[Federal Register Volume 76, Number 8 (Wednesday, January 12, 2011)]
[Proposed Rules]
[Pages 2200-2238]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2010-33244]



[[Page 2199]]

-----------------------------------------------------------------------

Part II

Department of Transportation
-----------------------------------------------------------------------



Federal Railroad Administration



-----------------------------------------------------------------------



49 CFR Parts 229 and 238



Locomotive Safety Standards; Proposed Rule

  Federal Register / Vol. 76 , No. 8 / Wednesday, January 12, 2011 / 
Proposed Rules  

[[Page 2200]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Railroad Administration

49 CFR Parts 229 and 238

[Docket No. FR-2009-0095; Notice No. 1]
RIN 2130-AC16


Locomotive Safety Standards

AGENCY: Federal Railroad Administration (FRA), Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking (NPRM).

-----------------------------------------------------------------------

SUMMARY: FRA proposes to revise the existing regulations containing 
Railroad Locomotive Safety Standards. The proposed revisions would 
update, consolidate, and clarify the existing regulations. The proposal 
incorporates existing industry and engineering best practices related 
to locomotives and locomotive electronics. This includes the 
development of a safety analysis for new locomotive electronic systems. 
FRA believes this proposal will modernize and improve its safety 
regulatory program related to locomotives.

DATES: Comments: Written comments must be received by March 14, 2011. 
Comments received after that date will be considered to the extent 
possible without incurring additional expenses or delays.
    Hearing: FRA anticipates being able to complete this rulemaking 
without a public, oral hearing. However, if FRA receives a specific 
request for a public, oral hearing prior to February 11, 2011, one will 
be scheduled and FRA will publish a supplemental notice in the Federal 
Register to inform interested parties of the date, time, and location 
of any such hearing.

ADDRESSES: Comments: Comments related to Docket No. FRA-2009-0095, may 
be submitted by any of the following methods: Web Site: Federal 
eRulemaking Portal, http://www.regulations.gov. Follow the online 
instructions for submitting comments.
     Fax: 202-493-2251.
     Mail: Docket Management Facility, U.S. Department of 
Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 
20590.
     Hand Delivery: Room W12-140 on the Ground level of the 
West Building, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 
between 9 a.m. and 5 p.m. Monday through Friday, except Federal 
holidays.
     Federal eRulemaking Portal: Go to http://www.regulations.gov. Follow the online instructions for submitting 
comments.
    Instructions: All submissions must include the agency name and 
docket number or Regulatory Identification Number (RIN) for this 
rulemaking. Note that all comments received will be posted without 
change to http://www.regulation.gov including any personal information. 
Please see the Privacy Act heading in the SUPPLEMENTARY INFORMATION 
section of this document for Privacy Act information related to any 
submitted comments or materials.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov at any time or to 
Room W12-140 on the Ground level of the West Building, 1200 New Jersey 
Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through 
Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: George Scerbo, Office of Safety 
Assurance and Compliance, Motive Power & Equipment Division, RRS-14, 
Federal Railroad Administration, 1200 New Jersey Avenue, SE., 
Washington, DC (telephone 202-493-6249), or Michael Masci, Trial 
Attorney, Office of Chief Counsel, Federal Railroad Administration, 
1200 New Jersey Avenue, SE., Washington, DC (telephone 202-493-6037).

SUPPLEMENTARY INFORMATION:

I. Statutory and Regulatory Background

    FRA has broad statutory authority to regulate railroad safety. The 
Federal railroad safety laws (formerly the Locomotive Boiler Inspection 
Act at 45 U.S.C. 22-34, repealed and recodified at 49 U.S.C. 20701-
20703) prohibit the use of unsafe locomotives and authorize FRA to 
issue standards for locomotive maintenance and testing. In order to 
further FRA's ability to respond effectively to contemporary safety 
problems and hazards as they arise in the railroad industry, Congress 
enacted the Federal Railroad Safety Act of 1970 (Safety Act) (formerly 
45 U.S.C. 421, 431 et seq., now found primarily in chapter 201 of Title 
49). The Safety Act grants the Secretary of Transportation rulemaking 
authority over all areas of railroad safety (49 U.S.C. 20103(a)) and 
confers all powers necessary to detect and penalize violations of any 
rail safety law. This authority was subsequently delegated to the FRA 
Administrator. (49 CFR 1.49) Until July 5, 1994, the Federal railroad 
safety statutes existed as separate acts found primarily in title 45 of 
the United States Code. On that date, all of the acts were repealed, 
and their provisions were recodified into title 49 of the United States 
Code. All references to parts and sections in this document shall be to 
parts and sections located in Title 49 of the Code of Federal 
Regulations.
    Pursuant to its general statutory rulemaking authority, FRA 
promulgates and enforces rules as part of a comprehensive regulatory 
program to address the safety of, inter alia, railroad track, signal 
systems, communications, rolling stock, operating practices, passenger 
train emergency preparedness, alcohol and drug testing, locomotive 
engineer certification, and workplace safety. In 1980, FRA issued the 
majority of the regulatory provisions currently found at 49 CFR part 
229 (``part 229'') addressing various locomotive related topics 
including: Inspections and tests; safety requirements for brake, draft, 
suspension, and electrical systems, and locomotive cabs; and locomotive 
cab equipment. Since 1980, various provisions currently contained in 
part 229 have been added or revised on an ad hoc basis to address 
specific safety concerns or in response to specific statutory mandates.
    Topics for new regulation typically arise from several sources. FRA 
continually reviews its regulations and revises them as needed to 
address emerging technology, changing operational realities, and to 
bolster existing standards as new safety concerns are identified. It is 
also common for the railroad industry to introduce regulatory issues 
through FRA's waiver process. Several of FRA's proposed requirements 
have been partially or previously addressed through FRA's waiver 
process. As detailed in part 211, FRA's Railroad Safety Board (Safety 
Board) reviews, and approves or denies, waiver petitions submitted by 
railroads and other parties subject to the regulations. Petitions 
granted by the Safety Board can be utilized only by the petitioning 
party. By incorporating existing relevant regulatory waivers into part 
229, FRA intends to extend the reach of the regulatory flexibilities 
permitted under those waivers. Although, FRA is proposing to alter a 
number of regulatory requirements, the comprehensive safety regulatory 
structure would remain.
    The requirement that a locomotive be safe to operate in the service 
in which it is placed remains the cornerstone of Federal regulation. 
Title 49 U.S.C. 20701 provides that ``[a] railroad carrier may use or 
allow to be used a locomotive or tender on its railroad line only when 
the locomotive or tender and its parts and appurtenances: (1) Are in 
proper condition and safe to operate

[[Page 2201]]

without unnecessary danger of personal injury; (2) have been inspected 
as required under this chapter and regulations prescribed by the 
Secretary of Transportation under this chapter; and (3) can withstand 
every test prescribed by the Secretary under this chapter.''
    The statute is extremely broad in scope and makes clear that each 
railroad is responsible for ensuring that locomotives used on its line 
are safe. Even the extensive requirements of part 229 are not intended 
to be exhaustive in scope, and with or without that regulatory 
structure the railroads remain directly responsible for finding and 
correcting all hazardous conditions. For example, even without these 
proposed regulations, a railroad would be responsible for repairing an 
inoperative alerter and an improperly functioning remote control 
transmitter, if the locomotive is equipped with these devices.
    On July 12, 2004, the Association of American Railroads (AAR), on 
behalf of itself and its member railroads, petitioned the FRA to delete 
the requirement contained in 49 CFR 229.131 related to locomotive 
sanders. The petition and supporting documentation asserted that 
contrary to popular belief, depositing sand on the rail in front of the 
locomotive wheels will not have any significant influence on the 
emergency stopping distance of a train. While contemplating the 
petition, FRA and interested industry members began identifying other 
issues related to the locomotive safety standards. The purpose of this 
task was to develop information so that FRA could potentially address 
the issues through the Railroad Safety Advisory Committee (RSAC).
    The locomotive sanders final rule was published on October 19, 2007 
(72 FR 59216). FRA continued to utilize the RSAC process to address 
additional locomotive safety issues. On September 10, 2009, after a 
series of detailed discussions, the RSAC approved and provided 
recommendations on a wide range of locomotive safety issues including, 
locomotive brake maintenance, pilot height, headlight operation, danger 
markings, and locomotive electronics. FRA is generally proposing the 
consensus rule text for these issues with minor clarifying 
modifications. The RSAC was unable to reach consensus on the issues 
related to remote control locomotives, cab temperature, and locomotive 
alerters. Based on its consideration of the information and views 
provided by the RSAC Locomotive Safety Standards Working Group, FRA is 
also proposing rule text related to the non-consensus items.

II. RSAC Overview

    In March 1996, FRA established the RSAC, which provides a forum for 
developing consensus recommendations on rulemakings and other safety 
program issues. The Committee includes representation from interested 
parties, including railroads, labor organizations, suppliers and 
manufacturers, and other interested parties. A list of member groups 
follows:

American Association of Private Railroad Car Owners (AARPCO)
American Association of State Highway & Transportation Officials 
(AASHTO)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
American Train Dispatchers Association (ATDA)
Amtrak
Association of American Railroads (AAR)
Association of Railway Museums (ARM)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Locomotive Engineers and Trainmen (BLET)
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration (FTA)*
High Speed Ground Transportation Association (HSGTA)
International Association of Machinists and Aerospace Workers
International Brotherhood of Electrical Workers (IBEW)
Labor Council for Latin American Advancement (LCLAA)*
League of Railway Industry Women*
National Association of Railroad Passengers (NARP)
National Association of Railway Business Women*
National Conference of Firemen & Oilers
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Safe Travel America (STA)
Secretaria de Communicaciones y Transporte*
Sheet Metal Workers International Association (SMWIA)
Tourist Railway Association Inc.
Transport Canada*
Transport Workers Union of America (TWU)
Transportation Communications International Union/BRC (TCIU/BRC)
United Transportation Union (UTU)
*Indicates associate membership.

    When appropriate, FRA assigns a task to the RSAC, and after 
consideration and debate, the RSAC may accept or reject the task. If 
accepted, the RSAC establishes a working group that possesses the 
appropriate expertise and representation of interests to develop 
recommendations to FRA for action on the task. These recommendations 
are developed by consensus. A working group may establish one or more 
task forces to develop facts and options on a particular aspect of a 
given task. The task force then provides that information to the 
working group for consideration. If a working group comes to unanimous 
consensus on recommendations for action, the package is presented to 
the RSAC for a vote. If the proposal is accepted by a simple majority 
of the RSAC, the proposal is formally recommended to FRA. FRA then 
determines what action to take on the recommendation. Because FRA staff 
has played an active role at the working group level in discussing the 
issues and options and in drafting the language of the consensus 
proposal, FRA is often favorably inclined toward the RSAC 
recommendation. However, FRA is in no way bound to follow the 
recommendation and the agency exercises its independent judgment on 
whether the recommended rule achieves the agency's regulatory goal, is 
soundly supported, and is in accordance with policy and legal 
requirements. Often, FRA varies in some respects from the RSAC 
recommendation in developing the actual regulatory proposal. If the 
working group or the RSAC is unable to reach consensus on 
recommendations for action, FRA moves ahead to resolve the issue 
through conventional practices including traditional rulemaking 
proceedings.

III. Proceedings to Date

    On February 22, 2006, FRA presented, and the RSAC accepted, the 
task of reviewing existing locomotive safety needs and recommending 
consideration of specific actions useful to advance the safety of rail 
operations. The RSAC established the Locomotive Safety Standards 
Working Group (Working Group) to handle this task and develop 
recommendations for the full RSAC to consider. Members of the Working 
Group, in addition to FRA, included the following:

APTA
ASLRRA
Amtrak
AAR
ASRSM
BLET
BMWE
BRS
BNSF Railway Company (BNSF)
California Department of Transportation
Canadian National Railway (CN)
Canadian Pacific Railway (CP)
Conrail
CSX Transportation (CSXT)

[[Page 2202]]

Florida East Coast Railroad
General Electric (GE)
Genesee & Wyoming Inc.
International Association of Machinists and Aerospace Workers
IBEW
Kansas City Southern Railway (KCS)
Long Island Rail Road
Metro-North Railroad
MTA Long Island
National Conference of Firemen and Oilers
Norfolk Southern Corporation (NS)
Public Service Commission of West Virginia
Rail America, Inc.
Southeastern Pennsylvania Transportation Agency
SMWIA
STV, Inc.
Tourist Railway Association Inc.
Transport Canada
Union Pacific Railroad (UP)
UTU
Volpe Center
Wabtec Corporation
Watco Companies

    The task statement approved by the full RSAC sought immediate 
action from the Working Group regarding the need for, and usefulness 
of, the existing regulation related to locomotive sanders. The task 
statement established a target date of 90 days for the Working Group to 
report back to the RSAC with recommendations to revise the existing 
regulatory sander provision. The Working Group conducted two meetings 
that focused almost exclusively on the sander requirement. The meetings 
were held on May 8-10, 2006, in St. Louis, Missouri, and on August 9-
10, 2006, in Fort Worth, Texas. Minutes of these meetings have been 
made part of the docket in this proceeding. After broad and meaningful 
discussion related to the potential safety and operational benefits 
provided by equipping locomotives with operative sanders, the Working 
Group reached consensus on a recommendation for the full RSAC.
    On September 21, 2006, the full RSAC unanimously adopted the 
Working Group's recommendation on locomotive sanders as its 
recommendation to FRA. The next twelve Working Group meeting addressed 
a wide range of locomotive safety issues. The meetings were held at the 
following locations on the following days:

Kansas City, MS, October 30 & 31, 2006;
Raleigh, NC, January 9 & 10, 2007;
Orlando, FL, March 6 & 7, 2007;
Chicago, IL, June 6 & 7, 2007;
Las Vegas, NV, September 18 & 19, 2007;
New Orleans, LA, November 27 & 28, 2007;
Fort Lauderdale, FL, February 5 & 6, 2008;
Grapevine, TX, May 20 & 21, 2008;
Silver Spring, MD, August 5 & 6, 2008;
Overland Park, KS, October 22 & 23, 2008;
Washington, D.C., January 6 & 7, 2009; and
Arlington, VA, April 15 & 16, 2009.

    At the above listed meetings, the Working Group successfully 
reached consensus on the following locomotive safety issues: Locomotive 
brake maintenance, pilot height, headlight operation, danger markings 
placement, load meter settings, reorganization of steam generator 
requirements, and the establishment locomotive electronics 
requirements. Throughout the preamble discussion of this proposal, FRA 
refers to comments, views, suggestions, or recommendations made by 
members of the Working Group. When using this terminology, FRA is 
referring to views, statements, discussions, or positions identified or 
contained in the minutes of the Working Group meetings. These documents 
have been made part of the docket in this proceeding and are available 
for public inspection as discussed in the ADDRESSES portion of this 
document. These points are discussed to show the origin of certain 
issues and the course of discussions on those issues at the task force 
or working group level. We believe this helps illuminate factors FRA 
has weighed in making its regulatory decisions, and the logic behind 
those decisions.
    The reader should keep in mind, of course, that only the full RSAC 
makes recommendations to FRA, and it is the consensus recommendation of 
the full RSAC on which FRA is primarily acting in this proceeding. As 
discussed above, the Working Group reported its findings and 
recommendations to the RSAC at its September 10, 2009 meeting. The RSAC 
approved the recommended consensus regulatory text proposed by the 
Working Group, which accounts for the majority of this NPRM. The 
specific regulatory language recommended by the RSAC was amended 
slightly for clarity and consistency. FRA independently developed 
proposals related to remote control locomotives, alerters, and 
locomotive cab temperature, issues that the Working Group discussed, 
but ultimately did not reach consensus.

IV. General Overview of Proposed Requirements

    Trends in locomotive operation, concern about the safe design of 
electronics, technology advances, and experience applying Federal 
regulations provide the main impetus for the proposed revisions to 
FRA's existing standards related to locomotive safety. An overview of 
some of the major areas addressed in this proposal is provided below.

A. Remote Control Locomotives

    Remote control devices have been used to operate locomotives at 
various locations in the United States for many years, primarily within 
yards and certain industrial sites. Railroads in Canada have 
extensively used remote control locomotives for more than a decade. FRA 
began investigating remote control operations in 1994 and held its 
first public hearing on the subject in mid-1990s to gather information 
and examine the safety issues relating to this new technology. On July 
19, 2000, FRA conducted a technical conference in which interested 
parties, including rail unions, remote control systems suppliers, and 
railroad representatives, shared their views and described their 
experiences with remote control operations.
    On February 14, 2001, FRA published a Safety Advisory in which FRA 
issued recommended guidelines for conducting remote control locomotive 
operations. See 66 FR 10340, Notice of Safety Advisory 2001-01, Docket 
No. FRA-2000-7325. By issuing these recommendations, FRA sought to 
identify a set of ``best practices'' to guide the rail industry when 
implementing this technology. As this was an emerging technology, FRA 
believed the approach served the railroad industry by providing 
flexibility to both manufacturers designing the equipment and to 
railroads using the technology in their operations, while reinforcing 
the importance of complying with all existing railroad safety 
regulations. All of the major railroads have adopted the 
recommendations contained in the advisory, with only slight 
modifications to suit their individual operations.
    In the Safety Advisory, FRA addressed the application and 
enforcement of the Federal regulations to remote control locomotives. 
FRA discussed the existing Federal locomotive inspection requirements 
and the application of those broad requirements to remote control 
locomotive technology. The Safety Advisory explains that: ``although 
compliance with this Safety Advisory is voluntary, nothing in this 
Safety Advisory is meant to relieve a railroad from compliance with all 
existing railroad safety regulations [and] [t]herefore, when procedures 
required by regulation are cited in this Safety Advisory, compliance is 
mandatory.'' Id. at 10343. For example, the Safety Advisory states that 
the remote control locomotive ``system must be included as part of the 
calendar day inspection required by section 229.21, since this 
equipment becomes an appurtenance to the locomotive.'' Id. at 10344. 
Another example of a mandatory requirement mentioned in the Safety 
Advisory is that the remote control locomotive ``system components that 
interface with the

[[Page 2203]]

mechanical devices of the locomotive, e.g., air pressure monitoring 
devices, pressure switches, speed sensors, etc., should be inspected 
and calibrated as often as necessary, but not less than the 
locomotive's periodic (92-day) inspection.'' Id.; see also 49 CFR 
229.23. Thus, the Safety Advisory made clear that the existing Federal 
regulations require inspection of the remote control locomotive 
equipment.
    The Safety Advisory also addressed the application of various 
requirements related to the operators of remote control locomotives. 
The Safety Advisory states that ``each person operating an RCL [remote 
control locomotive] must be certified and qualified in accordance with 
part 240 [FRA's locomotive engineer rule] if conventional operation of 
a locomotive under the same circumstances would require certification 
under that regulation.'' Id. at 10344. In 2006, FRA codified additional 
requirements to address specific operational issues such as situational 
awareness. See 71 FR 60372 (2006).
    During several productive meetings, the Working Group identified 
many areas of agreement regarding the regulation of remote control 
locomotive equipment. On issues that produced disagreement, FRA 
gathered useful information. Informed by the Working Group discussions, 
this proposal would codify the industry's best practices related to the 
use and operation of remote control locomotives.

B. Electronic Record-Keeping

    The development and improved capability of electronic record-
keeping systems has led to the potential for safe electronic 
maintenance of records required by part 229. Since April 3, 2002, FRA 
has granted a series of waivers permitting electronic record-keeping 
with certain conditions intended to ensure the safety, security and 
accessibility of such systems. See FRA-2001-11014. Based on the 
information gathered under the experiences of utilizing the electronic 
records permitted under these existing waivers, the Working Group 
discussed, and agreed to, generally applicable standards for electronic 
record-keeping systems.

C. Brake Maintenance

    Advances in technology have increased the longevity of locomotive 
brake system components. In conjunction with several railroads and the 
AAR, FRA has monitored the performance of new brake systems since the 
Locomotive Safety Standards regulation was first published in 1980. See 
45 FR 21092. The proposed revisions to locomotive air brake maintenance 
are based on this extensive history of study and testing. Over the last 
several decades, FRA has granted several conditional waivers extending 
the air brake cleaning, repair, and test requirements of Sec. Sec.  
229.27 and 229.29. These extensions were designed to accommodate 
testing of the reliability of electronic brake systems and other brake 
system components, with the intent of moving toward performance based 
test criterion with components being replaced or repaired based upon 
their reliability.
    In 1981, FRA granted a test waiver (H-80-7) to eight railroads, 
permitting them to extend the annual and biennial testing requirements 
contained in Sec. Sec.  229.27 and 229.29, in order to conduct a study 
of the safe service life and reliability of the locomotive brake 
components. On January 29, 1985, FRA expanded the waiver to permit all 
railroads to inspect the 26-L type brake equipment on a triennial 
basis. In the 1990's, the Canadian Pacific Railroad (CP) and the 
Canadian National Railroad (CN) petitioned the FRA to allow them to 
operate locomotives into the United States that received periodic 
attention every four years. The requests were based on a decision by 
Transport Canada to institute a four-year inspection program following 
a thorough test program in Canada. In November 2000, FRA granted 
conditional waivers to both the CN and CP, extending the testing 
interval to four years for Canadian-based locomotives equipped with 26-
L type brake systems and air dryers. The waiver also requires all air 
brake filtering devices to be changed annually and the air compressor 
to be overhauled not less than every six years. In 2005, this waiver 
was extended industry-wide. See FRA-2005-21325.
    In 2009, AAR petitioned for a waiver that would permit four year 
testing and maintenance intervals for locomotives that are equipped 
with 26-L type brake equipment and not equipped with air dryers. The 
petition assumed that the testing and maintenance intervals that are 
appropriate for locomotives equipped with air dryers are also 
appropriate for locomotives without air dryers. FRA denied the request, 
but granted a limited test program to determine whether the addition of 
operative air dryers on a locomotive merits different maintenance and 
testing requirements. FRA recognizes that the results of the test plan 
may indicate that locomotives that are not equipped with air dryers 
merit the same treatment as locomotives that operate without air 
dryers. FRA solicits comments on this issue.
    FRA also requests comments on what should constitute an operative 
air dryer and how a locomotive with an inoperative air dryer should be 
properly handled. FRA believes that these issues are essential to 
enforcement of a requirement that includes the use of operative air 
dryers. The proposed rule text does not address this issue. It is not 
clear how many days an air dryer would need to stop performing to allow 
contaminants in the brake line to adversely affect the brake valves to 
the extent that the air dryer is no longer considered operative. It is 
also unclear how many days an air dryer could be inoperative before it 
needs to be repaired in order to preserve the four year testing and 
maintenance schedule. FRA believes that one reasonable approach would 
be to permit a locomotive with an inoperative air dryer to run to the 
next periodic inspection to be repaired.
    The New York Air Brake Corporation (NYAB) sought by waiver, and was 
granted, an extension of the cleaning, repairing, and testing 
requirements for pneumatic components of the CCBI and CCBII brake 
systems (FRA-2000-7367, formerly H-95-3), and then modification of that 
waiver to include its new CCB-26 electronic airbrake system. The 
initial waiver, which was first granted on September 13, 1996, extended 
the interval for cleaning, repairing, and testing pneumatic components 
of the NYAB Computer Controlled Brake (CCB, now referred to as CCB-I) 
locomotive air brake system under 49 CFR 229.27(a)(2) and 49 CFR 
229.29(a) from 736 days to five years. The waiver was modified to 
include NYAB's CCB-II electronic air brake system on August 20, 1998.
    To confirm that the extended brake maintenance interval did not 
have a negative effect on safety, FRA required quarterly reports 
listing air brake failures, both pneumatic and electrical, of all 
locomotives operating under the waiver including: Locomotive reporting 
marks; and the cause and resolution of the problem. All verified 
failures were required to be reported to FRA prior to disassembly, so 
that NYAB, the railroad, and FRA could jointly witness the disassembly 
of the failed component to determine the cause. The last quarterly 
submission to FRA listed 1,889 CCBI and 1,806 CCBII equipped 
locomotives in the United States, all of which were operating at high 
levels of reliability and demonstrated safety. All past tests and 
teardown inspections confirm the safety and reliability of the five 
year interval.

[[Page 2204]]

    Based on successful performance of the two NYAB electronic air 
brake systems under the conditions of the 1996 and 1998 waivers, the 
waiver was extended for another five years on September 10, 2001, and 
the conditions of the waiver were modified on September 22, 2003. NYAB 
described the new CCB-26 electronic air brake system as an adaptation 
of the CCB-II system designed to be used on locomotives without 
integrated cab electronics. It used many of the same sub-assemblies of 
pneumatic valves, electronic controls and software (referred to as line 
replaceable units or LRUs) as the CCB-II. Some changes were made to 
simplify the system while maintaining or increasing the level of 
safety. For example, the penalty brake interface was changed to mimic 
the 26L system interface, allowing for a fully pneumatic penalty brake 
application. Also, the brake cylinder pilot pressure development has 
been simplified from an electronic control to a fully pneumatic version 
based on proven components.
    Much of the software and diagnostic logic which detects critical 
failures and takes appropriate action to effect a safe stop has been 
carried over from CCB-II. Overall, NYAB characterized the CCB-26 as 
being more similar to CCB-II than CCB-II is to CCB-I. As a final check 
on the performance of the CCB-26 system, it was included in the 
existing NYAB failure monitoring and recording systems. For the reasons 
above, FRA extended the waiver of compliance with brake maintenance 
requirements to locomotives equipped with CCB-26 brake systems.
    Similarly, WABCO Locomotive Products (WABCO), a Wabtec company, 
sought and was granted an extension of the cleaning, repairing, and 
testing requirements for pneumatic components of the EPIC brake systems 
(FRA-2002-13397, formerly H-92-3), and then modification of that waiver 
to include its new FastBrake line of electronic airbrake systems. The 
initial waiver conditionally extended to five years the clean, repair 
and test intervals for certain pneumatic air brake components contained 
in Sec. Sec.  229.27(a)(2) and 229.29(a) for WABCO's EPIC electronic 
air brake equipment. WABCO complied with all of the conditions of the 
waiver. Specifically, WABCO provided regular reports to FRA including 
summaries of locomotives equipped with EPIC brake systems and all 
pneumatic and electronic failures. FRA participated in two joint 
teardown inspections of EPIC equipment after five years of service in 
June 2000 and May 2002. After five years of service, the EPIC brake 
systems were found to function normally. No faults were found during 
locomotive tests, and the teardown revealed that the parts were clean 
and in working condition.
    In support of its proposal to extend brake maintenance for 
FastBrake brake systems, WABCO stated that virtually all of the core 
pneumatic technology that has been service proven in EPIC from the time 
of its introduction and documented as such under the provisions of the 
above waiver and were transferred into FastBrake with little or no 
change. They asserted that a further reduction of pneumatic logic 
devices had been made possible by the substitution of compute based 
logic. WABCO also provided a discussion of the similarities between the 
EPIC and FastBrake systems as well as the differences, which are 
primarily in the area of electronics rather than pneumatics. In 
conclusion, WABCO stated that the waiver could be amended without 
compromising safety. For the reasons above, FRA granted the waiver 
petition.
    Over time, several brake systems have been brought into a 
performance based standard. FRA, along with railroads and brake valve 
manufacturers, has participated in a series of brake valve evaluations. 
Each evaluation was performed after extended use of a particular brake 
valve system to determine whether it can perform safely when used 
beyond the number of days currently permitted by part 229. The Working 
Group agreed with the evidence of success and the overall approach 
taken by FRA. As a result, the Working Group reached consensus on the 
proposed brake maintenance standards.

D. Brakes, General

    In December of 1999, a MP&E Technical Resolution Committee (TRC), 
consisting of FRA and industry experts, met in Kansas City to consider 
the proper application of the phrase ``operate as intended'' contained 
in Sec.  229.46 when applied to trailing, non-controlling locomotives. 
Extensive discussion failed to reach consensus on this issue, but 
revealed valuable insight into the technical underpinnings and 
operational realities surrounding the issue. The Working Group revived 
this issue, and after lengthy discussion, reached consensus.
    Generally, even if a locomotive has a defective brake valve that 
prevents it from functioning as a lead locomotive, its brakes will 
still properly apply and release when it is placed and operated as a 
trailing locomotive. This situation can apply on either a pneumatic 26-
L application or on the electronic versions of the locomotive brake. 
The electronic brake often will have the breaker turned off, thus 
making the brake inoperative unless it is being controlled by another 
locomotive.
    Based on reading the plain language of the existing regulation it 
is not clear under what conditions a trailing, non-controlling 
locomotive operates as intended. The existing regulation provides that 
``the carrier shall know before each trip that the locomotive brakes 
and devices for regulating all pressures, including but not limited to 
the automatic and independent brake valves, operate as intended * * *'' 
See 49 CFR 229.46. One could reasonably argue that a trailing non-
controlling locomotive is operating as intended when the brakes are 
able to apply and release in response to a command from a controlling 
locomotive, because the locomotive is not intended to control the 
brakes when it is used in the trailing position. It could also be 
argued that the trailing, non-controlling locomotive's automatic and 
independent brake valves must be able to control the brakes whenever it 
is called on to do so. Under this reading, a trailing, non-controlling 
locomotive does not operate as intended when it is not able to control 
the brakes.
    At the TRC meeting, the representatives from NYAB Corporation, a 
brake manufacturer, asserted that a problem with a faulty automatic or 
independent brake valve will not create an unsafe condition when the 
locomotive is operating in the trail position, provided the locomotive 
consist has a successful brake test (application and release) from the 
lead unit. The reason offered was that in order for a locomotive to 
operate in the trailing position, the automatic and independent brake 
valves must be cut-out. FRA agrees, and currently applies this 
rationale in regards to performing a calendar day inspection. The 
calendar day inspection does not require that the operation of the 
automatic and independent brake controls be verified on trailing 
locomotives. The Working Group agreed, and recommended adding a tagging 
requirement to prevent a trailing, non-controlling locomotive with 
defective independent or automatic brakes from being used as a 
controlling locomotive.

