given function in parallel and when one 
(hardware or software) element checks/monitors another element (of 
hardware or software) to help ensure its safe operation. Common mode 
failure relates to independence, which must be ensured in these 
instances. When dealing with the effects of hardware failure, the 
designer shall address the effects of the failure not only on other 
hardware, but also on the execution of the software, since hardware 
failures can greatly affect how the software operates.
    (3) Closed loop principle. System design adhering to the closed 
loop principle requires that all conditions necessary for the 
existence of any permissive state or action be verified to be 
present before the permissive state or action can be initiated. 
Likewise the requisite conditions shall be verified to be 
continuously present for the permissive state or action to be 
maintained. This is in contrast to allowing a permissive state or 
action to be initiated or maintained in the absence of detected 
failures. In addition, closed loop design requires that failure to 
perform a logical operation, or absence of a logical input, output 
or decision shall not cause an unsafe condition, i.e. system safety 
does not depend upon the occurrence of an action or logical 
decision.
    (4) Safety assurance concepts. The product design must include 
one or more of the following Safety Assurance Concepts as described 
in IEEE-1483 standard to ensure that failures are detected and the 
product is placed in a safe state. One or more different principles 
may be applied to each individual subsystem or component, depending 
on the safety design objectives of that part of the product.
    (i) Design diversity and self-checking concept. This concept 
requires that all critical functions be performed in diverse ways, 
using diverse software operations and/or diverse hardware channels, 
and that critical hardware be tested with Self-Checking routines. 
Permissive outputs are allowed only if the results of the diverse 
operations correspond, and the Self-Checking

[[Page 2719]]

