-
Start Preamble
Start Printed Page 2598
AGENCY:
Federal Railroad Administration (FRA), Department of Transportation (DOT).
ACTION:
Final rule; request for comment on specific issues.
SUMMARY:
FRA is issuing regulations implementing a requirement of the Rail Safety Improvement Act of 2008 that defines criteria for certain passenger and freight rail lines requiring the implementation of positive train control (PTC) systems. This final rule includes required functionalities of PTC system technology and the means by which PTC systems will be certified. This final rule also describes the contents of the PTC implementation plans required by the statute and contains the process for submission of those plans for review and approval by FRA. These regulations could also be voluntarily complied with by entities not mandated to install PTC systems. This is a final rule; however, FRA has identified specific provisions for which we are considering making changes to the final rule, if warranted by the public comments received. We expect to publish our response to those comments, including any possible changes to the rule made as a result of them, as soon as possible following the end of the comment period. However, the limited areas of this rule open for additional comment do not affect the requirement for railroads to prepare and submit plans in accordance with the deadlines established in this final rule.
DATES:
This final rule is effective March 16, 2010. Petitions for reconsideration must be received on or before March 16, 2010. Comments must be received on or before February 16, 2010.
ADDRESSES:
Petitions for reconsideration and comments: Any petitions for reconsideration or comments related to Docket No. FRA-2008-0132, may be submitted by any of the following methods:
- Web site: The Federal eRulemaking Portal, http://www.regulations.gov. Follow the Web site's online instructions for submitting comments.
- Fax: 202-493-2251.
- Mail: Docket Management Facility, U.S. Department of Transportation, 1200 New Jersey Avenue, SE., W12-140, Washington, DC 20590.
- Hand Delivery: Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal holidays.
Instructions: All submissions must include the agency name and docket number or Regulatory Identification Number (RIN) for this rulemaking. Note that all petitions received will be posted without change to http://www.regulations.gov including any personal information. Please see the Privacy Act heading in the SUPPLEMENTARY INFORMATION section of this document for Privacy Act information related to any submitted petitions, comments, or materials.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov or to Room W12-140 on the Ground level of the West Building, 1200 New Jersey Avenue, SE., Washington, DC between 9 a.m. and 5 p.m. Monday through Friday, except Federal holidays.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Thomas McFarlin, Office of Safety Assurance and Compliance, Staff Director, Signal & Train Control Division, Federal Railroad Administration, Mail Stop 25, West Building 3rd Floor, Room W35-332, 1200 New Jersey Avenue, SE., Washington, DC 20590 (telephone: 202-493-6203); or Jason Schlosberg, Trial Attorney, Office of Chief Counsel, RCC-10, Mail Stop 10, West Building 3rd Floor, Room W31-217, 1200 New Jersey Avenue, SE., Washington, DC 20590 (telephone: 202-493-6032).
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
FRA is issuing this final rule to provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Rail Safety Improvement Act of 2008 § 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008) (codified at 9 U.S.C. 20157) (hereinafter “RSIA08”), to implement PTC systems. These regulations may also be voluntarily complied with by entities not mandated to install PTC in lieu of the requirements contained in subpart H of part 236. The final rule establishes requirements for PTC system standard design and functionality, the associated submissions for FRA PTC system approval and certification, requirements for training, and required risk-based criteria. The RSIA08 mandates that widespread implementation of PTC across a major portion of the U.S. rail industry be accomplished by December 31, 2015. This final rule intends to provide the necessary Federal oversight, guidance, and assistance toward successful completion of that congressional requirement. This final rule also necessitates or results in some minimal revision or amendment to parts 229, 234, and 235, as well as previously existing subparts A through H of part 236.
Table of Contents for Supplementary Information
I. Introduction
II. Background
A. The Need for Positive Train Control Technology
B. Earlier Efforts To Encourage Voluntary PTC Implementation
C. Technology Advances Under Subpart H
III. The Rail Safety Improvement Act of 2008
IV. Public Participation
A. RSAC Process
B. Public Hearing and Comments Filed
V. Overview: The Proposed Rule, Comments, and Resolution of Comments
VI. Seeking Further Comments
VII. Section-by-Section Analysis
VIII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
B. Regulatory Flexibility Act and Executive Order 13272
C. Paperwork Reduction Act
D. Federalism Implications
E. Environmental Impact
F. Unfunded Mandates Reform Act of 1995
G. Energy Impact
H. Privacy Act
IX. The Rule
I. Introduction
This final rule provides new performance standards for the implementation and operation of PTC systems as mandated by the RSIA08 and as otherwise voluntarily adopted. This final rule also details the process and identifies the documents that railroads and operators of passenger trains are to utilize and incorporate in their PTC implementation plans required by the RSIA08. The final rule also details the process and procedure for obtaining FRA approval of such plans.
While developing this final rule, FRA applied the performance-based principles embodied in existing subpart H of part 236 to identify and remedy any weaknesses discovered in the subpart H regulatory approach, while exploiting lessons learned from products developed under subpart H. FRA has continued to make performance-based safety decisions while supporting railroads in their development and implementation of PTC system technologies. Development of this final rule was enhanced with the participation of the Railroad Safety Start Printed Page 2599Advisory Committee (RSAC), which tasked a PTC Working Group to provide advice regarding development of implementing regulations for PTC systems and their deployment that are required under the RSIA08. The PTC Working Group made a number of consensus recommendations, which were identified and included in the proposed rule, and has contributed further refinements in the form of recommendations for resolution of the public comments. The preamble discusses the statutory background, the regulatory background, the RSAC proceedings, the alternatives considered and the rationale for the options selected, the proceedings to date, as well as the comments and conclusions on general issues. Other comments and resolutions are discussed within the corresponding section-by-section analysis.
II. Background
A. The Need for Positive Train Control Technology
Since the early 1920s, systems have been in use that can intervene in train operations by warning crews or causing trains to stop if they are not being operated safely because of inattention, misinterpretation of wayside signal indications, or incapacitation of the crew. Pursuant to orders of the Interstate Commerce Commission (ICC)—whose safety regulatory activities were later transferred to FRA when it was established in 1967—cab signal systems, automatic train control, and automatic train stop systems were deployed on a significant portion of the national rail system to supplement and enforce the indications of wayside signals and operating speed limitations. However, these systems were expensive to install and maintain, and with the decline of intercity passenger service following the Second World War, the ICC and the industry allowed many of these systems to be discontinued. During this period, railroads were heavily regulated with respect to rates and service responsibilities. The development of the Interstate Highway System and other factors led to reductions in the railroads' revenues without regulatory relief, leading to bankruptcies, railroad mergers, and eventual abandonment of many rail lines. Consequently, railroads focused on fiscal survival, and investments in expensive relay-based train control technology were economically out of reach. The removal of these train control systems, which had never been pervasively installed, permitted train collisions to continue, notwithstanding enforcement of railroad operating rules designed to prevent them.
As early as 1970, following its investigation of the August 20, 1969, head-on collision of two Penn Central Commuter trains near Darien, Connecticut, in which 4 people were killed and 45 people were injured, the National Transportation Safety Board (NTSB) asked FRA to study the feasibility of requiring a form of automatic train control system to protect against train operator error and prevent train collisions. Following the Darien accident, the NTSB continued to investigate one railroad accident after another caused by human error. During the next two decades, the NTSB issued a number of safety recommendations asking for train control measures. Following its investigation of the May 7, 1986, rear-end collision involving a Boston and Maine Corporation commuter train and a Consolidated Rail Corporation (Conrail) freight train in which 153 people were injured, the NTSB recommended that FRA promulgate standards to require the installation and operation of a train control system that would provide for positive train separation. NTSB Recommendation R-87-16 (May 19, 1987), available at http://www.ntsb.gov/Recs/letters/1987/R87_16.pdf. When the NTSB first established its Most Wanted List of Transportation Safety Improvements in 1990, the issue of Positive Train Separation was among the improvements listed, and it remained on the list until just after enactment of the RSIA08. Original “Most Wanted” list of Transportation Safety Improvements, as adopted September 1990, available at http://www.ntsb.gov/Recs/mostwanted/original_list.htm. The NTSB continues to follow the progress of the technology's implementation closely and participated through staff in the most recent PTC Working Group deliberations.
Meanwhile, enactment of the Staggers Rail Act of 1980 signaled a shift in public policy that permitted the railroads to shed unprofitable lines, largely replace published “tariffs” with appropriately priced contract rates, and generally respond to marketplace realities, which increasingly demanded flexible service options responsive to customer needs. The advent of microprocessor-based electronic control systems and digital data radio technology during the mid-1980s led the freight railroad industry, through the Association of American Railroads (AAR) and the Railway Association of Canada, to explore the development of Advanced Train Control Systems (ATCS). With broad participation by suppliers, railroads, and FRA, detailed specifications were developed for a multi-level “open” architecture that would permit participation by many suppliers while ensuring that systems deployed on various railroads would work in harmony as trains crossed corporate boundaries. ATCS was intended to serve a variety of business purposes, in addition to enhancing the safety of train operations. Pilot versions of ATCS and a similar system known as Advanced Railroad Electronic Systems (ARES) were tested relatively successfully, but the systems were never deployed on a wide scale primarily due to cost. However, sub-elements of these systems were employed for various purposes, particularly for replacement of pole lines associated with signal systems.
Collisions, derailments, and incursions into work zones used by roadway workers continued as a result of the absence of effective enforcement systems designed to compensate for the effects of fatigue and other human factors. Renewed emphasis on rules compliance and federal regulatory initiatives, including rules for the control of alcohol and drug use in railroad operations, operational testing and inspection programs designed to verify railroad rules compliance, requirements for qualification and certification of locomotive engineers, and negotiated rules for roadway worker protection, led to substantial reductions in risk. However, the lack of an effective collision avoidance system allowed the continued occurrence of accidents, some involving tragic losses of life, serious injury, and significant property damage.
B. Earlier Efforts To Encourage Voluntary PTC Implementation
As the NTSB continued to highlight the opportunities for accident prevention associated with emerging train control technology through its investigations and findings, Congress showed increasing interest, mandating three separate reports over the period of a decade. In 1994, FRA reported to Congress on this problem, calling for implementation of an action plan to deploy PTC systems (Report to Congress on Railroad Communications and Train Control (July 1994) (hereinafter “1994 Report”)). The 1994 Report forecasted substantial benefits of advanced train control technology in supporting a variety of business and safety purposes, but noted that an immediate regulatory mandate for PTC could not be justified based upon normal cost-benefit principles relying on direct safety Start Printed Page 2600benefits. The report outlined an aggressive Action Plan implementing a public-private sector partnership to explore technology potential, deploy systems for demonstration, and structure a regulatory framework to support emerging PTC initiatives.
Following through on the 1994 Report, FRA committed approximately $40 million through the Next Generation High-Speed Rail Program and the Research and Development Program to support development, testing, and deployment of PTC prototype systems in the Pacific Northwest, Michigan, Illinois, Alaska, and on some Eastern railroads. FRA also initiated a comprehensive effort to structure an appropriate regulatory framework for facilitating voluntary implementation of PTC and for evaluating future safety needs and opportunities.
In September of 1997, FRA asked the RSAC to address the issue of PTC. The RSAC accepted three tasks: Standards for New Train Control Systems (Task 1997-06), Positive Train Control Systems-Implementation Issues (Task 1997-05), and Positive Train Control Systems-Technologies, Definitions, and Capabilities (Task 1997-04). The PTC Working Group was established, comprised of representatives of labor organizations, suppliers, passenger and freight railroads, other federal agencies, and interested state departments of transportation. The PTC Working Group was supported by FRA counsel and staff, analysts from the Volpe National Transportation Systems Center (Volpe Center), and advisors from the NTSB staff.
In 1999, the PTC Working Group provided to the Federal Railroad Administrator a consensus report (Report of the Railroad Safety Advisory Committee to the Federal Railroad Administrator, Implementation of Positive Train Control Systems (August 1999) (hereinafter “1999 Report”)) with an indication that it would be continuing its efforts. The 1999 Report defined the PTC core functions to include: prevention of train-to-train collisions (positive train separation); enforcement of speed restrictions, including civil engineering restrictions (curves, bridges, etc.) and temporary slow orders; and protection for roadway workers and their equipment operating within their limits of authority. The PTC Working Group identified additional safety functions that might be included in some PTC architectures: provide warning of on-track equipment operating outside their limits of authority; receive and act upon hazard information, when available, in a more timely or more secure manner (e.g., compromised bridge integrity, wayside detector data); and provide for future capability by generating data for transfer to highway users to enhance warning at highway-rail grade crossings. The PTC Working Group stressed that efforts to enhance highway-rail grade crossing safety must recognize the train's necessary right of way at grade crossings and that it is important that warning systems employed at highway-rail grade crossings be highly reliable and “fail-safe” in their design.
As the PTC Working Group's work continued, other collaborative efforts, including development of Passenger Equipment Safety Standards (including private standards through the American Public Transit Association), Passenger Train Emergency Preparedness rules, and proposals for improving locomotive crashworthiness (including improved fuel tank standards) have targeted reduction in collision and derailment consequences.
In 2003, in light of technological advances and potential increased cost and system savings related to prioritized deployment of PTC systems, the Appropriations Committees of Congress requested that FRA update the costs and benefits for the deployment of PTC and related systems. As requested, FRA carried out a detailed analysis that was filed in August of 2004, Benefits and Costs of Positive Train Control (Report in Response to Committees on Appropriations, August 2004) (“2004 Report”), which indicated that under one set of highly controversial assumptions, substantial public benefits would likely flow from the installation of PTC systems on the railroad system. Further, the total amount of these benefits was subject to considerable controversy. While many of the other findings of the 2004 Report were disputed, there were no data submitted to challenge the 2004 Report finding that reaffirmed earlier conclusions that the safety benefits of PTC systems were relatively small in comparison to the large capital and maintenance costs. Accordingly, FRA continued to believe that an immediate regulatory mandate for widespread PTC implementation could not be justified based upon traditional cost-benefit principles relying on direct railroad safety benefits.
Despite the economic infeasibility of PTC based on safety benefits alone, as outlined in the 1994, 1999, and 2004 Reports, FRA continued with regulatory and other efforts to facilitate and encourage the voluntary installation of PTC systems. As part of the High-Speed Rail Initiative, and in conjunction with the National Railroad Passenger Corporation (Amtrak), the AAR, the State of Illinois, and the Union Pacific Railroad Company (UP), FRA created the North American Joint Positive Train Control (NAJPTC) Program, which set out to describe a single standardized open source PTC architecture and system. UP's line between Springfield and Mazonia, Illinois was selected for initial installation of a train control system to support Amtrak operations up to 110 miles per hour, and the system was installed and tested on portions of that line. Although the system did not prove viable as then conceived, the project hastened the development of PTC technology that was subsequently employed in other projects. Promised standards for interoperability of PTC systems also proved elusive.
In addition to financially supporting the NAJPTC Program, FRA continued to work with the rail carriers, rail labor, and suppliers on regulatory reforms to facilitate voluntary PTC implementation. The regulatory reform effort culminated when FRA issued a final rule on March 7, 2005, establishing a technology neutral safety-based performance standard for processor-based signal and train control systems. This new regulation, codified as subpart H to part 236, was carefully crafted to encourage the voluntary implementation and operation of processor-based signal and train control systems without impairing technological development. 70 FR 11,052 (Mar. 7, 2005).
FRA intended that final rule—developed through the RSAC process in close cooperation with rail management, rail labor, and suppliers—to further facilitate individual railroad efforts to voluntarily develop and deploy cost effective PTC technologies that would make system-wide deployment more economically viable. It also appeared very possible that major railroads would elect to make voluntary investments in PTC to enhance safety, improve service quality, and foster efficiency (e.g., better asset utilization, reduced fuel use through train pacing).
C. Technology Advances Under Subpart H
While FRA and RSAC worked to develop consensus on the regulations that would become subpart H, the railroads continued with PTC prototype development. The technology neutral, performance-based regulatory process established by subpart H proved to be very successful in facilitating the development of other PTC implementation approaches. Although the railroads prototype development efforts were generally technically Start Printed Page 2601successful and offered significant improvements in safety, costs of nationwide deployment continued to be untenable in the judgment of those determining allocation of railroad capital. Information gained from prototype efforts did little to reduce the estimated costs for widespread implementation of the core PTC safety functions on the nation's railroads.
Working under subpart H, the BNSF Railway Company (BNSF), CSX Transportation, Inc. (CSXT), the Norfolk Southern Corporation (NS), and UP undertook more aggressive design and implementation work. The new subpart H regulatory approach also made it feasible for smaller railroads, such as the Alaska Railroad and the Ohio Central Railroad, to begin voluntary design and implementation work on PTC systems that best suited their needs. FRA provided, and continues to provide, technical assistance and guidance regarding regulatory compliance to enable the railroads to more effectively design, install, and test their respective systems.
In December 2006, FRA approved the initial version of the Electronic Train Management System (ETMS®) product for deployment on 35 of BNSF's subdivisions (“ETMS I Configuration”) comprising single track territory that was either non-signaled or equipped with traffic control systems. ETMS is a registered trademark of Wabtec Railway Electronics. BNSF Railway has also referred to its application of this technology as “ETMS.”
In a separate proceeding, FRA agreed that ETMS could be installed in lieu of restoring a block signal system on a line for which discontinuance had been authorized followed by a significant increase in traffic. During the same period, BNSF successfully demonstrated a Switch Point Monitoring System (SPMS)—a system that contains devices attached to switches that electronically report the position of the switches to the railroad's central dispatching office and to the crew of an approaching train—and a Track Integrity Warning System (TIWS)—a system that also electronically reports to the railroad's central dispatching office and to the crew of an approaching train if there are any breaks in the rail that might lead to derailments or the condition of track occupancy. FRA believes both of these technologies help to reduce risk in non-signaled territory and are forward-compatible for use with existing and new PTC systems. To be forward-compatible, not to be confused with the similar concept of extensibility, a system must be able to gracefully provide input intended for use in later system versions. The introduction of a forward-compatible technology implies that older devices can partly understand and provide data generated or used by new devices or systems. The concept can be applied to electrical interfaces, telecommunication signals, data communication protocols, file formats, and computer programming languages. A standard supports forward-compatibility if older product versions can receive, read, view, play, execute, or transmit data to the new standard. In the case of wayside devices, they are said to be forward-compatible if they can appropriately communicate and interact with a PTC system when later installed. A wayside device might serve the function of providing only information or providing information and accepting commands from a new system.
In addition to scheduling the installation of the ETMS I configuration as capital funding became available, BNSF voluntarily undertook the design and testing of complementary versions of ETMS that would support BNSF operations on more complex track configurations, at higher allowable train speeds, and with additional types of rail traffic. Meanwhile, CSXT was in the process of redesigning and relocating the test bed for its Communications Based Train Management (CBTM) system, which it has tested for several years, and UP and NS were working on similar systems using vital onboard processing.
As congressional consideration of legislation that resulted in the RSIA08 commenced, all four major railroads had settled on the core technology developed for them by Wabtec Railway Electronics (“Wabtec”). As the legislation progressed, the railroads and Wabtec worked toward greater commonality in the basic functioning of the onboard system with a view toward interoperability. PTC applications of ETMS include the non-vital PTC systems of BNSF's ETMS I and ETMS II, CSXT's CBTM, UP's Vital Train Management System (VTMS), and NS's Optimized Train Control (OTC). Further work is being undertaken by BNSF to advance the capability of ETMS by integrating Amtrak operations (ETMS III). For a description of system enhancements planned by BNSF as per the Product Safety Plan filed in accordance with subpart H, see FRA Docket No. 2006-23687, Document 0017, at pp. 40-43.
While the freight railroads' efforts for developing and installing PTC systems progressed over a relatively long period of time, starting with demonstrations of ATCS and ARES in the late 1980s and culminating in the initial ETMS Product Safety Plan approval in December of 2006, Amtrak demonstrated its ability to turn on revenue-quality PTC systems on its own railroad in support of high-speed rail. Beginning in the early 1990s, Amtrak developed plans for enhanced high-speed service on the Northeast Corridor (NEC), which included electrification and other improvements between New Haven and Boston and introduction of the Acela trainsets as the premium service from Washington to New York and New York to Boston. In connection with these improvements, which support train speeds up to 150 miles per hour, Amtrak undertook to install the Advanced Civil Speed Enforcement System (ACSES) as a supplement to existing cab signals and automatic train control (speed control). Together, these systems deliver PTC core functionalities. In support of this effort, FRA issued an order for the installation of the system, which required all passenger and freight operators in the New Haven-Boston segment to equip their locomotives with ACSES. See 63 FR 39,343 (July 22, 1998). ACSES was installed between 2000 and 2002, and has functioned successfully between New Haven and Boston, and on selected high-speed segments between Washington and New York, for a number of years.
Amtrak voluntarily began development of an architecturally different PTC system, the Incremental Train Control System (ITCS), for installation on its Michigan Line. Amtrak developed and installed ITCS under waivers from specific sections of 49 CFR part 236, subparts A through G, granted by FRA. ITCS was applied to tenant NS locomotives as well as Amtrak locomotives traversing the route. Highway-rail grade crossings on the route were fitted with ITCS units to pre-start the warning systems for high-speed trains and to monitor crossing warning system health in real time. The ITCS was tested extensively in the field for safety and reliability, and it was placed in revenue service in 2001. As experience was gained, FRA authorized increases in speed to 95 miles per hour; and FRA is presently awaiting final results of an independent assessment of verification and validation for the system with a view toward authorizing operations at the design speed of 110 miles per hour.
Despite these successes, the widespread deployment of these various train control systems, particularly on the general freight system, remained very much constrained by prohibitive capital costs. While the railroads were committed to installing these new systems to enhance the safety afforded Start Printed Page 2602to the public and their employees, the railroads' actual widespread implementation remained forestalled due to an inability to generate sufficient funding for these new projects in excess of the capital expenditures necessary to cover the ongoing operating and maintenance costs. Accordingly, the railroads continued to plan very slow deployments of PTC system technologies.
III. The Rail Safety Improvement Act of 2008
On May 1, 2007, H.R. 2095 was introduced in the House of Representatives, which would, among other things, mandate the implementation and use of PTC systems. The bill passed the House, as amended, on October 17, 2007. The bill was then amended and passed by the Senate on August 1, 2008. While the bill was awaiting final passage, the FRA Administrator testified before Congress that “FRA is a strong supporter of PTC technology and is an active advocate for its continued development and deployment.” Senate Commerce Committee Briefing on Metrolink Accident, 110th Cong. (Sept. 23, 2008) (written statement of Federal Railroad Administrator Joseph H. Boardman), available at http://www.fra.dot.gov/downloads/PubAffairs/09-23-08FinalStatementFRAAdministratorPTC_Sen_Boxer_Meeting.pdf.
On September 24, 2008, the House concurred with the Senate amendment and added another amendment pursuant to H. Res. 1492. When considering the House's amendment, various Senators made statements referencing certain train accidents that were believed to be PTC-preventable. For instance, Senator Lautenberg (NJ) took notice of the collision at Graniteville, South Carolina, in 2005, and Senators Lautenberg, Hutchinson (TX), Boxer (CA), Levin (MI), and Carper (DE) took notice of an accident at Chatsworth, California, on September 12, 2008. According to Senator Levin, federal investigators have said that a collision warning system could have prevented that crash and the subject legislation would require that new technology to prevent crashes be installed in high risk tracks. Senators Carper and Boxer made similar statements, indicating that PTC systems are designed to prevent train derailments and collisions, like the one in Chatsworth. 154 Cong. Rec. S10283-S10290 (2008). Ultimately, on October 1, 2008, the Senate concurred with the House amendment.
The Graniteville accident referenced by Senator Lautenberg occurred in the early morning hours of January 6, 2005, when a northbound NS freight train, operating within non-signaled (dark) territory, encountered an improperly lined switch that diverted the train from the main line onto an industry track, where it struck the locomotive of an unoccupied, parked train. The collision derailed both locomotives and 16 of the 42 freight cars of the moving train, as well as the locomotive and 1 of the 2 cars of the parked train. Among the derailed cars from the moving train were three tank cars containing chlorine, one of which was breached, releasing about 60 tons of chlorine gas. The train engineer and eight other people died as a result of chlorine gas inhalation. About 554 people complaining of respiratory difficulties were taken to local hospitals. Of these, 75 were admitted for treatment. Because of the chlorine release, about 5,400 people within a 1-mile radius of the derailment site were evacuated for almost 2 weeks.
The Chatsworth train collision occurred on the afternoon of September 12, 2008, when a UP freight train and a Metrolink commuter train collided head-on on a single main track equipped with a Traffic Control System (TCS) in the Chatsworth district of Los Angeles, California. Although NTSB has not yet released its final report, evidence summarized at the NTSB's public hearing suggested that the Metrolink passenger train was being operated on the main track past an absolute signal at a control point displaying a stop indication, when it trailed through a power-operated switch lined against its movement, and entered a section of single track where the opposing UP freight train was operating on a permissive signal indication. The UP train was lined to enter the siding at the control point, after which the switch would have been lined for the Metrolink train to proceed. As a consequence of the accident, 25 people died and over 130 more were seriously injured.
Prior to the accidents in Graniteville and Chatsworth, the railroads' slow incremental deployment of PTC technologies—while not uniformly agreed upon by the railroads, FRA, and NTSB—was generally deemed acceptable by them in view of the tremendous costs involved. Partially as a consequence and severity of these very public accidents, coupled with a series of other less publicized accidents, Congress passed the RSIA08 and it was signed into law by the president on October 16, 2008, marking a public policy decision that, despite the implementation costs, railroad employee and general public safety warranted mandatory and accelerated installation and operation of PTC systems.
As immediately relevant to this rulemaking, the RSIA08 requires the installation and operation of PTC systems on all rail main lines, meaning all intercity and commuter lines—with limited exceptions entrusted to FRA—and on freight-only rail lines when they are part of a Class I railroad system, carrying at least 5 million gross tons of freight annually, and carrying any amount of poison- or toxic-by-inhalation (PIH or TIH) materials. While the statute vests certain responsibilities with the Secretary of the U.S. Department of Transportation, the Secretary has since delegated those responsibilities to the FRA Administrator. See 49 CFR 1.49(oo); 74 FR 26,981 (June 5, 2009); see also 49 U.S.C. 103(g).
In the RSIA08, Congress established very aggressive dates for PTC system build-out completion. Each subject railroad is required to submit to FRA by April 16, 2010, a PTC Implementation Plan (PTCIP) indicating where and how it intends to install PTC systems by December 31, 2015.
In light of the timetable instituted by Congress, and to better support railroads with their installation while maintaining safety, FRA decided that it is appropriate for mandatory PTC systems to be reviewed by FRA differently than the regulatory approval process provided under subpart H. FRA believes that it is important to develop a process more suited specifically for PTC systems that would better facilitate railroad reuse of safety documentation and simplify the process of showing that the installation of the intended PTC system did not degrade safety. FRA also believes that subpart H does not clearly address the statutory mandates and that such lack of clarity would complicate railroad efforts to comply with the new statutory requirements. Accordingly, FRA hereby amends part 236 by modifying existing subpart H and adding a new subpart I.
IV. Public Participation
A. RSAC Process
In March 1996, FRA established the RSAC, which provides a forum for collaborative rulemaking and program development. The RSAC includes representatives from all of the agency's major stakeholder groups, including railroads, labor organizations, suppliers and manufacturers, other government agencies, and other interested parties. When appropriate, FRA assigns a task to the RSAC, and after consideration and debate, the RSAC may accept or reject Start Printed Page 2603the task. If accepted, the RSAC establishes a working group comprised of persons that possess the appropriate expertise and representation of interests to develop recommendations to FRA for action on the task. These recommendations are developed by consensus. The working group may establish one or more task forces or other subgroups to develop facts and options on a particular aspect of a given task. The task force, or other subgroup, reports to the working group. If the working group comes to consensus on recommendations for action, the package is presented to the RSAC for a vote. If the proposal is accepted by a simple majority of the RSAC, the proposal is formally recommended to FRA. FRA then determines what action to take on the recommendation. Because FRA staff has played an active role at the working group and subgroup levels in discussing the issues and options and in drafting the language of the consensus proposal, and because the RSAC recommendation constitutes the consensus of some of the industry's leading experts on a given subject, FRA is generally favorably inclined toward the RSAC recommendation. However, FRA is in no way bound to follow the recommendation and the agency exercises its independent judgment on whether the recommended rule achieves the agency's regulatory goals, is soundly supported, and was developed in accordance with the applicable policy and legal requirements. Often, FRA varies in some respects from the RSAC recommendation in developing the actual regulatory proposal.
In developing the proposed rule in this proceeding, FRA adopted the RSAC approach by re-convening the PTC Working Group that had produced the rule recommendation resulting in subpart H. As part of this effort, FRA worked with the major stakeholders affected by this rulemaking in collaborative a manner as possible. FRA believes establishing a collaborative relationship early in the product development and regulatory development cycles can help bridge the divide between the railroad carrier's management, railroad labor organizations, the suppliers, and FRA by ensuring that all stakeholders are working with the same set of data and have a common understanding of product characteristics and functionality or their related processes production methods, including the regulatory provisions, with which compliance is mandatory. However, where the group failed to reach consensus on an issue, FRA used its authority to resolve the issue, attempting to reconcile as many of the divergent positions as possible through traditional rulemaking proceedings.
On December 10, 2008, the RSAC accepted a task (No. 08-04) entitled “Implementation of Positive Train Control Systems.” The purpose of this task was defined as follows: “To provide advice regarding development of implementing regulations for Positive Train Control (PTC) systems and their deployment under the Rail Safety Improvement Act of 2008.” The task called for the RSAC PTC Working Group to perform the following:
- Review the mandates and objectives of the Act related to deployment of PTC systems;
- Help to describe the specific functional attributes of systems meeting the statutory purposes in light of available technology;
- Review impacts on small entities and ascertain how best to address them in harmony with the statutory requirements;
- Help to describe the details that should be included in the implementation plans that railroads must file within 18 months of enactment of the Act;
- Offer recommendations on the specific content of implementing regulations; and
The task also required the PTC Working Group to:
- Report on the functionalities of PTC systems;
- Describe the essential elements bearing on interoperability and the requirements for consultation with other railroads in joint operations; and
- Determine how PTC systems will work with the operation of non-equipped trains.
The PTC Working Group was formed from interested organizations that are members of the RSAC. The following organizations contributed members:
American Association of State Highway and Transportation Officials (AAHSTO)
American Chemistry Council (ACC)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
Association of American Railroads (AAR)
Association of State Rail Safety Managers (ASRSM)
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Locomotive Engineers and Trainmen Division (BLET)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration* (FTA)
International Brotherhood of Electrical Workers (IBEW)
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
National Transportation Safety Board (NTSB)*
Railway Supply Institute (RSI)
Transport Canada*
Tourist Railway Association Inc.
United Transportation Union (UTU)
——————
*Indicates associate (non-voting) member.
From January to April 2009, FRA met with the entire PTC Working Group 5 times over the course of 12 days. During those meetings, in order to efficiently accomplish the tasks assigned to it, the PTC Working Group empowered three task forces to work concurrently. These task forces were the passenger, short line and regional railroad, and the radio and communications task forces. Each discussed issues specific to its particular interests and needs and produced proposed rule language for the PTC Working Group's consideration. The majority of the proposals were adopted into the proposed rule as agreed upon by the working group, with rule language related to a remaining few issues being further discussed and enhanced for inclusion into the rule by the PTC Working Group.