E. Locomotive Cab Temperature

    In 1998, FRA led an RSAC Working Group to address various cab 
working condition issues. To aid the Working Group discussions, FRA 
conducted a study to determine the average temperature in each type of 
locomotive cab commonly used at the time. The

[[Page 2205]]

study concluded that at the location where the engineer operates the 
locomotive, each locomotive maintained an average temperature of at 
least 60 degrees. The window and door gaskets were maintained in proper 
condition on the locomotives that were studied. In 1998, FRA believed 
it was impractical to address the minimum temperature issue by 
regulation, especially given that, the existing industry practice was 
appropriate and revision of the regulation would have required 
considerable resources. Now that the locomotive safety standards are in 
the process of being revised, FRA proposes to incorporate existing 
industry practice into the regulation in an effort to maintain the 
current conditions. For review, the 1998 study has been included in the 
public docket related to this proceeding.
    In addition to proposing an increase in the minimum cab temperature 
from 50 [deg]F to 60 [deg]F, FRA believes that establishing a maximum 
cab temperature limit would result in improved locomotive crew 
performance, which in turn would increase railroad safety. Current 
literature regarding the effect of low temperature on human performance 
indicates that performance decreases when the temperature decreases 
below 60 [deg]F. Similarly, the literature regarding the effect of high 
temperature and humidity indicates that performance decreases when 
temperatures increase above 80[deg] F, and that performance decreases 
to an even greater extent when the temperature increases above 90 
[deg]F. Ergonomics, 2002 vol. 45, no. 10, 682-698.
    Locomotive crew performance is directly linked to railroad safety 
through the safe operation of trains. Locomotive engineers are 
responsible for operating trains in a safe and efficient manner. This 
requires the performance of cognitive tasks including the mathematical 
information processing required for train handling, constant vigilance, 
and accurate perception of the train and outside environment. 
Conductors are responsible for maintaining accurate train consists, 
including the contents and position of hazardous materials cars, for 
confirming the aspects and indications of signals, and for ensuring 
compliance with written orders and instructions. A decrease in 
performance of any of these tasks that can be anticipated from relevant 
scientific findings should be avoided where amelioration can be 
applied.
    In the Human Reliability Analysis (HRA) literature, stressors are 
considered to be important factors that can affect human performance 
and produce errors. Such stressors are, in fact, labeled performance-
shaping factors (PSFs) and include external (or environmental) factors 
such as temperature. In general, if one has an estimate of the human 
error probability (HEP) associated with some generic or specific task, 
the PSFs that exist are used to modulate the magnitude of that error. 
For example, an estimate of HEP associated with simple calculations is 
0.04, with a lower bound of 0.02 and an upper bound of 0.11. If stress 
is introduced in a situation in which there is decision-making and 
multi-tasking (all of which are typical of locomotive engineer work), 
human factor experts recommend that HEP be increased five-fold for 
skilled workers and ten-fold for novice workers. Consequently, mean HEP 
would be estimated at 0.2 for skilled workers and at 0.4 for novices. 
This same logic can be applied to estimate accident reduction. Accident 
reduction estimates can be obtained under the assumption that accidents 
are proportional to the task performance decrements that accrue due to 
temperature stress. If a proportion of the task performance decrements 
is eliminated, then accidents should also be proportionately decreased. 
For example, in 1999, 16 of the human factors train accidents reported 
to the FRA occurred when the ambient temperatures were 90 [deg]F or 
above. Conservatively assuming that at least eight (50 percent) of the 
locomotive cabs did not have operational air conditioning or other 
measures in place to reduce in cab temperatures below the ambient 
temperature and applying the overall task decrement of 0.148 as 
described in the meta-analysis an estimate may be made that a 65/86 
temperature rule would prevent more than one in eight of the 1999 human 
factors train accidents that occurred when ambient and in cab 
temperatures were 90 [deg]F or above. The results of applying task 
decrements to human factors train accidents in specific temperature 
ranges, however, can be considered conservative because the accidents 
considered only include accidents for which the primary cause was 
identified as ``Human Factors.'' Experts on accident causation indicate 
that accidents very rarely have a single cause. Rather, there are 
usually multiple factors that together contribute to the generation of 
an accident.
    In many occupational settings it is desirable to minimize the 
health and safety effects of temperature extremes. Depending upon the 
workplace, engineering controls may be employed as well as the 
management of employee exposure to excess cold or heat using such 
methods as work-rest regimens. Because of the unique nature of the 
railroad operating environment, the locomotive cab can be viewed as a 
captive workplace where the continuous work of the locomotive crew 
takes place in a relatively small space. For this reason, in an 
excessively hot cab, a locomotive crew member may have no escape from 
extreme temperatures, since they cannot be expected to readily 
disembark the train and rest in a cooler environment as part of a work-
rest regimen without prior planning by the railroad. As such, FRA 
expects reliance upon engineering controls to limit temperature 
extremes. When FRA considered controls for cold and hot temperature cab 
environments, FRA learned that there is a range of engineering controls 
available that can be employed. Some of these controls are presently 
employed to affect the cab temperature environment. Controls include 
isolation from heat sources such as the prime mover; reduced emissivity 
of hot surfaces; insulation from hot or cold ambient environments; 
radiation shielding including reflective shields, absorptive shielding, 
transparent shielding, and flexible shielding; localized workstation 
heating or cooling; general and spot (fan) ventilation; evaporative 
cooling; chilled coil cooling systems.
    As noted above, in 1998, FRA led an RSAC Working Group to address 
various cab working condition issues. To aid the Working Group 
discussions, FRA conducted a winter time study to determine the average 
low temperature in each type of locomotive cab commonly used at the 
time. The study concluded that at the location where the engineer 
operates the locomotive, each locomotive maintained an average 
temperature of at least 60 [deg]F. Ergonomics, 2002 vol. 45, no. 10, 
682-698. The window and door gaskets were maintained in proper 
condition on the locomotives that were studied. In 1998, FRA believed 
it was impractical to address the minimum temperature issue by 
regulation, especially given that, the existing industry practice was 
appropriate and revision of the regulation would have required 
considerable resources. Now that the locomotive safety standards are in 
the process of being revised, FRA proposes to incorporate existing 
industry practice into the regulation in an effort to maintain the 
current minimum cab temperature conditions.
    Based on the preceding discussion and its review of existing 
literature on the subject, FRA believe it is appropriate to consider 
not only

[[Page 2206]]

limiting minimum locomotive cab temperature but also limiting maximum 
locomotive cab temperature. FRA believes that an appropriate maximum 
temperature level for a locomotive cab is a wet bulb temperature (WBT) 
somewhere between 80[deg] and 90 [deg]F. FRA recognizes that the 
mechanical capabilities of cooling systems on both existing and new 
locomotives are directly affected by the outside ambient temperature. 
Thus, FRA expects that the maximum cab temperature limit may need to be 
flexible in extreme weather conditions due to the limited ability of 
existing cooling systems to produce a temperature a vast number of 
degrees cooler than the external ambient temperature. FRA seeks comment 
and information from interested parties regarding current practices 
within the industry with regard to maintaining a maximum locomotive cab 
temperature.
    There are a number of factors and issues that must be considered 
when imposing a maximum locomotive cab temperature. In an effort to 
develop safe and cost-effective requirements related to establishing a 
maximum locomotive cab temperature limit FRA seeks comments from 
interested parties on the following issues:
1. To what locomotives should the maximum cab temperature limits apply?
    FRA does not anticipate applying the maximum cab temperature limit 
to all locomotives. Existing locomotives that are not equipped with air 
conditioners would not be required to add air conditioning units. A 
significant portion of the industry's existing locomotive fleet is 
currently equipped with air conditioners. FRA believes that air 
conditioning units should remain on locomotives that are currently so 
equipped and would expect the maximum cab temperature limit to apply to 
such units. FRA also expects that the maximum temperature limit would 
be applicable to new locomotives, and remanufactured locomotives as 
defined in Sec.  229.5. FRA believes that one of the reasons that 
virtually all of these types of locomotives are constructed with air 
conditioning units in order to ensure the proper operation of the on-
board electronic equipment. Thus, the locomotives are already equipped 
with the facilities to maintain a cab temperature below the maximum 
temperatures being contemplated. FRA also recognizes that at some 
locations the ambient temperature may seldom or never rise above 90 
[deg]F. Thus, FRA is considering an approach that might provide an 
exception for these types of locations from the maximum cab temperature 
limits. With the above discussion in mind, FRA seeks information and 
comments from interested parties on the following:
     What percentage of locomotives in the existing fleet are 
equipped with air conditioning units?
     What percentages of newly constructed or remanufactured 
locomotives are equipped with air conditioning units?
     What potential requirements could apply to locomotives 
that spend the majority of their time in locations that rarely rise 
above 90 [deg]F, but also operate in locations where the temperature 
does rise above 90 [deg]F?
     How could these locations be properly excluded from the 
maximum temperature requirements?
     Are there technologies other than air conditioning units 
that could be utilized in these types of locations?
2. What are the capabilities of existing locomotive cab air 
conditioning units?
    Although FRA has not conducted tests to determine the effectiveness 
of air conditioning systems, FRA's knowledge of HVAC capabilities and 
experience riding locomotives with operative air conditioning units 
indicates that such systems can hold cab temperatures below 90 [deg]F 
under expected service conditions when properly maintained, as is the 
case with rail passenger coaches, passenger MU locomotives, motorized 
vehicles on the highway, and other means of conveyance. However, FRA 
recognizes that existing air conditioners have technical limitations, 
and that those limitations need to be considered when developing a 
maximum cab temperature requirement. FRA seeks comment and information 
on the following:
     At what rate can air conditioning units currently being 
used within the industry cool the interior of a locomotive cab?
     What external conditions or factors affect an air 
conditioning unit's ability to reduce the interior locomotive cab 
temperature?
     Would it be possible to modify an existing air 
conditioning unit or interior of the locomotive cab to address the 
conditions noted above?
3. What is the appropriate method for measuring maximum locomotive cab 
temperature?
    An effective and reliable method for measuring the maximum 
locomotive cab temperature will need to be included in the final rule 
in order to make any maximum temperature requirement enforceable. 
Railroad management, train crews, and FRA will need to be able to 
accurately measure the maximum cab temperature when a locomotive is in 
use. The existing and proposed minimum locomotive cab temperature 
requirement provides that the temperature be measured six inches above 
each seat in the cab. FRA believes that a similar location for 
measuring the maximum temperature would appear to be appropriate. FRA 
also recognizes that any cooling system will require a sufficient 
amount of time to adequately reduce the interior temperature of a 
locomotive cab. Thus, the ability to test or measure the temperature 
may not occur until a locomotive is already in use. In consideration of 
the above, FRA seeks comment and information from interested parties on 
the following:
     How do railroads currently measure or monitor locomotive 
cab temperatures to comply with the existing minimum temperature 
requirements?
     Do railroads measure cab temperature for other purposes? 
If so, what are those purposes?
     Could the same methods be used to monitor a maximum 
temperature requirement?
     Are there locations where testing or monitoring of air 
conditioning units would be extremely burdensome or impossible?
     The existing minimum cab temperature requirement is based 
on measurement of the temperature six inches above each seat in the 
cab. Would that also be an appropriate location in the cab to measure 
temperature to determine compliance with a maximum temperature 
requirement?
     Is there an appropriate frequency at which air 
conditioning units should be tested?
4. How should locomotive air conditioning units be maintained and 
repaired when found defective or inoperative?
    In order to ensure that locomotives to which the maximum cab 
temperature limits would apply are generally capable of compliance, the 
final rule would need to contain basic inspection, maintenance, and 
repair provisions related to on-board cooling systems. FRA recognizes 
that these maintenance and repair schedules and requirements would be 
most applicable during those annual periods where extreme hot weather 
is prevalent across most of the continental United States. Thus, FRA 
expects to concentrate such provisions during these vital time periods. 
Similarly, FRA recognizes that appropriate provisions related to the 
handling and use of a locomotive with an inoperative cooling system 
would

[[Page 2207]]

need to be provided. Under the existing part 229 movement for repair 
provisions, if a locomotive were required to meet a maximum cab 
temperature limit and was found unable to do so, then the locomotive 
could only be moved to the next forward location or to its next 
calendar day inspection where necessary repairs to the locomotive's 
cooling system could be performed. FRA realizes such a stringent 
requirement might unduly hinder a railroad's ability to operate trains 
or have sufficient locomotive power in certain locations. With the 
foregoing discussion in mind, FRA seeks comments from interested 
parties on the following:
     How frequently do railroads currently inspect locomotive 
air conditioning units for proper operation?
     What would an appropriate interval for testing and 
maintaining locomotive equipped with air conditioning units?
     What movement or use restrictions should be applied to a 
locomotive equipped with an air conditioning unit when discovered with 
a cab temperature that exceeds the maximum limit?
     What maintenance or repair requirements would be 
appropriate if a lead/occupied locomotive has an air conditioning unit 
fail en route, when the ambient temperature exceeds a regulatory 
requirement?
     What maintenance or repair requirements would be 
appropriate if an air conditioning unit in a lead or occupied 
locomotive is found to be inoperative or operating insufficiently at 
pre-departure (after the train has been made up and the air-brake test 
has been performed)?
     Should consistent management be a factor for determining 
when an inoperative air conditioning unit will properly be repaired or 
switched out? Why or why not?
5. What are the potential costs of complying with a maximum locomotive 
cab temperature limit as described in the preceding discussions?
    The cost implications of this proposal will depend on various 
factors, including temperature requirements, maintenance requirements, 
repair procedures, and the treatment of existing locomotives already 
equipped with air conditioning units. The regulatory burden may result 
from equipping new and remanufactured locomotives with air conditioning 
units. However, because most, if not all, new locomotives are currently 
purchased with air conditioning units already installed, the burden 
would likely come from the testing and maintenance, including repair, 
of air conditioning units.
    FRA estimates that the railroad industry purchases approximately 
600-700 new locomotives a year. Most of the new locomotives are 
purchased by Class I freight railroads. Other railroads such as Alaska 
Railroad, Amtrak, and some commuter railroads also purchase new 
locomotives. Generally, FRA does not anticipate that Class III 
railroads will purchase new locomotives, and thereby, be affected by 
this proposal in the immediate or near future. FRA is considering 
requiring air conditioning units on only new or remanufactured 
locomotives. FRA believes that most, if not all, new and remanufactured 
locomotives are manufactured with air conditioning units, and most 
locomotives that receive life extending modifications are also likely 
equipped. FRA requests information regarding the specifications for air 
conditioning units currently installed on new, remanufactured, and 
overhauled locomotives. Specifically, FRA seeks information regarding 
temperature and humidity capabilities. FRA also seeks information 
regarding the tolerances of the units in the locomotive running 
environment, which may include over 12 hours of continuous operation at 
high temperature and humidity levels. To the extent that new 
locomotives are already equipped with air conditioning units that can 
function well in the environment in which they operate, there would be 
little or no additional regulatory cost associated with the basic 
requirement to equip new locomotives with such units.
    Requirements for periodic testing of air conditioning units could 
also add regulatory cost. FRA believes that most railroads are 
prudently testing the air conditioning units on their locomotives 
annually or periodically at shorter intervals. These tests are most 
likely conducted when the locomotive is already out of service for a 92 
day inspection. FRA requests information on the frequency of testing 
and the cost associated with conducting the tests. Requirements for 
repairing air conditioning units could also add regulatory cost. In 
order to develop a cost analysis of the maintenance and repairs that 
would be needed to properly utilize the AC units, FRA requests 
information regarding the frequency of air conditioning failures and 
the nature of common defects as well as the costs associated with 
making the repairs. FRA also requests information regarding reasonable 
ways to address air conditioning units that are discovered defective 
outside of the maintenance window. FRA estimates that an air 
conditioning unit has a life-cycle of 8 and 10 years. The cost for 
testing and repairing air conditioning units on locomotives is most 
likely the highest cost element of this proposal. However, the 
potential regulatory cost for such a proposal would depend on the 
actual requirement that is promulgated. The cost would increase if a 
lead locomotive is required to be switched out after the initial air-
brake test, or if the AC unit on the lead locomotive failed en route.
    FRA seeks information and comments on the following issues related 
to costs:
     What are the costs associated with increased maintenance 
and modifications to locomotive equipped with air conditioning units to 
ensure they operate as intended?
     What would be the expected costs to equip new and 
remanufactured locomotives with air conditioners that are capable of 
satisfying the type of maximum temperature limit discussed above?
     How many new locomotives are currently equipped with air 
conditioning units?
     What operational burdens would be placed on the industry 
should a maximum cab temperature limit be included in the final rule?

F. Headlights

    The proposed revisions to the headlight provisions would 
incorporate waiver FRA 2005-23107 into part 229. This would permit a 
locomotive with one failed 350-watt incandescent lamp to operate in the 
lead until the next daily inspection, if the auxiliary lights remain 
continuously illuminated. Currently, a headlight with only one 
functioning 200-watt lamp is not defective and does not affect the 
permissible movement of a locomotive. However, a locomotive with only 
one functioning 350-watt lamp in the headlight can be moved only 
pursuant to section 229.9. The proposed treatment of locomotives with a 
failed 350-watt lamp would allow flexibility, and be consistent with 
the current treatment of 200-watt lamps.
    Testing showed that production tolerances for the 350-watt 
incandescent lamp cause most individual lamps to fall below the 200,000 
candela requirement at the center of the beam. As such, two working 
350-watt lamps are required to ensure 200,000 candela at the center of 
the beam. Testing also showed that the 350-watt incandescent lamp 
produced well over 100,000 candela at the center of the beam, and its 
high power and the position of the filament within the reflector causes 
the lamp to be brighter than the 200-watt

[[Page 2208]]

incandescent lamp at all angles greater than approximately 2.5 degrees 
off the centerline. In other words, the only area in which the 350-watt 
lamp produces insufficient illumination is within 2.5 degrees of the 
centerline. The proposed requirement would compensate for the reduced 
amount of illumination by requiring the auxiliary lights to be aimed 
parallel to the centerline of the locomotive and illuminate 
continuously.
    Significantly, in 1980, when FRA promulgated the 200,000 candela 
requirement it could not take into consideration the light produced by 
auxiliary lights, because they were not required and not often used. 
Today, there is light in front of a locomotive produced by both the 
headlight and the auxiliary lights. When discussing AAR's request that 
the final rule permit locomotives with a nonfunctioning 350-watt lamp 
to operate without restriction, FRA stated that AAR's comments ``may 
have merit when considering locomotives with auxiliary lights aimed 
parallel to the centerline of the locomotive.'' See 69 FR 12533. While 
the auxiliary lights on some locomotives are aimed parallel to the 
centerline, on many others the auxiliary lights are aimed so that their 
light will cross 400 feet in front of the locomotive. The regulations 
only require auxiliary lights to be aimed within 15 feet of the 
centerline. FRA is not aware of a basis for assuming that the light 
from two auxiliary lights complying with the regulations in any fashion 
would be insufficient, when combined with a 350-watt headlight lamp.

G. Alerters

    Alerters are a common safety device intended to verify that the 
locomotive engineer remains capable and vigilant to accomplish the 
tasks that he or she must perform. An alerter will initiate a penalty 
brake application to stop the train if it does not receive the proper 
response from the engineer. As an appurtenance to the locomotive, an 
alerter must operate as intended when present on a locomotive. Section 
20701 of Title 49 of the United States Code prohibits the use of a 
locomotive unless the entire locomotive and its appurtenances are in 
proper condition and safe to operate in the service to which they are 
placed. Under this authority, FRA has issued many violations against 
railroads for operating locomotives equipped with a non-functioning 
alerter.
    Alerters are currently required on passenger locomotives by Sec.  
238.237 (67 FR 19991 (2002)), and are present on most freight 
locomotives. A long-standing industry standard currently contains more 
stringent requirements than provisions being proposed in this document. 
See AAR Standard S-5513, ``Locomotive Alerter Requirements,'' (November 
26, 2007).
    After several productive meetings, the Working Group reached 
partial consensus on requirements related to the regulation of 
alerters. For those areas where agreement could not be reached, FRA has 
fully considered the information and views of the Working Group members 
in developing the proposed requirements related to locomotive alerters. 
The proposed provisions also take into consideration recommendations 
made by the NTSB.
    On July 10, 2005, at about 4:15 a.m., two Canadian National (CN) 
freight trains collided head-on in Anding, Mississippi. The collision 
occurred on the CN Yazoo Subdivision, where the trains were being 
operated under a centralized traffic control signal system on single 
track. Signal data indicated that the northbound train, IC 1013 North, 
continued past a stop (red) signal at North Anding and collided with 
the southbound train, IC 1023 South, about \1/4\ mile beyond the 
signal. The collision resulted in the derailment of six locomotives and 
17 cars. Approximately 15,000 gallons of diesel fuel were released from 
the locomotives and resulted in a fire that burned for roughly 15 
hours. Two crewmembers were on each train; all four were killed. As a 
precaution, about 100 Anding residents were evacuated; fortunately, 
they did not report any injuries. Property damages exceeded $9.5 
million and clearing and environmental cleanup costs totaled 
approximately $616,800.
    The NTSB has issued a series of safety recommendations that would 
require freight locomotives to be equipped with an alerter. On April 
25, 2007, the NTSB determined that a contributing cause of the head-on 
collision in Anding, Mississippi was the lack of an alerter on the lead 
locomotive, which if present, could have prompted the crew to be more 
attentive to their operation of the train. See Recommendation R-07-1. 
That recommendation provides as follows: ``[r]equire railroads to 
ensure that the lead locomotives used to operate trains on tracks not 
equipped with a positive train control system are equipped with an 
alerter.''
    Another NTSB recommendation relating to locomotive alerters was 
issued as a result of an investigation into the collision of two 
Norfolk Southern Railway freight trains at Sugar Valley, Georgia, on 
August 9, 1990. In that incident, the crew of one of the trains failed 
to stop at a signal. The NTSB concluded that the engineer of that train 
was probably experiencing a micro-sleep or was distracted. Based on 
testing, it was determined that as the train approached the stop 
signal, the alerter would have initiated an alarm cycle. The NTSB 
concluded that the engineer ``could have cancelled the alerter system 
while he was asleep by a simple reflex action that he performed without 
conscious thought.'' As a result of the investigation, the NTSB made 
the following recommendation FRA: ``[i]n conjunction with the study of 
fatigue of train crewmembers, explore the parameters of an optimum 
alerter system for locomotives. See NTSB Recommendation R-91-26.
    Typically, alerter alarms occur more frequently as train speed 
increases. Unlike the Sugar Valley, Georgia, accident in which the 
train had slowed and entered a siding before overrunning a signal, the 
northbound train in the Anding, Mississippi, remained on the main track 
at higher speeds. Had an alerter been installed, there was a four 
minute time period after passing the approach signal during which the 
alerter would have activated four to five times. It seems unlikely that 
the engineer could have reset the alerter multiple times by reflex 
action without any increase in his awareness. Therefore, the NTSB 
determined that an alerter likely would have detected the lack of 
activity by the engineer and sounded an alarm that could have alerted 
one or both crewmembers. Had the crew been incapacitated or not 
responded to the alarm, the alerter would have automatically applied 
the brakes and brought the train to a stop. The NTSB concluded that had 
an alerter been installed on the lead locomotive of the northbound 
train, it may have prevented the collision.
    The NTSB also closely examined the use of locomotive alerters when 
investigating the sideswipe collision between two Union Pacific 
Railroad (UP) freight trains in Delia, Kansas, on July 2, 1997. In that 
accident, a train entered a siding but did not stop at the other end, 
and it collided with a passing train on the main track. The NTSB 
concluded that ``had the striking locomotive been equipped with an 
alerter, it may have helped the engineer stay awake while his train 
traveled through the siding.'' As a result of its investigation, the 
NTSB made the following recommendation to the FRA: ``[r]evise the 
Federal regulations to require that all locomotives operating on lines 
that do not have a positive train separation system be equipped with a 
cognitive alerter system that cannot be

[[Page 2209]]

reset by reflex action.'' See NTSB Recommendation R-99-53.
    FRA believes that the proposed provisions related to alerters 
incorporate existing railroad practices and locomotive design and 
address each of the NTSB recommendations discussed above.

F. Locomotive Electronics

    After extensive discussion, the Working Group reached consensus on 
the proposed requirements related to locomotive electronic systems. 
Advances in electronics and software technology have resulted in 
changes to the implementation of locomotive control systems. Technology 
changes have allowed the introduction of new functional capabilities as 
well as the integration of different functions in ways that advance the 
building, operation, and maintenance of locomotive control systems. FRA 
encourages the use of these advanced technologies to improve safe, 
efficient, and economical operations. However, the increased 
complexities and interactions associated with these technologies 
increase the potential for unintentional and unplanned consequences, 
which could adversely affect the safety of rail operations.
    The proposed regulation would prescribe safety standards for 
safety-critical electronic locomotive control systems, subsystems, and 
components including requirements to ensure that the development, 
installation, implementation, inspection, testing, operation, 
maintenance, repair, and modification of those products will achieve 
and maintain an acceptable level of safety. This proposal would also 
prescribe standards to ensure that personnel working with safety-
critical products receive appropriate training. Of course, each 
railroad would be able to prescribe additional or more stringent rules, 
and other special instructions, provided they are consistent with the 
proposed standards.
    FRA also recognizes that advances in technology may further 
eliminate the traditional distinctions between locomotive control and 
train control functionalities. Indeed, technology advances may provide 
for opportunities for increased or improved functionalities in train 
control systems that run concurrent with locomotive control. Train 
control and locomotive control, however, remain two fundamentally 
different operations with different objectives. FRA does not want to 
restrict the adoption of new locomotive control functions and 
technologies by establishing regulations for locomotive control systems 
intended to address safety issues associated with train control.

G. Periodic Locomotive Inspection

    The Locomotive Safety Standards Working Group was unable to reach 
consensus on whether current locomotive inspection intervals and 
procedures are appropriate to current conditions. Recently, on June 22, 
2009, FRA granted the Burlington Northern Santa Fe's (BNSF) request for 
waiver from compliance with the periodic locomotive inspection 
requirements. See Docket FRA-2008-0157. BNSF stated in their request 
that each of the subject locomotives are equipped with new self-
diagnostic technology and advanced computer control, and that the 
locomotives were designed by the manufacturer to be maintained at a six 
month interval.
    In the waiver petition, BNSF requested that the required 92-day 
periodic inspection be performed at 184 day intervals on subject 
locomotives, if qualified mechanical forces perform at least one of the 
required daily inspections every 31 days and FRA non-complying 
conditions that are discovered en-route or during any daily inspection 
are moved to a mechanical facility capable of making required repairs. 
This approach to conducting inspections based on current conditions may 
be suitable to other similarly situated railroads. FRA seeks comment on 
this issue.

H. Rear End Markers

    In 2003, the U.S. DOT's Office of Governmental Affairs received a 
letter from Senator Feinstein on behalf of her constituent, Mr. David 
Creed. Mr. Creed suggested a revision to FRA's rear end marker 
regulation, which is found in part 221. Specifically, Mr. Creed 
suggested that Federal regulations should require trains with 
distributive power on the rear to have a red marker, because a red 
marker would make for a safer operating environment by giving a rail 
worker a better indication of whether he or she is looking at the rear 
or front end of the train. Mr. Creed made reference to a recent 
fatality involving a BNSF conductor who jumped from his train because 
he observed a headlight that he mistakenly believed was a train on the 
same track, directly ahead of his train. As FRA is currently reviewing 
its existing requirements for locomotive safety standards, FRA requests 
comments on this rear end marker issue.

I. Locomotive Horn

    FRA solicits comments regarding methods currently being used by 
railroads to test locomotive horns as required by Sec.  229.129. More 
than one method of testing will satisfy the current testing 
requirements. FRA is considering whether certain current methods of 
testing should be preferred, or additional methods should be permitted.