process reveals no failures in either execution of software or in 
any monitored input or output hardware. If the diverse operations do 
not agree or if the checking reveals critical failures, safety-
critical functions and outputs must default to a known safe state.
    (ii) Checked redundancy concept. The Checked Redundancy concept 
requires implementation of two or more identical, independent 
hardware units, each executing identical software and performing 
identical functions. A means is to be provided to periodically 
compare vital parameters and results of the independent redundant 
units, requiring agreement of all compared parameters to assert or 
maintain a permissive output. If the units do not agree, safety-
critical functions and outputs must default to a known safe state.
    (iii) N-version programming concept. This concept requires a 
processor-based product to use at least two software programs 
performing identical functions and executing concurrently in a 
cycle. The software programs must be written by independent teams, 
using different tools. The multiple independently written software 
programs comprise a redundant system, and may be executed either on 
separate hardware units (which may or may not be identical) or 
within one hardware unit. A means is to be provided to compare the 
results and output states of the multiple redundant software 
systems. If the system results do not agree, then the safety-
critical functions and outputs must default to a known safe state.
    (iv) Numerical assurance concept. This concept requires that the 
state of each vital parameter of the product or system be uniquely 
represented by a large encoded numerical value, such that permissive 
results are calculated by pseudo-randomly combining the 
representative numerical values of each of the critical constituent 
parameters of a permissive decision. Vital algorithms must be 
entirely represented by data structures containing numerical values 
with verified characteristics, and no vital decisions are to be made 
in the executing software, only by the numerical representations 
themselves. In the event of critical failures, the safety-critical 
functions and outputs must default to a known safe state.
    (v) Intrinsic fail-safe design concept. Intrinsically fail-safe 
hardware circuits or systems are those that employ discrete 
mechanical and/or electrical components. The fail-safe operation for 
a product or subsystem designed using this principle concept 
requires a verification that the effect of every relevant failure 
mode of each component, and relevant combinations of component 
failure modes, be considered, analyzed, and documented. This is 
typically performed by a comprehensive failure modes and effects 
analysis (FMEA) which must show no residual unmitigated failures. In 
the event of critical failures, the safety-critical functions and 
outputs must default to a known safe state.
    (5) Human factor engineering principle. The product design must 
sufficiently incorporate human factors engineering that is 
appropriate to the complexity of the product; the educational, 
mental, and physical capabilities of the intended operators and 
maintainers; the degree of required human interaction with the 
component; and the environment in which the product will be used.
    (6) System safety under external influences. The product must be 
shown to operate safely when subjected to different external 
influences, including:
    (i) Electrical influences such as power supply anomalies/
transients, abnormal/improper input conditions (e.g., outside of 
normal range inputs relative to amplitude and frequency, unusual 
combinations of inputs) including those related to a human operator, 
and others such as electromagnetic interference or electrostatic 
discharges, or both;
    (ii) Mechanical influences such as vibration and shock; and
    (iii) Climatic conditions such as temperature and humidity.
    (7) System safety after modifications. Safety must be ensured 
following modifications to the hardware or software, or both. All or 
some of the concerns identified in this paragraph may be applicable 
depending upon the nature and extent of the modifications. Such 
modifications must follow all of the concept, design, implementation 
and test processes and principles as documented in the PSP for the 
original product. Regression testing must be comprehensive and 