The passenger task force discussed testing issues relating to parts 236 and 238 and the definition of “main line” under the statute, including possible passenger terminal and limited operations exceptions to PTC implementation. Recommendations of the task force were presented to the PTC Working Group, which adopted or refined each suggestion.
The short line and regional railroad task force was formed to address the questions pertaining to Class II and Class III railroads. Specifically, the group discussed issues regarding the trackage rights of Class II and III railroads using trains not equipped with PTC technology over a Class I railroad's PTC territory, passenger service over track owned by a Class II or Class III railroads where PTC would not otherwise be required, and rail-to-rail crossings-at-grade involving a Class I railroad's PTC equipped line and a Class II or III railroad's PTC unequipped line. After much discussion, there were no consensus resolutions reached to any of the main issues raised. However, the discussion yielded insights utilized by FRA in preparing this final rule.
The radio and communications task force addressed wireless communications issues, particularly as they relate to communications security, and recommended language for § 236.1033.
FRA staff worked with the PTC Working Group and its task forces in Start Printed Page 2604developing many facets of the final rule. FRA gratefully acknowledges the participation and leadership of representatives who served on the PTC Working Group and its task forces. These points are discussed to show the origin of certain issues and the course of discussion on these issues at the task force and working group levels. We believe this helps illuminate the factors FRA weighed in making its regulatory decisions regarding this final rule and the logic behind those decisions.
In general, the PTC Working Group agreed on the process for implementing PTC under the statute, including decisional criteria to be applied by FRA in evaluating safety plans, adaptation of subpart H principles to support this mandatory implementation, and refinements to subpart H and the part 236 appendices necessary to dovetail the two regulatory regimes and take lessons from early implementation of subpart H, including most aspects of the training requirements. Notable accords were reached, as well, on major functionalities of PTC and on exceptions applicable to passenger service (terminal areas and limited main line exceptions). Major areas of disagreement included whether to allow non-equipped trains on PTC lines, extension of PTC to lines not within the statutory mandate, and whether to provide for onboard displays or terminals visible and accessible to employees other than the locomotive engineer when two or more persons are regularly assigned duties in the cab. Some additional areas of concern were discussed but could not be resolved in the time available. It was understood that where discussion did not yield agreement, FRA would make proposals within a Notice of Proposed Rulemaking (NPRM) and receive public comment.
B. Public Hearing and Comments Filed
FRA issued an NPRM on July 21, 2009, and accepted comments on this proposed regulation until August 20, 2009. A public hearing was also held in connection with the NPRM in Washington, DC, on August 13, 2009, as further described below.
During the comment period, a number of entities filed comments requesting that FRA extend the comment period to the proposed rule in this proceeding. FRA regrettably denied those requests due to the urgent need to prepare, process, and publish a final rule at the earliest possible date. Since railroads subject to the rules are each required to file a PTCIP by April 16, 2010, under the terms of the RSIA08, it was important that FRA provide reliable guidance for this process to occur in a timely manner. However, FRA responded to two of those requests on the record, indicating that it is FRA's policy to consider late-filed comments to the extent practicable and inviting the railroads to supplement their comments as soon as possible even if it is necessary to file after the formal comment period has closed.
On August 13, 2009, FRA held a hearing to provide interested parties an opportunity to enter oral statements into the record. The AAR, Amtrak, BNSF, and CSXT entered prepared statements into the record and UP and NS indicated their concurrence with those statements. An oral statement was also entered into the record by a representative of six (6) rail labor organizations, including the American Train Dispatchers Association (ATDA), BLET, BMWED, BRS, IBEW, and UTU (collectively, the “Rail Labor Organizations” or “RLO”). AASHTO also provided an oral statement at the hearing, indicating that it fully supports the implementation of the proposed rule. Copies of the prepared statements and of the hearing transcript can be found in the docket to this proceeding.
Subsequently, written comments were filed by the American Shortline and Regional Railroad Association (ASLRRA), Amtrak, APTA, ACC, AAR, BNSF, Caltrain, Canadian Pacific (CP), The Chlorine Institute (CI), CSXT, Friends of the Earth, GE Transportation (GE), HCRQ, Inc. and Cattron Group International (collectively, “HCRQ/CGI”), Invensys Rail Group—Safetran Systems (“Safetran”), NTSB, New York State Metropolitan Transportation Authority (NYSMTA), NJ Transit, Northern Indiana Commuter Transportation District (NICTD), Pacific Southwest Railway Museum, RLO, Railroad Passenger Car Alliance, San Bernardino Railway Historical Society, Southern California Regional Rail Authority (SCRRA or Metrolink), The Fertilizer Institute (TFI), Tourist Railway Association, Trinity Railway Express (TRE or Trinity), Utah Transit Authority (UTA) and a number of individuals.
After the comment period closed on August 20, 2009, the RSAC PTC Working Group was reconvened for 3 days. The PTC Working Group agreed on a number of recommendations for resolution of comments which were presented to the full RSAC on September 10. In voting by mail ballot that concluded on September 24, the RSAC adopted the recommendations, which are discussed below in the context of the specific issues that they address.
V. Overview: The Proposed Rule, Comments, and Resolution of Comments
In broad summary, the proposed rule provided for joint filing of PTCIPs by all railroads engaged in joint operations. Each PTCIP was to be accompanied or preceded by a PTC Development Plan (PTCDP) or PTC Safety Plan (PTCSP) detailing the technology to be employed, or by a Type Approval obtained by another railroad through approval of a PTCDP. As further discussed below, this overall structure was generally embraced by the industry parties and the commenters; but the extended period for delivery of interoperability standards has given rise to the need for some significant adjustments that are included in the final rule.
Under the NPRM language, Class I freight railroads would be required to describe in their PTCIPs the routes to be equipped based on traffic densities (lines carrying more than 5 million gross tons) and presence of PIH traffic during calendar year 2008. They would be permitted to amend those plans if FRA found that removal of a line was “consistent with safety and in the public interest.” The discussion below reflects the serious objections of the Class I railroads to this “base year” approach and adjustments that FRA makes in this final rule to provide somewhat greater flexibility on the face of the regulation. The discussion and final rule also provide FRA's response to a suggestion by the AAR that FRA create a “de minimis” exception to the requirement that lines carrying PIH traffic be equipped with PTC, an issue raised for the first time in response to the NPRM.
FRA proposed to adapt the performance-based structure of subpart H, which had been developed through the consensus process to encourage deployment of PTC and related technologies to provide a means of qualifying PTC systems under the RSIA08. In order to promote completion of PTC deployment by the end of 2015, as required by law, FRA proposed functional requirements that could be met by available technology. These provisions continue to enjoy broad support from the industry parties and commenters, but the final rule makes numerous perfecting changes to the implementing language in response to specific comments.
The NPRM set forth requirements for equipping of trains with PTC that reflected FRA's perception of practical considerations (e.g., not all locomotives can be equipped at once, and switching out locomotives to commit them to Start Printed Page 2605equipped routes would involve significant cost and safety exposure), historic tolerance for some incidental unequipped movements under circumstances where strict adherence would create obvious hardship without commensurate safety benefits (e.g., locomotives of Class II and III railroads generally spend little time on Class I railroads and have a good safety record, yet requiring that they be equipped could result in expenditures greater than the previous value of the locomotives), and movement restrictions applicable where controlling locomotives might have failed onboard PTC equipment. These proposals elicited some strong objections and proposals for improvement. Several commenters asked that occasional movement of trains led by historic locomotives be permitted without equipping the locomotives with PTC technology. The final rule makes a number of changes, while endeavoring to carry forward the lessons of many decades and while recognizing the need for regulatory flexibility.
Relying on existing train control requirements, the NPRM proposed that each assigned crew member be able to view the PTC display and perform assigned functions from their normal position in the cab. The NPRM also addressed the need to avoid task overload on the locomotive engineer by having that person perform functions that could distract from attention to current safety duties. FRA has considered the Class I railroads' argument that, if a single display was acceptable under subpart H, it should be acceptable under the proposed subpart I. Although FRA has considered carefully the carriers' arguments on this point, the final rule carries forward principles of crew resource management by ensuring that each crew member has the information and ability to perform their assigned function and, therefore, where a PTC overlay system is used, that all of the safety features of the underlying operation to which PTC is added will be kept.
One of the critical choices assigned to FRA under the law was specification of any exceptions to passenger “main track” requiring installation of PTC. The NPRM carried forward narrow exceptions crafted at the request of commuter and intercity railroads. Amtrak followed with comments on the NPRM asking for a broader exception. They noted in particular that the incremental costs of PTC on some lines with limited freight traffic and relatively few Amtrak trains might need to be borne by states that support particular services, and the funding might not be available to do so. Following recommendations from the RSAC Working Group, FRA is including additional latitude to bring forward specific exceptions for FRA review and approval, with or without conditions.
The NPRM was technology neutral and directed at the outcomes desired. A number of the comments addressed the issue of market concentration and absence of effective choices in selecting PTC technology. In this regard, some felt that FRA should specify attributes of interoperability in the form of open standards. The final rule continues to rely on safety performance as the basis for FRA certification of PTC systems. FRA declines at this time to deprive those railroads that have served as technology leaders in developing PTC systems of the latitude to implement their systems, given their apparent willingness to provide open standards for attributes of the technology over which they have control, and given the predictable delays that would ensue should alternative approaches be specified. FRA is aware that this creates a degree of reliance on others with respect to those railroads that stood back and waited for others to develop PTC technology. Further, some degree of market concentration may exist on the general freight network, in particular, given the dominance of one vendor or supplier with respect to the core of the onboard systems. FRA financially supported development of interoperability standards through the North American Positive Train Control Program (the technology selected for demonstration was not deployed, and no standards were delivered) and again through the American Railway Engineering and Maintenance Association (standards have been published and are available, but no railroad has signaled an intention to employ them). The choice of technology that will be deployed should, in FRA's view, be made by those who are making the investments.
Finally, the NPRM took a traditional approach to recognition of technology, requiring that railroads step forward, individually or with their suppliers, to request recognition of PTC systems. Suppliers commented that they should be able to step forward without railroad participation and receive recognition for systems, subsystems, and components that would later be incorporated in PTC systems approved by FRA. They noted that the NPRM would burden them with reporting obligations while not conferring status to receive direct product recognition. While recognizing the commenters' logic, FRA could not find a means in the final rule to relieve these concerns, given limited technical staffing at FRA, the potential for filings representing technology that the industry would not employ, the inherent difficulty associated with addressing the safety of technology below the system level, and the critical need to provide rapid responses to necessary filings.
Each of the comments on the NPRM, including comments not within the scope of this overview, is discussed in relation to the topic addressed in the section-by-section analysis below.
VI. Seeking Further Comments
While this final rule is effective on the date indicated herein, FRA believes that certain issues warrant further discussion. Accordingly, FRA will continue to seek comments limited to increasing the clarity, certainty, and transparency of the criteria governing the removal from a PTCIP (and therefore from the requirement to install PTC) of any track segments on which PTC systems have yet to be installed for which a railroad seeks relief from the requirement to install PTC. FRA considers this issue separate and distinct from the discontinuance of any already installed or existing PTC systems, which is governed under § 236.1021, part 235 of this title, and the “Signal Inspection Act” (codified at 49 U.S.C. 20501-20505). Any further comments should be limited to the scope of the issues indicated in this preamble to which FRA seeks further comments.
In § 236.1005(b)(4)(i)(A)(2), the final rule provides certain factors that FRA will consider when determining whether to approve exclusion of a line from the PTCIP in the case of cessation of PIH traffic over a particular track segment. For instance, under § 236.1005(b)(4)(i)(A)(2)(ii), the requesting railroad must show that any rerouting of PIH traffic from the subject track segment is justified based upon the route analysis submitted. FRA seeks comments on how the elements of a route analysis should be weighed by FRA when determining whether rerouting as provided under this paragraph is sufficiently justified.
Section 236.1005(b)(4)(i)(A)(2)(iii) concerns the risk remaining on a track segment if PIH traffic were to be removed. FRA also seeks comments on how to measure the appropriate level of risk established in § 236.1005(b)(4)(i)(A)(2)(iii) to require the installation of PTC on lines not carrying PIH or passenger traffic. No railroad has supplied data supporting further track exceptions from PTC system installation consistent with Start Printed Page 2606statutory and safety requirements. Thus, FRA requests additional data to support commenters' positions. FRA also seeks comment and information on ways that it might consider risk mitigations other than by a compensating extension of PTC or PTC technologies.
In § 236.1005(b)(4)(i), the final rule provides an exception to PTC system implementation where such implementation would provide only a de minimis PIH risk. While in the proposed rule FRA sought means to reduce the railroads' burdens associated with this rule, no specific de minimis exception was proposed. The AAR mentioned this possibility in its comment filed during the comment period and offered in supplementary comments filed after the comment period to work with FRA on this issue. FRA believes that the de minimis exception provided in this final rule falls within the scope of the issues set forth in the proposed rule. However, since none of the parties has had an opportunity to comment on this specific exception as provided in this final rule, FRA seeks comments on the extent of the de minimis exception.
As further explained below, this final rule uses 2008 traffic data as an initial baseline in each PTCIP to determine the breadth and scope of PTC system implementation and, in recognition of the fact that traffic patterns are likely to change to some degree before December 31, 2015, provides means of adjusting the track segments on which PTC must be installed where adjustments are appropriately justified. These issues relate to the potential scaling back of the breadth and scope of that baseline through the request by the railroads—made contemporaneously or subsequently to PTCIP submission and prior to actual PTC system implementation—on the subject track segments for FRA to apply certain regulatory exceptions. Under the procedures set forth in this final rule, requests for such amendments may be made after PTCIP submission. Since these issues should not affect the PTCIP required to be filed by the April 16, 2010, statutory deadline, FRA believes that time is available for some further consideration.
VII. Section-by-Section Analysis
Unless otherwise noted, all section references below refer to sections in title 49 of the Code of Federal Regulations (CFR). FRA sought comments on all proposals made in the NPRM. This portion of the preamble discusses the comments received, FRA's assessment of those comments, and the basis for the final rule provisions. Any analysis in the NPRM that is not explicitly modified in this final rule remains applicable.
Proposed Amendments to 49 CFR Part 229
Section 229.135 Event Recorders
The proposed amendment to the existing event recorder section of the Locomotive Safety Standards is intended to make that section parallel to the additions in § 236.1005(d) below. No comments were received, and the section is adopted as proposed.
Proposed Amendments to 49 CFR Part 234
Section 234.275 Processor-Based Systems
Section 234.275 presently requires that each processor-based system, subsystem, or component used for active warning at highway-rail grade crossings that is new or novel technology, or that provides safety-critical data to a railroad signal or train control system which is qualified using the subpart H process, shall also be governed by those requirements, including approval of a Product Safety Plan. Particularly with respect to high-speed rail, FRA anticipates that PTC systems will in some cases incorporate new or novel technology to provide for crossing warning system pre-starts (eliminating the necessity of lengthening the approach circuits for high-speed trains), to verify crossing system health between the wayside warning system and approaching trains, or to slow trains approaching locations where vehicle storage has been detected on a crossing, among other options. Indeed, each of these functions is presently incorporated in at least one train control system, and others may one day be feasible (including in-vehicle warning). There would appear to be no reason why such a functionality intended for inclusion in a PTC system mandated by subpart I could not be qualified with the rest of the PTC system under subpart I. On the other hand, care should be taken to set an appropriate safety standard taking into consideration highway users, occupants of the high-speed trains, and others potentially affected.
In fact, with new emphasis on high-speed rail, FRA needs to consider the ability of PTC systems to integrate this type of new technology and thereby reduce risk associated with high-speed rail service. Risk includes derailment of a high-speed train with catastrophic consequences after encountering an obstacle at a highway-rail grade crossing. To avoid such consequences, as many crossings as possible should be eliminated. To that end, 49 CFR 213.347 requires a warning and barrier plan to be approved for Class 7 track (speeds above 110 miles per hour) and prohibits grade crossings on Class 8 and 9 track (above 125 miles per hour). That leaves significant exposure on Class 5 and 6 track (80 miles per hour for freight and 90 miles per hour for passenger trains, up to 110 miles per hour for either) which is currently not specifically addressed by regulation.
At the public hearing in this proceeding, the RLO indicated its agreement with FRA's interpretation of 49 CFR 213.347 and stated that significant exposure remains at highway-rail grade crossings for Class 5 and 6 track, because “such plans or prohibitions are not currently addressed by Federal Regulation.” In addition to the proposed amendments to § 234.275, however, the RLO believes that PTC systems should also be mandated under subpart I to incorporate technology that would verify a highway-rail grade crossing warning system's activation for an approaching train and slow a train approaching a location where such system activation could not be verified. The RLO believes that such verification and speed restriction enforcement would significantly lower the exposure for a potential collision between a highway motor vehicle and a train. According to the RLO, this function is currently incorporated into at least one deployed train control system and is therefore feasible. In addition, the RLO propose that certain existing highway-rail grade crossing warning system regulations and requirements, including those in parts 213 and 234, and in subpart H to part 236, could be cross referenced or included in subpart I to ensure regulatory harmony.
While AAR understands the safety concern, it asserts that this function is not related to the core PTC functions mandated by Congress. Furthermore, asserts AAR, the cost of installing wayside interface units at grade crossings on PTC routes would be prohibitively expensive and would divert resources that would otherwise be devoted to meeting the mandated PTC deadline.
The NTSB recommends that the warning and barrier protection plans similar to those for Class 7 track at grade crossings in 49 CFR 213.347 should also apply to Class 5 and 6 tracks. According to the NTSB, such protection at crossings (similar to protection at crossings afforded within the ITCS project) should be integrated as part of an approved PTC plan to reduce the risk Start Printed Page 2607of high-speed catastrophic derailments at such grade crossings.
FRA, while certainly recognizing these concerns, does not choose to provide further prescriptive requirements for highway-rail grade crossings beyond those set forth in § 213.347. FRA will, however, require that highway-rail grade crossing safety at Class 5 and 6 track speeds be specifically addressed within a railroad's PTCDP and PTCSP (see §§ 236.1013 and 236.1015 respectively) subject to FRA approval. FRA has separately developed Guidelines for Highway-Rail Grade Crossing Safety for high-speed rail that will be employed in the grant review and negotiation process under the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, 123 Stat. 115 (2009) (ARRA). These Guidelines encourage use of sealed corridor strategies for Emerging High-Speed Rail systems and integration of highway-rail warning systems with PTC where feasible. See Docket No. FRA-2009-0095.
Proposed Amendments to 49 CFR Part 235
Section 235.7 Changes Not Requiring Filing of Application
FRA amends § 235.7, which allows specified changes within existing signal or train control systems be made without the necessity of filing an application. The amendments consist of adding allowance for a railroad to remove an intermittent automatic train stop system in conjunction with the implementation of a PTC system approved under subpart I of part 236, and a couple of minor editorial corrections.
The changes allowable under this section, without filing of an application, are those identified on the basis that the resultant condition will be at least no less safe than the previous condition. The required functions of PTC within subpart I provide a considerably higher level of functionality related to both alerting and enforcing necessary operating limitations than an intermediate automatic train stop system does. Additionally, in the event of the loss of PTC functionality (see § 236.1029 regarding a failure en route), the operating restrictions required will provide the needed level of safety in lieu of the railroad being expected to keep and maintain an underlying system such as intermittent automatic train stop for use only in such cases. Therefore, FRA believes that with the implementation of PTC under the requirements of subpart I, the safety value of any previously existing intermittent automatic train stop system is entirely obviated. There were no objections in the PTC Working Group to this amendment.
The AAR submitted comment that within § 236.1021, paragraphs (j)(2) and (j)(3) should be revised to recognize the allowance for removal of a signal used in lieu of an electric or mechanical lock in the same manner as removal of the electric or mechanical lock. These two paragraphs are intended to recognize that where train speed over the switch does not exceed 20 miles per hour, or where trains are not permitted to clear the main track at such switch, removal of the devices intended to provide the necessary protection without filing for approval is appropriate.
The regulation requiring the installation of an electric or mechanical lock identifies the allowance for a signal used in lieu thereof (see § 236.410). FRA agrees with the AAR that when the requirement for an electric or mechanical lock, or a signal used in lieu thereof, are eliminated, the removal of any of these devices in their entirety without filing for approval is appropriate. FRA is therefore amending paragraphs (j)(2) and (j)(3) of § 236.1021 as recommended in order to clarify these allowances.
For the same reasoning and in a consistent manner, FRA is amending paragraphs (b)(2) and (b)(3) in existing § 235.7 in order to provide the same allowances for removal of a signal used in lieu of an electric or mechanical lock within block signal systems without filing for approval.
Proposed Amendments to 49 CFR Part 236
Section 236.0 Applicability, Minimum Requirements, and Penalties
FRA amends this existing section of the regulation to remove manual block from the methods of operation permitting speeds of 50 miles per hour or greater for freight trains and 60 miles per hour or greater for passenger trains. Manual block rules create a reasonably secure means of preventing train collisions. However, where the attributes of block signal systems are not present, misaligned switches, broken rails, or fouling equipment may cause a train accident. FRA believes that contemporary expectations for safe operations require this adjustment, which also provides a more orderly foundation for the application of PTC to the subject territories. There were no objections in the PTC Working Group to this change and the NTSB supports the removal of manual block from a method of operation permitting train speeds of above 49 and 59 miles per hour for freight and passenger trains, respectively. According to the NTSB, manual block does not afford the level of safety that block signal or PTC systems provide for the detection of misaligned switches, broken rails, or fouling equipment that may cause a train accident.
After review of the NPRM, AAR stated that paragraph (c)(1)(ii)(A) seemed to preclude the operations identified in paragraph (c)(1)(ii)(B) and that it was unclear whether paragraph (c)(1)(ii)(A) applies to opposing trains or some other condition. Therefore, the AAR recommended that paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B) be revised. FRA agrees and has therefore revised paragraphs (c)(1)(ii)(A) and (c)(1)(ii)(B), and added paragraphs (c)(1)(ii)(C) and (c)(1)(ii)(D), in the final rule to improve clarity.
FRA has also added paragraph (d)(2) in the final rule to address the use of automatic cab signal, automatic train stop, or automatic train control systems on or after December 31, 2015. On or after December 31, 2015, the method of protecting high-speed train operations will be through the use of PTC. FRA recognizes that there may be justifiable reasons for continued use of automatic cab signal, automatic train stop, or automatic train control systems on or after December 31, 2015 on certain lines, where the installation of PTC would be inappropriate. In situations where the automatic cab signal, automatic train stop, or automatic train control systems are an integral part of the PTC system design, no action will be required by a railroad. In any other situation, however, FRA will only allow continued use of an automatic cab signal, automatic train stop, or automatic train control system on a case-by-case basis after sufficient justification has been provided to the Associate Administrator.
FRA has also added a preemption provision at the end of section 236.0. Part 236, which FRA inherited from the Interstate Commerce Commission at the time FRA was created, has had preemptive effect by operation of law at least since enactment of the Federal Railroad Safety Act of 1970 (Pub. L. 111-43). However, no preemption provision was ever added, largely as an historical accident. Since enactment of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act of 2007), Public Law 110-53, which amended 49 U.S.C. 20106 significantly, FRA has been updating the preemption provisions of its regulations to conform to the current statute as opportunities to do so are Start Printed Page 2608presented. New subsection 236.0(i) is added to accomplish that and to recite the preemptive effect of the Locomotive Boiler Inspection Act (49 U.S.C. 20701-20703), which has been held by the U.S. Supreme Court to preempt the entire field of locomotive safety; therefore, this part preempts any state law, including common law, covering the design, construction, or material of any part of or appurtenance to a locomotive.
The text of section 236.0(i)(1) and (2) directly reflects FRA's interpretation of 49 U.S.C. 20106, as amended. Read by itself, 49 U.S.C. 20106(a) preempts state standards of care, including common law standards, Norfolk Southern Ry. v. Shanklin, 529 U.S. 344, 358-359 (2000), CSX Transp., Inc. v. Easterwood, 507 U.S. 658, 664 (1993), but does not expressly state whether anything replaces the preempted standards of care for purposes of tort suits. The focus of that provision is clearly on who regulates railroad safety: The federal government or the states. It is about improving railroad safety, for which Congress deems nationally uniform standards to be necessary in the great majority of cases. That purpose has collateral consequences for tort law which new statutory section 20106 paragraphs (b) and (c) address. New paragraph (b)(1) creates three exceptions to the possible consequences flowing from paragraph (a). One of those exceptions (paragraph (b)(1)(B)) precisely addresses an issue presented in Lundeen v. Canadian Pacific Ry., 507 F.Supp.2d 1006 (D.Minn. 2007) that Congress wished to rectify: It allows plaintiffs to sue a railroad in tort for violation of its own plan, rule, or standard that it created pursuant to a regulation or order issued by either of the secretaries. None of those exceptions covers a plan, rule, or standard that a regulated entity creates for itself in order to produce a higher level of safety than federal law requires, and such plans, rules, or standards were not at issue in Lundeen. The key concept of section 20106(b) is permitting actions under state law seeking damages for personal injury, death, or property damage to proceed using a federal standard of care. A plan, rule, or standard that a regulated entity creates pursuant to a federal regulation logically fits the paradigm of a federal standard of care—federal law requires it and determines its adequacy. A plan, rule, or standard, or portions of one, that a regulated entity creates on its own in order to exceed the requirements of federal law does not fit the paradigm of a federal standard of care—federal law does not require that the law be surpassed and, past the point at which the requirements of federal law are satisfied, says nothing about its adequacy. That is why FRA believes that section 20106(b)(1)(B) covers the former, but not the latter. The basic purpose of the statute—improving railroad safety—is best served by encouraging regulated entities to do more than the law requires and would be disserved by increasing potential tort liability of regulated entities that choose to exceed federal standards, which would discourage them from ever exceeding federal standards again.
In this manner, Congress adroitly preserved its policy of national uniformity of railroad safety regulation expressed in section 20106(a)(1) and assured plaintiffs in tort cases involving railroads, such as Lundeen, of their ability to pursue their cases by clarifying that federal railroad safety regulations preempt the standard of care, not the underlying causes of action in tort. Under this interpretation, all parts of the statute are given meanings that work together effectively and serve the safety purposes of the statute.
Section 236.410 Locking, Hand-Operated Switch; Requirements
In this final rule, FRA is removing the Note following paragraph (b) of this section. During FRA's review of the requirements contained in this part, FRA discovered that the Note following paragraph (b), which had previously been removed as part of FRA's 1984 amendments to this part, was inadvertently reprinted in the rule text several years later and has remained there. As reflected in the preamble discussion of the 1983 proposed rule, FRA moved the provisions for removal of electric or mechanical locks to § 235.7 based on FRA's determination that the industry was capable of achieving compliance of train operations in procedures more suitable to individual properties.
In light of the history of this section, FRA is taking the opportunity within this rulemaking to remove the Note following paragraph (b), which presents information in conflict with the allowances that have been added into §§ 235.7(b)(2) and (b)(3).
Section 236.909 Minimum Performance Standard
FRA is modifying paragraph (e)(1) of this section to include a requirement for the risk metric sensitivity analysis to be an integral part of the full risk assessment that is required to be provided in the Product Safety Plan (PSP) submittal in accordance with § 236.907(a)(7). Paragraph (e)(2) of this section is also being modified to eliminate an alternative option for a railroad to use a risk metric in which consequences of potential accidents are measured strictly in terms of fatalities.
Prior to the modification of this section, paragraph (e)(1) discussed how safety and risk should be measured for the full risk assessment, but did not accentuate the need for running a sensitivity analysis on chosen risk metrics to ensure that the worst case scenarios for the proposed system failures or malfunctions are accounted for in the risk assessment. On the other hand, Appendix B to this part mandates that each risk metric for the proposed product must be expressed with an upper bound, as estimated with a sensitivity analysis. The FRA's experience gained while reviewing PSP documents required by subpart H of this part and submitted to FRA for approval revealed that railroads did not consider it mandatory to run a sensitivity analysis for the chosen risk metrics. Thus, an additional effort was required from the FRA staff reviewing PSP submittals to demonstrate to the railroads the validity and significance of such a request. Therefore, this final rule amends paragraph (e)(1) to explicitly require the performance of a sensitivity analysis for the chosen risk metrics. The language in paragraph (e)(1) of this section explains why the sensitivity analysis is needed and what key input parameters must be analyzed.
FRA received comments on the proposed modification to paragraph (e)(1) of this section. While the RLO expressed support for making the risk metric sensitivity analysis an integral part of the full risk assessment, GE sought clarification and a sample regarding the proposed amendment to the clause regarding the risk assessment sensitivity analysis. GE believes that a literal interpretation of this clause would mean that the risk analysis must evaluate the risk sensitivity to variations in every individual electronic and mechanical component of the system. If so interpreted, GE asserts that the combinatorial calculations would present a significant barrier to the safety analysis and delay PTC system approval. GE further asserts that safety coverage of discrete component failures can be assured through other techniques in the overall system design. GE believes that the intent of this rule is that “component” should mean “functional subsystem,” as system safety can be completely addressed by performing the sensitivity analysis at that level. Accordingly, GE proffers that paragraph (e)(1) of this section should be modified to allow the level of detail Start Printed Page 2609of the risk analysis to be chosen based on the system safety philosophy and technology chosen.
Similar concerns were expressed by HCRQ/CGI, which questioned the need for an additional requirement in the rule that would require the sensitivity analysis to document the sensitivity to worst case failure scenarios. In the alternative, HCRQ/CGI suggested that the final rule should require a reasonable justification for all failure rates.
In response to these comments, FRA would like to clarify that the lowest level of system elements constructing the overall system that would be subject to risk analysis and the following sensitivity analysis are “components,” “modules,” “pieces of equipment,” or “subsystems” that are processor-based in nature, the functionality and performance of which are governed by this part. FRA declines, however, to provide a sample sensitivity analysis in this rulemaking document, as the technique of sensitivity analysis has been well covered by a number of system safety engineering studies.
FRA notes that the term, “worst case failure scenario” is a subject of general theory of system safety and reliability. Therefore, it does not appear to be necessary to provide an interpretation of this term. Nonetheless, in response to comments that have been received on this issue, FRA would like to add a clarifying statement. A sensitivity analysis must be conducted by defining the range of values (i.e., lower bound, upper bound, and associated distribution) for key input parameters and assessing the impact of variations over those ranges on the overall system risk. The worst case analysis must consider realistic combinations of the key input parameters as they tend toward their worst case values. Justification must be provided for the ranges and process used in the design of the sensitivity analysis.
Another comment from HCRQ/CGI relates to the requirement that “the sensitivity analysis must confirm that the risk metrics of the system are not negatively affected by sensitivity analysis input parameters. * * *” HCRQ/CGI requested that the meaning of the phrase “negatively affected” be specified. FRA agreed to provide such an explanation and therefore offered an interpretation of the words “negatively affected” in paragraph (e)(1).