J. Risk Analysis Standardization and Harmonization

    FRA has been actively implementing, whenever practical, performance 
regulations based on the management of risk. In the process of doing 
so, a number of different system safety requirements, each unique to a 
particular regulation, have been promulgated. While this approach is 
consistent with the widely, and deeply, held conviction that risk 
management efforts should be specifically tailored for individual 
situations, it has resulted in confusion regarding the applicable 
regulatory requirements. This, in turn has defeated one of the primary 
objectives of using performance based regulations, reduction in costs 
from simplifying regulations.
    The problem is not the concept of tailoring, but the lack of 
standard terms, basic tools, and techniques. Numerous directives, 
standards, regulations, and regulatory guides establish the authority 
for system safety engineering requirements in the acquisition, 
development, and maintenance of hardware and software-based systems. 
The lack of commonality makes extremely difficult the task of training 
system safety personnel, evaluating and comparing programs, and 
effectively monitoring and controlling system safety efforts for the 
railroads, their vendors, and the government. Even though tailoring 
will continue to be an important system safety concept, at some point 
FRA believes the proliferation of techniques, worksheets, definitions, 
formats, and approaches has to end, or at least some common ground has 
to be established.
    To accomplish this, FRA proposes to harmonize risk management 
process requirements across all regulations that have been promulgated 
by the agency. This will implement a systematic approach to hardware 
and software safety analysis as an integral part of a project's overall 
system safety program for protecting the public, the worker, and the 
environment. Harmonization enhances compliance and improves the 
efficiency of the transportation system by minimizing the regulatory 
burden. Harmonization also facilitates interoperability among products 
and systems, which benefits all stakeholders. By overcoming 
institutional and financial barriers to

[[Page 2210]]

technology harmonization, stakeholders could realize lower life-cycle 
costs for the acquisition and maintenance of systems. To this end, FRA 
requests comments on appropriate, cost effective, performance based 
standards containing precise criteria to be used consistently as rules, 
guidelines, or definitions of characteristics, to ensure that 
materials, products, processes and services are fit for purpose, and 
present an acceptable level of risk that are applicable across all 
elements of the railroad industry.

K. MCB Contour 1904 Coupler

    FRA believes that the existing requirement related to MCB contour 
1904 couplers, contained in Sec.  229.61(a)(1), is out dated. The 
existing regulation prohibits the use of a MCB contour 1904 coupler, if 
the distance between the guard arm and the knuckle nose is more than 5 
\1/8\ inches. FRA understands that the MCB contour 1904 coupler design 
has not been used in the railroad industry since the 1930s. Most, if 
not all, of the current locomotive fleet are equipped with Type E 
couplers. For these couplers, the maximum distance permitted between 
the guard arm and the knuckle nose is 5 \5/16\ inches, as identified in 
Sec.  229.61(a)(1). FRA seeks comments as to whether any locomotives 
are currently being operated with MCB contour 1904 couplers, and 
whether the requirement related to MCB contour 1904 couplers should be 
removed from the locomotive safety standards.

L. Locomotive Cab Securement

    FRA is evaluating securement options for locomotive cab doors. Cab 
securement can potentially prevent unauthorized access to the 
locomotive cab, and thereby increase train crew safety. However, cab 
securement demands a careful and balanced approach because when 
emergencies requiring emergency egress or rescue access occur, 
securement systems must not hinder rapid and easy egress by train crews 
or access by emergency responders without undue delay. FRA is exploring 
how to achieve greater safety by properly balancing these concerns.
    On June 20, 2010, a CSX Conductor was shot and killed in the cab of 
the controlling locomotive of his standing train in New Orleans, during 
an attempted robbery. The Locomotive Engineer assigned to that train 
was also wounded by gunfire during the incident. This incident was 
particularly tragic, because it resulted in a fatality. By letter dated 
September 22, 2010, in response to this incident, the BLET requested 
that FRA require the use of door locks on locomotive cab doors. Under 
current industry practice, many locomotive cab doors are not locked. 
According to BLET's letter, requiring the use of door locks would 
impede unauthorized access to the locomotive cab and reduce the risk of 
violence to the train crew when confronted by a potential intruder. FRA 
solicits comments regarding the impact that a locked door would have on 
train crew safety. More specifically, FRA poses the following questions 
regarding existing locomotive doors:
     Can a door lock be broken when struck by a heavy, solid 
object like a baseball bat, sledge hammer, or crowbar?
     Can a door lock be broken by gunfire?
     If a keyed lock is used, is it possible that the lock can 
be picked by an unauthorized person?
     If a keyed lock is used, is it possible for the key to be 
lost, stolen, or duplicated without authorization?
     If the door is locked, can a potential intruder gain 
access to the cab by breaking through the door's window?
     If the door is locked, can gunfire penetrate the door's 
window, the door itself, or another portion of the car body?
    In addition, FRA requests comments regarding the potential 
effectiveness of using different locking mechanisms to secure the 
locomotive cab. A portion of the industry is currently equipping new 
locomotives with dead-bolt door locks. Door locks with quick release 
mechanisms, keyed locks, and biometric locks could also potentially be 
used to secure a locomotive cab. FRA seeks comments regarding the 
potential benefits and concerns for each type of locking mechanism. FRA 
also requests information concerning the effect of door locks during 
emergency situations requiring rapid and easy evacuation of the 
locomotive compartment or rescue access. After an accident or other 
life threatening situation, a train crew may need to quickly exit a 
locomotive cab, particularly in the event of a fire or a hazardous 
materials release, and a train crew may require assistance from 
emergency responders when injured or incapacitated. To help solicit an 
abundance of information, FRA poses the following questions:
     To what extent will the use of a door lock to secure the 
locomotive cab hinder rapid and easy egress of the train crew?
     If keyed locks are used, should emergency responders be 
given keys?
     To what extent will emergency responders' access to the 
cab be unduly delayed by door locks?
     Will door locks prohibit emergency responders' access to 
the cab when the crew is incapacitated?
     How can locomotive cab doors be secured without hindering 
the crews' ability to egress rapidly and easily or emergency 
responders' ability to gain access without undue delay?
    FRA also requests information related to the costs associated with 
installing and maintaining various locomotive cab locking mechanisms. 
More specifically, for existing locomotives how many do not have 
locking mechanisms? And, what type of locking device would be the most 
cost effective to install and maintain and also adequately address the 
three safety needs described above. Finally, are there any locomotives 
in the US (existing or new) that would be particularly difficult or 
expensive to equip with a locking mechanism? If so, which locomotives 
are they, and how many of these locomotives exist? FRA also requests 
comment as to how many locomotives are currently being manufactured for 
domestic service with these devices? If FRA decides to establish a 
uniform cab securement requirement for new locomotives, what type of 
locking mechanism is recommended, and why? Finally, how much would such 
a locking mechanism cost to install and maintain on new and existing 
locomotives?

VI. Section-by-Section Analysis

    This section-by-section analysis of the proposed rule is intended 
to explain the rationale for each section of the proposed rule. The 
analysis includes the requirements of the proposal, the purpose that 
the proposal would serve in enhancing locomotive safety, the current 
industry practice, and other pertinent information. The proposed 
regulatory changes are organized by section number. FRA seeks comments 
on all proposals made in this NPRM.

A. Proposed Amendments to Part 229 Subparts A, B, and C

Section 229.5 Definitions
    This section contains a set of definitions to be introduced into 
the regulation. FRA intends these definitions to clarify the meaning of 
important terms as they are used in the text of the proposed rule. The 
proposed definitions are carefully worded in an attempt to minimize the 
potential for misinterpretation of the rule. The definition of alerter 
introduces an unfamiliar term which requires further discussion.
    ``Alerter'' means a device or system installed in the locomotive 
cab to promote continuous, active locomotive

[[Page 2211]]

engineer attentiveness by monitoring select locomotive engineer-induced 
control activities. If fluctuation of a monitored locomotive engineer-
induced control activity is not detected within a predetermined time, a 
sequence of audible and visual alarms is activated so as to 
progressively prompt a response by the locomotive engineer. Failure by 
the locomotive engineer to institute a change of state in a monitored 
control, or acknowledge the alerter alarm activity through a manual 
reset provision, results in a penalty brake application that brings the 
locomotive or train to a stop. For regulatory consistency FRA is 
proposing the same definition as the one provided in part 238. FRA 
intends for a device or system that satisfies an accepted industry 
standard including, but not limited to, AAR Standard S-5513, 
``Locomotive Alerter Requirements,'' dated November 26, 2007, to 
constitute an alerter under this definition.
    New definitions for terms related to remote control locomotives are 
also being proposed. The proposed terms, ``Assignment Address,'' 
``Locomotive Control Unit,'' ``Operator Control Unit,'' ``Remote 
Control Locomotive,'' ``Remote Control Operator,'' and ``Remote Control 
Pullback Protection'' are common to the industry. On February 14, 2001, 
FRA published a Safety Advisory in which FRA issued recommended 
guidelines for conducting remote control locomotive operations. See 66 
FR 10340, Notice of Safety Advisory 2001-01, Docket No. FRA-2000-7325. 
The Safety Advisory includes definitions for each of the proposed 
terms. FRA's proposed definitions for these terms are informed by the 
Safety Advisory and Working Group discussions.
    ``Controlling locomotive'' means a locomotive from where the 
operator controls the traction and braking functions of the locomotive 
or locomotive consist, normally the lead locomotive. This proposed 
definition is being added to help identify which locomotives are 
required to be equipped with an alerter, and when the alerter is 
required to be tested.
Section 229.7 Prohibited Acts and Penalties
    Minimal changes are being proposed in this section to update the 
statutory reference and the statutory penalty information.
Section 229.15 Remote Control Locomotives
    After working with the railroad industry for many years to provide 
a framework for the safe use, development, and operation of remote 
control devices, FRA proposes to formally codify safety standards for 
remote control operated locomotives. For convenience, FRA proposes to 
divide the section into two headings: Design and operation, and 
inspection and testing.
    Generally, the proposed design and operation requirements are 
intended to prevent interference with the remote control system, 
maintain critical safety functions if a crew is conducting a movement 
that involves the pitch and catch of control between more than one 
operator, tag the equipment to notify anyone who would board the cab 
that the locomotive is operating remote control, and bring the train to 
a stop if certain safety hazards arise. The proposed inspection and 
testing requirements are intended to ensure that each remote control 
locomotive would be tested each time it is placed in use, and ensure 
that the operator is aware of the testing and repair history of the 
locomotive. It is FRA's understanding that virtually all railroads that 
operate remote control locomotives have already adopted similar 
standards, and that they have proven to provide consistent safety for a 
number of years.
Section 229.19 Prior Waivers
    FRA proposes to update the language in Sec.  229.19 to address the 
handling of prior waivers of requirements in part 229 under the 
proposed rule. A number of existing waivers are incorporated into the 
proposed rule, others may no longer be necessary in light of the 
proposal. The proposal allows railroads the opportunity to assert that 
their existing waiver is necessary, and should be effective after the 
proposed rule is adopted.
    On February 28, 2007, in a notice, FRA proposed the sunset of 
certain waivers granted for the existing locomotive safety standards. 
72 FR 9059. The proposal urged grantees to submit existing waivers for 
consideration for renewal in light of potential revisions to the 
regulation, and explained FRA's interest in treating older waivers 
consistently with newer waivers that were limited to five years. The 
five year limitations were issued as far back as March of 2000. The 
notice also established a docket to receive waivers for consideration.
    In addition, the notice discussed the possibility of requiring 
current grantees to re-register waivers. To streamline the process, 
FRA's proposal does not include a re-registration requirement.
Section 229.20 Electronic Record-keeping
    As explained in proposed paragraph (a), FRA would establish 
standards for electronic record-keeping that a railroad may elect to 
utilize to comply with many of the record-keeping provisions contained 
in this part. As with any records, replacing a paper system that 
requires the physical filing of records with an electronic system and 
the large and convenient storage capabilities of computers, will result 
in greater efficiency. Increased safety will also result, as railroads 
will be able to access and share records with appropriate employees and 
FRA quicker than with a paper system. To be acceptable, electronic 
record-keeping systems must satisfy all applicable regulatory 
requirements for records maintenance with the same degree of confidence 
as is provided with paper systems. The proposed requirements would be 
consistent with a series of waivers that FRA has granted since April 3, 
2002 (Docket Number FRA-2001-11014), permitting electronic record-
keeping with certain conditions intended to ensure safety. In this 
proposed section, FRA is adopting the Working Group's consensus 
regulatory text for electronic record-keeping that was approved and 
recommended to FRA by the RSAC on September 10, 2009. The proposed 
standards are organized into three categories: (1) Design requirements, 
(2) operational requirements, and (3) availability and accessibility 
requirements.
    (b) Design requirements. To properly serve the interest of safety, 
records must be accurate. Inspection of accurate records will reveal 
compliance or non-compliance with Federal regulations and general rail 
safety practices. To ensure the authenticity and integrity of 
electronic records it is important that security measures be in place 
to prevent unauthorized access to the data in the electronic record and 
to the electronic system. Proposed paragraphs (b)(1) through (b)(5) are 
intended to help secure the accuracy of the electronic records and the 
electronic system by preventing tampering, and other forms of 
interference, abuse, or neglect.
    (c) Operational requirements. Proposed paragraphs (c)(1) and (c)(2) 
are intended to utilize the improved safety capabilities of electronic 
systems. The requirements of paragraph (c)(1) would cover both 
inspection and repair records. In situations when the Hours of Service 
laws would potentially be violated, the electronic system would be 
required to prompt the person to input

[[Page 2212]]

the data as soon as he or she returns to duty.
    (d) Access and availability requirements. To properly serve the 
interest of safety, the electronic records and the electronic record-
keeping system must be made available and accessible to the appropriate 
people. FRA must have access to the railroads' electronic records and 
limited access to the electronic record-keeping systems to carry out 
its investigative responsibilities. During Working Group discussions, a 
member representing railroad management explained that his railroad 
currently can produce an electronic record within ten minutes, but that 
a paper record may take up to two weeks. As such, the proposal provides 
up to fifteen days to produce paper copies and requires that the 
electronic records will be provided upon request.
Section 229.23 Periodic Inspection: General
    This section would require railroads that choose to maintain and 
transfer records as provided for in proposed Sec.  229.20, to print the 
name of the person who performed the inspections, repairs, or certified 
work on the Form FRA F 6180-49A that is displayed in the cab of each 
locomotive. This would allow the train crew to know who did the 
previous inspection when they board the locomotive cab.
Section 229.25 Test: Every Periodic Inspection
    Two additional paragraphs are proposed in this section to include 
inspection requirements for remote control locomotives and locomotive 
alerters during the 92-day periodic inspection. FRA is proposing new 
regulations for remote control locomotives, see proposed Sec.  229.15, 
and locomotive alerters, see proposed section Sec.  229.140. For 
convenience, the maintenance for remote control locomotives and 
locomotive alerters that would properly be conducted at intervals 
matching the 92-day periodic inspection, are being incorporated into 
this section. The existing paragraphs would also be reorganized for 
convenience.
Section 229.27 Annual Tests
    FRA proposes to amend this section by deleting the following 
existing language from paragraph (b): ``The load meters shall be 
tested'' from paragraph (b). The modification would clarify the 
regulatory language to reflect the current understanding and 
application of the load meter requirement. FRA issued a clarification 
for load meters on AC locomotives on June 15, 1998. In a letter to GE 
Transportation Systems in March 2005, FRA issued a similar 
clarification of the requirements related to testing load meters on DC 
locomotives. The letter explained that on locomotives that are not 
equipped with load meters there are no testing requirements. Similarly, 
if a locomotive is equipped with a load meter but is using a proven 
alternative method for providing safety, and no longer needs to 
ascertain the current or amperage that is being applied to the traction 
motors, there are no testing requirements for the dormant load meter. 
Load meters have been eliminated or deactivated on many locomotives 
because the locomotives are equipped with thermal protection for 
traction motors and no longer require the operator to monitor 
locomotive traction motor load amps.
    FRA also proposes removing existing paragraph (a) from this section 
and merging it into the brake requirements contained in proposed Sec.  
229.29. Proposed Sec.  229.29 concerns brake maintenance, and as 
discussed below, would be reorganized by this proposal to consolidate 
all existing locomotive brake maintenance into one regulation.
Section 229.29 Air Brake System Calibration, Maintenance, and Testing
    This section would be re-titled, and existing requirements would be 
consolidated and better organized to improve clarity. Because proposed 
Sec.  229.29 concerns only brakes, it would be re-titled, ``Air Brake 
System Calibration, Maintenance, and Testing'' to more accurately 
reflect the section's content. Existing Sec.  229.27(a), which also 
addresses brake maintenance would be integrated into this section for 
convenience and clarity. Record-keeping requirements for this section 
would be moved from existing paragraphs (a) and (b) and merged into a 
single new proposed paragraph (g). The date of air flow method (AFM) 
indicator calibration would also be required to be recorded and 
certified in the remarks section of Form F6180-49A under paragraph (g).
    The proposed brake maintenance in this section would extend the 
intervals at which required brake maintenance is performed for several 
types of locomotive brake systems. The length of the proposed intervals 
reflects the results of studies and performance evaluations related to 
a series of waivers starting in 1981 and continuing to present day. 
Overall, the type of brake maintenance that would be required would 
remain the same. The current regulation provides for two levels of 
brake maintenance. Existing Sec.  229.27(a) requires routine 
maintenance for filters and dirt collectors, and brake valves. Existing 
Sec.  229.29(a) requires maintenance for certain brake components 
including parts that can deteriorate quickly and pieces of equipment 
that contain moving parts. To better tailor the maintenance 
requirements to the equipment needs and based on information 
ascertained from various studies and performance evaluations, filters 
and dirt collector maintenance would be required more frequently than 
brake valve maintenance. As a result, the proposal provides for three 
levels of brake maintenance instead of two.
    Studies and performance evaluations of brake systems continue, and 
may reach conclusion by the publication of a final rule in this 
proceeding. In an effort to incorporate FRA's findings in a timely 
manner, and produce an up-to-date final rule, FRA will consider 
adjusting the proposed regulations based on its findings. Specifically, 
FRA is currently studying the effect, if any, that air dryers have on 
the maintenance of brake systems. FRA seeks comment on this issue.
    Proposed paragraph (f)(2) would set maintenance intervals at four 
years for slug units that are semi-permanently attached to a host 
locomotive. Slugs are used in situations where high tractive effort is 
more important than extra power, such as switching operations in yards. 
A railroad slug is an accessory to a diesel-electric locomotive. It has 
trucks with traction motors but is unable to move about under its own 
power, as it does not contain a prime mover to produce electricity. 
Instead, it is connected to a locomotive, called the host, which 
provides current to operate the traction motors.
    FRA is proposing to incorporate conventional locomotive 
requirements from part 238 into this section for convenience. FRA 
believes that there may be some benefit to moving all of the locomotive 
requirements, including MU locomotives, from part 238 to part 229. FRA 
seeks comments on this issue.
    FRA is also considering whether moving AFM indicator calibration 
requirements from Sec.  232.205(c)(iii) into this section would be 
appropriate. Currently, both the calibration and testing requirements 
for the AFM are contained in part 232. While the testing requirements 
are most closely related to the subject matter addressed by part 232, 
power brakes; FRA believes that the calibration requirements are more 
closely related to the locomotives. FRA requests comments on this 
issue.

[[Page 2213]]

Section 229.46 Brakes: General
    FRA proposes to clarify this section, and provide standards for the 
safe use of a locomotive with an inoperative or ineffective automatic 
or independent brake control system. The proposal would allow a 
locomotive with a defective air brake control valve to run until the 
next periodic inspection required by Sec.  229.23. However, the 
requirement to place a tag on the isolation switch would notify the 
crew that the locomotive could be used only according to Sec.  
229.46(b) until it is repaired.
    The proposal would also clarify what it means for the brakes to 
operate as intended, as required by this section. Some Working Group 
members asserted that the automatic and independent brake valves are 
not intended to function on a trailing unit that is isolated from the 
train's air brake system, therefore they were ``operating as intended'' 
when not operating at all. Generally, when a unit is found with an 
automatic or independent brake defect, the railroad may choose to move 
the unit to a trailing position, and because it is in a trailing 
position, it may be dispatched without record of the need for 
maintenance. Proposed paragraph (b)(1) would explicitly permit units 
with defective independent brakes to be moved in the trailing position. 
Proposed paragraphs (b)(2) through (b)(6) are intended to ensure that 
the trailing unit is handled safely, and that appropriate records are 
kept and repairs are made.
Section 229.85 High Voltage Markings: Doors, Cover Plates, or Barriers
    FRA proposes to clarify this section. The purpose of this section 
is to warn people of a potential shock hazard before the high voltage 
equipment is exposed. A conspicuous marking on the last cover, door, or 
barrier guarding the high voltage equipment satisfies the purpose of 
this section. Many locomotives have multiple doors in front of high 
voltage equipment. Often there is a door on the car body that provides 
access to the interior of the car body which contains high voltage 
equipment that is guarded be an additional door, for example, main 
generator covers and electrical lockers. FRA's intent has been to 
require the danger marking only on the last door that guards the high 
voltage equipment. Thus, FRA is proposing to slightly modify the 
language currently contained in this section to make this intent clear 
and unambiguous. To further clarify the intent of this section, FRA is 
also proposing to change the title.
Section 229.114 Steam Generator Inspections and Tests
    FRA proposes to add this section in order to consolidate the steam 
generator requirements contained in various sections of part 229 into a 
single section. Currently, requirements related to steam generators can 
be found in Sec. Sec.  229.23, 229.25, and 229.27. Consolidating the 
requirements into one section will make them easier to find for the 
regulated community, and help simplify and clarify each of the sections 
that currently include a requirement related to steam generators. The 
proposal is not intended to change the substance of any of the existing 
requirements.
Section 229.119 Cabs, Floors, and Passageways
    In this section, FRA proposes to raise the minimum allowable 
temperature in an occupied locomotive cab from 50 degrees to 60 
degrees. Each occupied locomotive cab would be required to maintain a 
minimum temperature of 60 degrees Fahrenheit when the locomotive is in 
use. FRA recognizes that it takes some time for the cab to heat up when 
the locomotive is first turned on, and that some crew members may 
prefer to work in slightly cooler temperatures and temporarily turn off 
the heater. Thus, FRA would only apply this requirement in situations 
where the locomotive has had sufficient time to warm-up and where the 
crew has not adjusted that temperature to a personal setting.
Section 229.123 Pilots, Snowplows, End Plates
    FRA proposes to clarify paragraph (a) of this section. Based on 
experience applying the regulation, FRA recognizes that a reasonable, 
but improper, reading of the existing language could lead to the 
incorrect impression that a pilot or snowplow is not required to extend 
across both rails. To prevent this misunderstanding and to clarify the 
existing requirement, the phase ``pilot, snowplow or end plate that 
extends across both rails'', would be substituted for ``end plate which 
extends across both rails, a pilot, or a snowplow.'' FRA believes this 
language makes clear that any of the above mentioned items must extend 
across both rails.
    Due to the height of retarders in hump yards, it is not uncommon 
for the pilot, snowplow, or endplate to strike the retarder during 
ordinary hump yard operations. To accommodate the retarders and prevent 
unnecessary damage, FRA has issued waivers to permit more clearance 
(the amount of vertical space between the bottom of the pilot, 
snowplow, or endplate and the top of the rail) in hump yards, if 
certain conditions are met. FRA proposes the addition of paragraph (b) 
to this section to obviate the need for individual waivers by 
incorporating these conditions into the revised regulation. The 
conditions that were included in the waivers, are reflected in 
paragraphs (b)(1) through (b)(5).
    The clearance requirement is intended to ensure that obstructions 
are cleared from in front of the locomotive and to prevent the 
locomotive from climbing and derailing. In FRA's experience, hump yards 
contain few obstructions that present this potential risk. The 
protections provided by a pilot, snowplow, or endplate are most 
desirable at grade crossings where the requirement would remain without 
change. This section also proposes various requirements to ensure that 
the train crew is notified of the increased amount of clearance and to 
prevent the improper use of the locomotive. The proposed provisions 
would require locomotives with additional clearance to be stenciled at 
two locations, notification to the train crew of any restrictions being 
placed on the locomotive, and noting the amount of clearance on the 
Form FRA 6180-49a that is maintained in the cab of the locomotive.
Section 229.125 Headlights and Auxiliary Lights
    To incorporate an existing waiver, this proposed section would 
permit a locomotive to remain in the lead position until the next 
calendar day inspection after an en route failure of one incandescent 
PAR-56, 74-volt, 350-Watt lamp, if certain safety conditions are 
satisfied. FRA also proposes to extend the existing auxiliary intensity 
requirements at 7.5 degrees and 20 degrees to the headlight to clarify 
the criteria by which equivalence of new design head light lamps will 
be evaluated to achieve the same safety benefit.
    Recently, information has been submitted by a manufacturer 
asserting that a new Halogen PAR-56, 350-watt, 74-volt lamp is 
equivalent to the incandescent PAR-56, 200-watt, 30-volt lamp mentioned 
in the existing regulation. FRA believes this claim has merit, and the 
Working Group concurred. Therefore, proposed references to that lamp 
have been added at appropriate locations in this section.
    When one of two lamps in a headlight utilizing PAR-56, 350-watt, 
74-volt lamps is inoperative, the center beam illumination for that 
headlight often drops below 200,000 candela due to manufacturing 
tolerances. FRA issued a

[[Page 2214]]

waiver that allows a locomotive equipped with these lamps to continue 
in service as a lead unit until the next calendar day inspection, when 
one of the two lamps becomes inoperative. Alternatively, when 
locomotives are handled under the general movement for repair provision 
of Sec.  229.9, they are required to be repaired or switched to a 
trailing position at the next forward location where either could be 
accomplished. Proposed paragraph (a)(2)(i) of this section, 
incorporates the waiver into the regulation. Conditions listed in 
paragraphs (a)(2)(i)(A), (B), and (C) ensure that neither locomotive 
conspicuity at grade crossings, nor the illumination of the right of 
way will be compromised.
Section 229.133 Interim Locomotive Conspicuity Measures--Auxiliary 
External Lights
    To update the regulations related to locomotive conspicuity, FRA 
proposes to remove the ditch light and crossing light requirements in 
Sec.  229.133 that have been superseded by similar requirements in 
Sec.  229.125. Section 229.133 currently contains interim locomotive 
conspicuity measures that were incorporated into the regulations in 
1993 while the final provisions related to locomotive auxiliary lights 
were being developed. See 58 FR 6899; 60 FR 44457; and 61 FR 8881. The 
requirements related to ditch lights and crossing lights in Sec.  
229.133 were later superseded by similar requirements in Sec.  229.125, 
published in 1996, and revised in 2003 and 2004. See 68 FR 49713; and 
69 FR 12532. In 1996, locomotives equipped with ditch lights or 
crossing lights that were in compliance with the requirements of Sec.  
229.133, were temporarily deemed to be in compliance by Sec.  229.125 
(i.e., grandfathered into the new regulation). However, that provision 
expired on March 6, 2000. As a result, ditch lights and crossing lights 
that comply with Sec.  229.133 have not satisfied the requirements 
Sec.  229.125 for more than 10 years. No substantive changes to the 
auxiliary external light requirements are being proposed in this 
section.
Section 229.140 Alerters
    This section proposes to require locomotives that operate over 25 
mph be equipped with an alerter and would require the alerter to 
perform certain functions. Today, a majority of locomotives are 
equipped with alerters. As an appurtenance to the locomotive, the 
alerters are required to function as intended, if present. The proposed 
requirements would increase the number of locomotives equipped with an 
alerter, and would provide specific standards to ensure that the 
alerters are used and maintained in a manner that increases safety.
    During Working Group discussions, all parties agreed that an 
alerter would be considered non-compliant if it failed to reset in 
response to at least three of the commands listed in proposed 
paragraphs (b)(1) through (b)(6) of this section, in addition to the 
manual reset. It is important that locomotives equipped with an alerter 
adhere to minimum performance standards to ensure that the alerter 
serves its intended safety function. Utilizing several different reset 
options for the warning timing cycle increases the effectiveness of the 
alerter, as it would require differentiated cognitive actions by the 
operator. This will help prevent the operator from repeating the same 
reset many times as a reflex, without having full awareness of the 
action.
    FRA believes that tailoring the alerter standard to a minimum 
operational speed will permit operational flexibility while maintaining 
safety. Many freight railroads only operate over small territories. 
They generally move freight equipment between two industries or 
interchange traffic with other, larger railroads. For these operations, 
the advantages of and the ability to move at higher speeds are non-
existent. Moreover, movements at these lower speeds greatly reduce the 
risk of injury to the public and damage to equipment. For these 
reasons, there is a reduced safety need for requiring alerters on 
locomotives conducting these shorter low speed movements.
    Proposed paragraph (f) would ensure that the locomotive alerter on 
the controlling locomotive is always tested prior to being used as the 
controlling locomotive. The test would be required during the trip that 
the locomotive is used as a controlling locomotive. This requirement 
would allow the crew to know the alerter functions as intended each 
time a locomotive becomes the controlling locomotive.