documented to include all scenarios which are affected by the change 
made, and the operating modes of the changed product during normal 
and failure state (fallback) operation.
    (c) What standards are acceptable for Verification and 
Validation? (1) The standards employed for Verification or 
Validation, or both, of products subject to this subpart must be 
sufficient to support achievement of the applicable requirements of 
subpart H and subpart I of this part.
    (2) U.S. Department of Defense Military Standard (MIL-STD) 882C, 
``System Safety Program Requirements'' (January 19, 1993), is 
recognized as providing appropriate risk analysis processes for 
incorporation into verification and validation standards.
    (3) The following standards designed for application to 
processor-based signal and train control systems are recognized as 
acceptable with respect to applicable elements of safety analysis 
required by subpart H and subpart I of this part. The latest 
versions of the standards listed below should be used unless 
otherwise provided.
    (i) IEEE standards as follows:
    (A) IEEE 1483-2000, Standard for the Verification of Vital 
Functions in Processor-Based Systems Used in Rail Transit Control.
    (B) IEEE 1474.2-2003, Standard for user interface requirements 
in communications based train control (CBTC) systems.
    (C) IEEE 1474.1-2004, Standard for Communications-Based Train 
Control (CBTC) Performance and Functional Requirements.
    (ii) CENELEC Standards as follows:
    (A) EN50129: 2003, Railway Applications: Communications, 
Signaling, and Processing Systems-Safety Related Electronic Systems 
for Signaling; and
    (B) EN50155:2001/A1:2002, Railway Applications: Electronic 
Equipment Used in Rolling Stock.
    (iii) ATCS Specification 200 Communications Systems 
Architecture.
    (iv) ATCS Specification 250 Message Formats.
    (v) AREMA 2009 Communications and Signal Manual of Recommended 
Practices, Part 16, Part 17, 21, and 23.
    (vi) Safety of High-Speed Ground Transportation Systems. 
Analytical Methodology for Safety Validation of Computer Controlled 
Subsystems. Volume II: Development of a Safety Validation 
Methodology. Final Report September 1995. Author: Jonathan F. 
Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
    (vii) IEC 61508 (International Electrotechnical Commission), 
Functional Safety of Electrical/Electronic/Programmable/Electronic 
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
    (A) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 
61508-1 Corr. (1999-05) Corrigendum 1--Part 1: General Requirements.
    (B) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/
electronic/programmable electronic safety-related systems.
    (C) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 
61508-3 Corr. 1 (1999-04) Corrigendum 1--Part 3: Software 
requirements.
    (D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations 
and IEC 61508-4 Corr. 1 (1999-04) Corrigendum 1--Part 4: Definitions 
and abbreviations.
    (E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the 
determination of safety integrity levels and IEC 61508-5 Corr. 1 
(1999-04) Corrigendum 1--Part 5: Examples of methods for 
determination of safety integrity levels.
    (F) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications 
of IEC 61508-2 and -3.
    (G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and 
measures.
    (H) IEC 62278: 2002, Railway Applications: Specification and 
Demonstration of Reliability, Availability, Maintainability and 
Safety (RAMS);
    (I) IEC 62279: 2002 Railway Applications: Software for Railway 
Control and Protection Systems;
    (4) Use of unpublished standards, including proprietary 
standards, is authorized to the extent that such standards are shown 
to achieve the requirements of this part. However, any such 
standards shall be available for inspection and replication by FRA 
and for public examination in any public proceeding before the FRA 
to which they are relevant.
    (5) The various standards provided in this paragraph are for 
illustrative purposes only. Copies of these standards can be 
obtained in accordance with the following:
    (i) U.S. government standards and technical publications may be 
obtained by contacting the federal National Technical Information 
Service, 5301 Shawnee Rd, Alexandria, VA 22312.
    (ii) U.S. National Standards may be obtained by contacting the 
American