The modification to paragraph (e)(2) of this section is intended to clarify how the exposure and its consequences, as main components of the risk computation formula, must be measured. As stated in paragraph (e)(2), the exposure must be measured in train miles per year over the relevant railroad infrastructure where a proposed system is to be implemented. When determining the consequences of potential accidents, the railroad must identify the total costs involved, including those relating to fatalities, injuries, property damage, and other incidentals. This final rule eliminates the option of using an alternative risk metric, which would allow the measurement of consequences strictly in terms of fatalities. It is FRA's experience that measuring consequences of accidents strictly in term of fatalities did not serve as an adequate alternative to metrics of total cost of accidents for two main reasons. First, the statistical data on railroad accidents shows that accidents involving fatalities also cause injuries and significant damage to railroad property and infrastructure for both freight and especially passenger operations. Even though the cost of human life is often the highest component of monetary estimates of accident consequences, the dollar estimates of injuries, property losses, and damage to the environment associated with accidents involving fatalities cannot and should not be discounted in the risk analysis. Second, allowing fatalities to serve as the only risk metrics of accident consequences confused the industry and the risk assessment analysts attempting to determine the overall risk associated with the use of certain types of train control systems. As a result, some risk analysts inappropriately converted injuries and property damages for observed accidents into relative estimates of fatalities. This method cannot be considered acceptable because, while distorting the overall picture of accident consequences, it also raises questions on appropriateness of conversion coefficients. Therefore, FRA considers it appropriate to eliminate from the rule the alternative option for consequences to be measured in fatalities only. This approach gained the support of the RLO, who in their comments concur with a modification of paragraph (e)(2) that is eliminating an option of risk consequences to be measured in fatalities only.
Subpart I—Positive Train Control Systems
Section 236.1001 Purpose and Scope
This section describes both the purpose and the scope of subpart I. Subpart I provides performance-based regulations for the development, test, installation, and maintenance of PTC systems, and the associated personnel training requirements, that are mandated for installation by FRA. This subpart details the process and identifies the documents that railroads and operators of passenger trains are to utilize and incorporate in their PTC implementation plans. This subpart also details the process and procedure for obtaining FRA approval of such plans.
A number of railroads indicated concern with a potentially significant reprogramming of funds due to the statutorily mandated implementation of PTC systems. These railroads claim that the costs associated with PTC system implementation will lead to deferred capital improvements and maintenance elsewhere in the general railroad system, including degraded track, bridge, or drainage conditions, which may then lead to accidents. Thus, according to these railroads, the mandated PTC implementation, within an extremely aggressive timeframe, may lead to an overall reduced level of safety. FRA recognizes that the cost of PTC will be substantial. FRA does note that capital expenditures can often be financed; and the Railroad Rehabilitation and Improvement Financing (RRIF) program is one source of such financing. Other potential sources include private financing, public bond authority, and state and federal appropriations. It is the responsibility of each public and private railroad to determine appropriate funding sources to meet its needs.
Various railroads also urge FRA to not use its discretion to require more than the minimum mandated by the RSIA08. These railroads note that under FRA's economic analysis, the costs of PTC implementation outweigh its benefits by a ratio of 15 to 1. While these railroads acknowledge that these costs are mostly unavoidable due to the congressional mandate, they believe that there are ways FRA may mitigate these and other costs associated with this rule. FRA has crafted this final rule to limit the cost of implementation and to avoid further PTC development that could require additional funding and additional time. Accordingly, in the proposed and final rule, FRA indicates a willingness to approve suitable systems employing non-vital onboard processing, to recognize wayside signal logic as an appropriate means of protecting movements over switches, to recognize systems that enforce the upper limit of restricted speed as suitable collision avoidance in the case of following trains and joint authorities, to avoid any requirements for monitoring of derails off the main line in conventional speed territory, to allow for conventional arrangements at rail-to-rail crossings at-Start Printed Page 2610grade where speeds are moderate, and to recognize to the maximum extent possible safety case showings made under subpart H prior to the effective date of this rule. In addition, FRA has made allowances for operation of Class II and III locomotives in PTC territory and significant “main line” exceptions for passenger routes. Together, these actions will save the railroads billions of dollars of initial expense, as well as continuing expense in maintenance over the coming years.
Section 236.1003 Definitions
Given that a natural language such as English contains, at any given time, a finite number of words, any comprehensive list of definitions must either be circular or leave some terms undefined. In some cases, it is not possible and indeed not necessary to state a definition. Where possible and practicable, FRA prefers to provide explicit definitions for terms and concepts rather than rely solely on a shared understanding of a term through use.
Paragraph (a) reinforces the applicability of existing definitions of subparts A through H. The definitions of subparts A through H are applicable to subpart I, unless otherwise modified by this part.
Paragraph (b) introduces definitions for a number of terms that have specific meanings within the context of subpart I. Paragraph (b) has been modified in the final rule by adding a definition for the term, “Notice of Product Intent.”
In lieu of analyzing each definition here, however, some of the delineated terms will be discussed as appropriate while analyzing other sections below.
As a general matter, however, FRA believes it is important to explain certain organizational changes required pursuant to the RSIA08. The statute establishes the position of a Chief Safety Officer within FRA. The Chief Safety Officer has been designated as the Associate Administrator for Railroad Safety. Thus, the use of the term Associate Administrator in this subpart refers to the Associate Administrator for Railroad Safety and Chief Safety Officer, or as otherwise referenced, the Associate Administrator for Railroad Safety/Chief Safety Officer.
The NPRM defined “host railroad” to mean “a railroad that has effective operating control over a segment of track.” This term is used in § 236.1005(b) to identify the party responsible for installing PTC and in § 236.1007 with respect to attributes of PTC systems for high-speed service. The host railroad is also responsible for planning and filing requirements (see, e.g., § 236.1009). In proposing this definition, FRA sought to capture in a word the essence of fundamental responsibility for the rail operation. FRA considered terms such as “track owner” (used in the Track Safety Standards), but found that the alternatives had drawbacks of one kind or another. There are places, for instance, where a non-railroad State or local government or private corporation owns the underlying fee beneath the railroad infrastructure but is not engaged in any way in managing or benefitting from the railroad (except in some cases by receiving revenue from a lease). There are also situations where multiple railroads are dispatched from a common location, either by one of the railroads or by a third party. It is increasingly the case that commuter service is provided by a public authority through multiple contractors who are responsible for discrete portions of service as agents of the sponsoring entity (e.g., equipment maintenance, track and signal maintenance, train operations, dispatching). In short, it is hard to describe, in a common way, who is responsible here; nevertheless, in any concrete case, there can be but one entity ultimately responsible.
The Southern California Regional Rail Authority submitted comments requesting that FRA provide additional clarification to what constitutes “effective operating control” as stated in the definition of the term “host railroad.” Specifically, SCRRA questioned whether FRA would consider control of dispatching as “effective operating control” even if responsibilities for the installation and maintenance of wayside devices and infrastructure are under a different party than the dispatcher. Although FRA does not find it necessary to change the definition contained in the regulation, FRA will offer clarification as to the intended meaning. As noted above, very often railroads cooperate in dispatching trains that traverse contiguous lines in order to maximize tactical planning and efficiency. Whether one railroad might dispatch another railroad's territory would not cause the dispatching railroad to take on the responsibilities of the host. Similarly, the fact that a railroad might contract with another railroad to dispatch all or a portion of its lines would not relieve the former railroad of responsibilities of the host.
In the example of SCRRA's Metrolink operations, we would expect SCRRA, which defines its route structure and timetable for passenger operations, to undertake the duties of the host for the lines for which it enjoys effective control in the sense that it has the right to determine who operates over the lines and under what conditions. In general, those are the lines it owns directly or through public authorities that cooperate in the joint powers arrangement. Lines owned and operated by BNSF or UP and over which Metrolink trains operate would be the responsibility of BNSF and UP, respectively, even if SCRRA or its contractor has day-to-day responsibility for dispatching some of them.
GE Transportation expressed concern regarding the definition and use of the term Type Approval in § 236.1003 and subsequent sections, including § 236.1031. GE Transportation notes that under the proposed rule Type Approvals apply only to complete PTC systems, although it is generally recognized in the industry that there are five core component subsystems in a PTC system configuration: (1) A locomotive onboard subsystem; (2) a dispatch center supervisory control and data acquisition (SCADA) subsystem; (3) a PTC server (central or wayside) if a server is required; (4) wayside interface units; and (5) a data communications network connecting the other subsystems. When a Type Approval is granted to a PTC system, GE Transportation suggests that core subsystems of that PTC system should be granted Component Type Approval under certain conditions. According to GE Transportation, the granting of such Component Type Approvals will drive simplified filings, faster approval, and faster deployment for new system configurations using a building block approach. In addition, states GE Transportation, it reduces the risks associated with PTC deployment by simplifying substitution of components in the event of a problem, the market for PTC system components becomes less restrictive, and the next logical step is for a supplier to be permitted to introduce a core subsystem component for approval. GE Transportation asserts that this will encourage market development and further reduce risks for PTC deployment and sustained operation.
FRA understands GE's concern. However, it appears to be based on a misunderstanding of FRA's definition of “Type Approval.” In developing the “Type Approval” concept, FRA looked to the Federal Aviation Administration (FAA) model of system approval as a basis. However, FRA modified the FAA approach to better fit FRA's regulatory mandate and resources. FRA considers the “Type Approval” to be more akin to the FAA concept of an “Airworthiness Certificate.” Under FAA rules, an airworthiness certificate is only issued Start Printed Page 2611to a system (and, in the case of the FAA, this system is an aircraft). This analogy is made only to make a minor clarification and should not necessarily be construed to entirely equate subpart I's Type Approval concept with that of FAA's Airworthiness Certificate concept.
FRA has also considered GE's position that an FRA failure to issue component level approvals could restrict the development of new products. FRA notes that the current industry practice is based on vendor or supplier determination that there will be a market for a particular product. This determination may be based on a specific request from a customer, or on the vendor's or supplier's perception that there is a need for the product. While this process may consider the regulatory requirements that may be applicable to a component, it has not required FRA to issue an “approval” for any particular component. Given the number of new products that have been brought to market, FRA believes that this development model has worked very successfully. Further, the requirements of the RSIA08 require FRA to certify that the PTC system, not the PTC system components, meets the regulatory requirements. The “Type Approval” does not in any way certify a PTC system as required by statute; it only indicates to the system developer/integrator that FRA believes that the proposed system, if properly implemented, may meet the statutory requirements. FRA therefore declines, at this time, to issue component level “type approvals”.
The AAR believes that the definition of “safe state” includes conditions not necessarily applicable. According to AAR, this term may be utilized to describe the operation of a system in non-failure scenarios and, in fact, is arguably used in this fashion even within the NPRM preamble (see, e.g., 74 FR 35,966 (July 21, 2009) (“If a switch is misaligned, the PTC system shall provide an acceptable safe state of train operations.”)). Accordingly, the AAR asserts that the definition of “safe state” should be modified to strike the clause “when the system fails.”
Some other commenters expressed the opinion that in the current definition of “safe state,” the clause “cannot cause harm” lacks specificity. FRA agrees to modify the definition of “safe state” by replacing the clause “system configuration that cannot cause harm when the system fails” with the clause “system state that, when the system fails, cannot cause death, injury, occupational illness, or damage to or loss of property, or damage to the environment.” This definition corresponds to that of the safe state definition in the U.S. Department of Defense Military Standard (MIL-STD) 882C. FRA, however, disagrees with AAR that the term “safe state” should be also applicable for the description of system state in non-failed conditions. The definition of the term “safe state” should not be confused with the term “safe operation” or “operating safely.” The term “safe state” was added in § 236.1003 strictly for the purpose of defining a “protective” state (safe state) of the system, which the system must take when it fails. At the same time, FRA admits erroneous use of the term “safe state” in the section quoted by AAR (74 FR 35,966) and amends it to read: “If a switch is misaligned, the PTC system shall provide an acceptable level of safety of train operations.”
Section 236.1005 Requirements for Positive Train Control Systems
The RSIA08 specifically requires that each PTC system be designed to prevent train-to-train collisions, overspeed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position. Section 236.1005 includes the minimum statutory requirements and provides amplifying information defining the necessary PTC functions and the situations under which PTC systems must be installed. Each PTC system must be reliable and perform the functions specified in the RSIA08.
Train-to-train collisions. Paragraph (a)(1)(i) applies the statutory requirement that a mandatory PTC system must be designed to prevent train-to-train collisions. FRA understands this to mean head-to-head, rear-end, and side and raking collisions between trains on the same, converging, or intersecting tracks. Currently available PTC technology can meet these needs by providing current and continuous guidance to the locomotive engineer and enforcement using predictive braking to stop short of known targets. FRA notes that the technology associated with currently available PTC systems may not completely eliminate all collisions risks. For instance, a PTC system mandated by this subpart is not required to prevent a collision caused by a train that derails and moves onto a neighboring or adjacent track (known in common parlance as a “secondary collision”).
During discussions regarding available PTC technology, it has been noted that this technology also has inherent limitations with respect to prevention of certain collisions that might occur at restricted speed. In signaled territory, there are circumstances under which trains may pass red signals, other than absolute signals without verbal authority, either at restricted speed or after stopping and then proceeding at restricted speed. To avoid rear end collisions, available PTC technology does not always track the rear-end of each train, but instead relies on the signal system to indicate the appropriate action. In this example, the PTC system would display “restricted speed” to the locomotive engineer as the action required and would enforce the upper limit of restricted speed (i.e., 15 or 20 miles per hour, depending on the railroad). This means that more serious rear end collisions will be prevented, because the upper limit of restricted speed is enforced. This also means that fewer low speed rear-end collisions will occur because a continuous reminder of the required action will be displayed to the locomotive engineer (rather than the engineer relying on the aspect displayed by the last signal, which may have been passed some time ago). However, some potential for a low speed rear-end collision will remain in these cases, and the rule is clear that this limitation has been accepted. Similar exposure may occur in non-signaled territory where trains are conducting switching operations or other activities under joint authorities. The PTC system can enforce the limits of the authority and the upper limit of restricted speed, but it cannot guarantee that the trains sharing the authority will not collide. Again, however, the likelihood and average severity of any potential collisions would be greatly reduced considering such movements would be made under restricted speed. FRA may address this issue in a later modification to subpart I if necessary as technology becomes available.
FRA received comments on this discussion of the inherent limitations of available PTC technology with respect to the prevention of certain collisions that may occur at restricted speed from NYSMTA. NYSMTA sought clarification that PTC is not intended to enforce conformance of block entry speeds associated with wayside signal aspects or similar cab signal aspects provided without speed control, except when a train is operating under a wayside signal or cab signal aspect requiring a speed not to exceed restricted speed. FRA noted in the NPRM, and repeats here, that FRA recognizes that some PTC architectures will not directly enforce speed restrictions imposed by all intermediate signals. FRA does expect that the Start Printed Page 2612PTCDP will be clear on how the system accomplishes train separation and regulation of speeds over turnouts.
The final rule text, however, does provide an example of a potential train-to-train collision that a PTC system should be designed to prevent. Rail-to-rail crossings-at-grade—otherwise known as diamond crossings—present a risk of side collisions. FRA recognizes that such intersecting lines may or may not require PTC system implementation and operation. Since a train operating with an unregulated PTC system cannot necessarily recognize a train not operating with a PTC system or moving on an intersecting track without a PTC system, the PTC system—no matter how intelligent—may not be able to prevent a train-to-train collision in such circumstances.
Accordingly, paragraph (a)(1)(i) requires certain protections for such rail-to-rail crossings-at-grade. While these locations are specifically referenced in paragraph (a)(1)(i), their inclusion is merely illustrative and does not necessarily preclude any other type of potential train-to-train collision. Moreover, a host railroad may have alternative arrangements to the specific protections referenced in the associated table under paragraph (a)(1)(i), which it must submit in its PTCSP—discussed in detail below—and receive a PTC System Certification associated with that PTCSP.
Rail-to-rail crossings-at-grade that have one or more PTC routes intersecting with one or more routes without a PTC system must have an interlocking signal arrangement in place developed in accordance with subparts A through G of part 236 and a PTC enforced stop on all PTC routes. FRA has also determined that the level of risk varies based upon the speeds at which the trains operate through such crossings, as well as the presence, or lack, of PTC equipped lines leading into the crossing. Accordingly, under a compromise accepted by the PTC Working Group, if the maximum speed on at least one of the intersecting tracks is more than 40 miles per hour, then the routes without a PTC system must also have either some type of positive stop enforcement or a split-point derail on each approach to the crossing and incorporated into the signal system, and a permanent maximum speed limit of 20 miles per hour. FRA expects that these protections be instituted as far in advance of the crossing as is necessary to stop the encroaching train from entering the crossing. The 40 miles per hour threshold appears to be appropriate given three factors. First, the frequency of collisions at these rail intersections is low, because typically one of the routes is favored on a regular basis and train crews expect delays until signals clear for their movement. Second, the special track structure used at these intersections, known as crossing diamonds, experiences heavy wear; and railroads tend to limit speeds over these locations to no more than 40 miles per hour. Finally, FRA recognizes that for a train on either intersecting route, elevated speed will translate into higher kinetic energy available to do damage in a collision-induced derailment. Thus, for the small number of rail crossings with one or more routes having an authorized train speed above 40 miles per hour, including higher speed passenger routes, it is particularly important that any collision be prevented. FRA believes that these more aggressive measures are required to ensure train safety in the event the engineer does not stop a train before reaching the crossing when the engineer does not have a cleared route displayed by the interlocking signal system and higher speed operations are possible on the route intersected. The split-point derail would prevent a collision in such a case by derailing the offending train onto the ground before it reaches the crossing. Should the train encounter a split-point derail as a result of the crew's failure to observe the signal indication, the slower speed at which the unequipped train is required to travel would minimize the damage to the unequipped train and the potential affect on the surrounding area.
As an alternative to split-point derails, the non-PTC line may be outfitted with some other mechanism that ensures a positive stop of the unequipped crossing train. If a PTC system or systems are installed and operated on all crossing lines, there are no speed restrictions other than those that might be enforced as part of a civil or temporary speed restriction. However, the crossing must be interlocked and the PTC system or systems must ensure that each of the crossing trains can be brought safely to a stop before reaching the crossing in the event that another train is already cleared through or occupying the crossing.
The Rail Labor Organizations shares FRA's concerns regarding diamond crossings, supporting the requirements for interlocking signal arrangements, a PTC enforced stop on PTC routes, and installation of split-point derails with a 20 miles per hour maximum authorized speed on the approach of any intersecting non-PTC route. However, the RLO believe that split-point derails should be required regardless of the PTC route's maximum speed in order to protect the PTC route against a non-equipped train passing through a stop indication and equipment inadvertently rolling out (i.e., a roll away) from the non-PTC route.
AAR and CSXT challenge the imposition of split-point derails. CSXT believes that the proposed rule merely shifts the safety risks associated with Class II and III railroads, but does not eliminate them altogether. For instance, CSXT points out that unlike a PTC-compliant system, the split-point derail would not avoid derailment altogether; rather, it would simply cause the non-PTC Class II or III train to derail away from the crossing. According to CSXT, the most comprehensive safety regime that would avoid both collisions and derailments would be to require Class II and Class III railroads operating on PTC routes also to be PTC equipped.
One commenter objected to the costs of derails being borne by PTC equipped Class I railroads. The NPRM did not purport to address who would pay this cost, but merely recited in a brief reference that the assumption had been made in the Regulatory Flexibility Analysis that the railroad installing PTC would bear the cost. FRA does not stipulate who is responsible for the cost of split-point derails at rail-to-rail crossings at-grade, as the cost will be borne in conformance with any agreements between the railroads or prior rights arising out of previous transactions under which property was acquired. FRA would have appreciated some indication of how those costs are likely to fall, but no information was provided on this point.
The commenter also proposes exploration of lower-cost alternatives in lieu of split-point derails. FRA agrees that less expensive alternatives to split-point derails at rail-to-rail crossings at-grade can and should be proposed in a railroad's PTCIP or PTCDP. As FRA stated in the preamble discussion of paragraph (a)(1)(i) in the proposed rule, “the non-PTC line may be outfitted with some other mechanism that ensures a positive stop of the unequipped * * * train.” (74 FR 35,950, 35,960). FRA expects, however, that any alternative to the split-point derail will provide the same level of separation as that afforded by the installation of the split-point derail.
CSXT submitted comments stating that the installation of split-point derails would create a new danger, including a secondary collision. However, FRA believes that these aggressive measures at locations where train speeds exceed 40 miles per hour through rail-to-rail crossings at-grade, where not all routes Start Printed Page 2613have been equipped with a PTC system or positive stop enforcement, are necessary in order to ensure train safety. FRA fully agrees that full PTC technology that provides positive stop enforcement from all directions is a more desirable method of protecting such locations. However, where such technology has not been installed, the prescribed use of split-point derails in approach to the crossing-at-grade is deemed necessary in the event the engineer of a train operating on a line without positive stop enforcement does not have a cleared route and fails to stop the train prior to reaching the crossing. The split-point derail, in combination with the required speed limitation of 20 miles per hour or less, would prevent a collision by derailing the offending train onto the ground before it reached the crossing. Should such a train encounter a split-point derail in its derailing position as a result of the crew's failure to observe or adhere to the signal indication, the slower speed at which an unequipped train is required to travel would minimize damage to the unequipped train and the potential effect on the surrounding area.
FRA has also considered the comments of the RLO that more secure arrangements should be provided at each rail-to-rail crossing-at-grade, regardless of speed. FRA believes that where the PTC-equipped and non-PTC-equipped lines of the Class I railroads intersect, the railroads will generally utilize the available PTC technology to ensure a positive stop short of the crossing for any train required to stop short of the interlocking. The WIU at the location and available onboard capability supported by a radio data link should make this an obvious solution. FRA will scrutinize Class I PTCDPs to ensure that this is the case. FRA remains concerned that more aggressive solutions for intersections with Class II and III lines could impose substantial costs without returning significant benefits.
Overspeed derailments. Paragraph (a)(1)(ii) requires that PTC systems mandated under subpart I be designed to prevent overspeed derailments and addresses specialized requirements for doing so. FRA notes that a number of passenger train accidents with a significant number of injuries have been caused by trains exceeding the maximum allowable speed at turnouts and crossovers and upon entering stations. Accordingly, FRA emphasizes the importance of enforcement of turnout and crossover speed restrictions, as well as civil speed restrictions.
For instance, in the Chicago region, two serious train accidents occurred on the same Metra commuter line when locomotive engineers operated trains at more than 60 miles per hour while traversing between tracks using crossovers, which were designed to be safely traversed at 10 miles per hour. For illustrative purposes, the rule text makes clear that such derailments may be related to railroad civil engineering speed restrictions, slow orders, and excessive speeds over switches and through turnouts and that these types of speed restrictions are to be enforced by the system.
The UTA and APTA each submitted the same basic comment pertaining to paragraph (a)(1)(ii), with which SCRRA concurred. They contend that speed restrictions are often set at a speed that is far below a speed that would cause a derailment. Therefore, they request that a PTC system should allow or display a speed higher than the actual speed restriction, but well short of a speed that may cause a derailment.
The RLO submitted a comment that, while the language “prevent overspeed derailments” accurately reflects the language found in the RSIA08, this paragraph misses the congressional intent of the statute and appears to be unenforceable unless a derailment occurs in conjunction with a PTC system that fails to enforce an overspeed event. The RLO believe that FRA should amend this paragraph to establish that it will be a violation of this section if the PTC system fails to enforce an overspeed condition that is not corrected by the locomotive engineer regardless of whether or not such overspeed results in a derailment. Since most overspeed occurrences do not result in a derailment, the RLO asserts that waiting for a derailment to happen before declaring that the PTC system is not operating as intended is contrary to the purpose of the law.
FRA intends and believes that the PTC core feature concerning “overspeed derailments” is such that the system shall enforce various speed restrictions (i.e., civil speed restrictions, temporary slow orders, excessive speeds over switches and through turnouts and crossovers, etc.) regardless of whether a derailment actually occurs. However, FRA elects to leave the rule text of paragraph (a)(1)(ii) as it was written in the proposed rule. FRA is aware of various train control systems that have a tolerance of 3 miles per hour before the system displays a warning to the train operator and that apply a penalty brake application when the train reaches a speed 5 miles per hour above the posted speed restriction. Appropriate speed margins or leeways associated with maximum authorized speed are expected, but they must be presented, justified, and approved within the context of a railroad's PTCDP and PTCSP.
Roadway work zones. Paragraph (a)(1)(iii) requires that PTC systems mandated under subpart I be designed to prevent incursions into established work zone limits. Work zone limits are defined by time and space. The length of time a work zone limit is applicable is determined by human elements. Working limits are obtained by contacting the train dispatcher, who will confirm an authority only after it has been transmitted to the PTC system's server. Paragraph (a)(1)(iii) emphasizes the importance of each PTC system to provide positive protection for roadway workers working within the limits of their work zone. Accordingly, once a work zone limit has been established, the PTC system must be notified. The PTC system must continue to obey that limit until it is notified by the dispatcher or roadway worker in charge, with verification from the other, either that the limit has been released and the train is authorized to enter or the roadway worker in charge has authorized movement of the train through the work zone.
As a way to achieve this technological functionality, FRA's Office of Railroad Development has funded the development of a Roadway Worker Employee in Charge (EIC) Portable Terminal that allows the EIC to control the entry of trains into the work zone. While no rule includes the commonly used term EIC, FRA recognizes that it is the equivalent to the term “Roadway Worker In Charge” as used in part 214. With the portable terminal, the EIC can directly control the entry of trains into the work zone and restrict the speed of the train through the work zone. If the EIC does not grant authority for the train to enter the work zone, the train is forced to a stop by the PTC system prior to violating the work zone authority limits. If the EIC authorizes entry of the train into the work zone, the EIC may establish a maximum operating speed for the train consistent with the safety of the roadway work employees. This speed is then enforced on the train authorized to enter and pass through the work zone. The technology is significantly less complex than the technology associated with dispatching systems and the PTC onboard system. In view of this, FRA strongly encourages deployment of such portable terminals as opposed to current methods that only require the locomotive engineer to, in some manner, “acknowledge” his or her Start Printed Page 2614authority to operate into or through the limits of the work zone (e.g., by pressing a soft key on the onboard display, even if in error).
Pending the adoption of more secure technology, such as the EIC Portable Terminal, FRA will scrutinize each submitted PTCDP and PTCSP to determine whether they leave any opportunity for single point human failure in the enforcement of work zone limits. FRA again notes that some methods in the past have allowed the locomotive engineer to simply acknowledge a work zone warning, even if inappropriately, after which the train could proceed into the work zone. FRA expects that more secure procedures will be included in safety plans submitted under subpart I.
The RLO submitted a comment that, in order for a PTC system to effectively perform the core function of protecting roadway workers operating within the limits of their authority, the PTC system must be designed in a manner that prevents override of an enforced stop prior to entering an established work zone through simple acknowledgement of the existence of work zone limits by a member of the train crew (i.e., by pressing a soft key on the onboard display, even if in error). The RLO expressed support for FRA's intention to closely scrutinize each PTCSP to determine whether they leave any opportunity for a single point human failure in the enforcement of work limits. The RLO strongly encouraged FRA to withhold approval of any PTC system that does not enforce a positive stop at the entrance to established work zones until notified directly by the dispatcher or the roadway worker in charge, with verification from the other, that the movement into the work zone has been authorized by the roadway worker in charge.
FRA agrees with the concern expressed by the RLO on this issue. However, in the spirit of staying strictly within the mandate of the RSIA08 relating to required PTC functionality, FRA will require that the actual method of enforcement and acknowledgement associated with work zones be presented within the PTCDP and PTCSP and subject to FRA approval. FRA continues to strongly encourage use of EIC portable terminals with electronic handshake of acknowledgement and authorizations to enter work zones.
Movement over main line switches. Paragraph (a)(1)(iv) requires that PTC systems mandated under subpart I be designed to prevent the movement of a train through a main line switch in the improper position. Given the complicated nature of switches—especially when operating in concert with wayside, cab, or other similar signal systems—the final rule provides more specific requirements in paragraph (e) as discussed further below.
In numerous paragraphs, the final rule requires various operating requirements based primarily on signal indications. Generally, these indications are communicated to the engineer, who would then be expected to operate the train in accordance with the indications and authorities provided. However, a technology that receives the same information does not necessarily have the wherewithal to respond unless it is programmed to do so. Thus, paragraph (a)(2) requires PTC systems implemented under subpart I to obey and enforce all such indications and authorities provided by these safety-critical underlying systems. The integration of the delivery of the indication or authority with the PTC system's response to those communications must be described and justified in the PTCDP—further described below—and the PTCSP, as applicable, and then must comply with those descriptions and justifications. Again, FRA recognizes that in the case of intermediate signals, this may not involve direct enforcement of the signal indication.
APTA submitted a comment that the draft language of paragraph (a)(2) appears to disallow systems such as moving block overlays that may provide superior service. Since APTA does not believe this was the intent of the provision, APTA suggests that FRA clarify the language in this paragraph.
Paragraph (a)(2) is clear that the specified functions must be performed “except as justified” in the PTCDP or PTCSP. Here, FRA specifically intends to afford a means by which advanced systems permitting moving block operations could be qualified, either as stand-alone systems or as overlays integrated with the existing signal and train control arrangements.
The PTC Working Group had extensive discussions concerning the monitoring of main line switches and came to the following general conclusions:
First, signal systems do a good job of monitoring switch position, and enforcement of restrictions imposed in accordance with the signal system is the best approach within signaled territory (main track and controlled sidings). As a general rule, the enforcement required for crossovers, junctions, and entry into and departure from controlled sidings will be a positive stop, and the enforcement provided for other switches (providing access to industry tracks and non-signaled sidings and auxiliary tracks) will be display and enforcement of the upper limit of restricted speed. National Transportation Safety Board representatives were asked to evaluate whether this strategy meets the needs of safety from their perspective. The NTSB returned with a list of accidents caused by misaligned switches that it had investigated in recent years, none of which was in signaled territory. Based on that data, the NTSB staff decided that it was not necessary to monitor individual switches in signaled territory.
In a filing to this proceeding, the NTSB indicated that switch monitoring in both dark and signaled territories must demonstrate that a train will be stopped before crossing through a misaligned switch. Although the NTSB recognizes that signal systems currently provide information about switch positions, it asserts that FRA must ensure that any PTC system that uses the signal system to monitor switch positions will provide adequate safeguards to prevent trains from being routed through misaligned switches. Accordingly, the NTSB agreed with FRA's decision to protect switches within sidings with speed limits greater than 20 miles per hour to prevent switch misalignment accidents.
Second, switch monitoring functions of contemporary PTC systems provide an excellent approach to addressing this requirement in dark territory. However, it is important to ensure that switch position is determined with the same degree of integrity that one would expect within a signaling system (e.g., fail-safe point detection, proper verification of adjustment). The PTC Working Group puzzled over sidings in dark territory and how to handle the requirement for switch monitoring in connection with those situations. (While these are not “controlled” sidings, as such, they will often be mapped so that train movements into and out of the sidings are appropriately constrained.) At the final PTC Working Group meeting, a proposal was accepted that would treat a siding as part of the main line track structure requiring monitoring of each switch off of the siding if the siding is non-signaled and the authorized train speed within the siding exceeds 20 miles per hour. This issue is more fully discussed below.
Other functions. While FRA has included the core PTC system requirements in § 236.1005, there is the possibility that other functions may be explicitly or implicitly required elsewhere in subpart I. Accordingly, under paragraph (a)(3), each PTC system required by subpart I must also perform Start Printed Page 2615any other functions specified in subpart I. According to 49 U.S.C. 20157(g), FRA must prescribe regulations specifying in appropriate technical detail the essential functionalities of positive train control systems and the means by which those systems will be qualified.