B. Proposed Part 229 Subpart E--Locomotive Electronics

Section 229.301 Purpose and Scope
    The purpose of this subpart is to promote the safe design, 
operation, and maintenance of safety-critical electronic locomotive 
control systems, subsystems, and components. Safety-critical electronic 
systems identified in proposed paragraph (a) would include, but would 
not be limited to: directional control, graduated throttle or speed 
control, graduated locomotive independent brake application and 
release, train brake application and release, emergency air brake 
application and release, fuel shut-off and fire suppression, alerters, 
wheel slip/slide applications, audible and visual warnings, remote 
control locomotive systems, remote control transmitters, pacing 
systems, and speed control systems.
    In proposed paragraph (b), FRA emphasizes that when a new or 
proposed locomotive control system function interfaces or comingles 
with a safety critical train control system covered by 49 CFR part 236 
subpart H or I, the locomotive control system functionality would be 
required to be addressed in the train control systems Product Safety 
Plan or the Positive Train Control Safety Plan, as appropriate. FRA 
recognizes that advances in technology may further eliminate the 
traditional distinctions between locomotive control and train control 
functionalities. Indeed, technology advances may provide for 
opportunities for increased or improved functionalities in train 
control systems that run concurrent with locomotive control. Train 
control and locomotive control, however, remain two fundamentally 
different operations with different objectives. FRA does not intend to 
restrict the adoption of new locomotive control functions and 
technologies by imposing regulations on locomotive control systems 
intended to address safety issues associated with train control.
Section 229.303 Applicability
    A safety analysis would be required for new electronic equipment 
that is deployed for locomotives. However, FRA does not intend to 
impose retroactive safety analysis requirements for existing equipment. 
FRA recognizes that railroads and vendors may have already invested 
large sums of time, effort, and money in the development of new 
products that were envisioned prior to this proposed rule. Accordingly, 
FRA intends to clarify that the proposed requirements of this subpart 
are not retroactive and do not apply to existing equipment that is 
currently in use. The rule would provide sufficient time for railroads 
and vendors to realize profits on their investment in new technologies 
made prior to the adoption of this rule. For that reason, FRA would 
provide a grace period in proposed paragraphs (a) and (b) to allow the 
completion of existing new developments. Any system that has not been 
placed in use by the end of the proposed grace period would be required 
to comply with the safety analysis requirements. Vendors would be 
required to identify these projects to

[[Page 2215]]

FRA within 6 months after the effective date of this rule. FRA believes 
this will avoid misunderstandings concerning which systems receive the 
grace period. FRA would consider any systems not identified to FRA 
within the 6-month window to be a new product start that would require 
a safety analysis.
    In proposed paragraph (d), FRA makes clear that the exemption is 
limited in scope. Products that result in degradation of safety or a 
material increase in safety-critical functionality would not be exempt. 
Products with slightly different specifications that are used to allow 
the gradual enhancement of the product's capabilities would not require 
a full safety analysis, but would require a formal verification and 
validation to the extent that the changes involve safety-critical 
functions.
Section 229.305 Definitions
    Generally, this proposed section standardizes similar definitions 
between 49 CFR part 236 subpart H and I, and this part. Although 49 CFR 
part 236 subpart H and I addresses train control systems, and this 
subpart addresses locomotive control systems, both reflect the adoption 
of a risk-based engineering design and review process. The definition 
section, however, does introduce several new definitions applicable to 
locomotive control systems.
    The first new proposed definition is for ``New or next-generation 
locomotive control system.'' This term would refer to locomotive 
control products using technologies or combinations of technologies not 
in use on the effective date of this regulation, or without established 
histories of safe practice. Traditional, non-microprocessor systems, as 
well as microprocessor and software based locomotive control systems, 
are currently in use. These systems have used existing technologies, 
existing architectures, or combinations of these to implement their 
functionality. Development of a safety analysis to accomplish the 
requirements of this part would require reverse engineering these 
products. Reverse engineering a product is both time consuming and 
expensive. Requiring the performance of a safety analysis on existing 
products would present a large economic burden on both the railroads 
and the original equipment manufacturers (OEM). The economic burden 
would likely be significantly less for new combinations of technology 
and architectures that either implement existing functionality, or 
implement new functionality. These types of systems lack a proven 
service history. The safety analysis would mitigate the lack of a 
proven service history. The fundamental differences make it necessary 
to clearly distinguished between the two classes of locomotive control 
systems products.
    ``Product'' means any safety critical locomotive control system 
processor-based system, subsystem, or component. The proposed 
definition identifies the covered systems that would require a safety 
analysis. Generally, locomotive manufactures consider their product to 
be the entire locomotive. This includes systems and subsystems. In this 
situation, the manufacturers' extensive knowledge of the product would 
allow them to conduct a safety analysis on the safety critical 
elements, including locomotive control systems. Similarly, major 
suppliers to locomotive manufacturers are also familiar with their own 
products. They too can clearly identify the safety critical elements 
and conduct the safety analysis accordingly. However, the same is not 
necessarily true for suppliers without extensive domain knowledge. 
These suppliers may not understand that their product requires a safety 
analysis, or may lack experience to recognize that the subsystems or 
components of the product are subject to the safety analysis of this 
part. Accordingly, the proposed definition of ``product'' indentifies 
the covered systems requiring a safety analysis.
    The proposed definition of ``Safety Analysis'' would refer to a 
formal set of documentation that describes in detail all of the safety 
aspects of the product, including but not limited to procedures for its 
development, installation, implementation, operation, maintenance, 
repair, inspection, testing and modification, as well as analyses 
supporting its safety claims. A Safety Analysis (SA) is similar to the 
Product Safety Plan (PSP) required by 49 CFR part 236 subpart H or the 
Positive Train Control Safety Plan (PTCSP) required by 49 CFR part 236 
subpart I for signal and train control systems. There is, however, a 
fundamental difference between the PSP or PTCSP safety analysis, and 
the SA proposed by this subpart. The PSP requires formal FRA approval 
and is required prior to the product being placed in use. This 
difference is rooted in fundamental differences between functionality 
of signal and train control and locomotive control. Although developers 
of an SA and a PSP or PTCSP may merge functions to operate together on 
a common platform, different safety analyses would be required. In 
order to ensure that there is no confusion between the safety analyses 
required by 49 CFR part 236 subparts H or I, and the safety analysis 
required in this subpart, a different definition is being proposed for 
the SA in this part.
    The proposed definition of ``Safety-critical,'' as applied to a 
function, a system, or any portion thereof, would mean an aspect of the 
locomotive electronic control system that requires correct performance 
to provide for the safety of personnel, equipment, environment, or any 
combination of the three; or the incorrect performance of which could 
cause a hazardous condition, or allow a hazardous condition which was 
intended to be prevented by the function or system to exist. This 
definition is substantially similar to that found in 49 CFR part 236 
subparts H and I. FRA recognizes that functionality differs between 
locomotive control systems and signal and train control systems, and 
further recognizes that the failure modes, the probabilities of 
failure, and the specific consequences of a failure differ. Despite 
these differences, the result is the same, creation of a hazardous 
condition that could affect the safety of the personnel, equipment, or 
the environment. The same is also true for systems designed to prevent 
adverse hazards in either domain locomotive control systems, signal and 
train control systems, or both. The failure of these types of systems 
would either create a new hazard, or allow a system intended to prevent 
a hazard to occur, regardless of domain.
Section 229.307 Safety Analysis
    The proposed SA would serve as the principal safety documentation 
for a safety-critical locomotive control system product. Engineering 
best practice today recognizes that elimination of all risk is 
impossible. It recognizes that the traditional design philosophy, 
adversely affects a product's cost and performance. Consequently, 
designers have adopted a philosophy of risk management. Under this 
philosophy, designers consider both the consequences of a failure and 
the probability of a failure. Designers then select the appropriate 
risk mitigation technique. The risk mitigation philosophy reduces the 
impact of risk mitigation on a cost and performance compared to risk 
avoidance.
    Fundamental to the execution of the risk management philosophy is 
the development and documentation of a SA that closely examines the 
relationship between consequences of a failure, probability of 
occurrence, failure modes, and their mitigation strategies. Proposed 
paragraph (a) of this section clearly recognizes this, and would 
address this need by requiring the

[[Page 2216]]

development of the SA documentation. It also recognizes that some 
developers of SAs may have little experience in risk-based design. 
Appendix F, also being proposed in this proceeding, would offer one 
approach. There are a number of equally effective or better approaches. 
FRA encourages railroads and OEMs to select an approach best suited to 
their business model. FRA would consider as acceptable any approach 
that would be equal to, or more effective than, the one outlined in 
proposed Appendix F.
    Proposed paragraph (b), along with proposed paragraph (a) of this 
section would further establish a regulatory mandate for risk 
management design. FRA would require that railroads electing to allow a 
locomotive control system to be placed in use on its property would be 
required to ensure that an appropriate SA is completed first.
    Generally, only a single SA would be required for a product. 
Therefore, FRA would recognize as acceptable any appropriate SA done 
under the auspices of one railroad, or a consortium of railroads. FRA 
also recognizes that railroads may lack the necessary product 
familiarity or technical expertise to prepare the SA. FRA anticipates 
that vendors will accomplish the bulk of preparing the SA in the course 
of the product development.
    FRA also recognizes that product vendors may develop a product 
prior to its procurement by a railroad. In this situation, FRA would 
provide review and comment as requested by the vendor. This review by 
FRA would not represent an endorsement of the product. FRA expects that 
the vendor would work with a railroad, or a consortium of railroads, 
for final review and approval of the SA. FRA also wishes to make clear 
that the safety analysis would only be required for new or next 
generation locomotive control systems, as defined in Sec.  229.305, or 
for substantive changes to an existing product. A SA would only be 
required when safety critical functionality is added or deleted from 
the product, or if there has been a significant paradigm shift in the 
underlying systems' architecture or implementation technologies, or a 
significant departure from widely accepted and service proven industry 
best past practices. The half-life of microprocessor-based hardware is 
relatively short, and the associated software is subject to change as 
technical issues are discovered with existing functionality. FRA 
anticipates that there will be maintenance-related changes of software, 
as well as replacement of functionally identical hardware components as 
exiting hardware undergoes repair or reaches the end of its useful 
service life. FRA emphasizes that the later type of changes to safety 
critical products, and changes to non-safety critical products, would 
not require a SA. The railroads and vendors have generally 
demonstrated, with a high degree of confidence, that existing systems 
can safely operate. In response to potential liability issues, 
railroads have shown they carefully examine the safety of a product 
prior to placing it in use. FRA fully expects that the railroads would 
continue to apply the same due diligence to new or next generation 
systems as they review the SA for these more complex products. Proposed 
paragraph (b) is intended to limit FRA's review of the SAs. This of 
course, would not restrict FRA where it appears that due diligence has 
not been exercised, there are indications of fraud and malfeasance, or 
the underlying technology and or architecture represent significant 
departures from existing practice.
    In paragraph (b), FRA proposes that the SA would be required to 
establish with a high degree of confidence that safety-critical 
functions of the product will operate in a fail-safe manner in the 
operating environment in which it will be used. FRA anticipates that 
the railroad and vendor community would exercise due diligence in the 
design and review process prior to placing the product in use. Due 
diligence would typically be demonstrated by the completion, review and 
internal approval of the SA. The railroad would be required to 
determine that this standard has been met, prior to a product change, 
or placing a new or next generation product in use.
    Paragraph (b) also proposes that the railroads identify appropriate 
procedures to immediately repair safety-critical functions when they 
fail. If the procedures are not followed, it would result in a 
violation for failing to comply with the SA.
Section 229.309 Safety Critical Changes and Failures
    Safety critical microprocessors, like any electronics available 
today, are subject to significant change. To ensure that safe system 
operations continue in the event of planned changes to the software or 
hardware maintenance of hardware and software configurations is 
necessary. Failure to maintain hardware and software configurations 
increases the probability that unintended consequences will occur 
during system operation. These unintended consequences do not 
necessarily reveal themselves on initial installation and operation, 
but may occur much later.
    Not all railroads may experience the same software or hardware 
faults. The SA developer's software and hardware development, 
configuration management, and fault tracking play an important role in 
ensuring system safety. Without an effective configuration management 
and fault reporting system, it is difficult, if not impossible to 
evaluate the associated risks. The number of failures experienced by 
one railroad may not exceed the number of failures identified in the 
SA, but the aggregate from multiple railroads may. The vendor is best 
positioned to aggregate identified faults, and is best able to 
determine that the design and failure assumptions exceed those 
predicted by the safety analysis. An ongoing relationship between a 
railroad and its vendor is therefore essential to ensure that problems 
encountered by the railroad are promptly reported to the vendor for 
correction, and that problems encountered and reported by other 
railroads to the vendor are shared with other railroads. Furthermore, 
changes to the system developed by the vendor must be promptly provided 
to all railroads in order to eliminate the reported hazard. A formal, 
contractual relationship would provide the best vehicle for ensuring 
this relationship. This section proposes to clearly identify the 
responsibility of railroads, and car owners, to establish such a 
relationship for both reporting hazards.
    In order to accomplish their responsibilities, FRA expects that 
each railroad would have a configuration tracking system that will 
allow for the identification and reporting of hardware and software 
issues, as well as promptly implementing changes to the safety critical 
systems provided by the vendor regardless of the original reporting 
source of the problem. This section proposes to require railroads to 
identify, and create such a system if they have not already done so.
    Proposed paragraph (b) would require immediate notification to a 
railroad of real or potential safety hazards identified by the private 
car suppliers and private car owners. This would allow affected 
railroads to take appropriate actions to ensure the safety of rail 
operations.
    In proposed paragraph (c) the private car owner's configuration/
revision control measures should be accepted by the railroad that would 
be using the car and implementing the system. The private car owner may 
have placed safety critical equipment on their car that is unfamiliar 
to the railroad using

[[Page 2217]]

that car. And the necessary contractual relationship that would be 
required in proposed paragraph (a)(3) of this section may not exist 
because the equipment in question is not part of the railroad's 
inventory. The private car owner would be expected to communicate with 
the railroad. This proposed requirement is intended to ensure that the 
safety-functional and safety-critical hazard mitigation processes are 
not compromised by changes to software or hardware. Reporting 
responsibilities, as well as the configuration management and tracking 
responsibilities would also extend to private car owners.
Section 229.311 Review of SAs
    In proposed paragraph (a), FRA would require railroads to notify 
FRA before these locomotive electronic products are placed in use. As 
discussed above, FRA anticipates that review of the SA and amendments 
would be the exception, rather than the normal practice. However, FRA 
believes it would be appropriate to have the opportunity to review 
products and product changes to ensure safety. FRA would require the 
opportunity to have products and product changes identified to it, and 
the opportunity to elect a review. FRA also realizes that development 
of these products represents a significant financial investment, and 
that the railroad would like to utilize the products in order to 
recover its investment.
    Proposed paragraph (b) reflects the expectation that FRA would 
decide whether to review an SA within 60 days after receipt of the 
requested information. Based on the information provided to FRA, the 
Associate Administrator for Safety would evaluate the need and scope of 
any review. Within 60 days of receipt of the notification required in 
paragraph (a), FRA will either decline to review or request to review. 
Examples of causes for a review or audit prior to placing the product 
in use would include products: With unique architectural concepts; that 
use design or safety assurance concepts considered outside existing 
accepted practices; and, products that appear to commingle the 
locomotive control function with a safety-critical train control 
processing function. FRA may convene technical consultations as 
necessary to discuss issues related to the design and planned 
development of the product. Causes for an audit of the SA would 
include, but are not limited to, such circumstances as a credible 
allegation of error or fraud, SA assumptions determined to be invalid 
as a result of in-service experience, one or more unsafe events calling 
into question the safety analysis, or changes to the product.
    The following are some common reasons that FRA would likely need to 
review a product after it is placed in use: There is a credible 
allegation of error or fraud; SA assumptions are determined to be 
invalid as a result of in-service experience; or, the occurrence of one 
or more unsafe events related to that product.
    If FRA elects not to review a product's SA, railroads would be able 
to put the product immediately in use after notification that FRA 
elects not to review. In the event that FRA would elect to review, FRA 
would attempt to complete the review within 120 days. FRA's ability to 
complete the review within 120 days would depend upon various factors 
such as: The complexity of the new product or product change, its 
deviation from current practice, the functionality, the architecture, 
the extent of interfacing with other systems, and the number of 
technical consultations required. Products reviewed by FRA under these 
circumstances may not be placed in use until FRA's review is complete.
Section 229.313 Product Testing Results and Records
    This section would require that records of product testing 
conducted in accordance with this subpart be maintained. To effectively 
evaluate the degree to which the SA reflects real, as opposed to 
predicted performance, it is necessary to keep accurate records of 
performance for the product. In addition to collecting these records, 
it is also essential for regular comparison of the real performance 
results with the predicted performance. Thus, in this section FRA 
proposes that such records be maintained. Where the real performance, 
as measured by the collected data, exceeds the predicted performance of 
the SA, FRA proposes that no action would be required. If the real 
performance is worse than the predicted performance, this section 
proposes that the railroad take immediate action to improve performance 
to satisfy the predicted standard. Prompt and effective action would be 
required to bring the non-compliant system into compliance.
    FRA would not expect a railroad to proactively evaluate their 
systems, and take corrective action prior to the system becoming non-
compliant with the predicted performance standard. If an unpredicted 
hazard would occur the system would be required to be immediately 
evaluated, and the appropriate corrective action would need to be 
taken. FRA would not expect a railroad to defer any corrective action. 
In addition, FRA would not expect a railroad to proactively evaluate 
their systems, and take corrective action prior to the system becoming 
non-compliant with the designed performance specifications.
    This section proposes to establish a requirement for a railroad to 
keep detailed records to evaluate the system. However, the railroad may 
elect to have the system supplier keep these records. There would be 
many advantages to the later approach, primarily that the vendor would 
receive an aggregate of the technical issues, making them better 
positioned to analyze the system performance. Although a railroad may 
delegate record keeping, the railroad would retain the responsibility 
for keeping records of performance on their property. The railroads 
would be responsible for ensuring the safe operation of systems on 
their property, and would be required to have access to the performance 
data if they are to carry out their responsibilities under this 
proposed section.
    This section also proposes detailed handling requirements for 
required records. Proposed paragraph (a) would require specific content 
in the record. FRA would accept paper records or electronic records. 
Electronic record keeping would be encouraged as it reduces storage 
costs, simplifies collection of information, and allows data mining of 
the collected information. However, to ensure that the electronic 
records would provide all required information, approval by the 
Associate Administrator for Safety would be required.
    Signatures on paper records would be required to uniquely identify 
the person certifying the information contained in the record in such a 
manner that would enable detection of a forgery. Proposed paragraph (a) 
would also ensure that an electronic signature could be attributable to 
single individual as reliably as paper records. It would be possible to 
meet the storage requirement in several different ways. Physical paper 
records would be expected to be kept at the physical location of the 
supervising official. Electronic records would be permitted to be 
either stored locally, or remotely. FRA would have no preference as 
long as the records are accessible for FRA review.
    Proposed paragraph (b) would specify the required retention period 
for the records. FRA recognizes that retaining records involves a cost 
to railroads, and appreciates their desire to minimize both the number, 
and the required retention period. To this end, FRA has identified two 
different categories of

[[Page 2218]]

records, and proposes differing retention periods for each. The first 
category involves records associated with installation or modification 
of a system and would contain data required for evaluating the 
product's performance and compliance to the safety case conditions 
throughout the life of the product. FRA would consider the life of the 
product to begin when the product is first placed in use and end with 
the permanent withdrawal of the product from service. In the event of 
permanent transfer of the product to another, the receiving railroad 
would become responsible for maintaining them. This responsibility 
would continue until the product is completely withdrawn from rail 
service. The second category of records would address periodic testing 
and would have a retention period of at least one year, or the 
periodicity of the subsequent test, whichever is greater. Results 
obtained by subsequent a test would supersede the earlier test. The 
earlier test results would be moot for evaluating the current 
condition.
    Regrettably, in some cases, the use of electronic records may not 
meet the minimum standards required by FRA. Consequently, FRA is 
proposing procedures for withdrawing authorization to use electronic 
records in paragraph (c). If FRA finds it necessary to withdraw an 
authorization, FRA would explain the reason in writing.
Section 229.315 Operation Maintenance Manual
    This section proposes to require that each railroad have a manual 
covering the requirements for the installation, periodic maintenance 
and testing, modification, and repair of its safety critical locomotive 
control systems. This manual could be kept in paper or electronic form. 
It is recommended that electronic copies of the manual be maintained in 
the same manner as other electronic records kept for this part and that 
it be included in the railroad's configuration management plan (with 
the master copy and dated amendments carefully maintained so that the 
status of instructions to the field as of any given date can be readily 
determined).
    Proposed paragraph (a) would require that the manual be available 
to both persons required to perform such tasks and to FRA. Proposed 
paragraph (b) would require that plans necessary for proper maintenance 
and testing of products be correct, legible, and available where such 
systems are deployed or maintained. The paragraph also proposes that 
the manual identify the current version of software installed, 
revisions, and revision dates. Proposed paragraph (c) would require 
that the manual identify the hardware, software, and firmware revisions 
in accordance with the configuration management requirement. Proposed 
paragraph (d) would require the identification, replacement, handling, 
and repair of safety critical components in accordance with the 
configuration management requirements. Finally, proposed paragraph (e) 
would require the manual be ready for use prior to deployment of the 
product, and that it is available for FRA review.
Section 229.317 Training and Qualification Program
    This section proposes specific parameters for training railroad 
employees and contractor employees to ensure they have the necessary 
knowledge and skills to complete their duties related to safety-
critical products. Proposed paragraph (a) would require the training to 
be formally conducted and documented based on educational best 
practices. Paragraphs (b) and (c) propose that the employer identify 
employees that will be performing inspection, testing, maintenance, 
repairing, dispatching, and operating tasks related to the safety 
critical locomotive systems, and develop a written task analysis for 
the performance of duties. The employer to identify additional 
knowledge and skills above those required for basic job performance 
necessary to perform each task. Work situations often present 
unexpected challenges, and employees who understand the context within 
which the job is to be done would be better able to respond with 
actions that preserve safety. Further, the specific requirements of the 
job would be better understood; and requirements that are better 
understood are more likely to be adhered to. Well-informed employees 
would be less likely to conduct ad hoc troubleshooting; and therefore, 
should be of greater value in assisting with troubleshooting.
    Proposed paragraph (d) would require the employer to develop a 
training curriculum that includes either classroom, hands-on, or other 
formally-structured training designed to impart the knowledge and 
skills necessary to perform each task.
    Paragraph (e) proposes a requirement that all persons subject to 
training requirements and their direct supervisors must successfully 
complete the training curriculum and pass an examination for the tasks 
for which they are responsible. Generally, giving appropriate training 
to each of these employees prior to task assignment would be required. 
The exception would be when an employee, who has not received the 
appropriate training, is conducting the task under the direct, on-site 
supervision of a qualified person.
    Proposed paragraph (f) would require periodic refresher training. 
This periodic training must include classroom, hands-on, computer-based 
training, or other formally structured training. The intent would be 
for personnel to maintain the knowledge and skills required to perform 
their assigned task safely.
    Paragraph (g) proposes a requirement to compare and evaluate the 
effectiveness of training. The evaluation would first determine whether 
the training program materials and curriculum are imparting the 
specific skills, knowledge, and abilities to accomplish the stated 
goals of the training program; and second, determine whether the stated 
goals of the training program reflect the correct, and current, 
products and operations.
    Paragraph (h) proposes that the railroad must maintain records that 
designate qualified persons. Records retention would be required until 
recording new qualifications, or for at least one year after such 
person(s) leave applicable service. The records would be required to be 
available for FRA inspection and copying.
Section 229.319 Operating Personnel Training
    This section contains proposed minimum training requirements for 
locomotive engineers and other operating personnel who interact with 
safety critical locomotive control systems. ``Other operating 
personnel'' would refer to onboard train and engine crew members (i.e., 
conductors, brakemen, and assistant engineers).
    Proposed paragraph (a) would require training to contain 
familiarization with the onboard equipment and the functioning of that 
equipment as part of and its relationship to other onboard systems 
under that person's control. The training program would be required to 
cover all notifications by the system (i.e., onboard displays) and 
actions or responses to such notifications required by onboard 
personnel. The training would also be required to address how each 
action or response ensures proper operation of the system and safe 
operation of the train.
    During system operations emergent conditions could arise which 
would affect the safe operation of the system. This section would also 
require operating personnel to be informed as soon as practical after 
discovery of the

[[Page 2219]]

condition, and any special actions required for safe train operations.
    Paragraph (b) proposes that for certified locomotive engineers, the 
training requirements of this section would be required to be 
integrated into the training requirements of part 240. Although this 
requirement would only address engineers, in the event of certification 
of other operating personnel, the expectation that these requirements 
would be included into their training requirements.
Appendix F--Recommended Practices for Design and Safety Analysis
    Appendix F proposes a set of criteria for performing risk 
management design of locomotive control systems. FRA recognizes that 
not all safety risks associated with human error can be eliminated by 
designs, no matter how well trained and skilled the designers, 
implementers, and operators. The intention of the appendix would be to 
provide one set of safety guidelines distilled from proven design 
considerations. There are numerous other approaches to risk management-
based design. The basic principles of this appendix capture the lessons 
learned from the research, design, and implementation of similar 
technology in other modes of transportation and other industries. The 
overriding goal of this appendix is to minimize the potential for 
design-induced error by ensuring that systems are suitable for 
operators, and their tasks and environment.
    FRA believes that new locomotive systems will be in service for a 
long period. Over time, there will be system modifications from the 
original design. FRA is concerned subsequent modifications to a product 
might not conform to the product's original design philosophy. The 
original designers of products could likely be unavailable after 
several years of operation of the product. FRA believes mitigating this 
is most successful by fully explaining and documenting the original 
design decisions and their rationale. Further, FRA feels that 
assumption of a long product life cycles during the design and analysis 
phase will force product designers and users to consider long-term 
effects of operation. Such a criterion would not be applicable if, for 
instance, the railroad limited the product's term of proposed use.
    Translation of these guidelines into processes helps ensure the 
safe performance of the product and minimizes failures that would have 
the potential to affect the safety of railroad operations. Fault paths 
are essential to establishing failure modes and appropriate 
mitigations. Failing to identify a fault path can have the effect of 
making a system seem safer on paper than it actually is. When an 
unidentified fault path is discovered in service which leads to a 
previously unidentified safety-relevant hazard, the threshold in the 
safety analysis is automatically exceeded, and the both the designer 
and the railroad must take mitigating measures. The frequency of such 
discoveries relates to the quality of the safety analysis efforts. 
Safety analyses of poor quality are more likely to lead to in-service 
discovery of unidentified fault paths. Some of those paths might lead 
to potential serious consequences, while others might have less serious 
consequences.
    Given technology, cost, and other constraints there are limitations 
regarding the level of safety obtainable. FRA recognizes this. However, 
FRA also believes that there are well-established and proven design and 
analysis techniques that can successfully mitigate these design 
restrictions. The use of proven safety considerations and concepts is 
necessary for the development of products. Only by forcing conscious 
decisions by the designer on risk mitigation techniques adopted, and 
justifying those choices (and their decision that a mitigation 
technique is not applicable) does the designer fully consider the 
implications of those choices. FRA notes that in normal operation, the 
product design should preclude human errors that cause a safety hazard. 
In addition to documenting design decisions, describing system 
requirements within the context of the concept of operations further 
mitigates against the loss of individual designers. In summary, the 
recommended approach ensures retention of a body of corporate knowledge 
regarding the product, and influences on the safety of the design. It 
also promotes full disclosure of safety risks to minimize or 
eliminating elements of risk where practical.