[[Page 2720]]

National Standards Institute, 25 West 43rd Street, 4 Floor, New 
York, NY 10036.
    (iii) IEC Standards may be obtained by contacting the 
International Electrotechnical Commission, 3, rue de Varemb[eacute], 
P.O. Box 131 CH--1211, GENEVA, 20, Switzerland.
    (iv) CENLEC Standards may be obtained by contacting any of one 
the national standards bodies that make up the European Committee 
for Electrotechnical Standardization.
    (v) IEEE standards may be obtained by contacting the IEEE 
Publications Office, 10662 Los Vaqueros Circle, P.O. Box 3014, Los 
Alamitos, CA 90720-1264.
    (vi) AREMA standards may be obtained from the American Railway 
Engineering and Maintenance-of-Way Association, 10003 Derekwood 
Lane, Suite 210, Lanham, MD 20706.


0
15. Revise Appendix D to part 236 to read as follows:

Appendix D to Part 236--Independent Review of Verification and 
Validation

    (a) This appendix provides minimum requirements for independent 
third-party assessment of product safety verification and validation 
pursuant to subpart H or subpart I of this part. The goal of this 
assessment is to provide an independent evaluation of the product 
manufacturer's utilization of safety design practices during the 
product's development and testing phases, as required by any 
mutually agreed upon controlling documents and standards and the 
applicable railroad's:
    (1) Railroad Safety Program Plan (RSPP) and Product Safety Plan 
(PSP) for processor based systems developed under subpart H or,
    (2) PTC Product Development Plan (PTCDP) and PTC Safety Plan 
(PTCSP) for PTC systems developed under subpart I.
    (b) The supplier may request advice and assistance of the 
reviewer concerning the actions identified in paragraphs (c) through 
(g) of this appendix. However, the reviewer shall not engage in any 
design efforts associated with the product, the products subsystems, 
or the products components, in order to preserve the reviewer's 
independence and maintain the supplier's proprietary right to the 
product.
    (c) The supplier shall provide the reviewer access to any and 
all documentation that the reviewer requests and attendance at any 
design review or walkthrough that the reviewer determines as 
necessary to complete and accomplish the third party assessment. The 
reviewer may be accompanied by representatives of FRA as necessary, 
in FRA's judgment, for FRA to monitor the assessment.
    (d) The reviewer shall evaluate the product with respect to 
safety and comment on the adequacy of the processes which the 
supplier applies to the design and development of the product. At a 
minimum, the reviewer shall compare the supplier processes with 
acceptable validation and verification methodology and employ any 
other such tests or comparisons if they have been agreed to 
previously with FRA. Based on these analyses, the reviewer shall 
identify and document any significant safety vulnerabilities which 
are not adequately mitigated by the supplier's (or user's) 
processes. Finally, the reviewer shall evaluate and document the 
adequacy of the railroad's
    (1) RSPP, the PSP, and any other documents pertinent to a 
product being developed under subpart H of this part; or
    (2) PTCDP and PTCSP for systems being developed under subpart I 
of this part.
    (e) The reviewer shall analyze the Hazard Log and/or any other 
hazard analysis documents for comprehensiveness and compliance with 
applicable railroad, vendor, supplier, industry, national, and 
international standards.
    (f) The reviewer shall analyze all Fault Tree Analyses (FTA), 
Failure Mode and Effects Criticality Analysis (FMECA), and other 
hazard analyses for completeness, correctness, and compliance with 
applicable railroad, vendor, supplier, industry, national and 
international standards.
    (g) The reviewer shall randomly select various safety-critical 
software, and hardware modules, if directed by FRA, for audit to 
verify whether the requirements of the applicable railroad, vendor, 
supplier, industry, national, and international standards were 
followed. The number of modules audited must be determined as a 
representative number sufficient to provide confidence that all 
unaudited modules were developed in compliance with the applicable 
railroad, vendor, supplier, industry, national, and international 
standards.
    (h) The reviewer shall evaluate and comment on the plan for 
installation and test procedures of the product for revenue service.