In addition to the general performance standards required under paragraphs (a)(1)-(3), paragraph (a)(4) contains more detailed standards relating to the situations paragraphs (a)(1)-(3) intend to prevent. Paragraph (a)(4) defines specific situations where FRA has determined that specific warning and enforcement measures are necessary to provide for the safety of train operations, their crews, and the public and to accomplish the goals of the PTC system's essential core functions. Under paragraph (a)(4)(i), FRA intends to prevent unintended movements onto PTC main lines and possible collisions at switches by ensuring proper integration and enforcement of the PTC system as it relates to derails and switches protecting access to the main line.
Paragraph (a)(4)(ii) intends to account for operating restrictions associated with a highway-rail grade crossing active warning system that is in a reduced or non-operative state and unable to provide the required warning for the motoring public. In this situation, the PTC system must provide positive protection and enforcement related to the operational restrictions of alternative warning that are issued to the crew of any train operating over such crossing in accordance with part 234. Paragraph (a)(4)(iii) concerns the movement of a PTC operated train in conjunction with the issuance of an after arrival mandatory directive. While FRA recognizes that the use of after arrival mandatory directives poses a risk that the train crew will misidentify one or more trains and proceed prematurely, PTC provides a means to intervene should that occur. Further, such directives may sometimes be considered operationally useful. Accordingly, FRA fully expects that the PTC system will prevent collisions between the receiving trains and the approaching train or trains.
Numerous comments were received related to PTC system functional requirements associated with highway-rail grade crossing active warning systems. At the public hearing, the RLO asserted that the use of technologies providing warning system pre-starts, activation verification, and various health monitoring information related to the warning system to approaching trains needs to be a required component of the PTC system warning and enforcement functionalities where warranted. AASHTO submitted comments expressing agreement that inclusion of hazard warning detection in PTC systems for highway-rail grade crossing warning systems is a significant enhancement to mitigate potential risk. AASHTO also underlined its position of enhancing grade crossing safety further by implementation of a program to fully eliminate at-grade highway-rail crossings through consolidation and grade separation wherever possible.
Some commenters expressed various logistic concerns with the proposed rule language relating to operational restrictions issued in response to a warning system malfunction as required by §§ 234.105, 236.106, and 236.107 of this part. Other commenters asserted that any PTC system functional requirements related to highway-rail grade crossing warning systems fall entirely outside the scope of the statutory mandate contained within the RSIA08 and therefore should not be addressed in this rulemaking.
The AAR stated that, while they understand the safety concern, this function is not even remotely related to the “core” PTC functions mandated by Congress. Furthermore, the AAR asserts that the great cost of installing wayside interface units at grade crossings on PTC routes would be prohibitively expensive and would divert resources that would otherwise be devoted to meeting the mandated PTC deadline.
NJ Transit stated that the RSIA08 does not indicate a requirement for highway-rail grade crossing inclusion in the PTC system speed and stop enforcement. Thus, the requirement contained in paragraph (a)(4)(ii) to include warning and enforcement functionality simply adds an additional effort to an already extremely aggressive December 31, 2015, mandate for PTC.
APTA and SCRRA stated that the requirements contained in proposed paragraph (a)(4)(ii) were unclear. APTA and SCRRA recommended that FRA should clarify that the language in paragraph (a)(4)(ii) is intended solely to provide that a dispatcher can place a restriction on a crossing that the PTC system must enforce in the event that a malfunction is reported. However, according to APTA, paragraph (a)(4)(ii) should not be read to require a PTC system to protect a grade crossing and restrict or prevent a movement authority of a train from being advanced across the crossing in the event of a failure being detected in real time; nor should paragraph (a)(4)(ii) be interpreted to require a grade crossing warning system to self-monitor and, if in a degraded condition, impose a speed restriction or stop for an approaching train.
NYSMTA states that the addition of highway-rail grade crossings to this subpart falls outside the statutory mandate for PTC systems within the RSIA08. This additional functionality presents an additional burden for LIRR and Metro-North. Both railroads have hundreds of grade crossings in their rail networks. NYSMTA further asserted that the language in paragraph (a)(4)(ii) was ambiguous with respect to whether “warning or enforcement” of reported grade crossing failures would be required, and what constitutes a “warning.” Required enforcement will increase the capital cost of PTC, have an adverse impact on operations, risk modifications to ACSES that could trigger verification and validation, and create a further impediment to meeting the other requirements of the proposed FRA regulations. NYSMTA therefore recommended that the final rule be limited at this time to the four requirements of the RSIA08.
FRA believes that, although the RSIA08 does not specifically require PTC systems to cover highway-rail grade crossing warning system malfunctions and associated operational requirements, it does stipulate that FRA must develop rules and standards for PTC system functionality, which include the four core features identified. In light of the safety-critical nature of the specified operational limitations for providing alternative warning to highway users pursuant to §§ 234.105, 236.106, and 236.107, and the catastrophic consequences that have often been experienced when those operational limitations have not been accomplished (including actual and potential impacts with motor vehicles involving serious injury and loss of life) and the fact that these operational limitations equate to speed and stop targets that PTC systems may surely warn and enforce, FRA intends to carry the language contained within the proposed paragraph into this final rule. Although FRA believes that the proposed rule was clear that its purpose was to enforce dispatcher-issued “stop-and-flag” orders and slow orders associated with credible reports of highway-rail grade crossing warning device malfunctions, reference has been added to “mandatory directives,” a term with a well-established meaning in FRA regulatory parlance (see 49 CFR part 220).
While FRA recognizes that technologies exist to provide even further interface with warning system activation and health, and encourages railroads to include these technologies Start Printed Page 2616to the extent possible, FRA elects to not require those interfaces beyond that which has been already identified within this paragraph.
The NTSB submitted comments recommending that requirements for warning and barrier protection plans for Class 7 track should also apply to Class 5 and 6 tracks as part of an approved PTCSP in order to reduce the risk of high-speed catastrophic derailments at associated grade crossings. FRA notes that the requirements contained within § 213.347 of this part require that a warning/barrier plan be approved and adhered to for Class 7 track operations and prohibit grade crossings on Class 8 and 9 track. Those requirements do not, however, address Class 5 and 6 tracks specifically. Therefore, FRA believes that this comment falls outside the scope of the present rulemaking. As noted elsewhere in this preamble, FRA has developed Guidelines for Highway-Rail Grade Crossing Safety on high-speed rail lines that endeavor to improve engineering with a strong emphasis on closures. Those Guidelines will be used to review and negotiate grants under ARRA.
FRA recognizes that movable bridges, including draw bridges, present an operational issue for PTC systems. Under subpart C, § 236.312 already governs the interlocking of signal appliances with movable bridge devices and FRA believes that this section should equally apply to PTC systems governing movement over such bridges. While subparts A through H apply to PTC systems—as stated in § 236.1001—paragraph (a)(4)(iv) proposes to make this abundantly clear. Accordingly, in paragraph (a)(4)(iv) and consistent with § 236.312, movable bridges within a PTC route are to be equipped with an interlocked signal arrangement which is also to be integrated into the PTC system. A train shall be forced to stop prior to the bridge in the event that the bridge locking mechanism is not locked, the locking device is out of position, or the bridge rails of the movable span are out of position vertically or horizontally from the rails of the fixed span. Effective locking of the bridge is necessary to assure that the bridge is properly seated and thereby capable to support both the weight of the bridge and that of a passing train(s) and preventing possible derailment or other potential unsafe conditions. Proper track rail alignment is also necessary to prevent derailments, either of which again could result in damage to the bridge or a train derailing off the bridge. No comments were received on this issue, and the provision is carried forward in the final rule.
Paragraph (a)(4)(v) requires that hazard detectors integrated into the PTC system—as required by paragraph (c) of this section or the FRA approved PTCSP—must provide an appropriate warning and associated applicable enforcement through the PTC system. There are many types of hazard detection systems and devices. Each type has varying operational requirements, limitations, and warnings based on the types and levels of hazard indications and severities. FRA expects this enforcement to include a positive stop where necessary to protect the train (e.g., areas with high water, flood, rock slide, or track structure flaws) or to provide an appropriate warning with possible movement restriction being acknowledged (i.e., hot journal or flat wheel detection). The details of these warnings and associated required enforcements are to be specifically addressed within a PTCDP and PTCSP subject to FRA approval, and the PTC system functions are to be maintained in accordance with the system specifications. FRA does not expect that all hazard detectors be integrated into the PTC systems, but where they are, they must interact properly with the PTC system to protect the train from the hazard that the detector is monitoring. With the exception of the RLO's strong emphasis on safety in PTC system deployment, no comments were received on this issue; and the provision is carried forward in the final rule.
Paragraph (a)(5) addresses the issue of broken rails, which is the leading cause of train derailments. FRA proposes to strictly limit the speed of passenger and freight operations in those areas where broken rail detection is not provided. Under § 236.0(c), as amended in this final rule, 24 months after the publication of this final rule, freight trains operating at or above 50 miles per hour, and passenger trains operating at or above 60 miles per hour, are required to have a block signal system unless a PTC system meeting the requirements of this part is installed. Since current technology for block signal systems relies on track circuits—which also provide for broken rail detection—this final rule requires limiting speeds where broken rail detection is not available to the maximums allowed under amended § 236.0 when a block signal system is not installed. No comments were received on this issue, and the provision is carried forward in the final rule.
Deployment requirements. Paragraph (a) of 49 U.S.C. 20157, as enacted by the RSIA08, reads as follows:
“(a) IN GENERAL.—
“(1) PLAN REQUIRED.—Not later than 18 months after the date of enactment of the Rail Safety Improvement Act of 2008, each Class I railroad carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation shall develop and submit to the Secretary of Transportation a plan for implementing a positive train control system by December 31, 2015, governing operations on—
“(A) its main line over which intercity rail passenger transportation or commuter rail passenger transportation, as defined in section 24102, is regularly provided;
“(B) its main line over which poison- or toxic-by-inhalation hazardous materials, as defined in parts 171.8, 173.115, and 173.132 of title 49, Code of Federal Regulations,
are transported; and
“(C) such other tracks as the Secretary may prescribe by regulation or order.
“(2) IMPLEMENTATION.—The plan shall describe how it will provide for interoperability of the system with movements of trains of other railroad carriers over its lines and shall, to the extent practical, implement the system in a manner that addresses areas of greater risk before areas of lesser risk. The railroad carrier shall implement a positive train control system in accordance with the plan.”
It is plain on the face of the statute that certain actions are required and some are discretionary and that these actions must come together progressively over a period beginning on April 16, 2010 (18 months after enactment) and ending on December 31, 2015. FRA has included revisions in this final rule designed to fully express this intent.
In paragraph (b) of § 236.1005 in the NPRM, FRA proposed to use 2008 traffic levels as a baseline to fix the network that would receive PTC, subject to any subsequently requested and approved amendments to the PTCIP that would justify removal of the line, and subject to the addition of lines that might qualify under the statutory mandate based on later data. In addition to FRA's understanding of the rail lines Congress intended to cover, FRA had several other fundamental reasons for doing so. First, in order to reach completion by December 31, 2015, as required by law, the railroads and FRA need to identify the relevant route structure very early in the short implementation period and the railroads need to stage the financing and logistics to reach completion. Otherwise, the statutory deadline will not be met. Second, 2009 traffic levels will be notably atypical as a result of the recession, which has caused overall traffic levels to fall by as much as 20%. Third, the burden of installing PTC, which the statute applies obligatorily to very large railroads but not to others, may create an incentive to further “spin off” certain lines to avoid installing PTC Start Printed Page 2617on lines Congress intended to cover. Finally, FRA was concerned about responsive and anticipatory actions being taken by some railroads in the face of emerging regulatory influences. Accordingly, FRA sought in the NPRM to take a snapshot of the Class I system at the time the Congress directed the implementation of PTC and then, using its discretionary authority under the statute, to evaluate what adjustments may be in order.
The Class I railroads responded with the suggestion that FRA is without discretion to require inclusion of lines that do not qualify as of 2015. However, FRA has already quoted the statute, which makes clear the inclusion of FRA-identified lines in the 2015 mandate. The statutory “shall” applies to these lines. Also, FRA and its predecessor agency have long enjoyed the power to require installation of train control under the “Signal Inspection Act” (codified at 49 U.S.C. 20501-20505). Further, FRA has been mandated since 1970 to issue rules and standards covering “every area of railroad safety” (49 U.S.C. 20103). In conferring new responsibilities, the Congress in no sense repealed what preceded them.
Arguing in the alternative, the Class I railroads said that FRA had failed to rely on its discretionary authority to accomplish its purpose. In fact, the subject statutory provisions were called out in the authority section of the NPRM text, with the exception of the Signal Inspection Act, as codified (an oversight remedied here).[1] FRA also explicitly stated in the preamble to the NPRM its intention to use its statutory discretion to preserve congressional intent and tied that intention to the use of 2008 traffic levels. The railroads' ancillary claim is that, in effect, FRA would be “arbitrary and capricious” should the agency require PTC on lines not carrying PIH as of the end of 2015 absent a further congressional mandate or a showing that PTC on the subject lines would be “cost beneficial.”
FRA is very conscious of the fact that PTC is expensive, and the agency's regulatory evaluation for the proposed rule does not seek to conceal it. The unit costs will be particularly high during the period before December 31, 2015, and trying to do too much too fast could result in significant disruption of rail transportation. Accordingly, during the initial implementation period, FRA will not exercise its authority to require a build out of the PTC network beyond something on the order of what the Congress contemplated. However, FRA will exercise its discretion to ensure that the network design reflects safety needs and places a value on PTC that reflects an understanding of the value applied by the Congress.
FRA understands the arguments surrounding PTC costs and benefits, having filed three congressionally-required reports since 1994 with information on the subject, having worked through the RSAC for several years evaluating this issue, having funded PTC technology development and overseen PTC pilot projects from the State of Washington to the State of South Carolina, and having provided testimony to the Congress on many occasions. However, FRA believes that the issue is now presented in a different light than before. The Congress was aware that the monetized safety benefits of PTC were not large in comparison with the loss of life and injuries associated with PTC-preventable accidents. With the passage of RSIA08, Congress has in effect set its own value on PTC and directed implementation of PTC without regard to the rules by which costs and benefits are normally evaluated in rulemaking.
One could conclude that the Congress set the value only with respect to passenger trains and PIH releases, but that would assume that the interest expressed by the Congress over much more than a decade and a half was so limited. In fact, longtime congressional interest stemmed in large part from the loss of life among railroad crew members in collisions, as well the potential for release of other hazardous materials. Most of the NTSB investigations and investigations pertaining to this “most wanted” transportation safety improvement in fact derived from such events.
In this light, the focus of the statute on PIH and scheduled passenger trains was clearly intended to provide specific guidance to the agency—a minimum standard for action—and reflected the prominence of passenger train accidents (Placentia, CA, April 23, 2002; Chatsworth, CA); and PIH releases (Macdona, TX, June 28, 2004; Graniteville, SC) in the most serious of the recent PTC-preventable accidents. FRA does not take this to mean that the Congress meant us to be indifferent to the crew fatality at Shepherd, Texas, on September 15, 2005, which resulted from a misaligned main track switch in a collision very similar to the one at Graniteville. Nor do we believe that FRA was expected to be indifferent to the collision between two freight trains at Anding, Mississippi, on July 10, 2005, which killed four crew members, or the collision with release of liquefied propylene gas and ensuing explosion at Texarkana, Arkansas, on October 15, 2005, which killed a resident of a community abutting the railroad.[2] See, e.g., Rail Safety Reauthorization: Hearing Before the Subcomm. on Surface Transportation and Merchant Marine of the S. Comm. on Commerce, Science, & Transportation, 110th Cong. (May 22, 2007) (statement of Robert L. Sumwalt, Vice Chairman, National Transportation Safety Board). Thus, FRA was provided latitude to require PTC system installation and operation on lines beyond those specifically prescribed by Congress. While FRA has enjoyed the same latitude under pre-existing authority, RSIA08 indicates Congress' elevated concern that FRA ensure the more serious and thoughtful proliferation of PTC system technologies. Although, as noted above, FRA would expect to exercise any such authority with significant reserve, given the high costs involved, it would be an abdication of the agency's responsibility not to determine that the basic core of the Class I system is addressed, as would be the case based on 2008 traffic patterns.
The tone of the Class I freight railroad comments justified FRA's concerns that railroads might take the wrong lesson from the statutory mandate. The lesson FRA perceives is that the core of the national rail system, which carries passenger and PIH traffic, needs to be equipped with PTC and that Congress used 5 million gross tons of freight traffic, the presence of PIH traffic, and the presence of passenger service as readily perceptible markers identifying the core lines on which Congress wants PTC to be installed. In making its judgments, Congress was necessarily looking at the national rail system as it existed in 2008 when the statute was passed. A corollary of that lesson is that the later disappearance or diminution of Start Printed Page 2618one of those markers from a line does not necessarily mean that Congress would no longer see that line as part of the core national rail system meriting PTC. An alternative response would be to adopt policies and tactics that penalize rail passenger service and attempt to drive PIH traffic off the network, consolidating the traffic that remains on the smallest possible route structure for PTC.
The freight railroads do not pretend that FRA is wrong in perceiving that the freight railroads wish to remove PIH traffic from the network. That is wise, since the public record is replete with pleas from the Class I railroads to remove their common carrier obligation to transport PIH traffic. Rather, they contend, in effect, that FRA should not trouble itself with this issue, since the Congress and the Surface Transportation Safety Board (STB) will ensure that PIH shippers receive fair treatment, and the Pipeline and Hazardous Materials Safety Administration (PHMSA) Rail Route Analysis Rule will determine whether the traffic goes on the safest and most secure routes.
There are significant problems with this contention. First, while the Congress shows no interest in relieving the carriers of duty to transport PIH commodities, and STB has likewise brushed back a recent attempt by a Class I railroad to avoid this duty (see Surface Transportation Board Decision, Union Pacific Railroad Company—Petition for Declaratory Order, STB Finance Docket No. 35219 (June 11, 2009)), it is by no means yet determined how the cost burden associated with PTC will be borne. A railroad seeking to make the most favorable case for burdening a PIH shipper with the cost of PTC installation would first clear a line of overhead traffic through rerouting and then seek to surcharge the remaining shipper(s) for the incremental cost of installing the system. Under those circumstances, would the STB decide that the railroad should transfer all of those costs to other shippers, or would the STB uphold the surcharge in whole or in part, thereby potentially making the cost of transportation unsupportable?
The carriers would have us rely on the PHMSA Rail Route Analysis Rule in determining whether the PIH criterion requires installation of PTC on a particular line. The Class I railroads' comments state that “FRA is not even the DOT agency with substantive responsibility for how railroads route TIH.” This is an odd point, considering that: (1) The statutory authority for both this rulemaking and the Rail Route Analysis Rulemaking are vested in the Secretary of Transportation, and FRA and PHMSA have a long and well established history of working together for the safe transportation of hazardous materials; (2) as reflected in the rulemaking documents, FRA initiated the Rail Routing action in concert with PHMSA and participated in developing the proposed rule well before the Congress mandated that the rulemaking be concluded; (3) the final rule affirms that PHMSA issued the revision in coordination with FRA and TSA; (4) by delegation from the Secretary, FRA is the agency responsible for administering and enforcing the Rail Route Analysis Rule and has issued a final rule (73 FR 72,194 (Nov. 26, 2008)) detailing the procedures railroads must follow when challenging FRA enforcement decisions; and (5) FRA and has worked with TSA to provide funding and oversight for development of the risk model intended for use under the rule.
As it happens, FRA has good reason to be concerned with rail routing of PIH commodities (as well as explosives and high level radioactive waste, which are also covered by the PHMSA rule), both on the merits of the routing decisions (as the agency responsible for administering the rule) and in relation to the incidental impacts of re-routing decisions on the network of lines that will be equipped with PTC technology. Because the Rail Route Analysis Rule addresses both security and safety risks, operations under that rule necessarily lack the transparency typically afforded to safety risks.
Significant re-routing has already occurred since 2008 as a result of the TSA Rail Transportation Security Rule (73 FR 72,130 (Nov. 26, 2008)). In its comments, CSXT states that the TSA rule “required railroads to modify their routing operations to ensure that only attended interchanges are used for transporting TIH.” The resulting changes are said to be “dramatic.” Comment of CSX Transportation, Inc., Docket FRA-2008-0132-0028.1, at 12 (Aug. 24, 2009). However, the TSA regulation requires a secure chain of custody, not re-routing; and so any re-routing resulting from the TSA regulation presumably resulted not from the direct command of the rule itself but from the desire to hold down costs by focusing the handoffs of these commodities where personnel are already employed to oversee the transfers. This is perfectly sensible, of course, to the extent that the re-routing did not create greater safety or security concerns. However, since railroads have contended for years that their current routings were already optimized for safety, investigation is warranted.
The Rail Route Analysis Rule is only now being put into effect. Most railroads will not complete their initial analysis until the first quarter of 2009, using 12 months of 2008 data (per their request in the subject rulemaking). While the rule requires railroads to consider the use of interchange agreements when considering alternative routes, FRA has not had the opportunity to verify that this has actually occurred with the two railroads opting to comply with the September 2009 due date for use of only six months of data.
The risk model intended to provide the foundation for the rail routing process is still subject to considerable refinement. No methodology is currently specified for evaluating the potential impact of a PTC system (which would vary in risk reduction depending upon the underlying or previous method of operation). Under these circumstances, there is a distinct possibility the railroads may not give sufficient weight to train control (existing or planned).[3] Railroads are not required to submit their route analysis and route selections to FRA for approval. While FRA intends to aggressively oversee railroads' route analysis and route selections during FRA's normal review process, including their consideration of PTC, and require rerouting when justified, this process will be resource-intensive and time-consuming to complete. So FRA sees no reason necessarily to defer in this context to decision making made under the Rail Route Analysis Rule, even as to the role of PTC in safeguarding the transportation of traffic within its ambit (PIH, certain explosives, and spent nuclear fuel). Instead, those decisions are simply useful information under this rule. In April of 2010 when railroads must complete their PTCIP's, a railroad may know its own routing decisions under the Rail Route Analysis Rule, but not FRA's evaluation of those decisions. Furthermore, the Rail Route Analysis Rule analysis does not consider the safety risk posed by the rail movement of hazardous materials it does not cover—but, as noted above, this is a legitimate concern when deciding where to put PTC.
The Rail Route Analysis Rule considers both safety and security, and PHMSA and FRA have worked with TSA to ensure that the inherently Start Printed Page 2619speculative risk of a security incident does not overwhelm known safety risks in the decision making. At the same time, the structure is very responsive to known threats and special circumstances. However, FRA is aware of at least one railroad that has balanced its evaluation of safety and security risks under the rule affording equal weight to each across the board. FRA will be working with that railroad to determine the basis for this action and may later require the railroad to revise its analysis and possibly reroute traffic. See Railroad Safety Enforcement Procedures; Enforcement, Appeal and Hearing Procedures for Rail Routing Decisions, 73 FR 72,194 (Nov. 26, 2008).
Since any given railroad may have thousands of origin-destination pairs for its PIH traffic, and since railroads are just at the threshold of cooperation to evaluate interline re-routing options, this new program will settle out over a period of several years during which lessons are learned. As custodian of this program, FRA is best situated to conclude that using the products of initial analysis within a framework that confers significant discretion to utilize judgment should not control where PTC is built—particularly given the strong incentives that carriers perceive to reduce the wayside mileage equipped with PTC and the fact that installation of PTC might overwhelm other considerations with respect to PIH routing.
In the proposed rule, FRA said that changes from the 2008 base could be granted if “consistent with safety.” Even though this is a familiar phrase drawn from FRA's basic safety statute, concern was expressed regarding how this term might be applied. The final rule further defines that standard by adding a rule for FRA decision making, i.e., if the remaining safety risk on the line exceeds the average safety risk per route mile on lines carrying PIH traffic, as determined in accordance with Appendix B to 49 CFR part 236, FRA denies the request. The provision leaves open the possibility of granting the request if the railroad making application offers a compensating further build out on another line where the resources would be better spent because they would enhance safety to a greater degree. FRA has available to it adequate data to construct a simple risk model for use in this context and expects to do so when reviewing such requests. This provision treats similarly risky rail lines similarly in carrying out the perceived congressional intent for PTC to be installed on the portion of the rail system Congress described, and it is an appropriate exercise of FRA's statutory discretion because it is rationally related to the reduction in risk Congress sought to achieve across the national rail system.
The structure of paragraph (b) of § 236.1005 is as follows:
Paragraph (b)(1) brings together the policy of the statute requiring a phased, risk-based roll out of PTC with the types of lines required to be equipped. FRA has included the additional language “progressively equip” to remind the industry that the law does not expect a risk-based implementation in which no safety benefits are achieved until December 31, 2015. To the contrary, the law and FRA evidence a strong expectation that PTC safety benefits will be increasingly achieved as lines and locomotives are equipped. See § 236.1006. FRA was distressed to hear claims in the Class I railroad testimonies and filings to the effect that, not only are the railroads under no legal obligations to deploy incrementally and take advantage of safety technology required by the law, FRA is without authority to require PTC system operation until December 31, 2015. We consider both claims to be without merit on the face of the law, including FRA's pre-existing authority over signal and train control systems.
Paragraph (b)(2) describes the operation of the 2008 baseline as the initial point of PTC implementation. The section is clear that if any track segment mandated for PTC exclusively on the basis of PIH traffic falls below 5 million gross tons for two consecutive years, the line would be eligible for removal. The paragraph also identifies the presence of PIH traffic in 2008 (or prior to filing the PTCIP) as initially identifying the track segment in the PTCIP for PTC implementation, but refers to paragraph (b)(4) as a means of removing it.
Paragraph (b)(3) refers to changed conditions after the filing of the PTCIP that might require a line or track segment to be added. This could occur, inter alia, because overall freight volume increases, a shipper requests PIH service on the line, or PIH traffic is (actually or prospectively) rerouted over the line to satisfy the Rail Route Analysis Rule. The provision requires “prompt” filing when conditions change. It makes clear that the railroad will have at least 24 months after approval of its RFA to install the PTC system on the line.
In the NPRM, FRA proposed that, in order to have a line segment no longer carrying the PIH traffic be excepted from the requirement that it be initially equipped, the railroad would need to provide estimated traffic projections for the next 5 years (e.g., as a result of planned rerouting, coordinations, location of new business on the line). In addition, where the request involves prior or planned rerouting of PIH traffic, the railroad would be required to provide a supporting analysis that takes into consideration the rail security provisions of the PHMSA rail routing rule, including any railroad-specific and interline routing impacts. FRA proposed that it could approve an exception if FRA finds that it would be consistent with safety and in the public interest.
The AAR acknowledged in its comments that “FRA does offer railroads the ability to apply to FRA for approval to not install PTC on a route which, in 2015, is no longer used for PIH traffic or which no longer meets the definition of a main line.” However, asserted AAR, “FRA approval is predicated on the nebulous criteria of “consistent with safety and in the public interest.”
In this final rule, paragraph (b)(4) provides the methods by which a railroad may seek the exclusion or removal of track segments from its PTCIP. Paragraph (b)(4)(i) deals with the evaluation of track segments that no longer carry 5 million gross tons or PIH traffic that the railroad seeks to remove from the PTCIP, either at the time of initial filing or through an RFA thereafter. A request to remove a line would need to be accompanied by future traffic projections. FRA understands that, in some cases, railroads will not be able to state with certainty whether total tonnage or PIH traffic will return to a line; and certainty is not required. However, in other cases a railroad may in fact be able to make reasonable projections (because of control over a parallel main line that is approaching capacity, planned coordination with another railroad, etc.).
In the case of cessation of passenger service or a decline of tonnage on a PIH line, FRA anticipates that approval of such requests will normally be routine. However, in light of AAR's comments, the final rule provides that, where PIH traffic has been removed (or is projected to be removed), three conditions must be met in order for FRA to approve such requests. First, it is not expected that there will be any local PIH traffic on the subject track segment. Second, to the extent overhead traffic has been (or will be) removed from the line, the request must be supported by routing analysis justifying the alternative routing of any traffic formerly traversing the line or which might traverse the line as an alternative routing. This is not the same routing analysis required under part 49 CFR part 172, but it may be presented Start Printed Page 2620in the same format. The difference is that, under the Rail Route Analysis Rule, the current best route for the movement of security sensitive materials (which included PIH materials) must be determined, taking into consideration both safety and security and assuming the existing method of operation, any changes that a carrier may reasonably be anticipated to occur in the upcoming year, and any mitigation measures that the carrier intends to implement. That is a tactical question, which focuses on a particular geographical or logistical area. The question that needs to be addressed for PTC planning is the future best route, taking into consideration the fact that any route used for PIH will need to be equipped within the schedule contained in the approved PTCIP (but not later than December 31, 2015, for the least risky lines that need to be equipped). This is a strategic question, which applies to the carrier's entire network. Accordingly, this analysis would need to show that, even by equipping the subject line with PTC, it would not have an advantage over the route proposed to be selected.
As noted in section VI of this preamble, FRA seeks comments on how elements of a route analysis should be weighed by FRA when determining whether rerouting under this paragraph is sufficiently justified.
FRA includes one additional requirement that invokes its discretionary authority under the law. Even if a line has not or will not carry PIH traffic after the 2008 base year or later time period prior to filing of the PTCIP (i.e., for those filing a PTCIP for new service initiated after the statutory deadlines), the final rule requires an additional test that fleshes out the “consistent with safety” notion contained in the proposed rule with the desired objective of providing greater predictability, transparency, and consistency in decision making. This test requires that, in order for a track segment to be excluded, the remaining risk on the line not exceed the average risk extant on lines required to be equipped with PTC because they meet the threshold for tonnage of 5 million gross tons and carry PIH traffic. The effect of this test should be to allow a majority of lines that formerly carried PIH, which has been removed for legitimate reasons, to be removed from the PTCIP. With no intercity/commuter passenger traffic and no PIH, these will mostly be lines with moderate traffic involving commodities such as coal or grain and minimal quantities of other hazardous materials. However, with respect to lines with higher risk, PTC may be required despite the consolidation of PIH traffic on other lines. For instance, FRA does not believe that consolidation of PIH traffic due to security reasons should unduly influence PTC deployment. Train crews, roadway workers, and communities along the routes have a strong interest in seeing PTC provided for their benefit. Examples of lines that could be captured by this requirement are very high density lines to coal fields or between major terminals where collision risk is significant and other very dangerous or environmentally sensitive hazardous materials are transported in significant quantities (e.g., flammable compressed gas, halogenated organic compounds). Non-signaled lines with traffic nearing capacity and many manually operated switches, together with significant hazardous materials, would also be candidates for retention.
As previously noted in the Introduction and section VI to this preamble, FRA seeks further comments on paragraph (b)(4)(i). This provision describes the specific considerations FRA will take into account in determining whether a deviation from the baseline is “consistent with safety.” FRA believes that this final rule could still benefit from input concerning this application of the “consistent with safety” standard FRA has applied for decades in considering waivers under 49 U.S.C. 20103(d) and whether FRA should interpret that standard differently or in greater detail here. Accordingly, FRA continues to seek comments on this issue with the desired objective of providing greater predictability, transparency, and consistency in decision making. More specifically, FRA seeks comments that would help clarify what issues, facts, standards, and methodologies it should consider when determining whether to approve a request for amendment made pursuant to paragraph (b)(4)(i). FRA also seeks comments on how it should compare the levels of risk between lines with PIH and lines without PIH for the purposes of paragraph (b)(4)(i).