C. Proposed Amendments to Part 238

Section 238.105 Train Electronic Hardware and Software Safety
    This section proposes the incorporation of existing waivers and 
addresses certain operational realities. Since the implementation of 
the Passenger Equipment Safety Standards, FRA has granted one waiver 
from the requirements of Sec.  238.105(d) (FRA-2004-19396) for 26 EMU 
bi-level passenger cars operated by Northeastern Illinois Regional 
Commuter Railroad Corporation (METRA). FRA is in receipt of a second 
waiver (FRA-2008-0139) for 14 new EMU bi-level passenger cars to be 
operated by Northern Indiana Commuter Transportation District. There 
are over 1000 EMU passenger cars (M-7) being operated by Long Island 
Railroad & Metro-North Commuter Railroad (MNCW) for the past five years 
that FRA has discovered will need a waiver to be in compliance with 
Sec.  238.105(d). The MNCW has placed an order for additional 300 plus 
options, EMU passenger cars (M-8) that will also need a waiver from the 
requirements of existing Sec.  238.105(d).
    The portion of the requirements that these cars' brake systems 
cannot satisfy is the requirement for a full service brake in the event 
of hardware/software failure of the brake system or access to direct 
manual control of the primary braking system both service and emergency 
braking. The braking system on these cars does not have the full 
service function but does default to emergency brake application in the 
event of hardware/software failure of the brake system and the operator 
has the ability to apply the brake system at an emergency rate from the 
conductor's valve located in the cab. A slight change to the language 
in Sec.  238.105 would alleviate the need for these waivers and would 
not reduce the braking rate of the equipment or the stop distances.
Section 238.309 Periodic Brake Equipment Maintenance
    For convenience and clarity, FRA proposes to consolidate locomotive 
air brake maintenance for conventional locomotives into part 229. No 
substantive change to the regulation would result. Currently, because 
conventional locomotives are used in passenger service, certain air 
brake maintenance requirements are included in the Passenger Equipment 
Safety Standards contained in part 238. Placing all of the requirements 
for conventional locomotives in part 229 would make the standards 
easier to follow and avoid confusion.
    The proposed brake maintenance in this section would also extend 
the intervals at which required brake maintenance is performed for 
several types of brake systems for non-conventional locomotives. The 
length of the proposed intervals reflects the results of studies and 
performance evaluations related to a series of waivers starting in 1981 
and continuing to present day. Overall, the type of brake maintenance 
that would be required would remain the same.

[[Page 2220]]

VII. Regulatory Impact and Notices

Executive Order 12866 and DOT Regulatory Policies and Procedures

    This proposed rule has been evaluated in accordance with existing 
policies and procedures, and determined to be non-significant under 
both Executive Order 12866 and DOT policies and procedures (44 FR 
11034; February 26, 1979). FRA has prepared and placed in the docket a 
regulatory analysis addressing the economic impact of this proposed 
rule. Document inspection and copying facilities are available at Room 
W12-140 on the Ground level of the West Building, 1200 New Jersey 
Avenue, SE., Washington, DC 20590.
    As part of the regulatory impact analysis FRA has assessed 
quantitative measurements of cost and benefit streams expected from the 
adoption of this proposed rule. This analysis includes qualitative 
discussions and quantitative measurements of costs and benefits of the 
proposed regulatory text in this rulemaking. The primary costs or 
burdens in this proposed rule are from the alerter and revised minimum 
(i.e., cold weather) cab temperature requirements. The savings will 
accrue from fewer train accidents, future waivers, and waiver renewals. 
In addition, savings would also accrue from a reduction in downtime for 
locomotives due to proposed changes to headlight and brake 
requirements. For the twenty year period the estimated quantified costs 
have a Present Value (PV) 7% of $7 million. For this period the 
estimated quantified benefits have a PV, 7% of $7.3 million.

Regulatory Flexibility Act and Executive Order 13272

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) and Executive 
Order 13272 require a review of proposed and final rules to assess 
their impacts on small entities. An agency must prepare an initial 
regulatory flexibility analysis (IRFA) unless it determines and 
certifies that a rule, if promulgated, would not have a significant 
impact on a substantial number of small entities. FRA is confident that 
this proposed rule would not impose a significant economic impact on a 
substantial number of small entities. However, FRA is reserving the 
final decision on certification for the final rule. Hence, interested 
parties are invited to submit data and information regarding the 
potential economic impact that would result from adoption of the 
proposals in the NPRM. Comments and input that FRA receives during the 
comment period of this rulemaking will assist the agency in making its 
final decision. FRA estimates that only 12 percent of the total cost 
associated with implementing the proposed rule would be borne by small 
entities and most of that will be the cost for the proposed cab 
temperature change.
    Below FRA provides the process it went through when assessing the 
potential impacts of this rule on small entities.
1. Reasons for Considering Agency Action
    As discussed in earlier sections of the preamble to this 
rulemaking, in its efforts to update and re-evaluate its current 
regulations FRA formed an RSAC Working Group to review 49 CFR part 229 
and recommend revisions as appropriate. Thus the proposed revisions in 
this rulemaking serve to update a regulation that was originally 
promulgated prior to 1980. It will clarify some existing requirements, 
and incorporate some existing industry standards. In addition it will 
incorporate some current waivers that some members of the industry 
have, and some engineering best practices. Most of these revisions add 
clarity to the rule, reduce industry burden to comply with some 
requirements, and in some cases streamline or consolidate the FRA 
requirements. Some revisions are intended to enhance railroad safety.
2. Objectives and Legal Basis for the Proposed Rule
(a) Legal Basis for the Proposed Rule
    Railroad locomotive inspection requirements are one of the oldest 
areas of Federal safety regulations. The primary statutory authority, 
The Locomotive Inspection Act, was enacted in 1911. Pursuant to that 
authority, in the area of locomotive safety, FRA has issued regulations 
found at part 229 addressing topics such as inspections and tests, 
safety requirements for brake, draft, suspension, and electrical 
systems, and cabs and cab equipment.
    FRA has broad statutory authority to regulate railroad safety. The 
Locomotive Inspection Act (formerly 45 U.S.C. 22-34, now 49 U.S.C. 
20701-20703) prohibits the use of unsafe locomotives and authorizes FRA 
to issue standards for locomotive maintenance and testing. In order to 
further FRA's ability to respond effectively to contemporary safety 
problems and hazards as they arise in the railroad industry, Congress 
enacted the Federal Railroad Safety Act of 1970 (Safety Act) (formerly 
45 U.S.C. 421, 431 et seq., now found primarily in chapter 201 of Title 
49). The Safety Act grants the Secretary of Transportation rulemaking 
authority over all areas of railroad safety (49 U.S.C. 20103(a)) and 
confers all powers necessary to detect and penalize violations of any 
rail safety law. This authority was subsequently delegated to the FRA 
Administrator (49 CFR 1.49) (Until July 5, 1994, the Federal railroad 
safety statutes existed as separate acts found primarily in title 45 of 
the United States Code. On that date, all of the acts were repealed, 
and their provisions were recodified into title 49 of the United States 
Code).
(b) Objective of the Proposed Rule
    This action is taken by FRA in an effort to enhance its safety 
regulatory program. The proposed revision would update, consolidate, 
and clarify existing rules, and incorporate existing industry and 
engineering best practices.
3. Description and Estimate of Small Entities Affected
    The ``universe'' of the entities to be considered generally 
includes only those small entities that can reasonably be expected to 
be directly regulated by this action. Two types of small entities are 
potentially affected by this rulemaking: (1) Small railroads, and (2) 
governmental jurisdictions of small communities.
    ``Small entity'' is defined in 5 U.S.C. 601. Section 601(3) defines 
a ``small entity'' as having the same meaning as ``small business 
concern'' under section 3 of the Small Business Act. This includes any 
small business concern that is independently owned and operated, and is 
not dominant in its field of operation. Section 601(4) includes not-
for-profit enterprises that are independently owned and operated, and 
are not dominant in their field of operations within the definition of 
``small entities.'' Additionally, section 601(5) defines as ``small 
entities'' governments of cities, counties, towns, townships, villages, 
school districts, or special districts with populations less than 
50,000.
    The U.S. Small Business Administration (SBA) stipulates ``size 
standards'' for small entities. It provides that the largest a for-
profit railroad business firm may be (and still classify as a ``small 
entity'') is 1,500 employees for ``Line-Haul Operating'' railroads, and 
500 employees for ``Short-Line Operating'' railroads.\1\
---------------------------------------------------------------------------

    \1\ ``Table of Size Standards,'' U.S. Small Business 
Administration, January 31, 1996, 13 CFR part 121. See also NAICS 
Codes 482111 and 482112.
---------------------------------------------------------------------------

    SBA size standards may be altered by Federal agencies in 
consultation with SBA, and in conjunction with public comment. Pursuant 
to the authority

[[Page 2221]]

provided to it by SBA, FRA has published a final policy, which formally 
establishes small entities as railroads that meet the line haulage 
revenue requirements of a Class III railroad.\2\ Currently, the revenue 
requirements are $20 million or less in annual operating revenue, 
adjusted annually for inflation. The $20 million limit (adjusted 
annually for inflation) is based on the Surface Transportation Board's 
threshold of a Class III railroad carrier, which is adjusted by 
applying the railroad revenue deflator adjustment.\3\ The same dollar 
limit on revenues is established to determine whether a railroad 
shipper or contractor is a small entity. FRA is proposing to use this 
definition for this rulemaking.
---------------------------------------------------------------------------

    \2\ See 68 FR 24891 (May 9, 2003).
    \3\ For further information on the calculation of the specific 
dollar limit, please see 49 CFR part 1201.
---------------------------------------------------------------------------

(a) Railroads
    There are approximately 685 small railroads meeting the definition 
of ``small entity'' as described above. FRA estimates that all of these 
small entities could potentially be impacted by one or more of the 
proposed changes in this rulemaking. Note, however, that approximately 
fifty of these railroads are subsidiaries of large short line holding 
companies with the technical multidisciplinary expertise and resources 
comparable to larger railroads. It is important to note that many of 
the changes or additions in this rulemaking will not impact all or many 
small railroads. The nature of some of the changes would dictate that 
the impacts primarily fall on large railroads that purchase new and/or 
electronically advanced locomotives. Small railroads generally do not 
purchase new locomotives, they tend to buy used locomotives from larger 
railroads. Also, two of the proposed requirements, i.e., requirements 
for alerters and RCL standards, would burden very few if any small 
railroads. The most burdensome requirement for small railroads would be 
the proposed revisions to cab temperature since older locomotives are 
less likely to meet the revised standards and small railroads tend to 
own older locomotives. It is also important to note that the proposed 
changes only apply to non-steam locomotives. There are some small 
railroads that own one or more steam locomotives which these changes 
will not impact. There are a few small railroads that own all or almost 
all steam locomotives. Most of these entities are either museum 
railroads or tourist railroads. For these entities this proposed 
regulations would have very little or no impact. FRA estimates that 
there are about five small railroads that only own steam locomotives.
(b) Governmental Jurisdictions of Small Communities
    Small entities that are classified as governmental jurisdictions 
would also be affected by the proposals in this rulemaking. As stated 
above, and defined by SBA, this term refers to governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts with populations of less than 50,000. FRA does not expect 
this group of entities to be impacted.
    The rule would apply to governmental jurisdictions or transit 
authorities that provide commuter rail service--none of which is small 
as defined above (i.e., no entity serves a locality with a population 
less than 50,000). These entities also receive Federal transportation 
funds. Intercity rail service providers Amtrak and the Alaska Railroad 
Corporation would also be subject to this rule, but they are not small 
entities and likewise receive Federal transportation funds. While other 
railroads are subject to this final rule by the application of Sec.  
238.3, FRA is not aware of any railroad subject to this rule that is a 
small entity that will be impacted by this rule.
4. Description of Reporting, Recordkeeping, and Other Compliance 
Requirements and Impacts on Small Entities Resulting From Specific 
Requirements
    The impacts to small railroads from this rulemaking would primarily 
result from proposed alerter requirements and cold weather cab 
temperature change. The rulemaking should result in regulatory relief 
for many railroads. The proposed rule clarifies some existing sections, 
adds some existing industry standards, and it incorporates some current 
waivers.
(a) Remote Control Locomotives Sec.  229.15
    FRA proposes to formally codify safety standards for remote control 
operated locomotives. Such standards should not impact any small 
railroads. FRA does not know of any small railroads that use RCL 
operations. In addition, RCL operations are not required to operate a 
railroad. The conduction of future RCL operations by small railroads 
would be is a business decision that takes into consideration 
regulatory costs.
(b) Electronic Recordkeeping Sec.  229.20
    This proposed section permits the use of electronic recordkeeping 
systems related to the maintenance of records related to locomotives. 
This proposed section does not require electronic recordkeeping. FRA is 
not aware of any small railroads that would utilize this proposed 
provision. FRA also anticipates cost savings for any railroad that 
would utilize the provisions.
(c) Periodic Inspection: General Sec.  229.23
    This section would require railroads that choose to maintain and 
transfer records electronically as provided for in Sec.  229.20, to 
print the name of the person who performed the inspections, repairs, or 
certified work on the Form FRA F 6180-49A that is displayed in the cab 
of each locomotive. As small railroads are not likely to maintain 
records electronically, the proposed changes to this section would not 
impact any small railroads.
(d) Test: Every Periodic Inspection Sec.  229.25
    Two additional paragraphs are proposed in this section to include 
inspection requirements for remote control locomotives and locomotive 
alerters during the 92-day Periodic Inspection. Since almost no small 
railroads utilize RCL or have locomotives and many small railroad 
operations would not require alerters, these new paragraphs are not 
expected to have a significant impact on small railroads. In general, 
older locomotives, which are less likely to be equipped with alerters, 
are used for lower speed operations. Small railroads commonly engage in 
such operations and thus a substantial number would probably not be 
impacted by the proposed alerter inspection requirement.
(e) Air Brake System Maintenance and Testing Sec.  229.29
    This section would be re-titled, and consolidate and better 
organize existing requirements to improve clarity. Because 49 CFR 
229.29 concerns only brakes, it would be re-titled, ``Air Brake System 
Maintenance and Testing'' to more accurately reflect the section's 
content. In addition, the proposed changes to this section would fold 
the current waivers for air brakes into the regulation. Thus, these 
changes may seem to add more to the section, but they actually provide 
longer inspection periods for some air brake systems. This will 
produces two benefits. First it will produce a cost savings for future 
waivers and waiver renewals. Second, it will produce a benefit for 
other entities that happen to have one of these types of air brake 
systems, and do not currently have a waiver. The length of the proposed 
intervals reflects the results of studies and performance

[[Page 2222]]

evaluations related to a series of waivers starting in 1981 and 
continuing to present day. The proposed changes for this section will 
not impact many, if any, small railroads. The air brake systems that 
the proposed provisions cover are systems used by newer locomotives. 
Since most small railroads do not own newer locomotives, the proposed 
changes to this section should have no impact on any small entities.
(f) Brakes General Sec.  229.46
    FRA proposes to clarify this section, and provide standards for the 
safe use of a locomotive with an inoperative or ineffective automatic 
or independent brake. The proposal would not require the automatic or 
independent brake to be repaired. However, the requirement to place a 
tag on the isolation switch would notify the crew that the locomotive 
could be used only according to Sec.  229.46(b) until it is repaired. 
Basically under the current rule such a locomotive could only be moved 
under the requirements of Sec.  229.9, until the next daily inspection 
or a location where repairs could be made. With the proposed 
requirement the locomotive can continue to be utilized in a non-lead 
position until repaired or until it receives a periodic inspection. 
This proposed change is expected to produce cost savings for railroads 
and therefore is not expected to impose any negative burdens on small 
railroads.
(g) Steam Generator Inspections and Tests Sec.  229.4
    This proposed section is being added to consolidate the steam 
generator requirements of part 229 into a single section. The proposal 
would not change the substance of the requirements. Therefore no small 
railroads will be negatively impacted by the proposed change.
(h) Locomotive Cab Temperature Sec.  229.119
    This rulemaking includes a revision to paragraph (d) of Sec.  
229.119, Cab Temperature. The proposed rule is increasing the minimum 
temperature that must be maintained in the locomotive cab from 50 
degree to 60 degrees. This proposed change is not one that the RSAC 
Working Group agreed to. It is based on an FRA recommendation.
    FRA estimates that two percent of the locomotive fleet for the 
industry will need improved maintenance of their heaters. Also FRA 
estimates that one percent of the locomotive fleet for the industry 
will require additional heaters installed to meet the proposed 
requirement. This represents 530 and 265 locomotives, respectively. 
This requirement would likely affect many yard/switching locomotives of 
various size railroads. Such locomotives generally tend to be older 
than most road locomotives. Small railroads would also be impacted 
because they generally operate older locomotives as well. The cost of 
adding a heater to a locomotive is about $500. Annual maintenance cost 
to ensure heaters work as necessary to comply with the higher minimum 
temperature requirements is estimated at $100 per locomotive per year. 
The average life expectancy of a heater is about 10 years and many 
older locomotives could be retired before replacement is necessary. FRA 
estimates that approximately 60 percent of this cost would be borne by 
small railroads. This is the most significant cost that would burden 
small railroads.
(i) Pilots, Snowplows and End Plates; and Headlights Sec. Sec.  229.123 
through 229.125
    The proposed rule includes changes to Sections 229.123 for 
snowplows and endplates and Sec.  229.125 for headlights. The proposed 
changes for both sections are more permissive, increase the flexibility 
of the rule, and will serve to decrease the number of waiver requests 
that the railroad industry submits to FRA. FRA does not see any 
negative impact being imposed on small entities by the proposed changes 
in these sections.
(j) Alerters Sec.  229.140
    Alerters are common safety devices intended to verify that 
locomotive engineers remain capable and vigilant to accomplish the 
tasks that he or she must perform. This proposed section would require 
locomotives that operate over 25 mph to be equipped with an alerter, 
and would require the alerter to perform certain functions. FRA is 
estimating that there will be a regulatory impact from this proposal. 
However, very few, if any, shortline railroads operate trains at speed 
that exceed 25 mph. Therefore this proposal is not expected to have an 
impact on small entities. FRA specifically requests comments regarding 
this estimate.
(k) Locomotive Electronics, Subpart E
    FRA is proposing a new Subpart titled ``locomotive electronics.'' 
The purpose of this subpart is to promote the safe design, operation, 
and maintenance of safety-critical electronic locomotive systems, 
subsystems, and components. It is important to first note that these 
proposed requirements only apply to new locomotives. Second, the 
effective date for products in development is delayed by a few 
additional years. As a practical matter, there are no costs for the 
requirements of this proposed subpart because it is simply codifying 
good engineering practices. Since generally small railroads do not 
purchase new locomotives this proposed new subpart is not expected to 
have an impact on any small railroads.
5. Identification of Relevant Duplicative, Overlapping, or Conflicting 
Federal Rules
    There are no Federal rules that would duplicate, overlap, or 
conflict with this proposed rule.
6. Alternatives Considered
    FRA has identified no significant alternative to the proposed rule 
which meets the agency's objective in promulgating this rule, and that 
would minimize the economic impact of the proposed rule on small 
entities. As in all aspects of this IRFA, FRA requests comments on this 
finding of no significant alternative related to small entities. The 
process by which this proposed rule was developed provided outreach to 
small entities. As noted earlier in sections I, II, and III of this 
preamble, this notice was developed in consultation with industry 
representatives via the RSAC, which includes small railroad 
representatives. On September 21, 2006, the full RSAC unanimously 
adopted the Working Group's recommendation on locomotive sanders as its 
recommendation to FRA. The next twelve Working Group meeting addressed 
a wide range of locomotive safety issues. Minutes of these meetings 
have been made part of the docket in this proceeding. On September 10, 
2009, after a series of detailed discussions, the RSAC approved and 
provided recommendations on a wide range of locomotive safety issues 
including, locomotive brake maintenance, pilot height, headlight 
operation, danger markings, and locomotive electronics.

Paperwork Reduction Act

    The information collection requirements in this proposed rule have 
been submitted for approval to the Office of Management and Budget 
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. 
The sections that contain the new and current information collection 
requirements and the estimated time to fulfill each requirement are as 
follows:

[[Page 2223]]



----------------------------------------------------------------------------------------------------------------
                                        Respondent          Total annual       Average time per    Total annual
           CFR Section                   universe            responses             response        burden hours
----------------------------------------------------------------------------------------------------------------
229.9-Movement of Non-Complying    44 Railroads.......  21,000 tags........  1 minute...........             350
 Locomotives.
229.15--Remote Control
 Locomotives (RCL)--(New
 Requirements).
--Tagging at Control Stand         44 Railroads.......  3,000 tags.........  2 minutes..........             100
 Throttle.
--Testing and Repair of            44 Railroads.......  200 testing/repair   5 minutes..........              17
 Operational Control Unit (OCU)                          records.
 on RCL--Records.
229.17--Accident Reports.........  44 Railroads.......  1 report...........  15 minutes.........             .25
229.20--Electronic Recordkeeping-- 44 Railroads.......  21,000               1 second...........               6
 Electronic Record of Inspections                        notifications.
 and Maintenance and Automatic
 Notification to Railroad that
 Locomotive is Due for Inspection
 (New Requirement).
229.21--Daily Inspection.........  720 Railroads......  6,890,000 records..  16 or 18 min.......       1,911,780
--MU Locomotives: Written Reports  720 Railroads......  250 reports........  13 minutes.........              54
Form FRA F 6180.49A Locomotive     720 Railroads......  4,000 forms........  2 minutes..........             133
 Inspection/Repair Record.
210.31--Main Reservoir Tests--     720 Railroads......  19,000 tests/forms.  8 hours............         152,000
 Form FRA F 6180.49A.
229.23/229.27/229.29/229.31--      720 Railroads......  19,000 records.....  2 minutes..........             633
 Periodic Inspection/Annual
 Biennial Tests/Main Res. Tests--
 Secondary Records of Information
 on Form FRA F 6180.49A.
--List of Defects and Repairs on   720 Railroads......  4,000 lists + 4,000  2 minutes..........             266
 Each Locomotive and Copy to                             copies.
 Employees Performing Insp. (New
 Requirement).
Document to Employees Performing   720 Railroads......  19,000 documents...  2 minutes..........             633
 Inspections of All Tests Since
 Last Periodic Inspection (New
 Requirement).
229.33--Out-of Use Credit........  720 Railroads......  500 notations......  5 minutes..........              42
229.25(1)--Test: Every Periodic    720 Railroads......  200 amendments.....  15 minutes.........              50
 Insp.--Written Copies of
 Instruction.
229.25(2)--Duty Verification       720 Railroads......  4,025 records......  90 minutes.........           6,038
 Readout Record.
229.25(3)--Pre-Maintenance Test--  720 Railroads......  700 notations......  30 minutes.........             350
 Failures.
229.135(A.)--Removal From Service  720 Railroads......  1,000 tags.........  1 minute...........              17
229.135(B.)--Preserving Accident   720 Railroads......  10,000 reports.....  15 minutes.........           2,500
 Data.
229.27--Annual Tests.............  720 Railroads......  700 test records...  90 minutes.........           1,050
229.29--Air Brake System           720 Railroads......  88,000 tests/        15 seconds.........             367
 Maintenance and Testing (New                            records.
 Requirement)--Air Flow Meter
 Testing--Record.
229.46--Brakes General--Tagging    720 Railroads......  2,100 tags.........  2 minutes..........              70
 Isolation Switch of Locomotive
 That May Only Be Used in
 Trailing Position (New
 Requirement).
229.85--Danger Markings on All     720 Railroads......  1,000 decals.......  1 minute...........              17
 Doors, Cover Plates, or Barriers.
229.123--Pilots, Snowplows, End    720 Railroads......  20 stencilling.....  2 minutes..........               1
 Plates--Markings--Stencilling
 (New Requirement).
--Notation on Form FRA F 6180.49A  720 Railroads......  20 notations.......  2 minutes..........               1
 for Pilot, Snowplows, or End
 Plate Clearance Above Six Inches
 (New Requirement).
229.135--Event Recorders.........  720 Railroads......  1,000 Certified      2 hours............           2,000
229.135(b)(5)--Equipment                                 Memory Modules.
 Requirements--Remanufactured
 Locomotives with Certified
 Crashworthy Memory Module.
NEW REQUIREMENTS--SUBPART E--
 LOCOMOTIVE ELECTRONICS
229.303--Requests to FRA for       720 Railroads......  20 requests........  8 hours............             160
 Approval of On-Track Testing of
 Products Outside a Test Facility.
--Identification to FRA of         720 Railroads/3      20 products........  2 hours............              40
 Products Under Development.        Manufacturers.
229.307--Safety Analysis by RR of  720 Railroads......  300 analyses.......  240 hours..........          72,000
 Each Product Developed.
229.309--Notification to FRA of    720 Railroads......  10 notification....  16 hours...........             160
 Safety-Critical Change in
 Product.
Report to Railroad by Product      3 Manufacturers....  10 reports.........  8 hours............              80
 Suppliers/Private Equipment
 Owners of Previously
 Unidentified Hazards of a
 Product.
229.311--Review of Safety
 Analyses (SA).
--Notification to FRA of Railroad  720 Railroads......  300 notifications..  2 hours............             600
 Intent to Place Product In
 Service.
--RR Documents That Demonstrate    720 Railroads......  300 documents......  2 hours............             600
 Product Meets Safety
 Requirements of the SA for the
 Life-Cycle of Product.
--RR Database of All Safety        720 Railroads......  300 databases......  4 hours............           1,200
 Relevant Hazards Encountered
 with Product Placed in Service.
--Written Reports to FRA If        720 Railroads......  10 reports.........  2 hours............              20
 Frequency of Safety-Relevant
 Hazards Exceeds Threshold.
--Final Reports to FRA on          720 Railroads......  10 reports.........  4 hours............              40
 Countermeasures to Reduce
 Frequency of Safety-Relevant
 Hazard(s).
229.313--Product Testing Results-- 720 Railroads......  120,000 records....  5 minutes..........          10,000
 Records.

[[Page 2224]]

 
229.315--Operations and            720 Railroads......  300 manuals........  40 hours...........          12,000
 Maintenance Manual--All Product
 Documents.
--Configuration Management         720 Railroads......  300 plans..........  8 hours............           2,400
 Control Plans.
--Identification of Safety-        720 Railroads......  60,000 components..  5 minutes..........           5,000
 Critical Components.
229.317--Product Training and      720 Railroads......  300 programs.......  40 hours...........          12,000
 Qualifications Program.
--Product Training of Individuals  720 Railroads......  10,000 trained       30 minutes.........           5,000
                                                         employees.
--Refresher Training.............  720 Railroads......  1,000 trained        20 minutes.........             333
                                                         employees.
--RR Regular and Periodic          720 Railroads......  300 evaluations....  4 hours............           1,200
 Evaluation of Effectiveness of
 Training Program.
--Records of Qualified             727 Railroads......  10,000 records.....  10 minutes.........           1,667
 Individuals.
Appendix F--Guidance for           720 Railroads/3      1 assessment.......  4,000 hours........           4,000
 Verification and Validation of     Manufacturers.
 Product--Third Party Assessment.
--Reviewer Final Report..........  720 Railroads/3      1 report...........  80 hours...........              80
                                    Manufacturers.
----------------------------------------------------------------------------------------------------------------

    All estimates include the time for reviewing instructions; 
searching existing data sources; gathering or maintaining the needed 
data; and reviewing the information. Pursuant to 44 U.S.C. 
3506(c)(2)(B), FRA solicits comments concerning: Whether these 
information collection requirements are necessary for the proper 
performance of the functions of FRA, including whether the information 
has practical utility; the accuracy of FRA's estimates of the burden of 
the information collection requirements; the quality, utility, and 
clarity of the information to be collected; and whether the burden of 
collection of information on those who are to respond, including 
through the use of automated collection techniques or other forms of 
information technology, may be minimized. For information or a copy of 
the paperwork package submitted to OMB, contact Mr. Robert Brogan, 
Office of Safety, Information Clearance Officer, at 202-493-6292, or 
Ms. Kimberly Toone, Office of Information Technology, at 202-493-6139.
    Organizations and individuals desiring to submit comments on the 
collection of information requirements should direct them to Mr. Robert 
Brogan or Ms. Kimberly Toone, Federal Railroad Administration, 1200 New 
Jersey Avenue, SE., 3rd Floor, Washington, DC 20590. Comments may also 
be submitted via e-mail to Mr. Brogan or Ms. Toone at the following 
address: [email protected]; [email protected]
    OMB is required to make a decision concerning the collection of 
information requirements contained in this proposed rule between 30 and 
60 days after publication of this document in the Federal Register. 
Therefore, a comment to OMB is best assured of having its full effect 
if OMB receives it within 30 days of publication. The final rule will 
respond to any OMB or public comments on the information collection 
requirements contained in this proposal.
    FRA is not authorized to impose a penalty on persons for violating 
information collection requirements which do not display a current OMB 
control number, if required. FRA intends to obtain current OMB control 
numbers for any new information collection requirements resulting from 
this rulemaking action prior to the effective date of the final rule. 
The OMB control number, when assigned, will be announced by separate 
notice in the Federal Register.