    (i) The reviewer shall prepare a final report of the assessment. 
The report shall be submitted to the railroad prior to the 
commencement of installation testing and contain at least the 
following information:
    (1) Reviewer's evaluation of the adequacy of the PSP in the case 
of products developed under subpart H, or PTCSP for products 
developed under subpart I of this part, including the supplier's 
MTTHE and risk estimates for the product, and the supplier's 
confidence interval in these estimates;
    (2) Product vulnerabilities, potentially hazardous failure 
modes, or potentially hazardous operating circumstances which the 
reviewer felt were not adequately identified, tracked, mitigated, 
and corrected by either the vendor or supplier or the railroad;
    (3) A clear statement of position for all parties involved for 
each product vulnerability cited by the reviewer;
    (4) Identification of any documentation or information sought by 
the reviewer that was denied, incomplete, or inadequate;
    (5) A listing of each applicable vendor, supplier, industry, 
national, or international standard, procedure or process which was 
not properly followed;
    (6) Identification of the software verification and validation 
procedures, as well as the hardware verification validation 
procedures if deemed appropriate by FRA, for the product's safety-
critical applications, and the reviewer's evaluation of the adequacy 
of these procedures;
    (7) Methods employed by the product manufacturer to develop 
safety-critical software;
    (8) If deemed applicable by FRA, the methods employed by the 
product manufacturer to develop safety-critical hardware by 
generally acceptable techniques;
    (9) Method by which the supplier or railroad addresses 
comprehensiveness of the product design which considers the safety 
elements listed in paragraph (b) of appendix C to this part.


0
16. Revise Appendix E to part 236 to read as follows:

Appendix E to Part 236--Human-Machine Interface (HMI) Design

    (a) This appendix provides human factors design criteria 
applicable to both subpart H and subpart I of this part. HMI design 
criteria will minimize negative safety effects by causing designers 
to consider human factors in the development of HMIs. The product 
design should sufficiently incorporate human factors engineering 
that is appropriate to the complexity of the product; the gender, 
educational, mental, and physical capabilities of the intended 
operators and maintainers; the degree of required human interaction 
with the component; and the environment in which the product will be 
used.
    (b) As used in this section, ``designer'' means anyone who 
specifies requirements for--or designs a system or subsystem, or 
both, for--a product subject to subpart H or subpart I of this part, 
and ``operator'' means any human who is intended to receive 
information from, provide information to, or perform repairs or 
maintenance on a safety-critical product subject to subpart H or I 
of this part.
    (c) Human factors issues the designers must consider with regard 
to the general function of a system include:
    (1) Reduced situational awareness and over-reliance. HMI design 
must give an operator active functions to perform, feedback on the 
results of the operator's actions, and information on the automatic 
functions of the system as well as its performance. The operator 
must be ``in-the-loop.'' Designers must consider at a minimum the 
following methods of maintaining an active role for human operators:
    (i) The system must require an operator to initiate action to 
operate the train and require an operator to remain ``in-the-loop'' 
for at least 30 minutes at a time;
    (ii) The system must provide timely feedback to an operator 
regarding the system's automated actions, the reasons for such 
actions, and the effects of the operator's manual actions on the 
system;
    (iii) The system must warn operators in advance when it requires 
an operator to take action;
    (iv) HMI design must equalize an operator's workload; and
    (v) HMI design must not distract from the operator's safety 
related duties.
    (2) Expectation of predictability and consistency in product 
behavior and communications. HMI design must accommodate an 
operator's expectation of logical and consistent relationships 
between actions and results. Similar objects must behave 
consistently when an operator performs the same action upon them.