Paragraph (b)(4)(ii) contains a new provision that provides a basis for a railroad to request removal of a track segment from a PTCIP either at the time of initial filing or through an RFA thereafter. The provision is being added in an effort to respond to comments submitted on the NPRM requesting a de minimis exception for low density track segments with minimal PIH traffic. The AAR noted that, under the proposed regulations, even one car containing PIH on a main line would require installation of PTC. AAR believes that this position is untenable in light of the cost-benefit concerns (e.g., the 15-to-1 cost to benefit ratio under FRA's economic analysis), especially on routes with minimal PIH traffic. The AAR takes the position that it would therefore be arbitrary and capricious for FRA to not employ a de minimis exception. According to AAR, its preliminary analysis shows that a meaningful de minimis exception could save the industry hundreds of millions of dollars without significantly changing the safety benefit calculation.
The AAR and some of its member railroads assert that FRA has the authority to include a de minimis exception in the final rule. In separate comments, CSXT also recommends that FRA recognize a de minimis exception for PIH transport. CSXT asserts that, in cases where a limited quantity of PIH materials are transported on a particular route—or where a segment of track happens to carry PIH materials on a single occasion because of mere happenstance—there are no safety benefits that would justify costly PTC implementation. In addition, in the absence of specific language in the RSIA08 that would preclude FRA from recognizing a de minimis exception, CSXT asserts that FRA possesses the requisite authority to do so. In support of this assertion, CSXT points to three cases from the DC Circuit (Shays v. FEC, 414 F.3d 76 (DC Cir. 2005); Environmental Def. Fund, Inc. v. EPA, 82 F.3d 451 (D.C. Cir. 1996); and State of Ohio v. EPA, 997 F.2d 1520 (DC Cir. 1993)), in which the DC Circuit acknowledged the inherent authority conferred upon agencies, in the absence of an express prohibition, to promulgate a de minimis exception as a tool for implementing legislative design and avoiding pointless expenditures of effort.
FRA has reviewed the suggestion of the Class I railroads that FRA possesses an inherent, or at least reasonably inferred, authority to withhold any requirement for deployment of PTC on lines with very low risk. FRA agrees that, as a general matter, it has an inherent authority to create de minimis exceptions in its regulations to statutes FRA administers. In fact, FRA has utilized this inherent authority in this final rule in the following areas: Providing limited exceptions for yard operations; addressing the movement of equipment with inoperative PTC systems; and providing for limited movements by non-equipped trains operated by Class II and Class III Start Printed Page 2621railroads over PTC equipped main line.[4] FRA believes these are all appropriate uses of its discretionary authority. Based on existing case law, as well as its review of the comments provided in this proceeding, FRA believes that a de minimis exception to the statutory mandate requiring the installation of PTC systems on any and all main lines transporting any quantity of PIH hazardous materials should also be provided to low density main lines with minimal safety hazards that carry a truly minimal quantity of PIH hazardous materials.
With this said, however, and as explained below, that discretionary authority will not sustain the creation of the broad-brush exception sought by the Class I railroads in this proceeding. United States Circuit Court decisions recognize that federal agencies may promulgate de minimis exemptions to statutes they administer. See, e.g., Shays v. FEC, 414 F.3d 76, 113 (DC Cir. 2005); Ass'n of Admin. Law Judges v. FLRA, 397 F.3d 957, 961-62 (DC Cir. 2005) (“[T]he Congress is always presumed to intend that pointless expenditures of effort be avoided” and that such authority “is inherent in most statutory schemes, by implication.”); Environmental Defense Fund, Inc. v. EPA, 82 F.3d 451, 466 (DC Cir. 1996) (“[C]ategorical exemptions from the requirements of a statute may be permissible as an exercise of agency power, inherent in most statutory schemes, to overlook circumstances that in context may fairly be considered de minimis.”) (inner quotations and citation omitted); Alabama Power Co. v. Costle, 636 F.2d 323, 360 (DC Cir. 1979) (the ability to create a de minimis exemption “is not an ability to depart from the statute, but rather a tool to be used in implementing the legislative design.”); New York v. EPA, 443 F.3d 880, 888 (DC Cir. 2006) (noting the maxim de minimis non curat lex—“the law cares not for trifles.”).
However, “a de minimis exemption cannot stand if it is contrary to the express terms of the statute.” Environmental Defense Fund, 82 F.3d at 466 (citing Public Citizen v. Young, 831 F.2d 1108, 1122 (DC Cir. 1987)). In other words, agency authority to promulgate de minimis exemptions does not extend to “extraordinarily rigid” statutes. See Shays, 414 F.3d at 114 (“By promulgating a rigid regime, Congress signals that the strict letter of its law applies in all circumstances.”); Ass'n of ALJs, 397 F.3d at 962; Alabama Power, 636 F.2d at 360-61 (As long as the Congress has not been “extraordinarily rigid” in drafting the statute, however, “there is likely a basis for an implication of de minimis authority.”). Furthermore, such authority does not extend to situations “where the regulatory function does provide benefits, in the sense of furthering regulatory objectives, but the agency concludes that the acknowledged benefits are exceeded by the costs.” Public Citizen v. FTC, 869 F.2d 1541, 1557 (DC Cir. 1989) (quoting Alabama Power, 636 F.2d at 360-61) (emphasis removed); see also Shays, 414 F.3d at 114; Kentucky Waterways Alliance v. Johnson, 540 F.3d 466, 483 (6th Cir. 2008). “Instead, situations covered by a de minimis exemption must be truly de minimis.” Shays, 414 F.3d at 114. That is, they must cover only situations where “the burdens of regulation yield a gain of trivial or no value.” Environmental Defense Fund at 466 (inner quotations omitted) (citing Alabama Power, 636 F.2d at 360-61).
In this case, where release of the contents of one PIH tank car can have catastrophic consequences (e.g., the 2005 Graniteville accident), FRA must determine whether the gain yielded by installing PTC on any rail line that carries a minimal amount of PIH materials is “of trivial or no value.” During the RSAC Working Group discussions conducted on August 31-September 2, 2009, the major freight railroads suggested that any track segment carrying fewer than 100 PIH cars annually should be considered to present a de minimis risk and be subject to an exception. (Their representatives were very clear that the request did not extend to lines carrying intercity or commuter passenger trains.) During the Working Group discussion, AAR was asked to describe additional safety limitations that might apply to these types of track segments (e.g., tonnage, track class, population densities). The AAR elected not to do so, adhering to the simple less than 100 car exception. Subsequently, in an October 7, 2009, docket filing, AAR suggested that safety mitigations could be applied where necessary to bring risk down to de minimis levels.
FRA has considered AAR's proposed exception and has noted that, although the number of cars appears small, in fact only about 100,000 loaded PIH cars are offered for transportation in the United States each year (approximately 200,000 loads and residue cars). Accordingly, FRA would expect that such an exception might have a significant impact on the number of miles of railroad subject to the PTC mandate. None of the filings in this docket, and none of the discussion in the PTC Working Group, shed light on the relevant facts despite an express request from FRA to Class I railroads to supply facts bearing on their requested exception. Based on the limited information available to FRA, FRA believes that such an exception would excuse installation of PTC on roughly 10,000 miles of railroad out of the almost 70,000 route miles FRA has projected would need to be equipped based on the proposed requirements. Based on the limited information available, it appears that some of the lines within the AAR request carry very heavy tonnages (with many train movements raising the risk for a collision) at freight speeds up to 60 or 70 miles per hour (predicting severe outcomes when accidents do occur). Putting trains with PIH bulk cargoes into this mix in the absence of effective train control would not be a de minimis risk as to those cars of PIH actually transported. Further, any public policy decision to excuse PTC installation under these circumstances would have to ignore other risk on those track segments. Creating a de minimis exception for less than 100 PIH cars on a very busy and risk-laden track segment simply on the basis of the number of PIH cars would, accordingly, ignore the separate charge that the Congress gave to the agency in 1970 to adopt regulations “as necessary” for “every area of railroad safety” (49 U.S.C. 20103(a)) and the value that the Congress has obviously placed on PTC as a means of reducing risk within the reach of the four PTC core functions under the RSIA08. Further, it would stand on its head the structure of 49 U.S.C. 20157, as added by the RSIA08, which mandates completion by the end of 2015 of PTC on (1) lines of intercity and commuter passenger trains, (2) lines of Class I railroads carrying 5 million gross tons and PIH, and (3) “such other tracks as the Secretary may prescribe by regulation or order.”
FRA believes that the broad-based type of de minimis exception sought by the AAR and its member railroads based Start Printed Page 2622solely on the number of PIH cars transported annually is not supported either legally or on a safety basis. However, FRA believes a limited exception is necessary and justified for those main lines that transport a truly limited quantity of PIH materials and that pose little safety hazard to the general public by not being equipped with an operational PTC system. Thus, FRA is including paragraph (b)(4)(ii) in this final rule to permit railroads exclude these types of main track segments from the statutory requirement to install a PTC system. The initial qualifying criterion is that of less than 100 PIH cars per year (loaded or residue), as suggested by the AAR.
In order to foster as much clarity as possible regarding the exceptions provided, FRA has broken the concept into two separate divisions. The first creates a presumption that a requested exception will be provided based on existing circumstances on the line, plus an operating restriction. The second involves more challenging circumstances and involves no presumption, but the railroad may proffer safety mitigations in order to drive down risk to demonstrably negligible levels (subject to FRA review). Both are limited to lines that carry less than 15 million gross tons of traffic annually, a figure three times the threshold in the law. FRA has no confidence that a railroad could assure “negligible risk” in a busier and therefore more complex operation, and allowing for consideration of lines with more traffic could lead to neglect of other risk of concern (e.g., harm to train crews in collisions, casualties to roadway workers, release of other hazardous materials).
Paragraph (b)(4)(ii)(B) specifies additional tests that apply to the first exception:
- The line segment must consist exclusively of Class 1 or 2 track under the Track Safety Standards (maximum authorized speed 25 mph);
- The line segment must have a ruling grade of less than 1 percent; and
- Any train transporting a car containing PIH materials (including a residue car) must be operated under conditions of temporal separation, as explained in § 236.1019(e) and in Appendix A to part 211 of this title, from other trains using the line segment, as documented by a temporal separation plan submitted with the request and approved by FRA.
Limiting maximum authorized train speed reduces the kinetic energy available in any accident, and the forces impinging on the tank should be sustainable.[5] Placing a limit on ruling grade helps to avoid any situation in which a train “gets away” as a result of a failure to invoke a brake application until momentum is such that no stop is possible (as the surface between the brake shoe and wheel “goes liquid”). (PTC can prevent the initial overspeed and intervene early.) Requiring that a train carrying PIH and other trains be “temporally separated” can help prevent a collision in which a PIH car is struck directly by the locomotive of another train while traversing a turnout (potentially exceeding the force levels the tank can withstand). Given these combinations of circumstances, a de minimis exception should ordinarily be warranted. FRA would withhold approval only upon a showing of special circumstances, such as where there might be a need to protect movements over a moveable bridge. Should FRA identify such a circumstance, the railroad might elect to proceed under the additional exception.
Paragraph (b)(4)(ii)(C) provides an alternative path to a de minimis exception by opening the door for proposed risk mitigations that could drive risk down to negligible levels. The railroad could offer any combination of operating procedures, technology, or other means of risk reduction. Basically, the paragraph requires the railroad to “make its case” to FRA as to why a limited exception should be provided for the identified main line. The railroad must provide FRA sufficient information to justify the application of a de minimis exception to the identified track segment, including current and future traffic predictions, detailed information regarding the safety hazards present on the involved track segment, and an explanation of how the proposed mitigations would reduce the risk to a negligible level. FRA believes that, beyond the relatively narrow categorical exception provided in (B), a separate case-by-case analysis of each request is necessary to properly apply its inherent discretionary authority to grant de minimis exceptions in this area. Approaching the issue in this manner also permits full consideration of mitigations tailored to the particular circumstances. FRA would evaluate the submittal and, if satisfied that the proffered mitigations would be successful, approve the exception of the line segment. FRA wishes to note that elements of PTC technology may in some cases provide the means for accomplishing this. Developing a track database for a line segment, installing an intermittent data radio capability, and utilizing PTC-equipped locomotives on the line could be used to enforce temporary speed restrictions and enforce track warrants without the major expense on the wayside. Where necessary, based on somewhat higher train speeds, key switches could be monitored; or, alternately, only those trains containing PIH cars could be speed restricted (with speed enforced on board). The notion here is to leverage investments already made with modest additional expenditures that capture the bulk of the safety benefits while specially protecting trains with PIH cars.
FRA believes that the savings from these provisions should be substantial. Most of the line segments falling within the criteria set forth for de minimis risk will be non-signaled lines with limited freight traffic. The ability to omit equipping these routes with full data radio infrastructure and with switch position monitoring at all switches should constitute a significant savings. In fact, based on available information, FRA believes that as much as 3,500 miles of railroad could be included in one of the exceptions provided. FRA estimates that the gross savings from omitting PTC from these lines might amount to about $175 million and that mitigations might offset roughly $32 million of those savings, for net savings still exceeding $140 million. Of that amount, approximately $15 million could come from the first exception, which deals with very low risk lines left in their current state and operated under temporal separation of trains containing PIH traffic.
This provision was developed in the absence of a robust record. On October 7, 2009, the AAR filed supplementary comments offering to work with FRA on a more flexible process for de minimis exceptions that would consider safety mitigations designed expressly to drive risk down to de minimis levels on candidate line segments. FRA attempted to respond to this late-filed comment in full recognition that the final rule will impose substantial costs and that avoiding unnecessary cost is desirable. However none of the parties has had an opportunity to comment on the exception provided in this final rule. Accordingly, FRA seeks comments on the extent of the de minimis exception. Such comments should be supported by sufficient and applicable safety data. FRA notes that the time required for Start Printed Page 2623refinement of this provision should fit within the existing PTC system implementation timetable, since any lines where risk is low will be slated for PTC system installation relatively late in the implementation period that ends on December 31, 2015.
Paragraph (b)(5) addresses an additional reason for proposing to use 2008 data as a baseline for PTC installation, rather than de facto conditions in 2015: i.e., the prospect that Class I railroads will divest lines in order to avoid the PTC mandate. Based on past practice at the Interstate Commerce Commission and STB, lines sales can occur under circumstances where the new operator of the line is to a large extent the alter ego of the seller. The seller may retain overhead trackage rights or merely lease the line; or circumstances may be such that the seller is the only available interchange partner and thus continues to enjoy the “long haul” portion of the rate. Typically the buyer will have a lower cost structure, and to the extent the sale is merely a recognition that the line has declined in traffic and will need to be redeveloped as a source of carload traffic, that may be the best way to preserve rail service. However, to the extent that the seller sheds costs while retaining significant practical control and depriving the buyer of adequate revenues, safety issues can arise. FRA has historically been reluctant to allow discontinuance of signal systems in some of these cases, particularly where it remained within the seller's ability to rebuild overhead traffic on the line downstream, where the seller retained the right to repossess the property at a later time, or where the line carried passenger traffic.
This background may help explain why FRA made reference to the issue of whether omitting PTC on a line that carried PIH traffic in 2008 might be “in the public interest” in the proposed rule. In references during the subsequent RSAC working group deliberations, some question was raised about what that could mean. In light of that confusion, FRA has omitted the phrase from the final rule but has added language addressing the issue of line sales that expresses more directly how FRA would handle line sales and modifications to a PTCIP. FRA's purpose is to ensure that decisions regarding where PTC is deployed are made in light of all the relevant circumstances. To the extent that this approach represents an exercise of discretionary authority (and should any such exercise in fact occur), FRA would expect to make the decision based upon safety criteria after the STB had determined the public interest with respect to rail service. Again, FRA would expect to recognize the value that the Congress placed on PTC as a means of risk reduction while not rewarding transactions designed to avoid installation of PTC on the line in question.
Paragraph (b)(6) states that no new intercity or commuter passenger service shall commence after December 31, 2015, until a PTC system certified under this subpart has been installed and made operative. FRA believes this is a clearly necessary requirement to satisfy the statute. In response to the comments, FRA has removed the reference to “continuing” of previous passenger service. FRA agrees that the remedy associated with any delays in completing PTC system installation should be determined based upon circumstances at the time and without disfavoring passenger service in relation to freight service.
General objections to a 2008 baseline. FRA is aware that the approach embodied in the final rule may not play out as an elegantly optimized risk reduction strategy. If FRA were writing on a blank slate, the agency may have considered factors that drive risk and thresholds for those factors, taking into consideration more than PIH and intercity or commuter passenger traffic. Some lines that the Congress has required to be equipped by the end of 2015 because of PIH traffic would be left for deployment well downstream. Under such a hypothetical scenario, others with heavy train counts or without signal systems (and with robust traffic) may have been in theory added to the list for deployment of PTC by the end of 2015. But FRA is not writing on a clean slate. Rather, FRA is endeavoring to implement the statute with fidelity both to its terms and its intent, utilizing the discretion underscored by the law to get the job done.
Part of the complexity of this task is the schedule. FRA has labored to publish this final rule as soon as humanly possible so that the industry could be ready to file PTC Implementation Plans by the statutory deadline of April 16, 2010. FRA will then be required, again by the statute, to approve or disapprove each plan within a period of 90 days. Accordingly, establishing some degree of order in framing the Implementation Plan requirements is clearly necessary. Taking the 2008 traffic base as a known starting point, and evaluating any deviations from that base, will permit FRA to identify any potentially inappropriate traffic consolidations and focus on those areas as matters for review. FRA could, of course, take a different approach and order a categorically broader implementation. However, that has been understandably opposed by the railroads; and crafting any such approach would likely not have been feasible during the time available for this rulemaking. Accordingly, what we have done in § 236.1011(b) is to require the PTCIP to include a statement of criteria that the Class I railroad will apply in planning future deployment of PTC and a requirement that the railroad's Risk Reduction Program Plan (required by the RSIA08 to be filed in 2013) contain a specification of additional lines that will be equipped in full (meeting all of the requirements of subpart I) or as a partial implementation (subset of functionalities). Approaching the end of the initial deployment period, therefore, FRA should be in a position to consider whether requiring additional PTC deployments will be appropriate to address remaining risk or whether elective actions by the railroads will meet that need. Over time, then, any rough edges that remain should be smoothed over.
Another objection to the 2008 baseline is that more may need to be accomplished (i.e., the need to capture more lines) in the period between enactment and December 31, 2015. FRA responds as follows: First, no more will need to be done than the Congress likely expected. If FRA, an expert agency, did not foresee the “dramatic” consolidation of PIH traffic resulting from the TSA rule, it is fairly unlikely that the Congress did. Second, the Class I freight industry has had it within its control to get this done, and one of FRA's major objectives in conducting this rulemaking has been to ensure success by keeping the technology bar at a reasonable height and deferring as much as possible to work already accomplished. During the September 10, 2009, RSAC meeting, the leaders of the Interoperable Train Control project—an effort led by BNSF, CSXT, NS, and UP to develop interoperability standards for the general freight system—advised that those standards will not be available until the end of 2010 to the many commuter railroads and Amtrak working in concert with a major freight carrier. But the industry developed Advanced Train Control Standards in the 1980s, standards that FRA pronounced mature in its 1994 Report, after which the industry abandoned the project. PTC interoperability standards were identified as a need in the consensus report of the original PTC Start Printed Page 2624Working Group to the FRA Administrator in 1999, and creation of such standards was a major deliverable of the North American PTC Program (funded jointly by the FRA, industry, and the State of Illinois). That delivery was never made. In the interim, the major signal suppliers, working through the American Railway Engineering and Maintenance Association managed to produce interoperability standards (again with FRA support), but these are not standards that the freight railroads have elected to employ. Accordingly, FRA concludes that the principal obstacle to completion of PTC is the perfection of technology, including interoperability standards, by an industry that has had two decades to work. Any further delays in that quadrant should not deprive the Nation of a reasonably scaled PTC deployment.
Other comments. FRA received generally favorable comments on the base year issue from Friends of the Earth[6] and the Rail Labor Organizations. The Chlorine Institute also urged the broadest application of PTC to the national rail network, and the American Chemistry Council submitted generally favorable comments without lingering on this specific issue. The Fertilizer Institute commented that limiting lines to the 2008 PIH network could restrict shipping options in the future and also advocated a broader mandate.
Final rule adjustments. FRA has further considered the need to optimize the risk reduction strategy captured in this final rule with respect to lines that may no longer carry PIH traffic as of some point (whether at filing of the PTCIP or thereafter). FRA has included a requirement that the subject line from which PIH has been removed would be required to be equipped with PTC only if the line's remaining traffic involves a level of risk that is above the average for lines that carry PIH traffic. As noted above, FRA would expect most lines from which PIH traffic might be legitimately removed, exclusive of those that carry intercity or commuter passenger traffic (which will need to be equipped in any event), to fall below the average risk level and be removed from the PTCIP. These will be primarily what are referred to as branch lines or secondary main lines, carrying moderate traffic volumes. However, if a line such as a very busy coal line with intermixed general freight (including, e.g., flammable compressed gas or halogenated organic compounds) were in question, FRA would expect that line to remain equipped. Further optimization of this approach is offered in the form of compensating risk reduction. That is, a railroad could offer up a line that was not included in 2008 traffic base for PTC implementation if it carries traffic that involves very substantial risk. Although this option is offered, FRA does not expect any such situation to arise. Based on FRA's review of known traffic flows and densities, FRA expects that most lines omitted from those reported in the PTCIP based on 2008 data will fall into a very low range of risk in relation to lines carrying PIH traffic. Further, FRA believes it is very unlikely that any legitimate consolidation of PIH traffic after 2008 would have utilized a line that was not previously carrying at least some PIH traffic. In short, although the agency may not have taken the same approach, there is wisdom behind the congressional formulation based on conditions when the Congress acted.
In summary, FRA has fashioned an approach to review of candidate track segments for PTC Implementation that seeks to uphold the letter and the intent of the RSIA08, that utilizes FRA discretionary authority sparingly but in a risk-informed manner, that it is administrable within the time allowed by law to review PTCIPs, that offers the best chance of creating some stability in deployment strategy by permitting the agency to focus on areas of greatest sensitivity early in the process (including, as necessary, a threshold evaluation of whether Rail Route Analysis Rule decisions require further evaluation), and that will ensure, to the extent possible, that safety alone is the governing criterion in determining where PTC will be required to be deployed.
Paragraph (c) provides amplifying information regarding the installation and integration of hazard detectors into PTC systems. Paragraph (c)(1) reiterates FRA's position that any hazard detectors that are currently integrated into an existing signal and train control system must be integrated into mandatory PTC systems and that the PTC system will enforce as appropriate on receipt of a warning from the detector. Paragraph (c)(2) states that each PTCSP submitted by a railroad must identify any additional hazard detectors that will be used to provide warnings to the crew which a railroad may elect to install. If the PTCSP so provides, the PTCSP must clearly define the actions required by the crew upon receipt of the alarm or other warning or alert. FRA does not expect a railroad to install hazard detectors at every location where a hazard might possibly exist.
Paragraph (c)(3) requires, in the case of high-speed service (as described in § 236.1007 as any service operating at speeds greater than 90 miles per hour), that the hazard analysis address any hazards on the route and provide a reason why additional hazard detectors are not required to provide warning and enforcement for hazards not already protected by an existing hazard detector. The hazard analysis must clearly identify the risk associated with the hazard, and the mitigations taken if a hazard detector is not installed and interfacing with a PTC system. For instance, in the past, large motor vehicles with parallel or overhead structures have been left fouling active passenger rail lines. Depending upon the circumstances, such events can cause catastrophic train accidents. Although not every such event can be prevented, detection of such obstacles may make it more likely that the accident could be prevented.
In its comments, Amtrak assumes that on those lines where FRA has previously approved such speeds (e.g., portions of Amtrak's Northeast Corridor (NEC) and Michigan line), a new hazard analysis, which would serve only to allow that which is already allowed, will not be required. If so, it asserts that the rule should make that explicit. FRA has done so in the final rule. No further changes were indicated by the comments.
Under paragraph (d), the final rule requires that each lead locomotive operating with a PTC system be equipped with an operative event recorder that captures safety-critical data routed to the engineer's display that the engineer must obey, including all mandatory directives that have been electronically delivered to the train, maximum authorized speeds, warnings presented to the crew, including countdowns to braking enforcement and warnings indicating that braking enforcement is in effect, and the current system state (“ACTIVE”, “FAILED”, “CUTIN”, “CUTOUT”, etc.)
FRA intends that this information be available in the event of an accident with a PTC-equipped system to determine root causes and the necessary actions that must be taken to prevent reoccurrence. Although FRA expects implemented PTC systems will prevent PTC-preventable accidents, in the event of system failure FRA believes it is necessary to capture available data relating to the event. Further, FRA sees value in capturing information regarding any accident that may occur outside of the control of a PTC system Start Printed Page 2625as it is currently designed—including the prevention of collisions with trains not equipped with PTC systems—and accidents that could otherwise have been prevented by PTC technology, but were unanticipated by the system developers, the employing railroad, or FRA.
The data may be captured in the locomotive event recorder, or a separate memory module. If the locomotive is placed in service on or after October 1, 2009, the event recorder and memory module, if used, shall be crashworthy, otherwise known as crash-hardened, in accordance with § 229.135. For locomotives built prior to that period, the data shall be protected to the maximum extent possible within the limits of the technology being used in the event recorder and memory module.
One commenter stated that paragraph (d) was not clear. The commenter is unsure if FRA is requiring that all of the operator's display be recorded and replicated upon playback. FRA only requires that the railroad capture the safety-critical data routed to the display which the engineer must obey. The choice of format to play back this data has been left to the railroad, keeping in mind that whatever format used for data playback needs to be available to FRA for accident investigations and other investigation activities.
As required by the RSIA08 and by paragraph (a)(1)(iv), as noted above, a PTC system required by subpart I must be designed to prevent the movement of a train through a main line switch in the wrong position. Paragraph (e) provides amplifying information on switch point monitoring, indication, warning of misalignment, and associated enforcement. According to the statute, each PTC system must be designed to prevent “the movement of a train through a switch left in the wrong position.” FRA understands “wrong position” to mean not in the position for the intended movement of the train. FRA believes that Congress' use of the phrase “left in the wrong position” was primarily directed at switches in non-signaled (dark) territory such as the switch involved in the aforementioned accident at Graniteville, South Carolina. FRA also believes that, in order to prevent potential derailment or divergence to an unintended route, it is critical that all associated switches be monitored by a PTC system in some manner to detect whether they are in their proper position for train movements. If a switch is misaligned, the PTC system must provide an acceptable level of safety for train operations.
Prior to the statute, PTC provided for positive train separation, speed enforcement, and work zone protection. The addition of switch point monitoring and run through prevention would have eliminated the Graniteville accident where a misaligned switch resulted in the unintended divergence of a train operating on the main track onto a siding track and the collision of that train with another parked train on the siding. The resulting release of chlorine gas caused nine deaths and required the evacuation of the entire town while remediation efforts were in progress.
As discussed above, FRA considered requiring PTC systems to be interconnected with each main line switch and to individually monitor each switch's point position in such a manner as to provide for a positive stop short of any misalignment condition. However, after further consideration and discussion with the PTC Working Group, FRA believes that such an approach may be overly aggressive and terribly expensive in signaled territory.
Under paragraph (e), FRA instead provides to treat switches differently, depending upon whether they are within a wayside or cab signal system—or are provided other similar safeguards (i.e., distant switch indicators and associated locking circuitry) required to meet the applicable switch position standards and requirements of subparts A through G—within non-signaled (dark) territory.
While a PTC system in dark territory would be required to enforce a positive stop—as discussed in more detail below—a PTC system in signaled territory would require a train to operate at no more than the upper limit of restricted speed between the associated signal, over any switch in the block governed by the signal, and until reaching the next subsequent signal that is displaying a signal indication more permissive than proceed at restricted speed.
Signaled territory includes various types of switches, including power-operated switches, hand-operated switches, spring switches, electrically-locked switches, electro-pneumatic switches, and hydra switches, to name the majority. Each type of switch poses different issues as it relates to PTC system enforcement. We will look at power- and hand-operated switches as examples.
On a territory without a PTC system, if a power-operated switch at an interlocking or control point were in a condition resulting in the display of a stop indication by the signal system, an approaching train would generally have to stop only a few feet from the switch, and in the large majority of cases no more than several hundred feet away from it. In contrast, in PTC territory adhering to the aforementioned overly aggressive requirement, a train would have to stop at the signal, which may be in close proximity to its associated switch, and operate at no more than the upper limit of restricted speed to that switch, where it would have to stop again. FRA believes that, since the train would be required to stop at the signal, and must operate at no more than the upper limit of restricted speed until it completely passes the switch (with the crew by rule watching for and prepared to stop short of, among other concerns, an improperly lined switch), a secondary enforced stop at the switch would be unnecessarily redundant.
Operations using hand-operated switches would provide different, and arguably greater, difficulties and potential risks. Generally, in between each successive interlocking and control point, signal spacing along the right of way can approximately be 1 to 3 miles or more apart, determined by the usual length of track circuits and the sufficient number of indications that would provide optimal use for train operations. Each signal governs the movement through the entire associated block up to the next signal. Thus, a train approaching a hand-operated switch may encounter further difficulties since its governing signal may be much further away than the governing signal for a power-operated switch. If within signaled territory a hand-operated switch outside of an interlocking or control point were in a condition resulting in the display of a restricted speed signal indication by the signal system, an approaching train may be required to stop before entering the block governed by the signal and proceed at restricted speed, or otherwise reduce its speed to restricted speed as it enters the block governed by the signal. The train must then be operated at restricted speed until the train reaches the next signal displaying an indication more permissive than proceed at restricted speed, while passing over any switch within the block. The governing signal, however, may be anywhere from a few feet to more than a mile from the hand-operated switch. For instance, if a signal governs a 3 mile long block, and there is a switch located 1.8 miles after passing the governing signal (stated in advance of the signal), and that switch is misaligned, the train would have to travel that 1.8 miles at restricted speed. Even if the train crew members were able to correct the misaligned switch, Start Printed Page 2626they would need to remain at restricted speed at least until the next signal (absent an upgrade of a cab signal indication).
In signaled territory, to require a PTC system to enforce a positive stop of an approaching train at each individual misaligned switch would be an unnecessary burden on the industry, particularly since movement beyond the governing signal would be enforced by the PTC system to a speed no more than the upper limit of restricted speed. Accordingly, in signaled territory, paragraph (e)(1) requires a PTC system to enforce the upper limit of restricted speed through the block. By definition, at restricted speed, the locomotive engineer must be prepared to stop within one-half the range of vision short of any misaligned switch or broken rail, etc., not to exceed 15 or 20 miles per hour depending on the operating rule of the railroad. Accordingly, if a PTC system is integrated with the signal system, and a train is enforced by the PTC system to move at restricted speed past a signal displaying a restricted speed indication, FRA feels comfortable that the PTC system will meet the statutory mandate of preventing the movement of the train through the switch left in the wrong position by continuously displaying the speed to be maintained (i.e., restricted speed) and by enforcing the upper limit of the railroads' restricted speed rule (but not to exceed 20 mph). While this solution would not completely eliminate human factors associated with movement through a misaligned switch, it would significantly mitigate the risk of a train moving through such a switch and would be much more cost effective.