Federalism Implications

    FRA has analyzed this proposed rule in accordance with the 
principles and criteria contained in Executive Order 13132, issued on 
August 4, 1999, which directs Federal agencies to exercise great care 
in establishing policies that have federalism implications. See 64 FR 
43255. This proposed rule will not have a substantial effect on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among 
various levels of government. This proposed rule will not have 
federalism implications that impose any direct compliance costs on 
State and local governments.
    FRA notes that the RSAC, which endorsed and recommended the 
majority of this proposed rule to FRA, has as permanent members, two 
organizations representing State and local interests: AASHTO and the 
Association of State Rail Safety Managers (ASRSM). Both of these State 
organizations concurred with the RSAC recommendation endorsing this 
proposed rule. The RSAC regularly provides recommendations to the FRA 
Administrator for solutions to regulatory issues that reflect 
significant input from its State members. To date, FRA has received no 
indication of concerns about the Federalism implications of this 
rulemaking from these representatives or of any other representatives 
of State government. Consequently, FRA concludes that this proposed 
rule has no federalism implications, other than the preemption of state 
laws covering the subject matter of this proposed rule, which occurs by 
operation of law as discussed below.
    This proposed rule could have preemptive effect by operation of law 
under certain provisions of the Federal railroad safety statutes, 
specifically the former Federal Railroad Safety Act of 1970 (former 
FRSA), repealed and recodified at 49 U.S.C. 20106, and the former 
Locomotive Boiler Inspection Act at 45 U.S.C. 22-34, repealed and 
recodified at 49 U.S.C. 20701-20703. The former FRSA provides that 
States may not adopt or continue in effect any law, regulation, or 
order related to railroad safety or security that covers the subject 
matter of a regulation prescribed or order issued by the Secretary of 
Transportation (with respect to railroad safety matters) or the 
Secretary of Homeland Security (with respect to railroad security 
matters), except when the State law, regulation, or order qualifies 
under the ``local safety or security hazard'' exception to section 
20106. Moreover, the former LIA has been interpreted by the Supreme 
Court as preempting the field concerning locomotive safety. See Napier 
v. Atlantic Coast Line R.R., 272 U.S. 605 (1926).

Environmental Impact

    FRA has evaluated this proposed regulation in accordance with its 
``Procedures for Considering Environmental Impacts'' (FRA's Procedures) 
(64 FR 28545, May 26, 1999) as required by the National

[[Page 2225]]

Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental 
statutes, Executive Orders, and related regulatory requirements. FRA 
has determined that this proposed regulation is not a major FRA action 
(requiring the preparation of an environmental impact statement or 
environmental assessment) because it is categorically excluded from 
detailed environmental review pursuant to section 4(c)(20) of FRA's 
Procedures. 64 FR 28547, May 26, 1999. Section 4(c)(20) reads as 
follows: (c) Actions categorically excluded. Certain classes of FRA 
actions have been determined to be categorically excluded from the 
requirements of these Procedures as they do not individually or 
cumulatively have a significant effect on the human environment. 
Promulgation of railroad safety rules and policy statements that do not 
result in significantly increased emissions or air or water pollutants 
or noise or increased traffic congestion in any mode of transportation 
are excluded.
    In accordance with section 4(c) and (e) of FRA's Procedures, the 
agency has further concluded that no extraordinary circumstances exist 
with respect to this regulation that might trigger the need for a more 
detailed environmental review. As a result, FRA finds that this 
proposed regulation is not a major Federal action significantly 
affecting the quality of the human environment.

Unfunded Mandates Reform Act of 1995

    Pursuant to Section 201 of the Unfunded Mandates Reform Act of 1995 
(Pub. L. 104-4, 2 U.S.C. 1531), each Federal agency ``shall, unless 
otherwise prohibited by law, assess the effects of Federal regulatory 
actions on State, local, and tribal governments, and the private sector 
(other than to the extent that such regulations incorporate 
requirements specifically set forth in law).'' Section 202 of the Act 
(2 U.S.C. 1532) further requires that ``before promulgating any general 
notice of proposed rulemaking that is likely to result in the 
promulgation of any rule that includes any Federal mandate that may 
result in expenditure by State, local, and tribal governments, in the 
aggregate, or by the private sector, of $100,000,000 or more (adjusted 
annually for inflation) in any 1 year, and before promulgating any 
final rule for which a general notice of proposed rulemaking was 
published, the agency shall prepare a written statement'' detailing the 
effect on State, local, and tribal governments and the private sector. 
For the year 2010, this monetary amount of $100,000,000 has been 
adjusted to $140,800,000 to account for inflation. This proposed rule 
would not result in the expenditure of more than $140,800,000 by the 
public sector in any one year, and thus preparation of such a statement 
is not required.

Privacy Act

    FRA wishes to inform all potential commenters that anyone is able 
to search the electronic form of all comments received into any agency 
docket by the name of the individual submitting the comment (or signing 
the comment, if submitted on behalf of an association, business, labor 
union, etc.). You may review DOT's complete Privacy Act Statement in 
the Federal Register published on April 11, 2000 (Volume 65, Number 70; 
Pages 19477-78) or you may visit http://dms.dot.gov.

List of Subjects

49 CFR Part 229

    Locomotive headlights, Locomotives, Railroad safety.

49 CFR Part 238

    Passenger equipment, Penalties, Railroad safety, Reporting and 
recordkeeping requirements.

The Proposed Rule

    For the reasons discussed in the preamble, FRA proposes to amend 
parts 229 and 238 of chapter II, subtitle B of Title 49, Code of 
Federal Regulations, as follows:

PART 229--[AMENDED]

    1. The authority citation for part 229 continues to read as 
follows:

    Authority:  49 U.S.C. 20102-03, 20107, 20133, 20137-38, 20143, 
20701-03, 21301-02, 21304; 28 U.S.C. 2401, note; and 49 CFR 1.49.

    2. Section 229.5 is amended by adding in alphabetical order the 
following definitions to read as follows:


Sec.  229.5  Definitions.

* * * * *
    Alerter means a device or system installed in the locomotive cab to 
promote continuous, active locomotive engineer attentiveness by 
monitoring select locomotive engineer-induced control activities. If 
fluctuation of a monitored locomotive engineer-induced control activity 
is not detected within a predetermined time, a sequence of audible and 
visual alarms is activated so as to progressively prompt a response by 
the locomotive engineer. Failure by the locomotive engineer to 
institute a change of state in a monitored control, or acknowledge the 
alerter alarm activity through a manual reset provision, results in a 
penalty brake application that brings the locomotive or train to a 
stop.
* * * * *
    Assignment Address means a unique identifier of the RCL that 
insures that only the OCU's linked to a specific RCL can command that 
RCL.
* * * * *
    Controlling locomotive means a locomotive from where the operator 
controls the traction and braking functions of the locomotive or 
locomotive consist, normally the lead locomotive.
* * * * *
    Locomotive Control Unit (LCU) means a system onboard an RCL that 
communicates via a radio link which receives, processes, and confirms 
commands from the OCU, which directs the locomotive to execute them.
* * * * *
    Operator Control Unit (OCU) means a mobile unit that communicates 
via a radio link the commands for movement (direction, speed, braking) 
or for operations (bell, horn, sand) to an RCL.
* * * * *
    Remote Control Locomotive (RCL) means a remote control locomotive 
that, through use of a radio link can be operated by a person not 
physically within the confines of the locomotive cab. For purposes of 
this definition, the term RCL does not refer to a locomotive or group 
of locomotives remotely controlled from the lead locomotive of a train, 
as in a distributed power arrangement.
    Remote Control Operator (RCO) means a person who utilizes an OCU in 
connection with operations involving a RCL with or without cars.
    Remote Control Pullback Protection means a function of a RCL that 
enforces speeds and stops in the direction of pulling movement.
* * * * *
    3. Section 229.7 is revised to read as follows:


Sec.  229.7  Prohibited acts and penalties.

    (a) Federal Rail Safety Law (49 U.S.C. 20701-20703) makes it 
unlawful for any carrier to use or permit to be used on its line any 
locomotive unless the entire locomotive and its appurtenances--
    (1) Are in proper condition and safe to operate in the service to 
which they are put, without unnecessary peril to life or limb; and
    (2) Have been inspected and tested as required by this part.
    (b) Any person (including but not limited to a railroad; any 
manager, supervisor, official, or other employee or agent of a 
railroad; any owner, manufacturer, lessor, or lessee of

[[Page 2226]]

railroad equipment, track, or facilities; any employee of such owner, 
manufacturer, lessor, lessee, or independent contractor) who violates 
any requirement of this part or of the Federal Rail Safety Laws or 
causes the violation of any such requirement is subject to a civil 
penalty of at least $650, but not more than $25,000 per violation, 
except that: Penalties may be assessed against individuals only for 
willful violations, and, where a grossly negligent violation or a 
pattern of repeated violations has created an imminent hazard of death 
or injury to persons, or has caused death or injury, a penalty not to 
exceed $100,000 per violation may be assessed. Each day a violation 
continues shall constitute a separate offense. Appendix B of this part 
contains a statement of agency civil penalty policy.
    (c) Any person who knowingly and willfully falsifies a record or 
report required by this part is subject to criminal penalties under 49 
U.S.C. 21311.
    4. Section 229.15 is added to read as follows:


Sec.  229.15  Remote control locomotives.

    (a) Design and operation. (1) Each locomotive equipped with a 
locomotive control unit (LCU) shall respond only to the operator 
control units (OCUs) assigned to that receiver.
    (2) If one or more OCUs are assigned to a LCU, the LCU shall 
respond only to the OCU that is in primary command. If a subsequent OCU 
is assigned to a LCU, the previous assignment will be automatically 
cancelled.
    (3) If more than one OCU is assigned to a LCU, the secondary OCUs' 
man down feature, bell, horn, and emergency brake application functions 
shall remain active.
    The remote control system shall be designed so that if the signal 
from the OCU to the RCL is interrupted for a set period not to exceed 
five seconds, the remote control system shall cause:
    (i) A full service application of the locomotive and train brakes; 
and
    (ii) The elimination of locomotive tractive effort.
    (4) Each OCU shall be designed to control only one RCL at a time. 
OCUs having the capability to control more than one RCL shall have a 
means to lock in one RCL ``assignment address'' to prevent simultaneous 
control over more than one locomotive.
    (5) If an OCU is equipped with an ``on'' and ``off'' switch, when 
the switch is moved from the ``on'' to the ``off'' position, the remote 
control system shall cause:
    (i) A full service application of the locomotive train brakes; and
    (ii) The elimination of locomotive tractive effort.
    (6) Each RCL shall have a distinct and unambiguous audible or 
visual warning device that indicates to nearby personnel that the 
locomotive is under active remote control operation.
    (7) When the main reservoir pressure drops below 90 psi, a RCL 
shall initiate a full service application of the locomotive and train 
brakes, and eliminate locomotive tractive effort.
    (8) When the air valves and the electrical selector switch on the 
RCL are moved from manual to remote control mode or from remote control 
to manual mode, an emergency application of the locomotive and train 
brakes shall be initiated.
    (9) Operating control handles located in the RCL cab shall be 
removed, pinned in place, protected electronically, or otherwise 
rendered inoperable as necessary to prevent movement caused by the 
RCL's cab controls while the RCL is being operated by remote control.
    (10) The RCL system (both the OCU and LCU), shall be designed to 
perform a self diagnostic test of the electronic components of the 
system. The system shall be designed to immediately effect a full 
service application of the locomotive and train brakes and the 
elimination of locomotive tractive effort in the event a failure is 
detected.
    (11) Each RCL shall be tagged at the locomotive control stand 
throttle indicating the locomotive is being used in a remote control 
mode. The tag shall be removed when the locomotive is placed back in 
manual mode.
    (12) Each OCU shall have the following controls and switches and 
shall be capable of performing the following functions:
    (i) Directional control;
    (ii) Throttle or speed control;
    (iii) Locomotive independent air brake application and release;
    (iv) Automatic train air brake application and release control;
    (v) Audible warning device control (horn);
    (vi) Audible bell control, if equipped;
    (vii) Sand control (unless automatic);
    (viii) Bi-directional headlight control;
    (ix) Emergency air brake application switch;
    (x) Generator field switch or equivalent to eliminate tractive 
effort to the locomotive;
    (xi) Audio/visual indication of wheel slip/slide;
    (xii) Audio indication of movement of the RCL; and
    (xiv) Require at least two separate actions by the RCO to begin 
movement of the RCL.
    (l3) Each OCU shall be equipped with the following features:
    (i) A harness with a breakaway safety feature;
    (ii) An operator alertness device that requires manual resetting or 
its equivalent.
    The alertness device shall incorporate a timing sequence not to 
exceed 60 seconds. Failure to reset the switch within the timing 
sequence shall cause an application of the locomotive and train brakes, 
and the elimination of locomotive tractive effort.
    (iii) A tilt feature that, when tilted to a predetermined angle, 
shall cause:
    (A) An emergency application of the locomotive and train brakes, 
and the elimination of locomotive tractive effort; and
    (B) If the OCU is equipped with a tilt bypass system that permits 
the tilt protection feature to be temporarily disabled, this bypass 
feature shall deactivate within 15 seconds on the primary OCU and 
within 60 seconds for all secondary OCUs, unless reactivated by the 
RCO.
    (14) Each OCU shall be equipped with one of the following control 
systems:
    (A) An automatic speed control system with a maximum 15 mph speed 
limiter; or
    (B) A graduated throttle and brake. A graduated throttle and brake 
control system built after (90 days after date of rule) shall be 
equipped with a speed limiter to a maximum of 15 mph.
    (15) RCL systems built after (DATE 90 DAYS AFTER EFFECTIVE DATE OF 
THE FINAL RULE) shall be equipped to automatically notify the railroad 
in the event the RCO becomes incapacitated or OCU tilt feature is 
activated.
    (16) RCL systems built prior to (DATE 90 DAYS AFTER EFFECTIVE DATE 
OF THE FINAL RULE) not equipped with automatic notification of operator 
incapacitated feature may not be utilized in one-person operation.
    (b) Inspection, testing, and repair. (1) Each time an OCU is linked 
to a RCL, and at the start of each shift, a railroad shall test:
    (i) The air brakes and the OCU's safety features, including the 
tilt switch and alerter device; and
    (ii) The man down/tilt feature automatic notification.
    (2) An OCU shall not continue in use with any defective safety 
feature identified in paragraph (b)(1) of this section.
    (3) A defective OCU shall be tracked under its own identification 
number assigned by the railroad. Records of repairs shall be maintained 
by the railroad and made available to FRA upon request.

[[Page 2227]]

    (4) Each time an RCL is placed in service and at the start of each 
shift locomotives that utilize a positive train stop system shall 
perform a conditioning run over tracks that the positive train stop 
system is being utilized on to ensure that the system functions as 
intended.
    5. Section 229.19 is revised to read as follows:


Sec.  229.19  Prior waivers.

    Waivers from any requirement of this part, issued prior to January 
12, 2011, shall terminate on the date specified in the letter granting 
the waiver. If no date is specified, then the waiver shall 
automatically terminate on January 12, 2016.
    6. Section 229.20 is added to subpart A to read as follows:


Sec.  229.20  Electronic record keeping.

    (a) General. For purposes of compliance with the recordkeeping 
requirements of this part, except for the daily inspection record 
maintained on the locomotive required by Sec.  229.21, the cab copy of 
Form FRA F 6180-49-A required by Sec.  229.23, the fragmented air brake 
maintenance record required by Sec.  229.27, and records required under 
Sec.  229.9, a railroad may create, maintain, and transfer any of the 
records required by this part through electronic transmission, storage, 
and retrieval provided that all of the requirements contained in this 
section are met.
    (b) Design requirements. Any electronic record system used to 
create, maintain, or transfer a record required to be maintained by 
this part shall meet the following design requirements:
    (1) The electronic record system shall be designed such that the 
integrity of each record is maintained through appropriate levels of 
security such as recognition of an electronic signature, or other 
means, which uniquely identify the initiating person as the author of 
that record. No two persons shall have the same electronic identity;
    (2) The electronic system shall ensure that each record cannot be 
modified, or replaced, once the record is transmitted;
    (3) Any amendment to a record shall be electronically stored apart 
from the record which it amends. Each amendment to a record shall 
uniquely identify the person making the amendment;
    (4) The electronic system shall provide for the maintenance of 
inspection records as originally submitted without corruption or loss 
of data; and
    (5) Policies and procedures shall be in place to prevent persons 
from altering electronic records, or otherwise interfering with the 
electronic system.
    (c) Operational requirements. Any electronic record system used to 
create, maintain, or transfer a record required to be maintained by 
this part shall meet the following operating requirements:
    (1) The electronic storage of any record required by this part 
shall be initiated by the person performing the activity to which the 
record pertains within 24 hours following the completion of the 
activity; and
    (2) For each locomotive for which records of inspection or 
maintenance required by this part are maintained electronically, the 
electronic record system shall automatically notify the railroad each 
time the locomotive is due for an inspection, or maintenance that the 
electronic system is tracking. The automatic notification tracking 
requirement does not apply to daily inspections.
    (d) Accessibility and availability requirements. Any electronic 
record system used to create, maintain, or transfer a record required 
to be maintained by this part shall meet the following access and 
availability requirements:
    (1) The carrier shall provide FRA with all electronic records 
maintained for compliance with this part for any specific locomotives 
at any mechanical department terminal upon request;
    (2) Paper copies of electronic records and amendments to those 
records that may be necessary to document compliance with this part, 
shall be provided to FRA for inspection and copying upon request. Paper 
copies shall be provided to FRA no later than 15 days from the date the 
request is made;
    (3) Inspection records required by this part shall be available to 
persons who performed the inspection and to persons performing 
subsequent inspections on the same locomotive.
    7. Section 229.23 is revised to read as follows:


Sec.  229.23  Periodic inspection: General.

    (a) Each locomotive shall be inspected at each periodic inspection 
to determine whether it complies with this part. Except as provided in 
Sec.  229.9, all non-complying conditions shall be repaired before the 
locomotive is used. Except as provided in Sec.  229.33, the interval 
between any two periodic inspections may not exceed 92 days. Periodic 
inspections shall only be made where adequate facilities are available. 
At each periodic inspection, a locomotive shall be positioned so that a 
person may safely inspect the entire underneath portion of the 
locomotive.
    (b) Each new locomotive shall receive an initial periodic 
inspection before it is used. Except as provided in Sec.  229.33, each 
locomotive shall receive an initial periodic inspection within 92 days 
of the last 30-day inspection performed under the prior rules (49 CFR 
230.331 and 230.451). At the initial periodic inspection, the date and 
place of the last tests performed that are the equivalent of the tests 
required by Sec. Sec.  229.27, 229.29, and 229.31 shall be entered on 
Form FRA F 6180-49A. These dates shall determine when the tests first 
become due under Sec. Sec.  229.27, 229.29, and 229.31. Out of use 
credit may be carried over from Form FRA F 6180-49 and entered on Form 
FRA F 6180-49A.
    (c) Each periodic inspection shall be recorded on Form FRA F 6180-
49A. The form shall be signed by the person conducting the inspection 
and certified by that person's supervisor that the work was done. The 
form shall be displayed under a transparent cover in a conspicuous 
place in the cab of each locomotive. A railroad maintaining and 
transferring records as provided for in Sec.  229.20 shall print the 
name of the person who performed the inspections, repairs, or certified 
work on the Form FRA F 6180-49A that is displayed in the cab of each 
locomotive.
    (d) At the first periodic inspection in each calendar year the 
carrier shall remove from each locomotive Form FRA F 6180-49A covering 
the previous calendar year. If a locomotive does not receive its first 
periodic inspection in a calendar year before April 2 because it is out 
of use, the form shall be promptly replaced. The Form FRA F 6180-49A 
covering the preceding year for each locomotive, in or out of use, 
shall be signed by the railroad official responsible for the locomotive 
and filed as required in Sec.  229.23(f). The date and place of the 
last periodic inspection and the date and place of the last tests 
performed under Sec. Sec.  229.27, 229.29, and 229.31 shall be 
transferred to the replacement Form FRA F 6180-49A.
    (e) The railroad mechanical officer who is in charge of a 
locomotive shall maintain in his office a secondary record of the 
information reported on Form FRA F 6180-49A. The secondary record shall 
be retained until Form FRA F 6180-49A has been removed from the 
locomotive and filed in the railroad office of the mechanical officer 
in charge of the locomotive. If the Form FRA F 6180-49A removed from 
the locomotive is not clearly legible, the secondary record shall be 
retained until the Form FRA F 6180-49A for the succeeding year is 
filed. The Form F 6180-49A removed from a locomotive shall be retained 
until the Form FRA F

[[Page 2228]]

6180-49A for the succeeding year is filed.
    (f) The railroad shall maintain, and provide employees performing 
inspections under this section with, a list of the defects and repairs 
made on each locomotive over the last ninety-two days;
    (g) The railroad shall provide employees performing inspections 
under this section with a document containing all tests conducted since 
the last periodic inspection, and procedures needed to perform the 
inspection.
    8. Section 229.25 is amended by revising paragraphs (d) and (e), 
and adding paragraph (f) to read as follows:


Sec.  229.25  Test: Every periodic inspection.

* * * * *
    (d) Event recorder. A microprocessor-based self-monitoring event 
recorder, if installed, is exempt from periodic inspection under 
paragraphs (d)(1) through (5) of this section and shall be inspected 
annually as required by Sec.  229.27(c). Other types of event 
recorders, if installed, shall be inspected, maintained, and tested in 
accordance with instructions of the manufacturer, supplier, or owner 
thereof and in accordance with the following criteria:
    (1) A written or electronic copy of the instructions in use shall 
be kept at the point where the work is performed and a hard-copy 
version, written in the English language, shall be made available upon 
request to FRA.
    (2) The event recorder shall be tested before any maintenance work 
is performed on it. At a minimum, the event recorder test shall include 
cycling, as practicable, all required recording elements and 
determining the full range of each element by reading out recorded 
data.
    (3) If the pre-maintenance test reveals that the device is not 
recording all the specified data and that all recordings are within the 
designed recording elements, this fact shall be noted, and maintenance 
and testing shall be performed as necessary until a subsequent test is 
successful.
    (4) When a successful test is accomplished, a copy of the data-
verification results shall be maintained in any medium with the 
maintenance records for the locomotive until the next one is filed.
    (5) A railroad's event recorder periodic maintenance shall be 
considered effective if 90 percent of the recorders on locomotives 
inbound for periodic inspection in any given calendar month are still 
fully functional; maintenance practices and test intervals shall be 
adjusted as necessary to yield effective periodic maintenance.
    (e) Remote control locomotive. Remote control locomotive system 
components that interface with the mechanical devices of the locomotive 
shall be tested including, but not limited to, air pressure monitoring 
devices, pressure switches, and speed sensors.
    (f) Alerters. The alerter shall be tested, and all automatic timing 
resets shall function as intended.
    9. Section 229.27 is revised to read as follows:


Sec.  229.27  Annual tests.

    (a) All testing under this section shall be performed at intervals 
that do not exceed 368 calendar days.
    (b) Load meters that indicate current (amperage) being applied to 
traction motors shall be tested. Each device used by the engineer to 
aid in the control or braking of the train or locomotive that provides 
an indication of air pressure electronically shall be tested by 
comparison with a test gauge or self-test designed for this purpose. An 
error greater than five percent or greater than three pounds per square 
inch shall be corrected. The date and place of the test shall be 
recorded on Form FRA F 6180-49A, and the person conducting the test and 
that person's supervisor shall sign the form.
    (c) A microprocessor-based event recorder with a self-monitoring 
feature equipped to verify that all data elements required by this part 
are recorded, requires further maintenance and testing only if either 
or both of the following conditions exist:
    (1) The self-monitoring feature displays an indication of a 
failure. If a failure is displayed, further maintenance and testing 
must be performed until a subsequent test is successful. When a 
successful test is accomplished, a record, in any medium, shall be made 
of that fact and of any maintenance work necessary to achieve the 
successful result. This record shall be available at the location where 
the locomotive is maintained until a record of a subsequent successful 
test is filed; or,
    (2) A download of the event recorder, taken within the preceding 30 
days and reviewed for the previous 48 hours of locomotive operation, 
reveals a failure to record a regularly recurring data element or 
reveals that any required data element is not representative of the 
actual operations of the locomotive during this time period. If the 
review is not successful, further maintenance and testing shall be 
performed until a subsequent test is successful. When a successful test 
is accomplished, a record, in any medium, shall be made of that fact 
and of any maintenance work necessary to achieve the successful result. 
This record shall be kept at the location where the locomotive is 
maintained until a record of a subsequent successful test is filed. The 
download shall be taken from information stored in the certified 
crashworthy crash hardened event recorder memory module if the 
locomotive is so equipped.
    10. Section 229.29 is revised to read as follows:


Sec.  229.29  Air brake system calibration, maintenance, and testing.

    (a) A locomotive's air brake system shall receive the calibration, 
maintenance, and testing as prescribed in this section. The level of 
maintenance and testing and the intervals for receiving such 
maintenance and testing of locomotives with various types of air brake 
systems shall be conducted in accordance with paragraphs (d) through 
(f) of this section. Records of the maintenance and testing required in 
this section shall be maintained in accordance with paragraph (g) of 
this section.
    (b) Except for DMU or MU locomotives covered under Sec.  238.309 of 
this chapter, the air flow method (AFM) indicator shall be calibrated 
in accordance with section 232.205(c)(1)(iii) at intervals not to 
exceed 92 days, and records shall be maintained as prescribed in 
paragraph (g)(1) of this section.
    (c) Except for DMU or MU locomotives covered under Sec.  238.309 of 
this chapter, the extent of air brake system maintenance and testing 
that is required on a locomotive shall be in accordance with the 
following levels:
    (1) Level one: Locomotives shall have the filtering devices or dirt 
collectors located in the main reservoir supply line to the air brake 
system cleaned, repaired, or replaced.
    (2) Level two: Locomotives shall have the following components 
cleaned, repaired, and tested: Brake cylinder relay valve portions; 
main reservoir safety valves; brake pipe vent valve portions; and, feed 
and reducing valve portions in the air brake system (including related 
dirt collectors and filters).
    (3) Level three: Locomotives shall have the components identified 
in this paragraph removed from the locomotive and disassembled, cleaned 
and lubricated (if necessary), and tested. In addition, all parts of 
such components that can deteriorate within the inspection interval as 
defined in

[[Page 2229]]

paragraphs (d) through (f) of this section shall be replaced and 
tested. The components include: All pneumatic components of the 
locomotive equipment's brake system that contain moving parts, and are 
sealed against air leaks; all valves and valve portions; electric-
pneumatic master controllers in the air brake system; and all air brake 
related filters and dirt collectors.
    (d) Except for MU locomotives covered under Sec.  238.309 of this 
chapter, all locomotives shall receive level one air brake maintenance 
and testing as described in this section at intervals that do not 
exceed 368 days.
    (e) Locomotives equipped with an air brake system not specifically 
identified in paragraphs (f)(1) through (3) of this section shall 
receive level two air brake maintenance and testing as described in 
this section at intervals that do not exceed 368 days and level three 
air brake maintenance and testing at intervals that do not exceed 736 
days.
    (f) Level two and level three air brake maintenance and testing 
shall be performed on each locomotive identified in this paragraph at 
the following intervals:
    (1) At intervals that do not exceed 1,104 days for a locomotive 
equipped with a 26-L or equivalent brake system;
    (2) At intervals that do not exceed 1,472 days for locomotives 
equipped with an air dryer and a 26-L or equivalent brake system and 
for locomotives not equipped with an air compressor and that are semi-
permanently coupled and dedicated to locomotives with an air dryer; or
    (3) At intervals that do not exceed 1,840 days for locomotives 
equipped with CCB-1, CCB-2, CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 
3102D2, EPIC 2, KB-HS1, or Fastbrake brake systems.
    (g) Records of the air brake system maintenance and testing 
required by this section shall be generated and maintained in 
accordance with the following:
    (1) The date of AFM indicator calibration shall be recorded and 
certified in the remarks section of Form F6180-49A.
    (2) The date and place of the cleaning, repairing and testing 
required by this section shall be recorded on Form FRA F6180-49A, and 
the work shall be certified. A record of the parts of the air brake 
system that are cleaned, repaired, and tested shall be kept in the 
railroad's files or in the cab of the locomotive.
    (3) At its option, a railroad may fragment the work required by 
this section. In that event, a separate record shall be maintained 
under a transparent cover in the cab. The air record shall include: The 
locomotive number; a list of the air brake components; and the date and 
place of the inspection and testing of each component. The signature of 
the person performing the work and the signature of that person's 
supervisor shall be included for each component. A duplicate record 
shall be maintained in the railroad's files.
    11. Section 229.46 is revised to read as follows:


Sec.  229.46  Brakes: General.