[[Page 2721]]

    (3) End user limited ability to process information. HMI design 
must therefore minimize an operator's information processing load. 
To minimize information processing load, the designer must:
    (i) Present integrated information that directly supports the 
variety and types of decisions that an operator makes;
    (ii) Provide information in a format or representation that 
minimizes the time required to understand and act; and
    (iii) Conduct utility tests of decision aids to establish clear 
benefits such as processing time saved or improved quality of 
decisions.
    (4) End user limited memory. HMI design must therefore minimize 
an operator's information processing load.
    (i) To minimize short-term memory load, the designer shall 
integrate data or information from multiple sources into a single 
format or representation (``chunking'') and design so that three or 
fewer ``chunks'' of information need to be remembered at any one 
time.
    (ii) To minimize long-term memory load, the designer shall 
design to support recognition memory, design memory aids to minimize 
the amount of information that must be recalled from unaided memory 
when making critical decisions, and promote active processing of the 
information.
    (d) Design systems that anticipate possible user errors and 
include capabilities to catch errors before they propagate through 
the system;
    (1) Conduct cognitive task analyses prior to designing the 
system to better understand the information processing requirements 
of operators when making critical decisions; and
    (2) Present information that accurately represents or predicts 
system states.
    (e) When creating displays and controls, the designer must 
consider user ergonomics and shall:
    (1) Locate displays as close as possible to the controls that 
affect them;
    (2) Locate displays and controls based on an operator's 
position;
    (3) Arrange controls to minimize the need for the operator to 
change position;
    (4) Arrange controls according to their expected order of use;
    (5) Group similar controls together;
    (6) Design for high stimulus-response compatibility (geometric 
and conceptual);
    (7) Design safety-critical controls to require more than one 
positive action to activate (e.g., auto stick shift requires two 
movements to go into reverse);
    (8) Design controls to allow easy recovery from error; and
    (9) Design display and controls to reflect specific gender and 
physical limitations of the intended operators.
    (f) The designer shall also address information management. To 
that end, HMI design shall:
    (1) Display information in a manner which emphasizes its 
relative importance;
    (2) Comply with the ANSI/HFS 100-1988 standard;
    (3) Utilize a display luminance that has a difference of at 
least 35cd/m2 between the foreground and background (the displays 
should be capable of a minimum contrast 3:1 with 7:1 preferred, and 
controls should be provided to adjust the brightness level and 
contrast level);
    (4) Display only the information necessary to the user;
    (5) Where text is needed, use short, simple sentences or phrases 
with wording that an operator will understand and appropriate to the 
educational and cognitive capabilities of the intended operator;
    (6) Use complete words where possible; where abbreviations are 
necessary, choose a commonly accepted abbreviation or consistent 
method and select commonly used terms and words that the operator 
will understand;
    (7) Adopt a consistent format for all display screens by placing 
each design element in a consistent and specified location;
    (8) Display critical information in the center of the operator's 
field of view by placing items that need to be found quickly in the 
upper left hand corner and items which are not time-critical in the 
lower right hand corner of the field of view;
    (9) Group items that belong together;
    (10) Design all visual displays to meet human performance 
criteria under monochrome conditions and add color only if it will 
help the user in performing a task, and use color coding as a 
redundant coding technique;
    (11) Limit the number of colors over a group of displays to no 
more than seven;
    (12) Design warnings to match the level of risk or danger with 
the alerting nature of the signal; and
    (13) With respect to information entry, avoid full QWERTY 
keyboards for data entry.
    (g) With respect to problem management, the HMI designer shall 
ensure that the:
    (1) HMI design must enhance an operator's situation awareness;
    (2) HMI design must support response selection and scheduling; 
and
    (3) HMI design must support contingency planning.
    (h) Ensure that electronics equipment radio frequency emissions 
are compliant with appropriate Federal Communications Commission 
regulations. The FCC rules and regulations are codified in Title 47 
of the Code of Federal Regulations (CFR).
    (1) Electronics equipment must have appropriate FCC Equipment 
Authorizations. The following documentation is applicable to 
obtaining FCC Equipment Authorization:
    (i) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987 
issue) FCC Equipment Authorization Program for Radio Frequency 
Devices. This document provides an overview of the equipment 
authorization program to control radio interference from radio 
transmitters and certain other electronic products and an overview 
of how to obtain an equipment authorization.
    (ii) OET Bulletin 63: (October 1993) Understanding The FCC Part 
15 Regulations for Low Power, Non-Licensed Transmitters. This 
document provides a basic understanding of the FCC regulations for 
low power, unlicensed transmitters, and includes answers to some 
commonly-asked questions. This edition of the bulletin does not 
contain information concerning personal communication services (PCS) 
transmitters operating under Part 15, Subpart D of the rules.
    (iii) 47 Code of Federal Regulations Parts 0 to 19. The FCC 
rules and regulations governing PCS transmitters may be found in 47 
CFR, Parts 0 to 19.
    (iv) OET Bulletin 62 (December 1993) Understanding The FCC 
Regulations for Computers and other Digital Devices. This document 
has been prepared to provide a basic understanding of the FCC 
regulations for digital (computing) devices, and includes answers to 
some commonly-asked questions.
    (2) Designers must comply with FCC requirements for Maximum 
Permissible Exposure limits for field strength and power density for 
the transmitters operating at frequencies of 300 kHz to 100 GHz and 
specific absorption rate (SAR) limits for devices operating within 
close proximity to the body. The Commission's requirements are 
detailed in parts 1 and 2 of the FCC's Rules and Regulations (47 CFR 
1.1307(b), 1.1310, 2.1091, 2.1093). The following documentation is 
applicable to demonstrating whether proposed or existing 
transmitting facilities, operations or devices comply with limits 
for human exposure to radiofrequency RF fields adopted by the FCC:
    (i) OET Bulletin No. 65 (Edition 97-01, August 1997), 
``Evaluating Compliance With FCC Guidelines For Human Exposure To 
Radiofrequency Electromagnetic Fields'',
    (ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 
1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997) 
and
    (iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 
2001).
    (3) The bulletin and supplements offer guidelines and 
suggestions for evaluating compliance. However, they are not 
intended to establish mandatory procedures. Other methods and 
procedures may be acceptable if based on sound engineering practice.