Moreover, it would be cost prohibitive to require the industry to individually equip each of the many thousands of hand-operated switches with a wayside interface unit (WIU) necessary to interconnect with a PTC system in order to provide a positive stop short of any such switch that may be misaligned. Currently each switch in signaled territory has its position monitored by a switch circuit controller (SCC). When a switch is not in its normal position, the SCC opens a signal control circuit to cause the signal governing movement over the switch location to display its most restrictive aspect (usually red). A train encountering a red signal at the entrance to a block will be required to operate at restricted speed through the entire block, which can be several miles in length depending on signal spacing. The signal system is not capable of informing the train crew which switch, if any, in the block may be in an improper position since none of switches are equipped with an independent WIU. There could be many switches within the same block in a city or other congested area. Thus, there is a possibility that one or more switches may be not in its proper position and the signal system would be unable to transmit which switch or switches are not in normal position. The governing signal could also be displaying a red aspect on account of a broken rail, broken bond wire, broken or wrapped line wire, bad insulated joint, bad insulated switch or gage rods, or other defective condition.
FRA believes that requiring a PTC system to enforce the upper limit of restricted speed in the aforementioned situations is statutorily acceptable. The statute requires each PTC system to prevent “the movement of a train through a switch left in the wrong position.” Under this statutory language, the railroad's intended route must factor into the question of whether a switch is in the “wrong” position. In other words, in order to determine whether a switch is in the “wrong position,” we must know the switch's “right position.” The “right position” is determined by the intended route of the railroad. Thus, when determining whether a switch is in the wrong position, it is necessary to know the railroad's intended route and whether the switch is properly positioned to provide for the train to move through the switch to continue on that route. The intended route is normally determined by the dispatcher.
Under the final rule, when a switch is in the wrong position, the PTC system must have knowledge of that information, must communicate that information to the railroad (e.g., the locomotive engineer or dispatcher), and must control the train accordingly. Once the PTC system or railroad has knowledge of the switch's position, FRA expects the position to be corrected in accordance with part 218 before the train operates through the switch. See, e.g., §§ 218.93, 218.103, 218.105, 218.107.
If the PTC system forces the train to move at no more than the upper limit of restricted speed, the railroad will have knowledge that a misaligned switch may be within the subject block, and the railroad, by rule or dispatcher permission, will then make the decision to move through the switch (i.e., the railroad's intent has changed as indicated by rule or dispatcher instructions), so the switch will no longer be in the “wrong position.” The RSAC PTC Working Group was unanimous in concluding that these arrangements satisfy the safety objectives of RSIA08. Utilization of the signal system to detect misaligned switches and facilitate safe movements also provides an incentive to retain existing signal systems, with substantial additional benefits in the form of broken rail detection and detection of equipment fouling the main line.
Paragraph (e)(2) addresses movements over switches in dark territory and under conditions of excessive risk, even within block signal territory. In dark territory, by definition, there are no signals available to provide any signal indication or to interconnect with the switches or PTC system. Without the benefit of a wayside or cab signal system, or other similar system of equivalent safety, the PTC system will have no signals to obey. In such a case, the PTC system may be designed to allow for virtual signals, which are waypoints in the track database that would correspond to the physical location of the signals had they existed without a switch point monitoring system. Accordingly, paragraph (e)(2)(i) requires that in dark territory where PTC systems are implemented and governed by this subpart, the PTC system must enforce a positive stop for each misaligned switch whereas the lead locomotive must be stopped short of the switch to preclude any fouling of the switch. Once the train stops, the railroad will have an opportunity to correct the switch's positioning and then continue its route as intended.
Unlike in signaled territory, FRA expects that on lines requiring PTC in dark territory, each switch will be equipped with a WIU to monitor the switch's position. A WIU is a device that aggregates control and status information from one or more trackside devices for transmission to a central office and/or an approaching train's onboard PTC equipment, as well as disaggregating received requests for information, and promulgates that request to the appropriate wayside device. Most of the switches in dark territory are hand-operated with a much smaller number of them being spring and hydra switches. In dark territory, usually none of the switches have their position monitored by a SCC and railroads have relied on the proper handling of these switches by railroad personnel. When it is necessary to throw a main line switch from normal to reverse, an obligation arises under the railroad's rules to restore the switch upon completion of the authorized activity. Switch targets or banners are intended to provide minimal visual indication of the switch's position, but in the typical case trains are not required to operate at a speed permitting them to stop short of open switches. As Start Printed Page 2627evidenced by the issuance of Emergency Order No. 24 and the subsequent Railroad Operating Rules Final Rule (73 FR 8,442 (Feb. 13, 2008)), proper handling of main line switches cannot be guaranteed in every case. However, now with the implementation and operation of PTC technology, if a switch is not in the normal position, that information will be transmitted to the locomotive. The PTC system will then know which switch is not in the normal position and require a positive stop at that switch location only.
In the event that movement through a misaligned switch would result in an unacceptable risk, whether in dark or signaled territory, paragraph (e)(2)(ii) requires the PTC system to enforce a positive stop on each train before it crosses the switch in the same manner as described above for trains operating in dark, PTC territory. FRA acknowledges that regardless of a switch's position, and regardless of whether the switch is in dark or signaled territory, movement through certain misaligned switches—even at low speeds—may still create an unacceptable risk of collision with another train.
FRA understands the term “unacceptable risk” to mean risk that cannot be tolerated by the railroad's management (and in this case FRA plays the role of ensuring consistency). It is a type of identified risk that must be eliminated or controlled. For instance, such an unacceptable risk may exist with a hand-operated crossover between two main tracks, between a main track and a siding or auxiliary track, or with a hand-operated switch providing access to another subdivision or branch line. The switches mentioned in paragraph (e)(2)(ii) are in locations where, if the switch is left lined in the wrong position, a train would be allowed to traverse through the crossover or turnout and potentially into the path of another train operating on an adjoining main track, siding, or other route. Even if such switches were located within a signaled territory, the signal governing movements over the switch locations, for both tracks as may be applicable, would be displaying their most restrictive aspect (usually red). This restrictive signal indication would in turn allow both trains to approach the location at restricted speed where one or both of the crossover switches are lined in the reverse position. Since the PTC system is not capable of actually enforcing restricted speed other than its upper limits, the PTC system would enforce a 15 or 20 mile per hour speed limit dependent upon the operating rules of the railroad. However, there is normally up to as much as a 5 mile per hour tolerance allowed for each speed limit before the PTC system will actually enforce the applicable required speed. Thus, in reality, the PTC system would not enforce the restricted speed condition until each train obtained a speed of up to 25 miles per hour. In this scenario, it is conceivable that two trains both operating at a speed of up to 25 miles per hour could collide with each other at a combined impact speed (closing speed) of up to 50 miles per hour. While these examples are provided in the rule text, they are merely illustrative and do not limit the universe of what FRA may consider an unacceptable risk for the purpose of paragraph (e). FRA emphasizes that FRA maintains the final determination as to what constitutes acceptable or unacceptable risk in accordance with paragraph (e)(2)(ii).
Caltrain submitted a comment recommending the removal of the following text from this section: “Unacceptable risk includes conditions when traversing the switch, even at low speeds, could result in direct conflict with the movement of another train (including a hand-operated crossover between main track, a hand-operated crossover between main track and an adjoining siding or auxiliary track, or a hand-operated switch providing access to another subdivision or branch line, etc.)” Caltrain asserted that the PTC Safety Plan is required to, and will address, whether a particular configuration is an acceptable risk. The examples cited can include a non-signaled siding or auxiliary track several feet below the grade of the mainline track. The possibility of the equipment on the auxiliary track conflicting with movement on the main line track is no greater at a crossover than if it is a single switch and turnout. Main to main crossovers are another topic that will be addressed in the risk analysis.
FRA believes it to be important to identify the requirement that a PTC system must enforce a positive stop short of any main line switch, and any switch on a siding where the allowable speed is in excess of 20 miles per hour, if movement of a train over such a switch not in its proper position could create an unacceptable risk. FRA is providing within the language of the rule example of movements through an improperly lined switch that FRA believes would result in unacceptable risk. This unacceptable risk is not related to the potential “roll-out” of equipment from another track onto the main track, which was referenced in the comment submitted by Caltrain, but constitutes any situation where a movement may diverge from one track onto an adjacent track potentially directly in front of a proceeding movement of a separate train on that track.
Furthermore, FRA provides in paragraph (e)(3) that a railroad may submit, with justification, alternative PTC system enforcement associated with unacceptable risk of train movements through improperly aligned switches in their applicable PTCDP or PTCSP for FRA approval. FRA therefore elects to leave the rule text of paragraph (e)(2)(ii) as it was written in the proposed rule.
The PTC system must also enforce a positive stop short of any misaligned switch on a PTC controlled siding in dark territory where the allowable track speed is in excess of 20 miles per hour. Sidings are used for meeting and passing trains and where those siding movements are governed by the PTC system, safety necessitates the position of the switches located on sidings to be monitored in order to protect train movements operating on them. Conversely, on signaled sidings, train movements are governed and protected by the associated signal indications, track circuits, and monitored switches, none of which are present in dark territory.
Paragraph (e)(3) notes that while switch position detection and enforcement must be accomplished, the PTCSP may include a safety analysis for alternative means of PTC system enforcement associated with switch position. Moreover, an identification and justification of any alternate means of protection other than that provided in this section shall be identified and justified. FRA recognizes that, in certain circumstances, this flexibility may allow the reasonable use of a track circuit in lieu of individually monitored switches (addressing rail integrity as well as identification of open switches).
Paragraph (e)(4) provides amplifying information regarding existing standards of subparts A through G of this part related to switches, movable-point frogs, and derails in the route governed that are equally applicable to PTC systems unless otherwise provided in a PTCSP approved under this subpart. This paragraph explains that the FRA required and accepted railroad industry standard types of components used to monitored switch point position and how those devices are required to function. This paragraph allows for some alternative method to be used to accomplish the same level of protection if it is identified and justified in a PTCSP approved under this subpart.Start Printed Page 2628
The AAR submitted comment that the language within paragraph (e)(4), which was presumably derived from subpart C of this part, prescribes conditions under which “movement authorities can only be provided.” (emphasis added). The AAR contends that, in the context of PTC design, this paragraph seems to prescribe a specific method (the withholding of movement authorities) to provide switch position protection per the requirements identified by paragraphs (e)(1) through (e)(3). The AAR asserts that paragraph (e)(4) should be clarified or revised to allow for PTC systems that may meet these requirements by methods other than, or in addition to, those methods prescribed by paragraph (e)(4). Thus, the AAR suggests rewording paragraph (e)(4) to include the language: “unrestricted movement authorities can only be provided”.
FRA agrees with the principle of the AAR's comment. The intention appears to be that the permissiveness of all movement authorities over any switches, movable-point frogs, or derails must be determined by control circuits or their electronic equivalent selected through a circuit controller or functionally equivalent device that is operated directly by the switch points, derail, or switch locking mechanism, or through relay or electronic device controlled by such circuit controller or functionally equivalent device. Unrestricted movement authorities can only be provided when each switch, movable-point frog, or derail in the route governed is in proper position. FRA has therefore revised paragraph (e)(4) to read as follows: “The control circuit or electronic equivalent for all movement authorities over any switches, movable-point frogs, or derails shall be selected through circuit controller or functionally equivalent device operated directly by switch points, derail, or by switch locking mechanism, or through relay or electronic device controlled by such circuit controller or functionally equivalent device, for each switch, movable-point frog, or derail in the route governed. Circuits or electronic equivalents shall be arranged so that any movement authorities less restrictive than those prescribed in paragraphs (e)(1) and (e)(2) of this section can only be provided when each switch, movable-point frog, or derail in the route governed is in proper position, and shall be in accordance with subparts A through G of this part, unless it is otherwise provided in a PTCSP approved under this subpart.”
Paragraph (f) provides amplifying information for determining whether a PTC system is considered to be configured to prevent train-to-train collisions, as required under paragraph (a). FRA will consider the PTC system as providing the required protection if the PTC system enforces the upper limits of restricted speed. These criteria will allow following trains to pass intermediate signals displaying a restricting aspect and will allow for the issuance of joint mandatory directives.
Where a wayside signal displays a “Stop,” “Stop and Proceed,” or “Restricted Proceed” indication, paragraph (f)(1)(i) requires the PTC system to enforce the signal indication accordingly. In the case of a “Stop” or “Stop and Proceed” indication, operating rules require that the train will be brought to a stop prior to passing the signal displaying the indication. The train may then proceed at 15 or 20 miles per hour, as applicable according to the host railroad's operating rule(s) for restricted speed. In the case of a “Restricted Proceed” indication, the train would be allowed to pass the signal at 15 or 20 miles per hour. Some existing PTC systems do not enforce the stop indication under these circumstances, and FRA believes that this is acceptable. However, in either event, the speed restriction would be enforced until the train passes a more favorable signal indication. NJ Transit asserted, and FRA agrees, that in dark territory where trains operate by mandatory directive, the PTC system would be expected to enforce the upper limit of restricted speed on a train when the train was allowed into a block already occupied by another preceding train traveling in the same direction. In freight operations, there may be situations where, in order to accomplish local switching, further latitude would be necessary, so long as the upper limit of restricted speed is enforced.
NJ Transit suggests that the FRA consider modifying the verbiage to more clearly define the expectation of the operating rules and enforcement requirements associated with the Stop and Proceed indication.
FRA fully understands the concern presented by NJ Transit, but suggests that the recommended modification to verbiage is already provided for in the language of paragraph (f)(1)(ii). FRA has therefore elected to retain the language of paragraph (f) in the final rule.
Paragraphs (g) through (k) all concern situations where temporary rerouting may be necessary and would affect application of the operational rules under subpart I. While the final rule attempts to reduce the opportunity for PTC and non-PTC trains to co-exist on the same track, FRA recognizes that this may not always be possible, especially when a track segment is out of service and a train must be rerouted in order to continue to destination. Accordingly, paragraph (g) allows for temporary rerouting of traffic between PTC equipped lines and lines not equipped with PTC systems. FRA anticipates two situations—emergencies and planned maintenance—that would justify such rerouting.
Paragraph (g) provides the preconditions and procedural rules to allow or otherwise effectuate a temporary rerouting in the event of an emergency or planned maintenance that would prevent usage of the regularly used track. Historically, FRA has dealt with temporary rerouting on an ad hoc basis. For instance, on November 12, 1996, FRA granted UP, under its application RS&I-AP-No. 1099, conditional approval for relief from the requirements of § 236.566, which required equipping controlling locomotives with an operative apparatus responsive to all automatic train stop, train control, or cab signal territory equipment. The conditional approval provided for “detour train movements necessitated by catastrophic occurrence such as derailment, flood, fire, or hurricane” on certain listed UP territories configured with automatic cab signals (ACS) or automatic train stop (ATS). Ultimately, the relief would allow trains not equipped with the apparatus required under § 236.566 to enter those ACS and ATS territories. However, the relief was conditional upon establishing an absolute block in advance of each train movement—as prescribed by General Code of Operating Rules (GCOR) 11.1 and 11.2—and notifying the applicable FRA Regional Headquarters. The detour would only be permissible for up to seven days and FRA could modify or rescind the relief for railroad non-compliance.
On February 7, 2006, that relief was temporarily extended to include defined territory where approximately two months of extensive track improvements were necessary. Additional conditions for this relief included a maximum train speed of 65 miles per hour and notification to the FRA Region 8 Headquarters within 24 hours of the beginning of the non-equipped detour train movements and immediately upon any accident or incident. On February 27, 2007, FRA provided similar temporary relief for another three months on the same territory.
While the aforementioned conditional relief was provided on an ad hoc basis, FRA feels that codifying rules regulating temporary rerouting involving PTC system track or locomotive equipment is Start Printed Page 2629necessary due to the potential dangers of allowing mixed PTC and non-PTC traffic on the same track and the inevitable increased presence of PTC and PTC-like technologies. Moreover, FRA believes that the subject railroads and FRA would benefit from more regulatory flexibility to work more quickly and efficiently to provide for temporary rerouting to mitigate the problems associated with emergency situations and infrastructure maintenance.
Under the final rule, FRA is providing for temporary rerouting of non-PTC trains onto PTC track and PTC trains onto non-PTC track. A train will not be considered rerouted for purposes of the conditions set forth in this section if it operates on a PTC line that is other than its “normal route,” which is equipped and functionally responsive to the PTC system over which it is subsequently operated, or if it is a non-PTC train (not a passenger train or a freight train having any PIH materials) operating on a non-PTC line that is other than its “normal route.”
Paragraph (g) effectively provides temporary civil penalty immunity from various applicable requirements of this subpart, including provisions under subpart I relating to controlling locomotives, similar to how waivers from FRA have provided certain railroads immunity from § 236.566.
FRA expects that emergency rerouting will require some flexibility in order to respond to circumstances outside of the railroad's control—most notably changes in the weather, vandalism, and other unexpected occurrences—that would result in potential loss of life or property or prevent the train from continuing on its normal route. While paragraph (g) lists a number of possible emergency circumstances, they are primarily included for illustrative purposes and are not a limiting factor in determining whether an event rises to an emergency. For instance, FRA would also consider allowing rerouting in the event use of the track is prevented by vandalism or terrorism. While these events are not the primary reasons for which paragraph (g) would allow rerouting, FRA recognizes that they may fall outside of the railroad's control.
In the event of an emergency that would prevent usage of the track, temporary rerouting may occur instantly by the railroad without immediate FRA notice or approval. By contrast, the vast majority of maintenance activities can be predicted by railroad operators. While the final rule provides for temporary rerouting for such activities, the lack of exigent circumstances does not require the allowance of instantaneous rerouting without an appropriate request and, in cases where the request is for rerouting to exceed 30 days, FRA approval. Accordingly, under paragraph (g), procedurally speaking, temporary rerouting for emergency circumstances will be treated differently than temporary rerouting for planned maintenance. While FRA continues to have an interest in monitoring all temporary rerouting to ensure that it is occurring as contemplated by FRA and within the confines of the rule, the timing of FRA notification, and the approval procedures, reflects the aforementioned differences.
When an emergency circumstance occurs that would prevent usage of the regularly used track, and would require temporary rerouting, the subject railroad must notify FRA within one business day after the rerouting commences. To provide for communicative flexibility in emergency situations, the final rule provides for such notification to be made in writing or by telephone. FRA provides that written notification may be accomplished via overnight mail, e-mail, or facsimile. In any event, the railroad should take the steps necessary for the method of notification selected to include confirmation that an appropriate person actually on duty with FRA receives the notification and FRA is duly aware of the situation.
While telephone notification may provide for easy communications by the railroad, a mere phone call would not provide for documentation of information required under paragraph (g). Moreover, if for some reason the phone call is made at a time when the designated telephone operator is not on duty or if the caller is only able to leave a message with the FRA voice mail system, the possibility exists that the applicable FRA personnel would not be timely notified of the communication and its contents.
Emergency rerouting can only occur without FRA approval for fourteen (14) consecutive calendar days. If the railroad requires more time, it must make a request to the Associate Administrator. The request must be made directly to the Associate Administrator and separately from the initial notification sometime before the 14-day emergency rerouting period expires. Unless the Associate Administrator notifies the railroad of his or her approval before the end of the allowable emergency rerouting timeframe, the relief provided by paragraph (g) will expire at the end of that timeframe.
While a mere notification is necessary to commence emergency rerouting, a request must be made, with subsequent FRA approval, to perform planned maintenance rerouting. The relative predictability of planned maintenance activities allows railroads to provide FRA with much more advanced request of any necessary rerouting and allows FRA to review that request. FRA requires that the request be made at least 10 calendar days before the planned maintenance rerouting commences.
To ensure a retrievable record, the request must be made in writing. It may be submitted to FRA by fax, e-mail, or courier. Because of security protocols placed in effect after the terrorist attacks of September 11, 2001, regular mail undergoes irradiation to ensure that any pathogens have been destroyed prior to delivery. The irradiation process adds significant delay to FRA's receipt of the document, and the submitted document may be damaged due to the irradiation process. Thus, FRA implores those making a rerouting request in writing to deliver the request through other, more acceptable, means.
The lack of emergency circumstances makes telephonic communication less necessary, since the communication need not be immediate, and less preferable, since it may not be accurately documented for subsequent reference and review. Like notifications for emergency rerouting, the request for planned rerouting must include the number of days that the rerouting should occur. If the planned maintenance will require rerouting up to 30 days, then the request must be made with the Regional Administrator. If it will require rerouting for more than 30 days, then the request must be made with the Associate Administrator. These longer time periods reflects FRA's opportunity to review and approve the request. In other words, since FRA expects that the review and approval process will provide more confidence that a higher level of safety will be maintained, the rerouting period for planned maintenance activities may be more than the 14 days allotted for emergency rerouting.
Regardless of whether the temporary rerouting is the result of an emergency situation or planned maintenance, the communication to FRA required under paragraph (g) must include the information listed under paragraph (i). This information is necessary to provide FRA with context and details of the rerouting. To attempt to provide railroads with the flexibility intended under paragraph (g), and to attempt to prevent enforcement of the rules from which the railroad should be receiving relief, FRA must be able to coordinate with its inspectors and other personnel. Start Printed Page 2630This information may also eventually be important to FRA in developing statistical analyses and models, reevaluating its rules, and determining the actual level of danger inherent in mixing PTC and non-PTC traffic on the same tracks.
For emergency rerouting purposes, the information is also necessary for FRA to determine whether it should order the railroad or railroads to cease rerouting or provide additional conditions that differ from the standard conditions specified in paragraph (i). FRA recognizes the importance of allowing temporary rerouting to occur automatically in emergency circumstances. However, FRA must also maintain its responsibility of ensuring that such rerouting occurs lawfully and as intended by the rules. Accordingly, the final rule provides the opportunity for FRA to review the information required by paragraph (g) to be submitted in accordance with paragraph (i) and order the railroad or railroads to cease rerouting if FRA finds that such rerouting is not appropriate or permissible in accordance with the requirements of paragraphs (g) through (i), and as may be so directed in accordance with paragraph (k), as discussed further below.
For rerouting due to planned maintenance, the information required under paragraph (i) is equally applicable and will be used to determine whether the railroad should not reroute at all. If the request for planned maintenance is for a period of up to 30 days, then the request and information must be sent in writing to the Regional Administrator of the region in which the temporary rerouting will occur. While such a request is self-executing—meaning that it will automatically be considered permissible if not otherwise responded to—the Regional Administrator may prevent the temporary rerouting from starting by simply notifying the railroad or railroads that its request is not approved. The Regional Administrator may otherwise provide conditional approval, request that further information be supplied to the Regional Administrator or Associate Administrator, or disapprove the request altogether. If the railroad still seeks to reroute due to planned maintenance activities, it must provide the Regional Administrator or Associate Administrator, as applicable, the requested information. If the Regional Administrator requests further information, no planned maintenance rerouting may occur until the information is received and reviewed and the Regional Administrator provides his or her approval. Likewise, no planned maintenance rerouting may occur if the Regional Administrator disapproves of the request. If the Regional Administrator does not provide notice preventing the temporary rerouting, then the planned maintenance rerouting may begin and occur as requested. However, once the planned maintenance rerouting begins, the Regional Administrator may at any time order the railroad or railroads to cease the rerouting in accordance with paragraph (k).
Requests for planned maintenance rerouting exceeding 30 days, however, must be made to the Associate Administrator and are not self-executing. No such rerouting may occur without Associate Administrator approval, even if the date passes on which the planned maintenance was scheduled to commence. Under paragraph (h), like the Regional Administrator, the Associate Administrator may provide conditional approval, request further information, or disapprove of the request to reroute. Once approved rerouting commences, the Associate Administrator may also order the rerouting to cease in accordance with paragraph (k).
Where a train rerouted onto a track equipped with a PTC system is, for whatever reason, not compatible and functionally responsive to that PTC system (e.g., an unequipped controlling locomotive, or one equipped but not compatible with the associated wayside, office, or communications system), such train must be operated in accordance with § 236.1029. Where any train is rerouted onto a track segment that is not equipped with a PTC system, such train must be operated in accordance with the operating rules applicable to the track segment on which the train is being rerouted.
Moreover, as referenced in paragraph (g) as it applies to both emergency and planned maintenance circumstances, the track upon which FRA expects the rerouting to occur would require certain mitigating protections listed under paragraph (j) in light of the mixed PTC and non-PTC traffic. While FRA purposefully intends paragraph (j) to apply similarly to § 236.567, FRA recognizes that § 236.567 does not account for the statutory mandates of interoperability and the core PTC safety functions. Accordingly, paragraph (j) must be more restrictive.
Section 236.567, which applies to territories where “an automatic train stop, train control, or cab signal device fails and/or is cut out en route,” requires trains to proceed at either restricted speed or, if an automatic block signal system is in operation according to signal indication, at no more than 40 miles per hour to the next available point of communication where report must be made to a designated officer. Where no automatic block signal system is in use, the train shall be permitted to proceed at restricted speed or where an automatic block signal system is in operation according to signal indication but not to exceed medium speed to a point where absolute block can be established. Where an absolute block is established in advance of the train on which the device is inoperative, the train may proceed at not to exceed 79 miles per hour. Paragraph (j) utilizes that absolute block condition, which more actively engages the train dispatcher in managing movement of the train over the territory (in both signaled and non-signaled territory). Recognizing that re-routes under this section will occur in non-signaled territory, the maximum authorized speeds associated with such territory are used as limitations on the speed of re-routed trains. FRA agrees with the comments of labor representatives in the PTC Working Group who contend that the statutory mandate alters to some extent what would otherwise be considered reasonable for these circumstances.
It should be noted that this paragraph (j) was added by FRA after further consideration of this issue and was not part of the PTC Working Group consensus. FRA received several comments associated with the temporary rerouting requirements and the restrictive operational conditions imposed by paragraphs (j)(1) and (j)(2) as being overly burdensome, unsupported and inappropriate. Specifically, the idea that a train rerouted from a PTC line to a non-PTC line should be treated differently than the existing traffic on the non-PTC line is unjustified. The commenters suggest current FRA operational requirements contained in §§ 236.0(c) and (d) providing for speeds greater than 49 miles per hour for freight and 59 miles per hour for passenger trains where a block signal system and/or an automatic cab signal, automatic train stop, or automatic train control system is in place, is applied safely today and should continue as the applicable regulation for this reroute scenario. Thus, the commenters suggest rewording paragraph (j)(2) to read as follows: “Each rerouted train movement shall operate in accordance with § 236.0.”
When the PTC Working Group was reconvened following the public hearing and the NPRM comment period, the PTC Working Group formed three Start Printed Page 2631separate task forces for the purpose of discussing and resolving several specific issues. One such task force, deemed the Operational Conditions Task Force, was assigned the task of resolving the issues associated with operational limitations presented in the proposed rule associated with temporary rerouting within § 236.1005, unequipped trains operating within a PTC system within § 236.1006, and en route failures within § 236.1029.
Following significant discussion of these issues, a PTC Working Group task force recommended rule text changes that would maintain the intended level of safety in an acceptable manner while recognizing the impractical nature and perhaps even resultant increase in risk associated with restricting the operation of a rerouted train from a PTC-equipped line onto a non-PTC equipped line more than other similarly equipped trains that normally operated on the non-PTC equipped line. Therefore, the task force recommended that paragraph (j) be revised to read as follows: “(j) Rerouting conditions. Rerouting of operations under paragraph (g) of this section may occur according to the following: (1) Where a train not equipped with a PTC system is rerouted onto a track equipped with a PTC system, it shall be operated in accordance with § 236.1029; (2) Where any train is rerouted onto a track not equipped with a PTC system, it shall be operated in accordance with the operating rules applicable to the line on which it is routed.”
This recommended revision to paragraph (j) was presented to the PTC Working Group and gained consensus from the group. However, upon further consideration, FRA has decided to adopt a slight variation of the recommended revised rule text in order to provide additional clarification regarding the applicability of paragraph (j)(1) to either a train not equipped with a PTC system, or one not equipped with a PTC system that is compatible and functionally responsive to the PTC system utilized on the line on which the train is rerouted. Therefore, paragraph (j) has been revised in the final rule to read as follows: “(j) Rerouting conditions. Rerouting of operations under paragraph (g) of this section may occur under the following conditions: (1) Where a train not equipped with a PTC system is rerouted onto a track equipped with a PTC system, or a train not equipped with a PTC system that is compatible and functionally responsive to the PTC system utilized on the line to which the train is being rerouted, the train shall be operated in accordance with § 236.1029; or (2) Where any train is rerouted onto a track not equipped with a PTC system, the train shall be operated in accordance with the operating rules applicable to the line on which the train is rerouted.”
Paragraph (k), as previously noted, provides the Regional Administrator with the ability to order the railroad or railroads to cease rerouting operations that were requested for up to 30 days. The Associate Administrator may order a railroad or railroads to cease rerouting operations regardless of the length of planned maintenance rerouting requested. FRA believes this is an important measure necessary to prevent rerouting performed not in accordance with the rules and FRA's expectations based on the railroad's communications and to ensure the protection of train crews and the public. However, FRA is confident that in the vast majority of cases railroads will utilize the afforded latitude reasonably and only under necessary circumstances.
FRA expects each host railroad to develop a plan to govern operations in the event temporary rerouting is performed in accordance with this section. Thus, as noted further below in § 236.1015, this final rule requires that each PTCSP include a plan accounting for such rerouted operations.
Section 236.1006 Equipping Locomotives Operating in PTC Territory
As reflected by § 236.566, the basic rule for train control operations is that all trains will be equipped with responsive onboard apparatus. Paragraph (a) so provided in the NPRM, and the language is continued in the final rule. Paragraph (a) requires that, as a general rule, all trains operating over PTC territory must be PTC-equipped. In other words, paragraph (a) requires that each controlling locomotive be operated with a PTC onboard apparatus if it is controlling a train operating on a track equipped with a PTC system in accordance with subpart I. The PTC onboard apparatus should operate and function in accordance with the PTCSP governing the particular territory. Accordingly, it must successfully and sufficiently interoperate with the host railroad's PTC system.
In the NPRM, FRA recognized the possibility of controlling locomotives not necessarily being placed in a train's lead position and sought comments on this issue. Comments were filed indicating that the lead locomotive is not always necessarily the controlling locomotive. In light of this information, the final rule reflects a change from “lead locomotive” to “controlling locomotive” as necessary. FRA's understanding of a “controlling locomotive” is the same understanding as it is used in part 232 and as defined in § 232.5. Hence, a definition has been added to § 236.1003 merely cross-referencing to § 232.5.
First, it is understood that during the time PTC technology is being deployed to meet the statutory deadline of December 31, 2015, there will be movements over PTC lines by trains with controlling locomotives not equipped with a PTC onboard apparatus. In general, Class I railroad locomotives are used throughout the owning railroad's system and, under shared power agreements, on other railroads nationally. FRA anticipates that the gradual equipping of locomotives—which will occur at a relatively small number of specialized facilities and which will require a day or two of out of service time as well as time in transit—will extend well into the implementation period that ends on December 31, 2015. It will not be feasible to tie locomotives down to PTC lines, and the RSAC stakeholders fully understood that point. The RLO did urge that railroads make every effort to use equipped locomotives as controlling units, and FRA believes that, in general, railroads will do so in order to obtain the benefits of their investment.
The debate on this point has dealt with the possibility of exceptions, which was addressed in paragraph (b) in the NPRM. The discussion below pertains to the issue of temporary and permanent exceptions to the rule.