    (a) Before each trip, the railroad shall know the following:
    (1) The locomotive brakes and devices for regulating pressures, 
including but not limited to the automatic and independent brake 
control systems, operate as intended; and
    (2) The water and oil have been drained from the air brake system 
of all locomotives in the consist.
    (b) A locomotive with an inoperative or ineffective automatic or 
independent brake control system will be considered to be operating as 
intended for purposes of paragraph (a) of this section, if all of the 
following conditions are met:
    (1) The locomotive is in a trailing position and is not the 
controlling locomotive in a distributed power train consist;
    (2) The railroad has previously determined, in conjunction with the 
locomotive and/or air brake manufacturer, that placing such a 
locomotive in trailing position adequately isolates the non-functional 
valves so as to allow safe operation of the brake systems from the 
controlling locomotive;
    (3) If deactivation of the circuit breaker for the air brake system 
is required, it shall be specified in the railroad's operating rules;
    (4) A tag shall immediately be placed on the isolation switch of 
the locomotive giving the date and location and stating that the unit 
may only be used in a trailing position and may not be used as a lead 
or controlling locomotive;
    (5) The tag required in paragraph (b)(4) of this section remains 
attached to the isolation switch of the locomotive until repairs are 
made; and
    (6) The inoperative or ineffective brake control system is repaired 
prior to or at the next periodic inspection.
    12. Section 229.85 is revised to read as follows:


Sec.  229.85  High voltage markings: Doors, cover plates, or barriers.

    All doors, cover plates, or barriers providing direct access to 
high voltage equipment shall be marked ``Danger--High Voltage'' or with 
the word ``Danger'' and the normal voltage carried by the parts so 
protected.
    13. Section 229.114 is added to read as follows:


Sec.  229.114  Steam generator inspections and tests.

    (a) Periodic steam generator inspection. Except as provided in 
Sec.  229.33, each steam generator shall be inspected and tested in 
accordance with paragraph (d) of this section at intervals not to 
exceed 92 days, unless the steam generator is isolated in accordance 
with paragraph (b) of this section. All non-complying conditions shall 
be repaired or the steam generator shall be isolated as prescribed in 
paragraph (b) of this section before the locomotive is used.
    (b) Isolation of a steam generator. A steam generator will be 
considered isolated if the water suction pipe to the water pump and the 
leads to the main switch (steam generator switch) are disconnected, and 
the train line shut-off-valve is wired closed or a blind gasket is 
applied. Before an isolated steam generator is returned to use, it 
shall be inspected and tested pursuant to paragraph (d) of this 
section.
    (c) Each periodic steam generator inspection and test shall be 
recorded on Form FRA F6180-49A required by paragraph Sec.  229.23. When 
Form FRA F6180-49A for the locomotive is replaced, data for the steam 
generator inspections shall be transferred to the new Form FRA F6180-
49A.
    (d) Each periodic steam generator inspection and test shall include 
the following tests and requirements:
    (1) All electrical devices and visible insulation shall be 
inspected.
    (2) All automatic controls, alarms and protective devices shall be 
inspected and tested.
    (3) Steam pressure gauges shall be tested by comparison with a 
dead-weight tester or a test gauge designed for this purpose. The 
siphons to the steam gauges shall be removed and their connections 
examined to determine that they are open.
    (4) Safety valves shall be set and tested under steam after the 
steam pressure gauge is tested.
    (e) Annual steam generator tests. Each steam generator that is not 
isolated in accordance with paragraph (b) of this section, shall be 
subjected to a hydrostatic pressure at least 25 percent above the 
working pressure and the visual return water-flow indicator shall be 
removed and inspected. The testing under this paragraph shall be 
performed at intervals that do not exceed 368 calendar days.

[[Page 2230]]

    14. Section 229.119 is amended by revising paragraph (d) to read as 
follows:


Sec.  229.119  Cabs, floors, and passageways.

* * * * *
    (d) Any occupied locomotive cab shall be provided with proper 
ventilation and with a heating arrangement that maintains a temperature 
of at least 60 degrees Fahrenheit 6 inches above the center of each 
seat in the cab compartment.
* * * * *
    15. Section 229.123 is revised to read as follows:


Sec.  229.123  Pilots, snowplows, end plates.

    (a) Each lead locomotive shall be equipped with a pilot, snowplow, 
or end plate that extends across both rails. The minimum clearance 
above the rail of the pilot, snowplow or end plate shall be 3 inches. 
Except as provided in paragraph (b) of this section, the maximum 
clearance shall be 6 inches. When the locomotive is equipped with a 
combination of the equipment listed in this paragraph, each extending 
across both rails, only the lowest piece of that equipment must satisfy 
clearance requirements of this section.
    (b) To provide clearance for passing over retarders, locomotives 
utilized in hump yard or switching service at hump yard locations may 
have pilot, snowplow, or end plate maximum height of 9 inches.
    (1) Each locomotive equipped with a pilot, snowplow, or end plate 
with clearance above 6 inches shall be prominently stenciled at each 
end of the locomotive with the words ``9-inch Maximum End Plate Height, 
Yard or Trail Service Only.''
    (2) When operated in switching service in a leading position, 
locomotives with a pilot, snowplow, or end plate clearance above 6 
inches shall be limited to 10 miles per hour over grade crossings.
    (3) Train crews shall be notified in writing of the restrictions on 
the locomotive, by label or stencil in the cab, or by written operating 
instruction given to the crew and maintained in the cab of the 
locomotive.
    (4) Pilot, snowplow, or end plate clearance above 6 inches shall be 
noted in the remarks section of Form FRA 6180-49a.
    (5) Locomotives with a pilot, snowplow, or end plate clearance 
above 6 inches shall not be placed in the lead position when being 
moved under section Sec.  229.9.
    16. Section 229.125 is amended by revising paragraphs (a) and 
(d)(2) and (3) to read as follows:


Sec.  229.125  Headlights and auxiliary lights.

    (a) Each lead locomotive used in road service shall illuminate its 
headlight while the locomotive is in use. When illuminated, the 
headlight shall produce a peak intensity of at least 200,000 candela 
and produce at least 3,000 candela at an angle of 7.5 degrees and at 
least 400 candela at an angle of 20 degrees from the centerline of the 
locomotive when the light is aimed parallel to the tracks. If a 
locomotive or locomotive consist in road service is regularly required 
to run backward for any portion of its trip other than to pick up a 
detached portion of its train or to make terminal movements, it shall 
also have on its rear a headlight that meets the intensity requirements 
above. Each headlight shall be aimed to illuminate a person at least 
800 feet ahead and in front of the headlight. For purposes of this 
section, a headlight shall be comprised of either one or two lamps.
    (1) If a locomotive is equipped with a single-lamp headlight, the 
single lamp shall produce a peak intensity of at least 200,000 candela 
and shall produce at least 3,000 candela at an angle of 7.5 degrees and 
at least 400 candela at an angle of 20 degrees from the centerline of 
the locomotive when the light is aimed parallel to the tracks. The 
following operative lamps meet the standard set forth in this 
paragraph: A single incandescent PAR-56, 200-watt, 30-volt lamp; a 
single halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 
350-watt, 75-volt lamp, or a single lamp meeting the intensity 
requirements given above.
    (2) If a locomotive is equipped with a dual-lamp headlight, a peak 
intensity of at least 200,000 candela and at least 3,000 candela at an 
angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees 
from the centerline of the locomotive when the light is aimed parallel 
to the tracks shall be produced by the headlight based either on a 
single lamp capable of individually producing the required peak 
intensity or on the candela produced by the headlight with both lamps 
illuminated. If both lamps are needed to produce the required peak 
intensity, then both lamps in the headlight shall be operational. The 
following operative lamps meet the standard set forth in this paragraph 
(a)(2): A single incandescent PAR-56, 200-watt, 30-volt lamp; a single 
halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 350-
watt, 75-volt lamp; two incandescent PAR-56, 350-watt, 75-volt lamps; 
or lamp(s) meeting the intensity requirements given above.
    (i) A locomotive equipped with the two incandescent PAR-56, 350-
watt, 75 volt lamps which has an en route failure of one lamp in the 
headlight fixture, may continue in service as a lead locomotive until 
its next daily inspection required by Sec.  229.21 only if:
    (A) Auxiliary lights burn steadily;
    (B) Auxiliary lights are aimed horizontally parallel to the 
longitudinal centerline of the locomotive or aimed to cross no less 
than 400 feet in front of the locomotive.
    (C) Second headlight lamp and both auxiliary lights continue to 
operate.
    (ii) [Reserved]
* * * * *
    (d) * * *
    (2) Each auxiliary light shall produce a peak intensity of at least 
200,000 candela or shall produce at least 3,000 candela at an angle of 
7.5 degrees and at least 400 candela at an angle of 20 degrees from the 
centerline of the locomotive when the light is aimed parallel to the 
tracks. Any of the following operative lamps meet the standard set 
forth in this paragraph: An incandescent PAR-56, 200-watt, 30-volt 
lamp; a halogen PAR-56, 200-watt, 30-volt lamp; a halogen PAR-56, 350-
watt, 75-volt lamp; an incandescent PAR-56, 350-watt, 75-volt lamp; or 
a single lamp having equivalent intensities at the specified angles.
    (3) The auxiliary lights shall be aimed horizontally within 15 
degrees of the longitudinal centerline of the locomotive.
* * * * *
    17. Section 229.133 is amended by revising paragraphs (b) 
introductory text, (b)(1) and (2), and (c) to read as follows:


Sec.  229.133  Interim locomotive conspicuity measures--auxiliary 
external lights.

* * * * *
    (b) Each qualifying arrangement of auxiliary external lights shall 
conform to one of the following descriptions:
    (1) Strobe lights. (i) Strobe lights shall consist of two white 
stroboscopic lights, each with ``effective intensity,'' as defined by 
the Illuminating Engineering Society's Guide for Calculating the 
Effective Intensity of Flashing Signal Lights (November 1964), of at 
least 500 candela.
    (ii) The flash rate of strobe lights shall be at least 40 flashes 
per minute and at most 180 flashes per minute.
    (iii) Strobe lights shall be placed at the front of the locomotive, 
at least 48 inches apart, and at least 36 inches above the top of the 
rail.
    (2) Oscillating light. (i) An oscillating light shall consist of:
    (A) One steadily burning white light producing at least 200,000 
candela in a moving beam that depicts a circle or a

[[Page 2231]]

horizontal figure ``8'' to the front, about the longitudinal centerline 
of the locomotive; or
    (B) Two or more white lights producing at least 200,000 candela 
each, at one location on the front of the locomotive, that flash 
alternately with beams within five degrees horizontally to either side 
of the longitudinal centerline of the locomotive.
    (ii) An oscillating light may incorporate a device that 
automatically extinguishes the white light if display of a light of 
another color is required to protect the safety of railroad operations.
* * * * *
    (c)(1) Any lead locomotive equipped with oscillating lights as 
described in paragraph (b)(2) that were ordered for installation on 
that locomotive prior to January 1, 1996, is considered in compliance 
with Sec.  229.125(d) (1) through (3).
    (2) Any lead locomotive equipped with strobe lights as described in 
paragraph (b)(1) of this section and operated at speeds no greater than 
40 miles per hour, is considered in compliance with Sec.  229.125(d) 
(1) through (3) until the locomotive is retired or rebuilt, whichever 
comes first.
* * * * *
    18. Section 229.140 is added to subpart C to read as follows:


Sec.  229.140  Alerters.

    (a) Except for locomotives covered by part 238 of this chapter, 
each of the following locomotives shall be equipped with a functioning 
alerter as described in paragraphs (b) through (d) of this section:
    (1) A new locomotive that is placed in service for the first time 
on or after [DATE 90 DAYS AFTER THE EFFECTIVE DATE OF THE FINAL RULE] 
when used as a controlling locomotive and operated at speeds in excess 
of 25 mph.
    (2) All controlling locomotives operated at speeds in excess of 25 
mph on or after January 1, 2016.
    (b) The alerter on locomotives subject to paragraph (a) of this 
section shall be equipped with a manual reset and the alerter warning 
timing cycle shall automatically reset as the result of any of the 
following operations, and at least three of the following automatic 
resets shall be functional at any given time:
    (1) Movement of the throttle handle;
    (2) Movement of the dynamic brake control handle;
    (3) Movement of the operator's horn activation handle;
    (4) Movement of the operator's bell activation switch;
    (5) Movement of the automatic brake valve handle; or
    (6) Bailing the independent brake by depressing the independent 
brake valve handle.
    (c) All alerters shall provide an audio alarm upon expiration of 
the timing cycle interval. An alerter on a locomotive that is placed in 
service on or after [DATE 90 DAYS AFTER THE EFFECTIVE DATE OF THE FINAL 
RULE] shall display a visual indication to the operator at least five 
seconds prior to an audio alarm. The visual indication on an alerter so 
equipped shall be visible to the operator from their normal position in 
the cab.
    (d) Alerter warning timing cycle interval shall be within 10 
seconds of the calculated setting utilizing the formula (timing cycle 
specified in seconds = 2400 / track speed specified in miles per hour).
    (e) Any locomotive that is equipped with an alerter shall have the 
alerter functioning and operating as intended when the locomotive is 
used as a controlling locomotive.
    (f) A controlling locomotive equipped with an alerter shall be 
tested prior to departure from each initial terminal, or prior to being 
coupled as the lead locomotive in a locomotive consist by allowing the 
warning timing cycle to expire that results in an application of the 
locomotive brakes at a penalty rate.
    19. Part 229 is amended by adding a new subpart E to read as 
follows:
Subpart E--Locomotive Electronics
Sec.
229.301 Purpose and scope.
229.303 Applicability.
229.305 Definitions.
229.307 Safety Analysis.
229.309 Safety-critical changes and failures.
229.311 Review of SAs.
229.313 Product testing results and records.
229.315 Operations and Maintenance Manual.
229.317 Training and qualification program.
229.319 Operating personnel training.

Subpart E--Locomotive Electronics


Sec.  229.301  Purpose and scope.

    (a) The purpose of this subpart is to promote the safe design, 
operation, and maintenance of safety-critical, as defined in Sec.  
229.305, electronic locomotive control systems, subsystems, and 
components.
    (b) Locomotive control systems or their functions that commingle or 
interface with safety critical processor based signal and train control 
systems are regulated under part 236 subparts H and I of this chapter.


Sec.  229.303  Applicability.

    (a) The requirements of this subpart apply to all safety-critical 
electronic locomotive control systems, subsystems, and components 
(i.e.; ``products'' as defined in Sec.  229.305), except for the 
following:
    (1) Products that are in service prior to January 12, 2011.
    (2) Products that are under development as of July 12, 2011, and 
are placed in service prior to July 14, 2014.
    (3) Products that commingle or interface with safety critical 
processor based signal and train control systems;
    (4) Products that are used during on-track testing within a test 
facility; and
    (5) Products that are used during on-track testing out-side a test 
facility, if approved by FRA. To obtain FRA approval of on-track 
testing outside of a test facility, a railroad shall submit a request 
to FRA that provides:
    (i) Adequate information regarding the function and history of the 
product that it intends to use;
    (ii) The proposed tests;
    (iii) The date, time and location of the tests; and
    (iv) The potential safety consequences that will result from 
operating the product for purposes of testing.
    (b) Railroads and vendors shall identify all products that are 
under development to FRA by [DATE 6 MONTHS FROM PUBLICATION OF THE 
FINAL RULE].
    (c) The exceptions provided in paragraph (a) of this section do not 
apply to products or product changes that result in degradation of 
safety, or a material increase in safety-critical functionality.


Sec.  229.305  Definitions.

    As used in this subpart--
    Component means an electronic element, device, or appliance 
(including hardware or software) that is part of a system or subsystem.
    Configuration management control plan means a plan designed to 
ensure that the proper and intended product configuration, including 
the electronic hardware components and software version, is documented 
and maintained through the life-cycle of the products in use.
    Executive software means software common to all installations of a 
given electronic product. It generally is used to schedule the 
execution of the site-specific application programs, run timers, read 
inputs, drive outputs, perform self-diagnostics, access and check 
memory, and monitor the execution of the application software to detect 
unsolicited changes in outputs.
    Initialization refers to the startup process when it is determined 
that a product has all required data input and the product is prepared 
to function as intended.

[[Page 2232]]

    Materials handling refers to explicit instructions for handling 
safety-critical components established to comply with procedures 
specified by the railroad.
    New or next-generation locomotive control system means a locomotive 
control system using technologies or combinations of technologies not 
in use in revenue service as of January 12, 2011, or without 
established histories of safe practice.
    Product means any safety critical electronic locomotive control 
system, subsystem, or component.
    Revision control means a chain of custody regimen designed to 
positively identify safety-critical components and spare equipment 
availability, including repair/replacement tracking.
    Safety Analysis refers to a formal set of documentation which 
describes in detail all of the safety aspects of the product, including 
but not limited to procedures for its development, installation, 
implementation, operation, maintenance, repair, inspection, testing and 
modification, as well as analyses supporting its safety claims.
    Safety-critical, as applied to a function, a system, or any portion 
thereof, means the correct performance of which is essential to safety 
of personnel or equipment, or both; or the incorrect performance of 
which could cause a hazardous condition, or allow a hazardous condition 
which was intended to be prevented by the function or system to exist.
    Subsystem means a defined portion of a system.
    System refers to any electronic locomotive control system and 
includes all subsystems and components thereof, as the context 
requires.
    Test facility means a track that is not part of the general 
railroad system of transportation and is being used exclusively for the 
purpose of testing equipment and has all of its public grade crossings 
protected.


Sec.  229.307  Safety Analysis.

    (a) A railroad shall develop a Safety Analysis (SA) for each 
product subject to this subpart prior to the initial use of such 
product on their railroad.
    (b) The SA shall:
    (1) Establish and document the minimum requirements that will 
govern the development and implementation of all products subject to 
this subpart, and be based on good engineering practice and should be 
consistent with the guidance contained in Appendix F of this part in 
order to establish that a product's safety-critical functions will 
operate with a high degree of confidence in a fail-safe manner;
    (2) Include procedures for immediate repair of safety-critical 
functions; and
    (3) Be made available to FRA upon request.
    (c) Each railroad shall comply with the SA requirements and 
procedures related to the development, implementation, and repair of a 
product subject to this subpart.


Sec.  229.309  Safety-critical changes and failures.

    (a) Whenever a planned safety-critical design change is made to a 
product subject to this subpart, the railroad shall:
    (1) Notify FRA's Associate Administrator for Safety of the design 
changes;
    (2) Update the SA as required;
    (3) Conduct all safety critical changes in a manner that allows the 
change to be audited;
    (4) Specify all contractual arrangements with suppliers and private 
equipment owners for notification of any and all electronic safety 
critical changes as well as safety critical failures in their system, 
subsystem, or components, and the reasons from the suppliers or 
equipment owners, whether or not the railroad has experienced a failure 
of that safety critical system, sub-system, or component;
    (5) Specify the railroad's procedures for action upon receipt of 
notification of a safety-critical change or failure of an electronic 
system, sub-system, or component, and until the upgrade, patch, or 
revision has been installed; and
    (6) Identify all configuration/revision control measures designed 
to ensure that safety-functional requirements and safety-critical 
hazard mitigation processes are not compromised as a result of any such 
change, and that any such change can be audited.
    (b) Product suppliers and private equipment owners shall report any 
safety critical changes and previously unidentified hazards to each 
railroad using the product.
    (c) Private equipment owners shall establish configuration/revision 
control measures for control of safety critical changes and 
identification of previously unidentified hazards.


Sec.  229.311  Review of SAs.

    (a) Prior to the initial planned use of a product subject to this 
subpart, a railroad shall inform the Associate Administrator for 
Safety, FRA, 1200 New Jersey Avenue, SE., Mail Stop 25, Washington, DC 
20590 of the intent to place this product in service. The notification 
shall provide a description of the product, and identify the location 
where the complete SA documentation described in Sec.  229.307 and the 
training and qualification program described in Sec.  229.319 is 
maintained.
    (b) FRA may review and/or audit the SA within 60 days of receipt of 
the notification or anytime after the product is placed in use.
    (c) A railroad shall maintain and make available to FRA upon 
request all documentation used to demonstrate that the product meets 
the safety requirements of the SA for the life-cycle of the product.
    (d) After a product is placed in service, the railroad shall 
maintain a database of all safety relevant hazards encountered with the 
product. The database shall include all hazards identified in the SA 
and those that had not been previously identified in the SA. If the 
frequency of the safety-relevant hazards exceeds the threshold set 
forth in the SA, then the railroad shall:
    (1) Report the inconsistency by mail, facsimile, e-mail, or hand 
delivery to the Director, Office of Safety Assurance and Compliance, 
FRA, 1200 New Jersey Ave., SE., Mail Stop 25, Washington, DC 20590, 
within 15 days of discovery;
    (2) Take immediate countermeasures to reduce the frequency of the 
safety relevant hazard(s) below the threshold set forth in the SA; and
    (3) Provide a final report to the FRA, Director, Office of Safety 
Assurance and Compliance, on the results of the analysis and 
countermeasures taken to reduce the frequency of the safety relevant 
hazard(s) below the calculated probability of failure threshold set 
forth in the SA when the problem is resolved. For hazards not 
identified in the SA the threshold shall be exceeded at one occurrence.


Sec.  229.313  Product testing results and records.

    (a) Results of product testing conducted in accordance with this 
subpart shall be recorded on preprinted forms provided by the railroad, 
or stored electronically. Electronic record keeping or automated 
tracking systems, subject to the provisions contained in paragraph (e) 
of this section, may be utilized to store and maintain any testing or 
training record required by this subpart.
    (b) The testing records shall contain all of the following:
    (1) The name of the railroad;
    (2) The location and date that the test was conducted;
    (3) The equipment tested;
    (4) The results of tests;
    (5) The repairs or replacement of equipment;
    (6) Any preventative adjustments made; and,

[[Page 2233]]

    (7) The condition in which the equipment is left.
    (c) Each record shall be:
    (1) Signed by the employee conducting the test, or electronically 
coded, or identified by the automated test equipment number;
    (2) Filed in the office of a supervisory official having 
jurisdiction, unless otherwise noted; and
    (3) Available for inspection and copying by FRA.
    (d) The results of the testing conducted in accordance with this 
subpart shall be retained as follows:
    (1) The results of tests that pertain to installation or 
modification of a product shall be retained for the life-cycle of the 
product tested and may be kept in any office designated by the 
railroad;
    (2) The results of periodic tests required for the maintenance or 
repair of the product tested shall be retained until the next record is 
filed and in no case less than one year; and
    (3) The results of all other tests and training shall be retained 
until the next record is filed and in no case less than one year.
    (e) Electronic or automated tracking systems used to meet the 
requirements contained in paragraph (a) of this section shall be 
capable of being reviewed and monitored by FRA at any time to ensure 
the integrity of the system. FRA's Associate Administrator for Safety 
may prohibit or revoke a railroad's authority to utilize an electronic 
or automated tracking system in lieu of preprinted forms if FRA finds 
that the electronic or automated tracking system is not properly 
secured, is inaccessible to FRA, or railroad employees requiring access 
to discharge their assigned duties, or fails to adequately track and 
monitor the equipment. The Associate Administrator for Safety will 
provide the affected railroad with a written statement of the basis for 
the decision prohibiting or revoking the railroad from utilizing an 
electronic or automated tracking system.


Sec.  229.315  Operations and Maintenance Manual.

    (a) The railroad shall maintain all documents pertaining to the 
installation, maintenance, repair, modification, inspection, and 
testing of a product subject to this part in one Operations and 
Maintenance Manual (OMM).
    (1) The OMM shall be legible and shall be readily available to 
persons who conduct the installation, maintenance, repair, 
modification, inspection, and testing, and for inspection by FRA.
    (2) At a minimum, the OMM shall contain all product vendor 
operation and maintenance guidance.
    (b) The OMM shall contain the plans and detailed information 
necessary for the proper maintenance, repair, inspection, and testing 
of products subject to this subpart. The plans shall identify all 
software versions, revisions, and revision dates.
    (c) Hardware, software, and firmware revisions shall be documented 
in the OMM according to the railroad's configuration management control 
plan.
    (d) Safety-critical components, including spare products, shall be 
positively identified, handled, replaced, and repaired in accordance 
with the procedures specified in the railroad's configuration 
management control plan.
    (e) A railroad shall determine that the requirements of this 
section have been met prior to placing a product subject to this 
subpart in use on their property.


Sec.  229.317  Training and qualification program.

    (a) A railroad shall establish and implement training and 
qualification program for products subject to this subpart. These 
programs shall meet the requirements set forth in this section and in 
Sec.  229.319.
    (b) The program shall provide training for the individuals 
identified in this paragraph to ensure that they possess the necessary 
knowledge and skills to effectively complete their duties related to 
the product. These include:
    (1) Individuals whose duties include installing, maintaining, 
repairing, modifying, inspecting, and testing safety-critical elements 
of the product;
    (2) Individuals who operate trains or serve as a train or engine 
crew member subject to instruction and testing under part 217 of this 
chapter;
    (3) Roadway and maintenance-of-way workers whose duties require 
them to know and understand how the product affects their safety and 
how to avoid interfering with its proper functioning; and
    (4) Direct supervisors of the individuals identified in paragraphs 
(b)(1) through (3) of this section.
    (c) When developing the training and qualification program required 
in this section, a railroad shall conduct a formal task analysis. The 
task analysis shall:
    (1) Identify the specific goals of the program for each target 
population (craft, experience level, scope of work, etc.), task(s), and 
desired success rate;
    (2) Identify the installation, maintenance, repair, modification, 
inspection, testing, and operating tasks that will be performed on the 
railroad's products, including but not limited to the development of 
failure scenarios and the actions expected under such scenarios;
    (3) Develop written procedures for the performance of the tasks 
identified; and
    (4) Identify any the additional knowledge, skills, and abilities 
above those required for basic job performance necessary to perform 
each task.
    (d) Based on the task analysis, a railroad shall develop a training 
curriculum that includes formally structured training designed to 
impart the knowledge, skills, and abilities identified as necessary to 
perform each task;
    (e) All individuals identified in paragraph (b) of this section 
shall successfully complete a training curriculum and pass an 
examination that covers the product and appropriate rules and tasks for 
which they are responsible (however, such persons may perform such 
tasks under the direct onsite supervision of a qualified person prior 
to completing such training and passing the examination);
    (f) A railroad shall conduct periodic refresher training at 
intervals to be formally specified in the program, except with respect 
to basic skills for which proficiency is known to remain high as a 
result of frequent repetition of the task.
    (g) A railroad shall conduct regular and periodic evaluations of 
the effectiveness of the training program, verifying the adequacy of 
the training material and its validity with respect to the railroad's 
products and operations.
    (h) A railroad shall maintain records that designate individuals 
who are qualified under this section until new designations are 
recorded or for at least one year after such persons leave applicable 
service. These records shall be maintained in a designated location and 
be available for inspection and replication by FRA and FRA-certified 
State inspectors.


Sec.  229.319  Operating personnel training.

    (a) The training required under Sec.  229.317 for any locomotive 
engineer or other person who participates in the operation of a train 
using an onboard electronic locomotive control system shall address all 
of the following elements and shall be specified in the training 
program.
    (1) Familiarization with the electronic control system equipment 
onboard the locomotive and the functioning of that equipment as part of 
the system and in relation to other onboard systems under that person's 
control;
    (2) Any actions required of the operating personnel to enable or 
enter

[[Page 2234]]

data into the system and the role of that function in the safe 
operation of the train;
    (3) Sequencing of interventions by the system, including 
notification, enforcement, penalty initiation and post penalty 
application procedures as applicable;
    (4) Railroad operating rules applicable to control systems, 
including provisions for movement and protection of any unequipped 
trains, or trains with failed or cut-out controls;
    (5) Means to detect deviations from proper functioning of onboard 
electronic control system equipment and instructions explaining the 
proper response to be taken regarding control of the train and 
notification of designated railroad personnel; and,
    (6) Information needed to prevent unintentional interference with 
the proper functioning of onboard electronic control equipment.
    (b) The training required under this subpart for a locomotive 
engineer, together with required records, shall be integrated into the 
program of training required by part 240 of this chapter.
    20. Part 229 is amended by adding Appendix F to read as follows:

Appendix F to Part 229--Recommended Practices for Design and Safety 
Analysis

    The purpose of this appendix is to provide recommended criteria 
for design and safety analysis that will maximize the safety of 
electronic locomotive control systems and mitigate potential 
negative safety effects. It seeks to promote full disclosure of 
potential safety risks to facilitate minimizing or eliminating 
elements of risk where practicable. It discuses critical elements of 
good engineering practice that the designer should consider when 
developing safety critical electronic locomotive control systems to 
accomplish this objective. The criteria and processes specified this 
appendix is intended to minimize the probability of failure to an 
acceptable level within the limitations of the available engineering 
science, cost, and other constraints. Railroads procuring safety 
critical electronic locomotive controls are encouraged to ensure 
that their vendor addresses each of the elements of this appendix in 
the design of the product being procured. FRA uses the criteria and 
processes set forth in this appendix (or other technically 
equivalent criteria and processes that may be recommended by 
industry) when evaluating analyses, assumptions, and conclusions 
provided in the SA documents.