0
17. Add an Appendix F to part 236 to read as follows:

Appendix F to Part 236--Minimum Requirements of FRA Directed 
Independent Third-Party Assessment of PTC System Safety Verification 
and Validation

    (a) This appendix provides minimum requirements for mandatory 
independent third-party assessment of PTC system safety verification 
and validation pursuant to subpart H or I of this part. The goal of 
this assessment is to provide an independent evaluation of the PTC 
system manufacturer's utilization of safety design practices during 
the PTC system's development and testing phases, as required by the 
applicable PSP, PTCDP, and PTCSP, the applicable requirements of 
subpart H or I of this part, and any other previously agreed-upon 
controlling documents or standards.
    (b) The supplier may request advice and assistance of the 
independent third-party reviewer concerning the actions identified 
in paragraphs (c) through (g) of this appendix. However, the 
reviewer should not engage in design efforts in order to preserve 
the reviewer's independence and maintain the

[[Page 2722]]

supplier's proprietary right to the PTC system.
    (c) The supplier shall provide the reviewer access to any and 
all documentation that the reviewer requests and attendance at any 
design review or walkthrough that the reviewer determines as 
necessary to complete and accomplish the third party assessment. The 
reviewer may be accompanied by representatives of FRA as necessary, 
in FRA's judgment, for FRA to monitor the assessment.
    (d) The reviewer shall evaluate with respect to safety and 
comment on the adequacy of the processes which the supplier applies 
to the design and development of the PTC system. At a minimum, the 
reviewer shall evaluate the supplier design and development process 
regarding the use of an appropriate design methodology. The reviewer 
may use the comparison processes and test procedures that have been 
previously agreed to with FRA. Based on these analyses, the reviewer 
shall identify and document any significant safety vulnerabilities 
which are not adequately mitigated by the supplier's (or user's) 
processes. Finally, the reviewer shall evaluate the adequacy of the 
railroad's applicable PSP or PTCSP, and any other documents 
pertinent to the PTC system being assessed.
    (e) The reviewer shall analyze the Hazard Log and/or any other 
hazard analysis documents for comprehensiveness and compliance with 
railroad, vendor, supplier, industry, national, or international 
standards.
    (f) The reviewer shall analyze all Fault Tree Analyses (FTA), 
Failure Mode and Effects Criticality Analysis (FMECA), and other 
hazard analyses for completeness, correctness, and compliance with 
railroad, vendor, supplier, industry, national, or international 
standards.
    (g) The reviewer shall randomly select various safety-critical 
software modules, as well as safety-critical hardware components if 
required by FRA for audit to verify whether the railroad, vendor, 
supplier, industry, national, or international standards were 
followed. The number of modules audited must be determined as a 
representative number sufficient to provide confidence that all 
unaudited modules were developed in compliance with railroad, 
vendor, supplier, industry, national, or international standards
    (h) The reviewer shall evaluate and comment on the plan for 
installation and test procedures of the PTC system for revenue 
service.
    (i) The reviewer shall prepare a final report of the assessment. 
The report shall be submitted to the railroad prior to the 
commencement of installation testing and contain at least the 
following information:
    (1) Reviewer's evaluation of the adequacy of the PSP or PTCSP 
including the supplier's MTTHE and risk estimates for the PTC 
system, and the supplier's confidence interval in these estimates;
    (2) PTC system vulnerabilities, potentially hazardous failure 
modes, or potentially hazardous operating circumstances which the 
reviewer felt were not adequately identified, tracked or mitigated;
    (3) A clear statement of position for all parties involved for 
each PTC system vulnerability cited by the reviewer;
    (4) Identification of any documentation or information sought by 
the reviewer that was denied, incomplete, or inadequate;
    (5) A listing of each applicable vendor, supplier, industry, 
national or international standard, process, or procedure which was 
not properly followed;
    (6) Identification of the hardware and software verification and 
validation procedures for the PTC system's safety-critical 
applications, and the reviewer's evaluation of the adequacy of these 
procedures;
    (7) Methods employed by PTC system manufacturer to develop 
safety-critical software; and
    (8) If directed by FRA, methods employed by PTC system 
manufacturer to develop safety-critical hardware.

    Issued in Washington, DC, on December 30, 2009.
Joseph C. Szabo,
Administrator.
[FR Doc. E9-31362 Filed 1-12-10; 11:15 am]
BILLING CODE 4910-06-P