The first issue arose under proposed paragraphs (b)(1) and (b)(2), which endeavored to set out the rules for the transitional period during which PTC will be deployed. It is well understood and accepted that it is not feasible to require all trains operating on a PTC line to be PTC-equipped and operative from the first day the system is turned on. Locomotive fleets will be equipped over a multi-year period, and deployment of locomotives will be driven by many factors, of which PTC status is only one. Efficient use of locomotives requires them to be available for use on multiple routes and even under “shared power” agreements with other railroads. In some cases, even when a PTC-equipped locomotive is placed in a consist destined for a PTC line there may be legitimate reasons why it is not placed in the controlling position.
Accordingly, the NPRM provided what FRA thought was a very modest proposal that equipped locomotives placed in the lead on trains bound for PTC territory have their PTC equipment turned on. FRA even made allowance for a declining percentage of such locomotives being dispatched into PTC Start Printed Page 2632territory after having failed “initialization.” The reaction from Class I railroad commenters was startling, to say the least.
The AAR stated that the proposal was beyond FRA's authority and that FRA has no ability to require use of PTC before December 31, 2015. According to AAR, railroads will be required to use PTC-equipped locomotives on PTC routes come December 31, 2015, and AAR does not understand how this obligation could be addressed in the implementation plan other than to state PTC-equipped locomotives would be used on PTC routes. In the AAR's view, requiring PTC-equipped locomotives to be turned on would create a disincentive to equip locomotives early. Limiting the ability of railroads to operate trains with locomotives that fail initialization could result in railroads attempting to avoid rail system congestion by delaying the equipping of locomotives. To avoid such a disincentive for equipping locomotives, AAR believes that FRA should permit, without limitation, the operation of locomotives that fail initialization before December 31, 2015.
CSXT asserted that the requirements contained in paragraph (b)(2)(iii) with respect to the allowable percentage of controlling locomotives operating out of each railroad's initial terminals with failed systems over track segments equipped with PTC will deter early implementation efforts and unfairly punish railroads that are diligently working to implement PTC on designated tracks. In addition, CSXT questioned the usefulness of such a provision, as CSXT argued that there is no meaningful difference between a locomotive that is not equipped with PTC and a locomotive that is equipped with a PTC system that is not fully functioning.
Recognizing that matching PTC lines with PTC-equipped controlling locomotives will be a key factor in obtaining the benefits of this technology in the period up to December 31, 2015, FRA requested comments on whether PTCIPs should be required to include power management elements describing how this will be accomplished to the degree feasible. In response, NJ Transit asserted that the PTCIP does require both the lines risk assessment (to establish the track segment order of PTC commissioning) and the schedule to equip rolling stock and suggests that these schedules can and should indicate the effort of a railroad to assure that vehicles are equipped and available for the PTC equipped lines. According to NJ Transit, inclusion of a power management plan as well within the PTCIP provides an additional effort that has a high probability of requiring updates during the PTC implementation period, while the schedules and a good faith effort alone may serve the purpose most efficiently, especially for the short time period anticipated (this should be recognized as 2012 through 2015 at worst). NJ Transit suggests that FRA should not include this plan as a PTCIP requirement, but require the best good faith effort by each railroad for providing equipped vehicles during the short interim period subject to this concern.
The AAR also stated that, for trains in long-haul service, the train's point of origin or location where the locomotive was added to the train may be many crew districts or hundreds or thousands of miles prior to the location where the locomotive's onboard PTC apparatus is initialized for operation in PTC-equipped territory. In this case, the paragraph is overly restrictive and should be modified to be predicated on the location prior to entering PTC-equipped territory where initialization failed. Accordingly, AAR suggests that paragraph (b)(2)(i) be revised to read: “The subject locomotive failed initialization at the point of crew origin for the train or at the location where the locomotive was added to the PTC initialized train.”
The RLO also urges FRA to adopt a requirement that railroads place equipped engines in the lead or controlling position whenever such equipped engines are in the engine consist during the implementation period. The RLO states that implementing such consist management initiatives will help identify any problems in the interface of the onboard and wayside systems. In the future, states the RLO, railroad operations will come to rely heavily upon the proper function of these PTC systems. According to the RLO, requiring railroads to adopt this approach would require the minor operational maneuver of switching a trailing unit to the train's lead position. Since technical anomalies that go undetected can be catastrophic, the RLO asserts that FRA should not squander the opportunity for discovering them during the implementation period.
During the public hearing conducted on August 13, 2009, FRA specifically asked how the RLO expected a railroad to handle the situation where an engine that is PTC-equipped may be positioned with long hood forward or may have a broken air conditioning system. In its comments dated August 20, 2009, the RLO responded by stating that it is broadly accepted industry practice to operate trains with the short hood in the direction of movement. Operating trains with the long hood forward presents safety concerns because the engineer has a limited view of the track with that configuration. However, if any safety feature or safe practice is impaired, altered, or compromised in any locomotive, it should not be in the lead or operating position of the train. Therefore, if the engine is not equipped with air conditioning or if the long hood is facing forward, the railroad would have three choices: grant the crew the right to switch a fully-compliant locomotive to the lead at the first location where this can be accomplished, do not operate at all, or remove the engine from the engine consist entirely. The RLO asserts that this approach would create the safest possible working environment, as the safest locomotive is the one with PTC, AC, and the short hood forward.
GE asserts that, by using emerging technology, it is possible to operate a PTC system from the lead controlling locomotive using at least some parts of a PTC system on trailing locomotives in the consist if the onboard network is extended through the locomotive consist. According to GE, this can provide a useful contingent operation if some component fails in the locomotive and a backup component on a trailing unit is linked over the network, providing higher overall PTC availability. For example, should the data radio fail on the lead locomotive, PTC could continue to operate through a working radio on the second or third locomotive unit.
FRA agrees that PTC-equipped locomotives should be utilized when available on PTC territory during the implementation period, and it is recognized that it is possible for a unit to serve as the controlling locomotive when not positioned first in the consist. FRA believes that railroads have strong incentives to take advantage of their investments in PTC, but also includes in the final rule a requirement that the PTCIP include goals for PTC-equipped locomotives in PTC territory.
This issue was discussed further in the PTC Working Group during the review of the comments, but no formal resolution was achieved. FRA is not obligated to provide any exception here whatsoever, and the contention that FRA may not require use of PTC prior to December 31, 2015, is utterly without merit. Nevertheless, FRA does not wish to proceed in such a manner as to create even a temporary disincentive to deploy PTC locomotives on PTC-equipped lines. However, clearly leaving the carriers to their own devices without Start Printed Page 2633accountability or oversight appears unwarranted given the tenor of their comments and the known conflicts among departments of the railroad that can arise during any implementation of new technology. Leaving the use of available PTC technology wholly unregulated until December 31, 2015, would not only open the possibility that safety gains would not be made during the period, it would also increase the possibility that PTC systems would not be sufficiently stable and reliable as of the statutory completion date.
Accordingly, FRA has included in the final rule, in lieu of the language initially proposed, a requirement that each railroad include in its PTCIP specific goals for progressively effective use of its equipped locomotives on PTC lines that have been made operational. FRA would review the goals and stated justification as part of its review of the PTCIP. The railroad would then be required to report annually its progress toward achieving its goals, including any adjustments required to remedy shortfalls. Although FRA does not intend to second guess details of power management, FRA does believe it is reasonable to expect results in the form of steadily declining PTC-preventable accidents during the implementation period. The only way to accomplish that is to ensure that PTC onboard apparatus is deployed on PTC lines in reasonable proportion to its deployment elsewhere and that, when so deployed, it is utilized as intended.
The second major issue arose under paragraph (b)(4), which proposed limited exceptions for movements of Class II and III trains over PTC lines of the Class I railroads. The disagreements attendant to that proposal warrant more detailed treatment.
New PTC systems will be like existing train control systems in the sense that they are comprised of onboard and wayside components. They will also involve a more substantial centralized “office” function. The railroad that has the right to control movements over a line of railroad (generally the entity providing or contracting for the dispatching function) will provide for equipping of the wayside and appropriate links to and interface with the office. In preparing the recommendations that led to the NPRM, the PTC Working Group discussed at great length the issues related to operation of PTC-equipped locomotives, and locomotives not equipped with PTC onboard apparatus, over lines equipped with PTC. As explained above, the PTC Working Group recognized that the typical rule with respect to train control territory is that all controlling locomotives must be equipped and operative (see § 236.566). It was also noted in the discussion that the Interstate Commerce Commission (FRA's predecessor agency in the regulation of this subject matter) and FRA have provided some relief from this requirement in discrete circumstances where safety exposure was considered relatively low and the hardship associated with equipping additional locomotives was considered substantial. (For instance, in the case of intermittent automatic train stop installed many years ago on the former Atchison, Topeka and Santa Fe Railroad (now BNSF Railway), only passenger trains were subject to the requirement for onboard apparatus. That arrangement continues to the present day, and it is particularly unusual since none of the host railroad's locomotives are equipped, while all Amtrak locomotives operating over the territory must be equipped.)
The ASLRRA noted that its member railroads conduct limited operations over Class I railroad lines that will be required to be equipped with PTC systems in a substantial number of locations. These operations are principally related to the receipt and delivery of carload traffic in interchange. The small railroad service extends onto the Class I railroad track in order to hold down costs and permit both the small railroad and the Class I railroad to retain traffic that might be priced off the railroad if the Class I had to dispatch a crew to pick up or place the cars. This, in turn, supports competitive transportation options for small businesses, including marginal small businesses in rural areas.
The ASLRRA advocated an exception that would permit the trains of its members and other small railroads to continue use of existing trackage rights and agreements without the necessity for equipping their locomotives with PTC technology. They suggested that any incremental risk be mitigated by requiring that such trains proceed subject to the requirement for an absolute block in advance (similar to operating rules consistent with § 236.567 applicable to trains with failed onboard train control systems). This position was consistently opposed both by the rail labor organizations and the Class I railroads. These organizations took the position that all trains should be equipped with PTC in order to gain the benefits sought by the congressional mandate and to provide the host railroad the full benefit of its investment in safety. Informal discussions suggested that Class I railroads might offer technical or financial assistance to certain small railroads in equipping their locomotives, but that this would, of course, be done based on the corporate interest of the Class I railroad. Although, in general, market forces and the public interest can be expected to correspond over time, this is not always the case. So, for instance, there is a risk that requiring all Class II and Class III railroads operating on Class I PTC lines to be equipped with PTC could be financially unsustainable absent a more generous division of the rate or other assistance (technical or otherwise) from the Class I interchange partner. A Class I railroad might respond to such situations based exclusively on the value of the traffic interchanged with respect to the transportation charge recovered for the long haul less costs. Although that might be a good market decision for the Class I railroad, the result could be loss of rail service for a rural community and diversion of the traffic to the highway—a result that might not be in the public interest. Over the past several decades the federal government and many of the states have made investments in light density rail service (through grants, loans, or tax concessions) that could be undermined should this occur.
In the PTC Working Group and in informal discussions around its activities, Class I railroads indicated that they intended to take a strong position against non-equipped trains operating on their PTC lines, and that in order to enforce this restriction fairly, they understood that they would need to equip their own locomotives, including older road switchers that might venture onto PTC-equipped lines only occasionally. However, during these discussions, FRA was not able to develop a clear understanding regarding the extent to which the Class I railroads, under previously executed private agreements or because of a senior position derived from a prior transaction, enjoy the effective ability to enforce a requirement that all trains be equipped.
Proposed rule. On this question of non-equipped trains on PTC lines, the proposed rule represented a compromise position between the requests of the Class II and III railroads and the Class I railroads and labor organizations. It proposed to permit the practice only on territory where there was no scheduled intercity or commuter passenger service. On any given subject track segment, a particular Class II or III railroad could operate up to 4 trains per day (2 round trips) for up to 20 miles in perpetuity. For hauls in excess of 20 Start Printed Page 2634miles, the practice could continue until the end of 2020.
FRA offered this proposal in order to limit the burden on small entities and to avoid costs that were both avoidable and more greatly disproportionate to anticipated benefits than the basic requirements of the congressional mandate. FRA noted that the exceptions would constitute a small portion of the movements over the PTC-equipped line. FRA asserted that the accident/incident data show that the risk attendant upon these movements is small. As reflected in the NPRM, a review of the last seven years of accident data covering 3,312 accidents that were potentially preventable by PTC showed that there were only two of those accidents that involved a Class I railroad's train and a Class II or III railroad's train. (Left unstated in the NPRM was the fact that the presence of PTC would have prevented one of the accidents even absent equipping of the tenant train, while the other would not be prevented due to limitations of PTC architectures with respect to low-speed rear-end collisions.) FRA believed that the low level of risk revealed by these statistics justified an exception for Class II and III railroad trains traversing a PTC-equipped line for a relatively short distance. FRA noted that the cost of equipping those trains would be high when viewed in the context of the financial strength of the Class II or III railroad and the marginal safety benefits would be relatively low in those cases where a small volume of traffic is moved over the PTC-equipped line.
Comments on the NPRM exceptions; FRA response. None of the commenters responded directly to FRA's safety analysis, but they did take strong and disparate stands. The RLO filed joint comments that protested allowing an unequipped train owned by a Class II or III railroad to move on PTC-required track with only minor restrictions. The RLO believed that there are alternatives that are consistent with safety and the intent of RSIA08, including temporal separation or using the host railroad's equipped locomotives. According to the RLO, simply limiting the number of moves and miles of unequipped locomotives on PTC-required track would not eliminate the risk associated with the hazard or provide compliance with the intent of RSIA08.
The AAR has also expressed concerns with the proposal, stating that “[s]urely Congress did not enact a requirement for the Class I railroads to spend billions of dollars on PTC systems only to permit Class II and III railroads to operate trains unequipped with PTC technology on the PTC routes. AAR asserts that FRA has not shown that there would actually be a financial strain on Class II and III railroads. According to AAR, a Class II or III railroad would not have to equip a locomotive with PTC technology until December 31, 2015. In any event, states AAR, the statute makes no distinction among Class I, II, or III operations on a PTC route.
CSXT disagreed with FRA's interpretation of RSIA08, stating that the statute, on its face, does not exempt Class II and III railroads from the PTC requirements. To the contrary, asserted CSXT, the statute appears to contemplate that Class II and III railroads traveling on PTC lines would be subject to the PTC requirements since each PTCIP for those lines “must provide for interoperability of the system with movements of trains of other railroad carriers,” (emphasis original) which presumably includes Class II and III railroads. CSXT also questioned whether entities that carry a wide variety of commodities, including PIH traffic, but without the financial wherewithal to adopt PTC technologies, should be permitted to impose an arguably increased safety risk on the public and other railroads. In any event, stated CSXT, the Class II and III railroads would only be responsible for outfitting their locomotives, and not wayside units, with PTC technologies.
Moreover, according to CSXT, the exemption under proposed paragraph (b)(4)(B)(ii) was unclear as to its application This section allowed Class II and III railroads to operate on PTC operated track segments to the extent that any single railroad is allowed “less than four such unequipped trains” over any given track segment. CSXT questions whether the number of trains is limited per a common holding company or each railroad subsidiary. (The intent is that the limit will be applied to each separate railroad company, regardless of common ownership.)
Recognizing FRA's concerns with imposing the costs of PTC implementation on Class II and III railroads, AAR believes FRA is mixing up Congress' concern about the ability of Class II and III railroads to finance installation of PTC on their own routes with the ability of Class II and III railroads to operate locomotives equipped with PTC technology over Class I track. The AAR notes that FRA's own analysis shows that the cost of equipping locomotives with PTC technology amounts to less than a third of total PTC development and installation costs. According to AAR, a Class II or III railroad qualifying for the proposed exception likely would only need to equip only one or two locomotives with PTC technology by sometime after 2015.
In any event, AAR asserts that this proposed exemption for Class II and III railroads is inconsistent with the plain language of the statute, which does not distinguish between Class I, II, or III operations on a main line with PIH materials. Congress determined that PTC should be required on Class I routes meeting the statutory criteria regardless of any cost-benefit analysis. The AAR believes that it is inconceivable that Congress intended unequipped locomotives be permitted to operate routinely where PTC is required, thus undercutting the benefit of equipping a PTC route with PTC technology.
The AAR also challenges FRA's conclusion about the “marginal safety benefit,” which seems premised on its analysis of train-to-train collisions, questioning whether FRA has concluded that a train operated by a Class II or III railroad poses less of a risk with respect to each of the core PTC functions than a train operated by a Class I railroad. Leaving aside AAR's objection to any exception permitting Class II and III railroads to conduct routine operations over PTC routes with unequipped locomotives, AAR does not agree with the proposal to wait until December 31, 2020, to impose the twenty-mile limitation. According to AAR, FRA has no factual basis for its concern that Class II and III railroads will be unable to obtain the technology as suppliers seek to equip their bigger Class I customers first. In fact, states AAR, it is more likely that Class I railroads will work with their Class II and III partners to prepare for the 2015 implementation deadline.
The Canadian Pacific Railway does not support the operation of unequipped locomotives on PTC equipped lines after December 31, 2015. It is CP's position that all trains operating on PTC territory after December 31, 2015, must be controlled by a locomotive equipped for PTC operation, regardless of whether or not the locomotive in the controlling position is considered “historic.”
NYSMTA, the parent organization for the Long Island Rail Road and Metro-North Railroad, asserted that subpart I of this part should require all operators on the same trackage as commuter railroads to be fully equipped, as is the case in the existing FRA regulation, and that all trains (including those of all Class II and Class III tenant railroads) operating in cab signal/train control territory must have operative cab signal and ATC. Thus, NYSMTA suggested that subpart Start Printed Page 2635I should not permit any trains to enter or operate in PTC territory that are not equipped with operative PTC systems except where en route failures occur within PTC territory. NYSMTA suggested that the definition of “equipped” for paragraphs (a) through (b)(3) be clarified to mean the onboard PTC system equipment has been fully commissioned, has passed all acceptance tests and has met reliability and availability demonstration tests. In the final rule, FRA continues to make clear that all trains operating on intercity/commuter passenger territory must be equipped.
FRA received a number of comments regarding the operation of historic locomotives over rail lines that will need to be equipped with a PTC system, from commenters such as the San Bernardino Railway Historical Society, the Pacific Southwest Railway Museum, the Railroad Passenger Car Alliance, and J.L. Patterson & Associates. These commenters requested that FRA provide clarification that a historic locomotive, as defined in 49 CFR 229.125(h), which is not equipped with PTC may be operated over rail lines equipped with PTC systems in limited excursion service, provided an excursion operating management plan is included in the PTC railroad's PTCIP that is consistent with the provisions of § 236.1029(b) of this part.
These locomotives might include steam locomotives many decades old. FRA notes that these operations are relatively infrequent, and they normally receive additional oversight by host railroads as a matter of course.
Final rule. The final rule provides exceptions for trains operated by Class II and III railroads, including tourist or excursion railroads. The exceptions are limited to lines not carrying intercity or commuter passenger service, except where the host railroad and the passenger railroad (if different entities) have requested an exception in the PTC Implementation Plan, as further discussed below, and FRA has approved that element of the plan. Examples of potentially acceptable instances concerning non-equipped operations on an intercity/commuter route might include a weekend excursion operation during periods scheduled passenger service is very light or in terminal areas under circumstances where all trains will be operated at reduced speed and risk is otherwise very limited.
FRA presumes for purposes of this final rule that there will be circumstances rooted in previously executed private agreements under which the Class I railroad would be entitled to require the small railroad to use a controlling locomotive equipped with PTC as a condition of operating onto the property. FRA wishes to emphasize that, in issuing this final rule, FRA does not intend to influence the exercise of private rights or to suggest that public policy would disfavor an otherwise legitimate restriction on the use of unequipped locomotives on PTC lines. FRA also notes that, in the absence of clear guidance on this issue, a substantial number of waiver requests could be expected that would have to be resolved without the benefit of decisional criteria previously examined and refined through the rulemaking process.
With respect to limited operations of Class II or III railroads on Class I PTC lines, FRA continues to believe that the risk in question is very small in relation to the direct and indirect costs of equipping locomotives with PTC and maintaining those locomotives over time (including configuration management). FRA has also considered the issues required applicable statutes concerning the affect of regulations on small entities. (See also discussion of de minimis exceptions in the preamble to § 236.1005.) Although FRA does expect that over time Class II and III railroads will participate more fully in the use of PTC technologies, both as tenants and hosts, the initial costs and logistical challenges of PTC system operation will be significantly greater than the costs and challenges after interoperable PTC systems have been demonstrated to be reliable and after the market for PTC equipment and services settles. Mandating that every locomotive leading a Class II or III train be PTC equipped during the initial roll out would create significant incentives to shed marginally profitable traffic with unpredictable societal effects. FRA does believe that, as the end of the initial implementation approaches, smaller railroads can begin the process of joining the PTC community by equipping locomotives used for longer hauls on PTC lines. FRA will also review the experience of Class I railroads as of that general time period (end of 2015, beginning of 2016) to evaluate what additional requirements might be appropriate and sustainable.
FRA has adopted final language sufficiently flexible to permit occasional tourist, historic and excursion service on PTC lines. Much of the subject equipment is used very lightly and in fact may spend the great majority of its time on static display. Ending the educational and recreational role of occasional excursion service is no part of what the Congress was addressing through the mandate underlying this rule.
Paragraph (b)(3) references the fact that operation of trains with failed onboard PTC apparatus is governed by the safeguards of § 236.1029, where applicable; and paragraph (c) applies the same principle to non-equipped trains operating on PTC territory.
Section 236.1007 Additional Requirements for High-Speed Service
Since the early 1990's, there has been an interest centered around designated high-speed corridors for the introduction of high-speed rail, and a number of states have made progress in preparing rail corridors through safety improvements at highway-rail grade crossings, investments in track structure, and other areas. FRA has administered limited programs of assistance using appropriated funds. With the passage of ARRA, which provides $8 billion in capital assistance for high-speed rail corridors and intercity passenger rail service, and the President's announcement in April 2009 of a Vision for High-Speed Rail in America, FRA expects those efforts to increase considerably. FRA believes that railroads conducting high-speed operations in the United States can provide a world class service as safe as, or better than, any high-speed operations conducted elsewhere. In anticipation of such service, and to ensure public safety, FRA proposed three tiers of requirements for PTC systems operating in high-speed service. The proposed performance thresholds were intended to increase safety performance targets as the maximum speed limits increase to compensate for increased risks, including the potential frequency and adverse consequences of a collision or derailment. These thresholds were supported by AASHTO and are adopted as proposed.
Section 236.1007 sets the intervals for the high-speed safety performance targets for operations with: maximum speeds at or greater than 60 and 50 miles per hour for passenger service and freight operations, respectively, under paragraph (a); maximum speeds greater than 90 miles per hour under paragraph (b); maximum speeds greater than 125 miles per hour under paragraph (c); and maximum speeds greater than 150 mph under paragraph (d). The reader should note that the requirements increase as speed rises. Thus, for instance, operations with trains moving above 125 miles per hour must, in addition to the requirements under paragraph (c), adhere to the requirements under paragraphs (a) and (b).Start Printed Page 2636
Paragraph (a) addresses the PTC system requirements for territories where speeds are greater than 59 miles per hour for passenger service and 49 miles per hour for freight service. Under 49 CFR 236.0 as it existed directly previous to the issuance of this final rule, block signal systems were required at these speeds (unless a manual block system was in place, an option that this final rule phases out). The final rule expects covered operations moving at these speeds to have implemented a PTC system that provides, either directly or with another technology, all of the statutory PTC system functions along with the safety-critical functions of a block signal system as defined in the existing standards of subparts A through F of part 236. The safety-critical functions of a block signal system include track circuits, which assist in broken rail detection and unintended track occupancies (equipment rolling out), and fouling circuits, which can identify equipment that is intruding on the clearance envelope and may prevent raking collisions. FRA recognizes that advances in technology may render current block signal, fouling, and broken rail detection systems obsolete and FRA does not want to preclude the introduction of suitable and appropriate advanced technologies. Accordingly, FRA believes that alternative mechanisms providing the same functionality are entirely acceptable and FRA encourages their development and use to the extent they do not have an adverse impact on the level of safety.
Paragraph (b) addresses system requirements for territories where operating speeds are greater than 90 miles per hour, which is currently the maximum allowable operating speed for passenger trains on Class 5 track. At these higher speeds, the implemented PTC system must not only comply with paragraph (a), but also be shown to be fail-safe (as defined in Appendix C) and at all times prevent unauthorized intrusion of rail traffic onto the higher speed line operating with a PTC system. FRA intends this concept of fail-safe application to be understood in its commonplace meaning; i.e., that insofar as feasible the system is designed to fail to a safe state, which normally means that each subject train will be brought to a stop. Further, FRA understands that there are aspects of current system design and operation that may create a remote opportunity for a “wrong-side” or unsafe failure and that these issues would be described in the PTCSP and mitigations would be provided. FRA recognizes that, as applied in the general freight system, this final rule could create a significant challenge related to interoperability of freight equipment operating over the same territory. Accordingly, FRA requested comment on whether, where operations do not exceed 125 miles per hour or some other value, the requirement for compliance with Appendix C safety assurance principles might be limited to the passenger trains involved, with “non-vital” onboard processing permitted for the intermingled freight trains. No comments were received on this issue, apart from the general concern of the RLO that very safe technology be employed in all PTC systems, and the restriction is adopted as proposed.
As speed increases, it also becomes more important that inadvertent incursions on the PTC-equipped track be prevented at switch locations. In this final rule, FRA expects that this be done by effective means that might include use of split-point derails properly placed, equipping of tracks providing entry with PTC, or arrangement of tracks and switches in such a way as to divert an approaching movement which is not authorized to enter onto the PTC line. The protection mechanism on the slower speed line must be integrated with the PTC system on the higher speed line in a manner to provide appropriate control of trains operating on the higher speed line if a violation is not prevented for whatever reason.
Paragraph (c) addresses high-speed rail operations exceeding 125 miles per hour, which is the maximum speed for Class 7 track under § 213.307. At these higher speeds, the consequences of a derailment or collision are significantly greater than at lower speeds due to the involved vehicle's increased kinetic energy. In such circumstances, in addition to meeting the requirements under paragraphs (a) and (b), including having a fail-safe PTC system, the entity operating above 125 miles per hour must provide an additional safety analysis (the HSR-125) providing suitable evidence to the Associate Administrator that the PTC system can support a level of safety equivalent to, or better than, the best level of safety of comparable rail service in either the United States or a foreign country over the 5 year period preceding the submission of the PTCSP. Additionally, PTC systems on these high-speed lines must provide the capability, as appropriate, to detect incursion from outside the right of way and provide warnings to trains. Each subject railroad is free to suggest in its HSR-125 any method to the Associate Administrator that ensures that the subject high-speed lines are corridors effectively sealed and protected from such incursions (see § 213.347 of this title), including such hazards as motor vehicles falling on the track structure from highway bridges.
Paragraph (d) addresses the highest speeds existing or currently contemplated for rail operations exceeding 150 miles per hour. FRA expects these operations to be governed by a Rule of Particular Applicability and the HSR-125 required by paragraph (c) shall be developed as part of an overall system safety plan approved by the Associate Administrator. The quantitative risk showing required for operations above 125 miles per hour is not required to include consideration of acts of deliberate violence. The reason for this exclusion is simply to remove speculative or extraordinary considerations from the analysis. However, FRA and the Department of Homeland Security will certainly expect that security considerations are taken into account in system planning.
AASHTO believed that the proposed rule appropriately addressed the PTC related safety levels for high-speed rail. According to AASHTO, the proposed rule text provided a clear position for the levels of safety required for high-speed rail at speeds that are achieved today, and for speeds that may be achieved in the future, allowing for benchmarking against precedent levels achieved in the U.S. and internationally. AASHTO also commented that, in PTC systems running over federally designated high-speed rail corridors, highway-rail grade crossings should either be eliminated or protected by hazard warning detection systems.
Amtrak notes that it currently operates safely above 90 miles per hour on the Northeast Corridor and on its Michigan line, with the full knowledge, approval, and authorization of the FRA, based on past and remaining safety procedures and equipment. Amtrak also states that it currently operates above 125 mph on portions of the Northeast Corridor. Accordingly, Amtrak asserts that services above 90 and 125 miles per hour that existed as of October 16, 2008, the date of RSIA08, should be exempted or “grandfathered” from the requirements of this section.
FRA agrees that Amtrak has been providing safe passenger service at speeds between 90 and 150 miles per hour on the Northeast Corridor as well as its Michigan line, and that the train control systems in use (ACSES with Cab Signals, and ITCS) have records of safe operations. Given the value of service experience and the extraordinary burden of review and decision making associated with this rule, FRA intends to give full credit to established safety Start Printed Page 2637records in conducting these reviews, simplifying the task for all concerned.
Section 236.1009 Procedural Requirements
Section 236.1009 establishes the regulatory procedures that must be followed by each Class I railroad carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation to obtain the required FRA certification of PTC systems prior to operating the system or component in revenue service. FRA is implementing these requirements to support more rapid FRA review and decision making, while reducing the administrative burden on the railroads.
While the current subpart H of this part provides a technically sound procedure for obtaining FRA approval of various processor-based signal and train control systems, it was crafted with the presumption that PTC implementation was a strictly voluntary action on the part of railroads. Arguably FRA could have simply amended subpart H to include requirements relating to implementation plans and to modify the language to equate “approval” under subpart H with “certification” under the statute. However, FRA believes that such a resultant amended subpart H would still remain unsuitable to support the RSIA08 implementation schedule. Accordingly FRA has developed the new procedures of this section to avoid redundancy, provide sufficient flexibility to accompany the varying needs of those seeking certification, and to mitigate the financial risk associated with technological investment necessary to comply with the regulatory requirements.
Generally speaking, there are three documents associated with the new procedures of this section: the PTCIP, PTCDP, and PTCSP. The details of each document are set forth in §§ 236.1011, 236.1013, and 236.1015, respectively. To summarize these sections, the PTCIP is the written plan that defines the specific details of how and when the railroad will implement the PTC system. The PTCDP provides a detailed discussion of the proposed technology and product that will be implemented according to the PTCIP. The PTCSP provides the railroad-specific information demonstrating that the PTC system, as implemented by the railroad, meets the required safety performance objectives. Certification of a PTC system by FRA for revenue operations is based on the review and approval of the information provided in these documents.
Paragraph (a) requires that a PTCIP be filed by “host” railroads as defined in § 236.1003 that are required to install a PTC system on one or more main lines in accordance with § 236.1005(b). This generally is each Class I railroad and each entity providing regularly scheduled intercity or commuter rail passenger transportation as defined by statute. However, Class II and III railroads that host intercity or commuter rail service will also need to file implementation plans, whether or not they directly procure or manage installation of the PTC system.
Intercity and commuter railroads that are tenants on Class I, II, or III freight lines must also join with their host railroad in filing these plans. FRA believes that the railroad that maintains operational control over a particular track segment is generally in the best position to develop and submit the PTCIP, since that railroad is more knowledgeable of the conditions of, and operations over, its track. FRA recognizes that, in cases where a tenant passenger railroad operates over a Class II or III railroad, the passenger railroad may be required to take a more active role in planning the PTC system deployment by working with the host railroad. In the case of an intercity or commuter railroad providing service over a Class I railroad, it may be sufficient for the passenger railroad to file a letter associating itself with the Class I railroad's plan to the extent it impacts the passenger service. AAR also expressed some confusion whether the requirement to file joint plans was only required when freight and passenger railroads conduct operations over the same route. The final rule does not levy any requirement for joint filing in the case where another railroad has freight trackage rights over a Class I railroad's PTC line. FRA expects that the host Class I railroad will address these types of operations and discuss the issue of interoperability in its PTCIP as required by law.