Definitions

    In addition to the definitions contained in Sec.  229.305, the 
following definitions are applicable to this Appendix:
    Hazard means an existing or potential condition that can result 
in an accident.
    High degree of confidence, as applied to the highest level of 
aggregation, means there exists credible safety analysis supporting 
the conclusion that the risks associated with the product have been 
adequately mitigated.
    Human factors refers to a body of knowledge about human 
limitations, human abilities, and other human characteristics, such 
as behavior and motivation, that shall be considered in product 
design.
    Human-machine interface (HMI) means the interrelated set of 
controls and displays that allows humans to interact with the 
machine.
    Risk means the expected probability of occurrence for an 
individual accident event (probability) multiplied by the severity 
of the expected consequences associated with the accident 
(severity).
    Risk assessment means the process of determining, either 
quantitatively or qualitatively, the measure of risk associated with 
use of the product under all intended operating conditions.
    System Safety Precedence means the order of precedence in which 
methods used to eliminate or control identified hazards within a 
system are implemented.
    Validation means the process of determining whether a product's 
design requirements fulfill its intended design objectives during 
its development and life-cycle. The goal of the validation process 
is to determine ``whether the correct product was built.''
    Verification means the process of determining whether the 
results of a given phase of the development cycle fulfill the 
validated requirements established at the start of that phase. The 
goal of the verification process is to determine ``whether the 
product was built correctly.''

Safety Assessments--Recommended Contents

    The safety-critical assessment of each product should include 
all of its interconnected subsystems and components and, where 
applicable, the interaction between such subsystems. FRA recommends 
that such assessments contain the following:
    (a) A complete description of the product, including a list of 
all product components and their physical relationship in the 
subsystem or system;
    (b) A description of the railroad operation or categories of 
operations on which the product is designed to be used;
    (c) An operational concepts document, including a complete 
description of the product functionality and information flows;
    (d) A safety requirements document, including a list with 
complete descriptions of all functions, which the product performs 
to enhance or preserve safety, and that describes the manner in 
which product architecture satisfies safety requirements;
    (e) A hazard log consisting of a comprehensive description of 
all safety relevant hazards addressed during the life cycle of the 
product, including maximum threshold limits for each hazard (for 
unidentified hazards, the threshold shall be exceeded at one 
occurrence);
    (1) The analysis should document any assumptions regarding the 
reliability or availability of mechanical, electric, or electronic 
components. Such assumptions include MTTF projections, as well as 
Mean Time To Repair (MTTR) projections, unless the risk assessment 
specifically explains why these assumptions are not relevant to the 
risk assessment. The analysis should document these assumptions in 
such a form as to permit later automated comparisons with in-service 
experience (e.g., a spreadsheet). The analysis should also document 
any assumptions regarding human performance. The documentation 
should be in a form that facilitates later comparisons with in-
service experience.
    (2) The analysis should also document any assumptions regarding 
software defects. These assumptions should be in a form which 
permits the railroad to project the likelihood of detecting an in-
service software defect and later automated comparisons with in-
service experience.
    (3) The analysis should document all of the identified safety-
critical fault paths. The documentation should be in a form that 
facilitates later comparisons with in-service faults.
    (f) A risk assessment.
    (1) The risk metric for the proposed product should describe 
with a high degree of confidence the accumulated risk of a 
locomotive control system that operates over a life-cycle of 25 
years or greater. Each risk metric for the proposed product should 
be expressed with an upper bound, as estimated with a sensitivity 
analysis, and the risk value selected is demonstrated to have a high 
degree of confidence.
    (2) Each risk calculation should consider the totality of the 
locomotive control system and its method of operation. The failure 
modes of each subsystem or component, or both, should be determined 
for the integrated hardware/software (where applicable) as a 
function of the Mean Time to Hazardous Events (MTTHE), failure 
restoration rates, and the integrated hardware/software coverage of 
all processor based subsystems or components, or both. Train 
operating and movement rules, along with components that are layered 
in order to enhance safety-critical behavior, should also be 
considered.
    (3) An MTTHE value should be calculated for each subsystem or 
component, or both, indicating the safety-critical behavior of the 
integrated hardware/software subsystem or component, or both. The 
human factor impact should be included in the assessment, whenever 
applicable, to provide an integrated MTTHE value. The MTTHE 
calculation should consider the rates of failures caused by 
permanent, transient, and intermittent faults accounting for the 
fault coverage of the integrated hardware/software subsystem or 
component, phased-interval maintenance, and restoration of the 
detected failures.
    (4) MTTHE compliance verification and validation should be based 
on the assessment of the design for verification and validation 
process, historical performance data, analytical methods and 
experimental safety critical performance testing performed on the 
subsystem or component. The compliance process shall be demonstrated 
to be compliant and consistent with the MTTHE metric and 
demonstrated to have a high degree of confidence.
    (5) The safety-critical behavior of all non-processor based 
components, which are part

[[Page 2235]]

of a processor-based system or subsystem, should be quantified with 
an MTTHE metric. The MTTHE assessment methodology should consider 
failures caused by permanent, transient, and intermittent faults, 
phase interval maintenance and restoration of failures and the 
effect of fault coverage of each non-processor-based subsystem or 
component. The MTTHE compliance verification and validation should 
be based on the assessment of the design for verification and 
validation process, historical performance data, analytical methods 
and experimental safety critical performance testing performed on 
the subsystem or component. The non-processor based quantification 
compliance should also be demonstrated to have a high degree of 
confidence.
    (g) A hazard mitigation analysis, including a complete and 
comprehensive description of all hazards to be addressed in the 
system design and development, mitigation techniques used, and 
system safety precedence followed;
    (h) A complete description of the safety assessment and 
verification and validation processes applied to the product and the 
results of these processes;
    (i) A complete description of the safety assurance concepts used 
in the product design, including an explanation of the design 
principles and assumptions; the designer should address each of the 
following safety considerations when designing and demonstrating the 
safety of products covered by this part. In the event that any of 
these principles are not followed, the analysis should describe both 
the reason(s) for departure and the alternative(s) utilized to 
mitigate or eliminate the hazards associated with the design 
principle not followed.
    (1) Normal operation. The system (including all hardware and 
software) should demonstrate safe operation with no hardware 
failures under normal anticipated operating conditions with proper 
inputs and within the expected range of environmental conditions. 
All safety-critical functions should be performed properly under 
these normal conditions. Absence of specific operator actions or 
procedures will not prevent the system from operating safely. There 
should be no hazards that are categorized as unacceptable or 
undesirable. Hazards categorized as unacceptable should be 
eliminated by design.
    (2) Systematic failure. It should be shown how the product is 
designed to mitigate or eliminate unsafe systematic failures--those 
conditions which can be attributed to human error that could occur 
at various stages throughout product development. This includes 
unsafe errors in the software due to human error in the software 
specification, design or coding phases, or both; human errors that 
could impact hardware design; unsafe conditions that could occur 
because of an improperly designed human-machine interface; 
installation and maintenance errors; and errors associated with 
making modifications.
    (3) Random failure. The product should be shown to operate 
safely under conditions of random hardware failure. This includes 
single as well as multiple hardware failures, particularly in 
instances where one or more failures could occur, remain undetected 
(latent) and react in combination with a subsequent failure at a 
later time to cause an unsafe operating situation. In instances 
involving a latent failure, a subsequent failure is similar to there 
being a single failure. In the event of a transient failure, and if 
so designed, the system should restart itself if it is safe to do 
so. Frequency of attempted restarts should be considered in the 
hazard analysis. There should be no single point failures in the 
product that can result in hazards categorized as unacceptable or 
undesirable. Occurrence of credible single point failures that can 
result in hazards shall be detected and the product should achieve a 
known safe state before falsely activating any physical appliance. 
If one non-self-revealing failure combined with a second failure can 
cause a hazard that is categorized as unacceptable or undesirable, 
then the second failure should be detected and the product should 
achieve a known safe state before falsely activating any physical 
appliance.
    (4) Common Mode failure. Another concern of multiple failures 
involves common mode failure in which two or more subsystems or 
components intended to compensate one another to perform the same 
function all fail by the same mode and result in unsafe conditions. 
This is of particular concern in instances in which two or more 
elements (hardware or software, or both) are used in combination to 
ensure safety. If a common mode failure exists, then any analysis 
cannot rely on the assumption that failures are independent. 
Examples include: the use of redundancy in which two or more 
elements perform a given function in parallel and when one (hardware 
or software) element checks/monitors another element (of hardware or 
software) to help ensure its safe operation. Common mode failure 
relates to independence, which shall be ensured in these instances. 
When dealing with the effects of hardware failure, the designer 
should address the effects of the failure not only on other 
hardware, but also on the execution of the software, since hardware 
failures can greatly affect how the software operates.
    (5) External influences. The product should operate safely when 
subjected to different external influences, including:
    (i) Electrical influences such as power supply anomalies/
transients, abnormal/improper input conditions (e.g., outside of 
normal range inputs relative to amplitude and frequency, unusual 
combinations of inputs) including those related to a human operator, 
and others such as electromagnetic interference or electrostatic 
discharges, or both;
    (ii) Mechanical influences such as vibration and shock; and 
climatic conditions such as temperature and humidity.
    (6) Modifications. Safety must be ensured following 
modifications to the hardware or software, or both. All or some of 
the concerns previously identified may be applicable depending upon 
the nature and extent of the modifications.
    (7) Software. Software faults should not cause hazards 
categorized as unacceptable or undesirable.
    (8) Closed Loop Principle. The product design should require 
positive action to be taken in a prescribed manner to either begin 
product operation or continue product operation.
    (j) A human factors analysis, including a complete description 
of all human-machine interfaces, a complete description of all 
functions performed by humans in connection with the product to 
enhance or preserve safety, and an analysis of the physical 
ergonomics of the product on the operators and the safe operation of 
the system;
    (k) A complete description of the specific training of railroad 
and contractor employees and supervisors necessary to ensure the 
safe and proper installation, implementation, operation, 
maintenance, repair, inspection, testing, and modification of the 
product;
    (l) A complete description of the specific procedures and test 
equipment necessary to ensure the safe and proper installation, 
implementation, operation, maintenance, repair, inspection, test, 
and modification of the product. These procedures, including 
calibration requirements, should be consistent with or explain 
deviations from the equipment manufacturer's recommendations;
    (m) A complete description of the necessary security measures 
for the product over its life-cycle;
    (n) A complete description of each warning to be placed in the 
Operations and Maintenance Manual and of all warning labels required 
to be placed on equipment as necessary to ensure safety;
    (o) A complete description of all initial implementation testing 
procedures necessary to establish that safety-functional 
requirements are met and safety-critical hazards are appropriately 
mitigated;
    (p) A complete description of all post-implementation testing 
(validation) and monitoring procedures, including the intervals 
necessary to establish that safety-functional requirements, safety-
critical hazard mitigation processes, and safety-critical tolerances 
are not compromised over time, through use, or after maintenance 
(repair, replacement, adjustment) is performed; and
    (q) A complete description of each record necessary to ensure 
the safety of the system that is associated with periodic 
maintenance, inspections, tests, repairs, replacements, adjustments, 
and the system's resulting conditions, including records of 
component failures resulting in safety relevant hazards;
    (r) A complete description of any safety-critical assumptions 
regarding availability of the product, and a complete description of 
all backup methods of operation; and
    (s) The configuration/revision control measures designed to 
ensure that safety-functional requirements and safety-critical 
hazard mitigation processes are not compromised as a result of any 
change. Changes classified as maintenance require validation.

[[Page 2236]]

Guidance Regarding the Application of Human Factors in the Design of 
Products

    The product design should sufficiently incorporate human factors 
engineering that is appropriate to the complexity of the product; 
the gender, educational, mental, and physical capabilities of the 
intended operators and maintainers; the degree of required human 
interaction with the component; and the environment in which the 
product will be used. HMI design criteria minimize negative safety 
effects by causing designers to consider human factors in the 
development of HMIs. As used in this discussion, ``designer'' means 
anyone who specifies requirements for--or designs a system or 
subsystem, or both, for--a product subject to this part, and 
``operator'' means any human who is intended to receive information 
from, provide information to, or perform repairs or maintenance on a 
safety critical locomotive control product subject to this part.
    I. FRA recommends that system designers should:
    (a) Design systems that anticipate possible user errors and 
include capabilities to catch errors before they propagate through 
the system;
    (b) Conduct cognitive task analyses prior to designing the 
system to better understand the information processing requirements 
of operators when making critical decisions;
    (c) Present information that accurately represents or predicts 
system states; and
    (d) Ensure that electronics equipment radio frequency emissions 
are compliant with appropriate Federal Communications Commission 
(FCC) regulations. The FCC rules and regulations are codified in 
Title 47 of the Code of Federal Regulations (CFR). The following 
documentation is applicable to obtaining FCC Equipment 
Authorization:
    (1) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987 
issue) FCC Equipment Authorization Program for Radio Frequency 
Devices. This document provides an overview of the equipment 
authorization program to control radio interference from radio 
transmitters and certain other electronic products and how to obtain 
an equipment authorization.
    (2) OET Bulletin 63: (October 1993) Understanding The FCC Part 
15 Regulations for Low Power, Non-Licensed Transmitters. This 
document provides a basic understanding of the FCC regulations for 
low power, unlicensed transmitters, and includes answers to some 
commonly-asked questions. This edition of the bulletin does not 
contain information concerning personal communication services (PCS) 
transmitters operating under Part 15, Subpart D of the rules.
    (3) Title 47 Code of Federal Regulations Parts 0 to 19. The FCC 
rules and regulations governing PCS transmitters may be found in 47 
CFR, Parts 0 to 19.
    (4) OET Bulletin 62 (December 1993) Understanding The FCC 
Regulations for Computers and other Digital Devices. This document 
has been prepared to provide a basic understanding of the FCC 
regulations for digital (computing) devices, and includes answers to 
some commonly-asked questions.
    II. Human factors issues designers should consider with regard 
to the general functioning of a system include:
    (a) Reduced situational awareness and over-reliance. HMI design 
shall give an operator active functions to perform, feedback on the 
results of the operator's actions, and information on the automatic 
functions of the system as well as its performance. The operator 
shall be ``in-the loop.'' Designers should consider at minimum the 
following methods of maintaining an active role for human operators:
    (1) The system should require an operator to initiate action to 
operate the train and require an operator to remain ``in-the-loop'' 
for at least 30 minutes at a time;
    (2) The system should provide timely feedback to an operator 
regarding the system's automated actions, the reasons for such 
actions, and the effects of the operator's manual actions on the 
system;
    (3) The system should warn operators in advance when they 
require an operator to take action;
    (4) HMI design should equalize an operator's workload; and
    (5) HMI design should not distract from the operator's safety 
related duties.
    (b) Expectation of predictability and consistency in product 
behavior and communications. HMI design should accommodate an 
operator's expectation of logical and consistent relationships 
between actions and results. Similar objects should behave 
consistently when an operator performs the same action upon them. 
End users have a limited memory and ability to process information. 
Therefore, HMI design should also minimize an operator's information 
processing load.
    (1) To minimize information processing load, the designer 
should:
    (i) Present integrated information that directly supports the 
variety and types of decisions that an operator makes;
    (ii) Provide information in a format or representation that 
minimizes the time required to understand and act; and
    (iii) Conduct utility tests of decision aids to establish clear 
benefits such as processing time saved or improved quality of 
decisions.
    (2) To minimize short-term memory load, the designer should 
integrate data or information from multiple sources into a single 
format or representation (``chunking'') and design so that three or 
fewer ``chunks'' of information need to be remembered at any one 
time. To minimize long-term memory load, the designer should design 
to support recognition memory, design memory aids to minimize the 
amount of information that should be recalled from unaided memory 
when making critical decisions, and promote active processing of the 
information.
    (3) When creating displays and controls, the designer shall 
consider user ergonomics and should:
    (i) Locate displays as close as possible to the controls that 
affect them;
    (ii) Locate displays and controls based on an operator's 
position;
    (iii) Arrange controls to minimize the need for the operator to 
change position;
    (iv) Arrange controls according to their expected order of use;
    (v) Group similar controls together;
    (vi) Design for high stimulus-response compatibility (geometric 
and conceptual);
    (vii) Design safety-critical controls to require more than one 
positive action to activate (e.g., auto stick shift requires two 
movements to go into reverse);
    (viii) Design controls to allow easy recovery from error; and
    (ix) Design display and controls to reflect specific gender and 
physical limitations of the intended operators.
    (4) Detailed locomotive ergonomics human machine interface 
guidance may be found in ``Human Factors Guidelines for Locomotive 
Cabs'' (FRA/ORD-98/03 or DOT-VNTSC-FRA-98-8).
    (5) The designer should also address information management. To 
that end, HMI design should:
    (i) Display information in a manner which emphasizes its 
relative importance;
    (ii) Comply with the ANSI/HFS 100-1988 standard;
    (iii) Utilize a display luminance that has a difference of at 
least 35cd/m2 between the foreground and background (the displays 
should be capable of a minimum contrast 3:1 with 7:1 preferred, and 
controls should be provided to adjust the brightness level and 
contrast level);
    (iv) Display only the information necessary to the user;
    (v) Where text is needed, use short, simple sentences or phrases 
with wording that an operator will understand and appropriate to the 
educational and cognitive capabilities of the intended operator;
    (vi) Use complete words where possible; where abbreviations are 
necessary, choose a commonly accepted abbreviation or consistent 
method and select commonly used terms and words that the operator 
will understand;
    (vii) Adopt a consistent format for all display screens by 
placing each design element in a consistent and specified location;
    (viii) Display critical information in the center of the 
operator's field of view by placing items that need to be found 
quickly in the upper left hand corner and items which are not time-
critical in the lower right hand corner of the field of view;
    (ix) Group items that belong together;
    (x) Design all visual displays to meet human performance 
criteria under monochrome conditions and add color only if it will 
help the user in performing a task, and use color coding as a 
redundant coding technique;
    (xi) Limit the number of colors over a group of displays to no 
more than seven;
    (xii) Design warnings to match the level of risk or danger with 
the alerting nature of the signal; and
    (xiii) With respect to information entry, avoid full QWERTY 
keyboards for data entry.
    (6) With respect to problem management, the HMI designer should 
ensure that the HMI design:
    (i) Enhances an operator's situation awareness;
    (ii) Supports response selection and scheduling; and
    (iii) Supports contingency planning.
    (7) Designers should comply with FCC requirements for Maximum 
Permissible Exposure limits for field strength and power

[[Page 2237]]

density for the transmitters operating at frequencies of 300 kHz to 
100 GHz and specific absorption rate (SAR) limits for devices 
operating within close proximity to the body. The Commission's 
requirements are detailed in Parts 1 and 2 of the FCC's Rules and 
Regulations [47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093. The FCC has a 
number of bulletins and supplements that offer guidelines and 
suggestions for evaluating compliance. These documents are not 
intended to establish mandatory procedures, other methods and 
procedures may be acceptable if based on sound engineering practice.
    (i) OET Bulletin No. 65 (Edition 97-01, August 1997), 
``Evaluating Compliance With FCC Guidelines For Human Exposure To 
Radio Frequency Electromagnetic Fields'';
    (ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 
1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997); 
and
    (iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 
2001). This bulletin provides assistance in determining whether 
proposed or existing transmitting facilities, operations, or devices 
comply with limits for human exposure to radio frequency RF fields 
adopted by the FCC.

Guidance for Verification and Validation of Products

    The goal of this assessment is to provide an evaluation of the 
product manufacturer's utilization of safety design practices during 
the product's development and testing phases, as required by the 
applicable railroad's requirements, the requirements of this part, 
and any other previously agreed-upon controlling documents or 
standards. The standards employed for verification or validation, or 
both, of products shall be sufficient to support achievement of the 
applicable requirements of this part.
    (a) The latest version of the following standards have been 
recognized by FRA as providing appropriate risk analysis processes 
for incorporation into verification and validation standards.
    (1) U.S. Department of Defense Military Standard (MIL-STD) 882C, 
``System Safety Program Requirements'' (January 19, 1993);
    (2) CENELEC Standards as follows:
    (i) EN50126: 1999, Railway Applications: Specification and 
Demonstration of Reliability, Availability, Maintainability and 
Safety (RAMS);
    (ii) EN50128 (May 2001), Railway Applications: Software for 
Railway Control and Protection Systems;
    (iii) EN50129: 2003, Railway Applications: Communications, 
Signaling, and Processing Systems-Safety Related Electronic Systems 
for Signaling; and
    (iv) EN50155:2001/A1:2002, Railway Applications: Electronic 
Equipment Used in Rolling Stock.
    (3) ATCS Specification 140, Recommended Practices for Safety and 
Systems Assurance.
    (4) ATCS Specification 130, Software Quality Assurance.
    (5) Safety of High Speed Ground Transportation Systems. 
Analytical Methodology for Safety Validation of Computer Controlled 
Subsystems. Volume II: Development of a Safety Validation 
Methodology. Final Report September 1995. Author: Jonathan F. 
Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
    (6) IEC 61508 (International Electro-technical Commission), 
Functional Safety of Electrical/Electronic/Programmable/Electronic 
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
    (i) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 
61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements;
    (ii) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/
electronic/programmable electronic safety-related systems;
    (iii) IEC 61508-3 (1998-12) Part 3: Software requirements and 
IEC 61508-3 Corr.1(1999-04) Corrigendum 1-Part3: Software 
requirements;
    (iv) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations 
and IEC 61508-4 Corr.1(1999-04) Corrigendum 1-Part 4: Definitions 
and abbreviations;
    (v) IEC 61508-5 (1998-12) Part 5: Examples of methods for the 
determination of safety integrity levels and IEC 61508-5 Corr.1 
(1999-04) Corrigendum 1 Part 5: Examples of methods for 
determination of safety integrity levels;
    (vi) 1IEC 61508-6 (2000-04) Part 6: Guidelines on the 
applications of IEC 61508-2 and -3; and
    (vii) IEC 61508-7 (2000-03) Part 7: Overview of techniques and 
measures.
    (b) When using unpublished standards, including proprietary 
standards, the standards should be available for inspection and 
replication by the railroad and FRA and should be available for 
public examination.
    (c) Third party assessments. The railroad, the supplier, or FRA 
may conclude it is necessary for a third party assessment of the 
system. A third party assessor should be ``independent''. An 
``independent third party'' means a technically competent entity 
responsible to and compensated by the railroad (or an association on 
behalf of one or more railroads) that is independent of the supplier 
of the product. An entity that is owned or controlled by the 
supplier, that is under common ownership or control with the 
supplier, or that is otherwise involved in the development of the 
product would not be considered ``independent''.
    (1) The reviewer should not engage in design efforts, in order 
to preserve the reviewer's independence and maintain the supplier's 
proprietary right to the product. The supplier should provide the 
reviewer access to any, and all, documentation that the reviewer 
requests and attendance at any design review or walk through that 
the reviewer determines as necessary to complete and accomplish the 
third party assessment. Representatives from FRA or the railroad 
might accompany the reviewer.
    (2) Third party reviews can occur at a preliminary level, a 
functional level, or implementation level. At the preliminary level, 
the reviewer should evaluate with respect to safety and comment on 
the adequacy of the processes, which the supplier applies to the 
design, and development of the product. At a minimum, the reviewer 
should compare the supplier processes with industry best practices 
to determine if the vendor methodology is acceptable and employ any 
other such tests or comparisons if they have been agreed to 
previously with the railroad or FRA. Based on these analyses, the 
reviewer shall identify and document any significant safety 
vulnerabilities that are not adequately mitigated by the supplier's 
(or user's) processes. At the functional level, the reviewer 
evaluates the adequacy, and comprehensiveness, of the safety 
analysis, and any other documents pertinent to the product being 
assessed for completeness, correctness, and compliance with 
applicable standards. This includes, but is not limited to the 
Preliminary Hazard Analysis (PHA), all Fault Tree Analyses (FTA), 
all Failure Mode and Effects Criticality Analysis (FMECA), and other 
hazard analyses. At the implementation level the reviewer randomly 
selects various safety-critical software modules for audit to verify 
whether the system process and design requirements were followed. 
The number of modules audited shall be determined as a 
representative number sufficient to provide confidence that all un-
audited modules were developed in similar manner as the audited 
module. During this phase the reviewer would also evaluate and 
comment on the adequacy of the plan for installation and test of the 
product for revenue service.
    (d) Reviewer Report. Upon completion of an assessment, the 
reviewer prepares a final report of the assessment. The report 
should contain the following information:
    (1) The reviewer's evaluation of the adequacy of the risk 
analysis, including the supplier's MTTHE and risk estimates for the 
product, and the supplier's confidence interval in these estimates;
    (2) Product vulnerabilities which the reviewer felt were not 
adequately mitigated, including the method by which the railroad 
would assure product safety in the event of a hardware or software 
failure (i.e., how does the railroad or vendor assure that all 
potentially hazardous failure modes are identified?) and the method 
by which the railroad or vendor addresses comprehensiveness of the 
product design for the requirements of the operations it will govern 
(i.e., how does the railroad and/or vendor assure that all 
potentially hazardous operating circumstances are identified? Who 
records any deficiencies identified in the design process? Who 
tracks the correction of these deficiencies and confirms that they 
are corrected?);
    (3) A clear statement of position for all parties involved for 
each product vulnerability cited by the reviewer;
    (4) Identification of any documentation or information sought by 
the reviewer that was denied, incomplete, or inadequate;
    (5) A listing of each design procedure or process which was not 
properly followed;
    (6) Identification of the software verification and validation 
procedures for the product's safety-critical applications, and the 
reviewer's evaluation of the adequacy of these procedures;
    (7) Methods employed by the product manufacturer to develop 
safety-critical

[[Page 2238]]

software, such as use of structured language, code checks, 
modularity, or other similar generally acceptable techniques; and
    (8) Methods by which the supplier or railroad addresses 
comprehensiveness of the product design which considers the safety 
elements.

PART 238--[AMENDED]

    21. The authority citation for part 238 continues to read as 
follows:

    Authority:  49 U.S.C. 20103, 20107, 20133, 20141, 20302-20303, 
20306, 20701-20702, 21301-21302, 21304; 28 U.S.C. 2461, note; and 49 
CFR 1.49.

    22. Section 238.105 is amended by revising paragraph (d)(1) to read 
as follows:


Sec.  238.105  Train electronic hardware and software safety.

* * * * *
    (d) * * *
    (1) Hardware and software that controls or monitors a train's 
primary braking system shall either:
    (i) Fail safely by initiating a full service or emergency brake 
application in the event of a hardware or software failure that could 
impair the ability of the engineer to apply or release the brakes; or
    (ii) Provide the engineer access to direct manual control of the 
primary braking system (service or emergency braking).
* * * * *
    23. Section 238.309 is amended by revising paragraphs (b), (c), and 
(e) to read as follows:


Sec.  238.309  Periodic brake equipment maintenance.

* * * * *
    (b) DMU and MU locomotives. The brake equipment and brake cylinders 
of each DMU or MU locomotive shall be cleaned, repaired, and tested, 
and the filtering devices or dirt collectors located in the main 
reservoir supply line to the air brake system cleaned, repaired, or 
replaced at intervals in accordance with the following schedule:
    (1) Every 736 days if the DMU or MU locomotive is part of a fleet 
that is not 100 percent equipped with air dryers;
    (2) Every 1,104 days if the DMU or MU locomotive is part of a fleet 
that is 100 percent equipped with air dryers and is equipped with PS-
68, 26-C, 26-L, PS-90, CS-1, RT-2, RT-5A, GRB-1, CS-2, or 26-R brake 
systems. (This listing of brake system types is intended to subsume all 
brake systems using 26 type, ABD, or ABDW control valves and PS68, PS-
90, 26B-1, 26C, 26CE, 26-B1, 30CDW, or 30ECDW engineer's brake 
valves.);
    (3) Every 1,840 days if the DMU or MU locomotive is part of a fleet 
that is 100 percent equipped with air dryers and is equipped with KB-
HL1, KB-HS1, or KBCT1; and,
    (4) Every 736 days for all other DMU or MU locomotives.
    (c) Conventional locomotives. The brake equipment of each 
conventional locomotive shall be cleaned, repaired, and tested in 
accordance with the schedule provided in Sec.  229.29 of this chapter.
* * * * *
    (e) Cab cars. The brake equipment of each cab car shall be cleaned, 
repaired, and tested at intervals in accordance with the following 
schedule:
    (1) Every 1,840 days for locomotives equipped with CCB-1, CCB-2, 
CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 3102D2, EPIC 2, KB-HS1, or 
Fastbrake brake systems.
    (2) Every 1,476 days for that portion of the cab car brake system 
using brake valves that are identical to the passenger coach 26-C brake 
system;
    (3) Every 1,104 days for that portion of the cab car brake system 
using brake valves that are identical to the locomotive 26-L brake 
system; and
    (4) Every 736 days for all other types of cab car brake valves.
* * * * *

    Issued in Washington, DC, on December 29, 2010.
Karen J. Rae,
Deputy Administrator.
[FR Doc. 2010-33244 Filed 1-11-11; 8:45 am]
BILLING CODE 4910-06-P