The Class I railroads generally opposed the requirement for a host railroad and tenant passenger railroad to file a joint PTCIP as being excessively burdensome and unnecessary because it merely appears to be intended to address interoperability issues. Beyond possibly addressing the interoperability issue, the AAR maintained that nothing further would be gained by requiring the joint filing of a PTCIP.
FRA has taken note of these objections. However, FRA believes that the joint filing requirement provides motivation for the proactive involvement by both parties in the decision-making process, especially with regards to interoperable equipment requirements and operating procedures. This joint filing requirement reflects FRA's position that communication between all parties involved in establishing interoperability is absolutely essential to ensure the implementation of timely, cost effective solutions.
Some railroads have also expressed concern that they will be required to support installation of PTC over Class II and III railroads that would otherwise not be required to implement PTC, were it not for the passenger/commuter railroad presence. Amtrak noted that the requirement for joint filings would, as a practical manner, require Amtrak to take a dominant role in the development and preparation of the required documentation.
While FRA appreciates the difficulties that both the passenger/commuter railroad, as well as the Class II or III railroad may experience, FRA believes that this is essentially a commercial matter between the parties involved, which would be best resolved with government participation only as a last resort. This position is consistent with the underlying philosophy of sections 151 through 188 of title 45 of the United States Code.
Although FRA believes that the resolution of differences between host and tenant railroads is a commercial issue, provisions have been made if a host freight railroad and tenant passenger railroad cannot come to an agreement to jointly file a PTCIP by April 16, 2010. In this situation, each railroad must file an individual PTCIP, together with a notification to the Associate Administrator, indicating that a joint filing was not possible and an explanation of why the subject railroads could not agree upon a final PTCIP for joint filing.
Both the freight and passenger/commuter railroads have strenuously objected to the assessment of civil penalties in the event that agreement cannot be reached. Amtrak claimed that failure to come to agreement did not rise to the level of an act that warranted penalty. AAR asserted that imposition of penalties would not be an appropriate way to resolve good faith disputes over the implementation of PTC. Concern has also been raised that, in the event of a dispute, the resolution process does not appear to have any established milestones. NYSMTA expressed concern related to the ability of railroads to fairly and quickly resolve disputes related to the development of host/tenant interoperability agreements required by RSIA08. NYSMTA asserted that, even though FRA provides for dispute resolution in § 236.1009, there are no time limits or standards to ensure Start Printed Page 2638that disputes are resolved fairly and in a manner that does not affect railroads' ability to comply with the statutory/mandatory implementation of PTC by December 31, 2015.
FRA has taken note of these objections and concerns. FRA believes that the milestones are self-evident. Railroads are required to file implementation plans by April 16, 2010. Thus, failure to file an implementation plan (either jointly or individually) by April 16, 2010, constitutes a violation of the RSIA08. Railroads are also required to complete implementation by December 31, 2015. FRA does not intend to set any specific deadline for completion of mediation or arbitration other than to state that the mediation or arbitration must be resolved in time to allow both parties to complete the timely submission of their PTCIP by April 16, 2010, and to complete PTC installation by December 31, 2015.
FRA will exercise its prosecutorial discretion if railroads have unresolved conflicts, but have filed individual implementation plans in accordance with paragraph (a)(4) of this section and are engaged in good faith mediation or arbitration.
Caltrain requested clarification of the meaning of the term “confer,” as used in paragraph (a)(4)(iv) of this section. During the conference process, FRA will request that all parties to the dispute advise FRA of where their differences arise, so that FRA can evaluate the potential impact on completion of the statutorily-required build out and understand the nature and extent of their disagreement. FRA may propose alternative solutions for consideration by both parties in the dispute. FRA is not, however, obligated to act as either a mediator or arbitrator of essentially commercial disputes. FRA expects that the disputing parties will submit such issues to a mutually acceptable mediator or arbitrator. If the disputing parties are unable to find a mutually agreeable private mediator or arbitrator, FRA may agree to mediate the dispute as a last resort. Otherwise, the disputing parties will need to seek judicial resolution of their issues.
It was also commented that if a PTCIP or request for amendment (RFA), as provided in § 236.1021, is submitted after April 16, 2010, in accordance with this rule, paragraph (a) does not provide the subject railroads with an opportunity to file separately. FRA intends, in such a situation, that if a railroad wishes to use track that would require the installation of a PTC system, and the parties have difficulty reaching agreement, then such usage would be delayed until the parties jointly file a mutually acceptable PTCIP and the jointly-filed PTCIP is approved by FRA.
FRA notes that new passenger railroads are likely to begin operations during the period between issuance of this final rule and the end of the implementation period for PTC (December 31, 2015). Railroads that are required to install PTC, who intend to commence operations after April 16, 2010, but before December 31, 2015, would be expected to file a PTCIP that meets the requirements of paragraph (a) as soon as possible after the decision is made to commence operations. Any railroad commencing operations after December 31, 2015, that is required to install PTC, will not be authorized to commence revenue operations until the PTC installation is complete.
During review of the NPRM, AAR noted that paragraph (a)(2)(i) had not been updated to reflect an RSAC agreement. FRA agrees and has updated paragraph (a)(2)(i) to include the language, “[a] PTCIP if it becomes a host railroad of a main line track segment for which it is required to implement and operate a PTC system in accordance with § 236.1005(b).”
Paragraph (b) in the proposed rule required the submission of a PTCDP when the PTCIP is submitted to FRA for approval. Some railroads, primarily those owned or operated by government agencies, who submitted comments on this issue indicated that, while they would be able to identify the general functional requirements of the PTC system, they expected public procurement regulations would preclude contract award and identification of a particular vendor or supplier and the associated product details in time to meet the statutory submission deadline. They requested that FRA not require submission of the PTCDP at the same time (or before) the PTCIP.
NYSMTA submitted comments asserting that simultaneous submissions would be problematic for LIRR. In view of the complexities and unknown factors associated with developing PTC solutions for LIRR's dark and ABS territories, and in light of its unique signaling applications and operating rules, LIRR was identified as being at high risk of non-compliance with the April 16, 2010, PTCDP submission deadline, despite its best efforts. Inasmuch as the RSIA08 does not explicitly stipulate a timeframe for a PTCDP, NYSMTA requested that the regulation be modified to allow for submission of a PTCDP after the April 16, 2010, deadline, at least with regard to dark territory and ABS territories.
APTA submitted similar comments stating that the inclusion of the PTCDP or PTCSP in the April 2010 submission is problematic. Noting that submittal of these plans implies the selection of specific hardware and systems, APTA asserted that such submission is not possible given the current state of development of industry standards by the Railroad Electronics Standards Committee (RESC). Without available industry standards, APTA asserted that it would be impossible for the vast majority of public agencies that operate passenger rail systems to identify and contract with vendors or suppliers by the April 2010 deadline. Even though the freight railroads may have selected a proprietary technology as a basis for their PTC implementation, the competition standards for publicly funded contracts limit the ability of public agencies to follow a similar procurement strategy. Additionally, the lack of specific hardware and system standards to support interoperability further limits the ability of public agencies to enter into contracts by April 2010. Thus, if required to submit PTCDP and PTCSP documents by April 16, 2010, the documents would, of necessity, be incomplete and unacceptable.
APTA further claimed that the sole legislative requirement tied to April 2010 is for submission of the PTCIP. Thus, APTA believes FRA should allow submission of the PTCIP in a “product neutral” fashion to meet the statutory deadline and should defer submission of the PTCDP and PTCSP to allow flexibility and avoid incomplete submissions and the compilation and review of documents that cannot be approved.
Amtrak similarly expressed concern with the inadequate amount of time necessary to prepare the PTCIPs for its own NEC and Michigan Line and for the Class II and III railroads over which Amtrak operates (to the extent that those lines are not found to constitute other than “main lines”) and to review those PTCIPs submitted by the Class I railroads and develop full PTCDPs. Because of the severe burden on Amtrak's resources, Amtrak recommended that the filing deadline for PTCDPs be extended at least 9 months beyond April 16, 2010.
As a government agency, FRA clearly understands the position faced by these railroads. However, FRA believes that a meaningful implementation plan cannot be created if a railroad has not identified and does not understand the technology it proposes to implement. Without this knowledge, it is not possible to have any informed discourse on system Start Printed Page 2639interoperability and implementation scheduling between railroads, vendors or suppliers, and FRA. Therefore, in this final rule, FRA has provided several mechanisms that eliminate the need for each railroad to submit a PTCDP for a proposed PTC system, while still providing FRA sufficient information to carry out its regulatory responsibilities.
One such mechanism, as specified in paragraph (b) is through the use of a Type Approval. The Type Approval is a number assigned to a particular off-the-shelf or modified PTC system product—described in a PTCDP in accordance with § 236.1013—indicating FRA's belief that the product could fulfill the requirements of subpart I. FRA's issuance of a Type Approval does not mean that the product will meet the requirements of subpart I. The Type Approval applies to the technology designed and developed, but not yet implemented, and does not bestow any ownership or other similar interests or rights to any railroad. Each Type Approval number remains under the control of the FRA, and can be issued or revoked in accordance with this subpart.
FRA expects the Type Approval process to provide a variety of benefits to FRA and the industry. If a railroad submits a PTCDP describing a PTC system, and the PTC system receives a Type Approval, then other railroads intending to use the same PTC system without variances may, in accordance with paragraph (b)(1), simply rely on the Type Approval number without having to file a separate PTCDP. While the railroad filing the PTCDP must expend resources to develop and submit the PTCDP, all other railroads using the same PTC system would not. This should not only provide significant cost and time savings for a number of railroads, but should remove a significant level of redundancy from the approval process that is currently inherent in subpart H.
If, however, a railroad intends to use a modified version of a PTC system that has already received a Type Approval number, and the variances between the two systems are of a safety-critical nature, the railroad must submit a new PTCDP. The railroad may submit a new PTCDP that fully complies with the content requirements under § 236.1013 or supply a Type Approval number for the other PTC system upon which the modified PTC system will rely and a document that fulfills the content requirements under § 236.1013 with respect to the safety-critical variances between the system described within the original PTCDP and the system as modified.
This final rule does not preclude a railroad from submitting its PTCDP before its PTCIP for FRA review and approval. FRA encourages an earlier submission of the PTCDP to further reduce the required regulatory effort necessary to review the PTCIP and PTCDP if submitted together. More importantly, it would present an opportunity for FRA to issue a Type Approval for the proposed PTC system before April 16, 2010, thus providing other railroads intending to use the same or similar PTC system the opportunity to leverage off of the work already performed by simply submitting the Type Approval and—in the event of any variances—a much less burdensome PTCDP. FRA also believes this regulatory procedure may incentivize railroads using the same or similar PTC system to jointly develop and submit a PTCDP, thus further reducing the paperwork burden on FRA and the industry as a whole and increasing confidence in the interoperability between systems.
Vendors believe that FRA should type approve specific components, so the vendor may sell the type approved products. FRA believes that such a request may be based on the mistaken belief that FRA has adopted the FAA aviation model of type certifying aircraft frames, aircraft engines, and propellers (see 14 CFR part 21, subparts B-G). This is not, however, the case. FRA has adopted some elements of the FAA Airworthiness Certificate process (see 14 CFR part 21, subpart H), which addresses the suitability of an entire aircraft for a particular purpose. FRA will apply a similar standard and certify only complete PTC systems.
Another mechanism FRA is adding that will enable railroads to meet their statutory obligations in preparing and submitting a PTCIP, while providing enough information to FRA to facilitate FRA's evaluation of the technical feasibility of the PTCIP, can be found in the provisions of paragraph (c).
Paragraph (c) allows a railroad to file an abbreviated PTCDP, called a Notice of Product Intent (NPI), with their PTCIP. The NPI, detailed in § 236.1013(e), is handled in a manner similar to a full PTCDP, with certain key exceptions. First, a PTCIP may be submitted with a NPI in lieu of either a complete PTCDP (or reference to an approved Type Approval). Any PTCIP submitted with an NPI and approved by FRA will only receive “Provisional Approval.” The Provisional Approval will only be valid for a maximum period of 270 days (approximately 9 months), by which time a railroad must resubmit its PTCIP with a complete PTCDP or reference to an approved Type Approval. If the railroad submits the updated PTCIP within that period, FRA will treat the updated filing in the same manner as FRA would have treated the original PTCIP submission. If the railroad fails to update the PTCIP before the end of that period, the Provisional Approval will automatically be revoked, and the revocation will be considered as retroactive to the original due date. FRA has no intention of extending any Provisional Approval beyond the 270 day period and will not entertain requests to that effect. Each railroad is expected to be capable of fully defining the product they intend to use within the 270 day period. Use of an NPI by a railroad allows for incremental, albeit limited, submission of the PTCDP.
Railroads would still be required to fully describe their plans for the use and completion of the PTCDP in their PTCIPs. Having the PTCDP development extend beyond the PTCIP due date may be beneficial to the entire industry, since it allows for practical development of PTC systems for railroads with unique technical requirements or financing restrictions while potentially increasing the number of viable suppliers, products, and systems. In addition to being practical, this approach would further the industry interests of having a more even distribution of the workload for commuter rail agencies and for FRA staff. Additionally, it enhances the ability of railroads to provide sufficient detail in the PTCDP, due to greater confidence in the overall design solution, thereby reducing the need for revision and the associated burden on FRA and railroad staff.
FRA clearly recognizes, regardless of the approach taken, that a vendor or supplier to the railroad may prepare part, if not all, of the required documentation. Notwithstanding that fact, the railroad remains responsible for the completeness and accuracy of any documentation submitted. For instance, FRA may find that the PTCDP does not adequately conform to this subpart or otherwise has insufficient information to justify approval. FRA may also determine that there are issues raised by the PTCDP that would adversely affect the ability of FRA to eventually certify the system. If such a situation were to arise, the railroad would need to address the issues and resubmit the documentation for FRA approval.
The third mechanism available to railroads is described in paragraph (d). This paragraph allows railroads the opportunity to file a Request for Expedited Certification (REC) in lieu of an approved PTCDP or a Type Start Printed Page 2640Approval, and the subsequent PTCSP developed in accordance with § 236.1015 in order to receive PTC System Certification. A REC applies only to PTC systems that have already been in revenue service and meet the criteria of § 236.1031(a). If a PTC system is not eligible for expedited certification, the railroad will be limited to the options presented in paragraphs (b) and (c).
Paragraph (e) requires that each PTCIP, PTCDP, and PTCSP must comply with the content requirements in §§ 236.1011, 236.1013, and 236.1015, respectively. If the submissions do not comply with their respective regulatory requirements, then they may not be approved. Without approval, a PTC system may not receive a Type Approval or PTC System Certification. Ultimately, PTC System Certification is FRA's formal recognition that the PTC system, as described and implemented, meets the statutory requirements and the provisions of subpart I. It does not imply FRA endorsement or approval of the PTC system itself.
In the interest of an open market, FRA does not want to preclude the ability of PTC system suppliers outside of the United States from manufacturing PTC systems or selling them to the regulated railroads. However, in order to ensure the safety and reliability of those systems, FRA needs to be able to conduct an adequate review of the submitted plans. Accordingly, paragraph (e) requires that all materials submitted in accordance with this subpart be in the English language, or be translated into the English language and attested as true and correct.
Under subpart H of this part, a railroad may seek confidential treatment for what it deems to be trade secrets, commercial, or financial information that is privileged or confidential under Exemption 4 of the Freedom of Information Act (FOIA), 5 U.S.C. 552(b)(4), or the Trade Secrets Act, 18 U.S.C. 1905, and submit such requests in accordance with § 209.11. A railroad may request similar confidential treatment under subpart I. As with subpart H, should a FOIA request be made for information submitted under this rule for which the submitting party has requested confidential treatment, the submitting company will be notified of the request in accordance with the submitter consultation provisions of the Department's FOIA regulations (§ 7.17) and will be afforded the opportunity to submit detailed written objections to the release of information as provided for in § 7.17(a). FRA strongly encourages submitting parties to request confidential treatment only for those portions of documents that truly justify such treatment (i.e., trade secrets and security sensitive information).
While FRA continues to believe that there is no need at this time to substantially revise § 209.11, FRA will require an additional document to assist FRA in efficiently and correctly reviewing requests for confidentiality. Under § 209.11, a redacted and an unredacted copy of the same document must be submitted. When FRA review is required to determine whether confidentiality should be afforded, FRA personnel must painstakingly compare side-by-side the two versions to determine what information has been redacted. This process may result in information for which exemption from disclosure is being requested to be misidentified. To reduce this burden, and ensure that the intellectual property of the railroad and their suppliers is appropriately guarded, FRA requires that any material submitted for confidential treatment under subpart I and § 209.11 include a third version that would indicate, without fully obscuring, the redacted portions for which protection is requested. For instance, in order to indicate without obscuring the plan's redacted portions, the railroad may use the highlighting, underlining, or strikethrough functions of its word processing program. This document will also be treated as confidential under § 209.11. FRA could amend § 209.11 to include this requirement. However, FRA does not believe it to be necessary at this time.
FRA is allowing the submission of an adequate GIS shapefile to fulfill some of the PTCIP content requirements under § 236.1011. However, with respect to requesting confidential treatment of specific information contained in a GIS shapefile, which includes primarily map data, FRA recognizes that visually blocking out the information would defeat the purpose. For instance, a black dot over a particular map location, or a black line over a particular route, would actually reveal the location. Thus, FRA expects that a railroad seeking confidential treatment for portions of a GIS shapefile will submit three versions of the shapefile to comply with paragraph (e). Alternatively, a single shapefile can include three separate layers each representing the three levels of confidentiality, with specific instructions indicating which elements are being displayed and how to handle the file for confidentiality purposes. FRA also expects that the version for public consumption would not include the information for which the railroad is seeking confidential treatment.
NICTD strongly urged FRA to only accept PTCIPs that provided full public disclosure of all the information needed to obtain components from multiple suppliers, including message interface standards, functional allocation for each subsystem, and safety allocation for each subsystem (e.g., identifying which hazards and safety-critical assumptions are made for each subsystem). NICTD asserted that it was not requesting proprietary information for any subsystems, but merely the ability to utilize alternative sources to fulfill the subsystem requirements within the overall PTC system. According to NICTD, this would substantially improve the likelihood of commuter railroads being able to obtain components from the multiple suppliers that are currently more than willing to develop components that will safely operate with other systems. Moreover, NICTD stated that this would facilitate compliance with interoperability requirements, as the knowledge gained would simplify development of interoperable systems and reduce procurement delays. Amtrak agrees on the need for full public disclosure and asserts that it should be able to review and comment on the PTCIPs of the Class I railroads. FRA understands these positions, but FRA will not make any flat pronouncements about the confidentiality of information it has not yet received.
FRA expects that FRA-monitored laboratory or field testing or an independent third party assessment may be necessary to support conclusions made and included in a railroad's submitted PTCDP or PTCSP. This issue is addressed in paragraph (f). The procedural requirements to effectuate either of those requirements can be found in §§ 236.1035 and § 236.1017, respectively.
Paragraph (g) makes clear that FRA approval of a plan submitted under subpart I may be contingent upon any number of factors and that, once the plan is approved, FRA maintains the authority to modify or revoke the resulting Type Approval or PTC System Certification. Under paragraph (g)(1), FRA reserves the right to attach additional requirements as a condition for approval of a PTCIP, or issuance of a Type Approval or PTC System Certification. In the preparation of any of these plans, railroads may have inadvertently failed to fully address hazards and risks associated with all of these components.
FRA believes that paragraph (g)(1) will make the regulatory process more efficient and stable. Rather than reject a railroad's plan completely, and Start Printed Page 2641consequently delay the railroad's implementation of its PTC system, FRA would prefer to add additional conditions during the approval process to address these oversights. When determining whether to attach conditions to plan approval, FRA will consider whether: (1) The plan includes a well-defined and discrete technical or security issue that affects system safety; (2) the risk or safety significance of an issue can be adequately determined; (3) the issue affects public health and safety; (4) the issue is not already being processed under an existing program or process; and (5) the issue cannot be readily addressed through other regulatory programs and processes, existing regulations, policies, guidance, or voluntary industry initiatives.
Paragraph (g)(2) provides FRA the right to reconsider an issued Type Approval or PTC System Certification as a consequence of the discovery of potential error, fraud or new information regarding system safety that was not previously identified. FRA issuance of each Type Approval or PTC System Certification under performance-based regulations assumes that the model of the train control system and its associated probabilistic data adequately accounts for the behavior of all design features of the system that could contribute to system risk. Different system design approaches may result in different levels of detail introducing different approximations or errors associated with the safety performance. There are some characteristics for which modeling methods may not fully capture the behavior of the system, or there may be elements of the system for which historical performance data may not be currently available. These potential inconsistencies in the failure analysis could introduce significant variations between the predicted and actual performances. Because of the design complexity associated with train control systems, FRA recognizes that these inconsistencies may not be the result of deliberate acts by any individuals or organizations, but simply reflect the level of analytical detail, the availability of comprehensive information, the qualification and experience of the analyst team, and the railroad's and FRA's resource limitations.
In paragraph (g)(3), FRA indicates that the railroad may be allowed to continue operations using the system, although such continued operations may have special conditions attached to mitigate any adverse consequences. It is FRA's intent, to the maximum extent possible and when consistent with safety, to assist railroads in keeping the systems in operation. FRA expects that, if it places a condition on PTC system operations, each railroad will have a predefined process and procedure in place that would allow continued railroad operations, albeit under reduced capability, until appropriate mitigations are in place, and the system can be restored to full operation. In certain dire situations, FRA may actually order the suspension or discontinuation of operations until the root cause of the situation is understood and adequate mitigations are in place. FRA believes that suspending a Type Approval or a PTC System Certification pending a more detailed analysis of the situation may be appropriate, and that any such suspension must be done without prejudice. FRA expects to take such an action only in the most extreme circumstances and after consultation with the affected parties.
After reconsidering its issuance of a Type Approval or PTC System Certification, under paragraph (g)(4), FRA may either dismiss its reconsideration and continue to recognize the existing FRA approved Type Approval or PTC System Certification, allow continued operations with certain conditions attached, or order the railroad to cease applicable operations by revoking its Type Approval or PTC System Certification. If FRA dismisses its reconsideration and continues to recognize the Type Approval, any conditions required during the reconsideration period would no longer be applicable. If FRA will allow continued operations, FRA may order the continuation of conditions that were required during the reconsideration period or impose additional conditions. FRA expects that revocation of a Type Approval or PTC System Certification would occur in very narrow circumstances, where the risks to safety appear insurmountable. Regrettably, there may be a few situations in which the inconsistencies are the result of deliberate fraudulent representations. In such situations, FRA may also seek criminal or civil penalties against the entities involved.
APTA submitted comments asserting that the NPRM offered minimal guidance on what criteria FRA will use in accepting or rejecting a railroad's plan. Therefore, APTA asserted that FRA should draft and vet criteria that accomplishes the basic purposes of PTC, while allowing for innovation in meeting the performance requirements envisioned in the proposed regulation. FRA believes that this concern arises from the fact that this regulation, like subpart H of this part, is a performance-based rule. While performance-based rules provide maximum flexibility to railroads and vendors or suppliers, they also introduce a degree of ambiguity.
FRA, in consultation with the RSAC PTC Working Group, has developed and vetted model templates for both the PTCIP and the risk prioritization scheme to provide some degree of specificity without unnecessary constraints. It should be carefully noted that these templates are, by necessity, general in nature and must be customized by the individual railroad to reflect its individual operations. What may be applicable for one railroad may not be applicable to another. FRA has also provided vetted guidance as to acceptable design, verification and validation, and human factors in the appendices to this part. Again, given the wide variety of potential solutions that may be adopted by various railroads, FRA is reluctant to provide more detailed guidance. However, if a PTCIP content requirement under § 236.1011 is fulfilled in a submitted GIS shapefile, then the written PTCIP should simply cross-reference appropriately.
Paragraph (h) relates to FRA's authority to conduct inspections to ensure that a railroad is in compliance with subpart I. FRA inspections may be required to determine whether a particular railroad has implemented a PTC system where necessary. For instance, FRA may need to confirm whether a track segment is subject to five million gross tons or more of annual railroad traffic, PIH materials, or passenger traffic. FRA may also need to inspect locomotives to determine whether they are equipped with a PTC onboard apparatus or to review locomotive logs to determine whether the locomotive has entered PTC territory. Paragraph (h) simply reiterates FRA's statutory authority to inspect the railroads and gather information necessary to enforce its regulations.
In order to maintain an open marketplace, this final rule has been drafted to allow domestic railroads to purchase PTC systems from outside of the United States. FRA recognizes that PTC systems have been used in revenue service across the globe and that acceptable products may be available in other countries. FRA also recognizes that such use may fall under the jurisdiction of a foreign regulatory entity much like FRA. Accordingly, under paragraph (i), in the event information relating to a particular PTC system has been certified under the auspices of a regulatory entity in a foreign government, FRA is willing to consider that information as independently Verified and Validated to support the Start Printed Page 2642railroad's PTCSP development. The phrase “under the auspices” intends to reflect the possibility of certification contractually performed by a private entity on behalf of a foreign government agency. However, the foreign regulatory entity must be recognized by the Associate Administrator. A railroad seeking to enjoy the benefits of paragraph (i) must communicate that interest in its PTCSP, and is strongly encouraged to communicate such a desire well before submission of the PTCSP for approval.
Finally, the AAR noted that, unlike the precedent set by subpart H and the RSIA08, FRA did not include time frames for the agency to respond to the submissions of the PTCDP or PTCSP. The AAR urged FRA to include specific deadlines for these filings to ensure a common understanding of the time allotted to carry out the regulatory responsibilities. Accordingly, AAR proposed that FRA agree to respond within 60 and 120 days of the submission of a PTCDP and PTCSP, respectively. This 180-day approval period for both the development and safety plans is consistent with existing subpart H, which allows 180 days for approval of a product safety plan.
FRA agrees that the railroads need, for their planning purposes, an estimated amount of time within which FRA will provide a response regarding the acceptability of their PTCSP submission. FRA also believes that this information would be appropriately placed in § 236.1009. Accordingly, FRA is adding paragraph (j) to this section, which contains target deadlines for FRA review. FRA will acknowledge receipt of a PTCDP or PTCSP submission within 30 days. Depending upon the complexity of the system and the amount of participation by FRA in the PTCDP or PTCSP development process, FRA will endeavor to approve, approve with conditions, or deny approval of the PTCDP and PTCSP within 60 and 180 days, respectively. If FRA is unable to complete its review of the PTCDP or PTCSP within these estimated time periods, FRA will advise the submitter accordingly.
When reviewing the procedural requirements contained in the proposed rule, the RLO expressed concern that this streamlined process may result in degradation of safety and significant concern with the ability of FRA to adequately staff the oversight process with a sufficient number of people with the requisite skill sets. FRA appreciates these concerns, and is undertaking plans to ensure that this new process does not result in any degradation of safety. FRA will continue to apply the same technical standards as used in earlier PTC system approvals. FRA has also taken steps to ensure that it has sufficient people, with the appropriate skills, to ensure proper safety oversight of this new process. A task analysis to determine the desired skills, as well as appropriate placement within the agency of additional staff members has been completed The RSIA08 authorizes an additional 200 full time positions to FRA, and FRA is ready to recruit the necessary technical staff as appropriations permit.
Section 236.1011 PTC Implementation Plan Content Requirements
This section describes the minimum required contents of a PTC Implementation Plan. A PTCIP is a railroad's plan for complying with the installation of mandatory PTC systems required by RSIA08. The PTCIP consists of implementation schedules, narratives, rules, technical documentation, and relevant excerpts of agreements that an individual railroad will use to complete mandatory PTC implementation. FRA will measure the railroad's progress in meeting the required implementation date based on the schedule and other information in the PTCIP. While the final rule does not specify or mandate any specific organization for the PTCIP, it must at least clearly indicate which portions intend to address compliance with the various plan requirements under this section. The PTCIP must also clearly identify each referenced document and either include a copy of each document (or its applicable excerpt) or indicate where FRA and the public may view that document. Should FRA not be able to readily determine adequate response to the required information, FRA will assume that the information has not been submitted, and will handle the document accordingly. The lack of the required information may result in FRA's disapproval of a PTCIP. To facilitate timely and successful submittals, FRA, through assistance from a PTCIP Task Force drawn from the PTC Working Group, developed a template that can be used to format the documents that must be submitted. FRA, however, wishes to emphasize that the use of such a template is strictly voluntary, and encourages railroads to prepare and submit the documents in the structure most economical for the railroad. FRA does not believe it is necessary to require that the railroads expend their limited resources in reformatting documents when such an activity adds no real value. However, while the template may be a useful tool, in light of the various forms a PTCIP may be required to take and the type of system the railroad intends to implement, complete adherence to the template will not guarantee FRA approval of the submitted PTCIP.
FRA expects each PTCIP to include various highly specific and descriptive elements relating to each railroad's infrastructure and operations. FRA recognizes manual assembly of each piece of data into a PTCIP may be exceptionally onerous and time consuming and may make the PTCIP prone to errors. In light of the foregoing, and due to the statutory requirement that Congress be apprised on the progress of the railroad carriers in implementing their PTC systems, FRA believes that electronic submission of much of this information may be warranted and preferred. To facilitate collection of this data, FRA will accept the submission of this data in electronic format.
FRA believes that the preferred, least costly, and least error-prone method to comply with this section is for railroads to submit an electronic geographic digital system map containing the aforementioned segment attribute information in shapefile format, which is a data format structure compatible with most Geographic Information System (GIS) software packages. Using GIS provides an efficient means for organizing basic transportation-related geographic data to facilitate the input, analysis, and display of transport networks. Railways around the world rely on GIS to manage key information for rail operations, maintenance, asset management, and decision support systems. FRA believes that the railroads may have already identified track segments, and their physical and operational characteristics, in shapefile format. Accordingly, each shapefile document must provide the following identifiable information for each track segment: Owning railroad(s); distance; signal system; track class; subdivision; number and location of sidings; maximum allowable speed; number and location of mainline tracks; annual volume of gross tonnage; annual number of cars carrying hazmat; annual number of cars carrying PIH; passenger traffic volume; average daily through trains; WIUs; switches; and at-grade rail-to-rail crossings.
Paragraph (a) cites the minimum requirements that must be addressed in the PTCIP. However, given the wide diversity of railroads and their operating environments, FRA recognizes that additional factors may arise that reflect the unique operational characteristics of a particular railroad. It is beholden to each railroad to carefully analyze the Start Printed Page 2643circumstances associated with its operations and address any of these elements that may affect implementation planning. During its review of a PTCIP, FRA will carefully evaluate the plan to determine if the submitting railroad(s) have indeed addressed unique railroad issues. FRA wishes to make clear that in those situations, where additional factors that are unique to a railroad have not been addressed, FRA will return the PTCIP unapproved.
Paragraph (a)(1) requires that the railroad describe the functional requirements that the technology will employ in its PTC system. Here, FRA broadly defines the term “technology” to include all applicable tools, machines, methods, and techniques.
Paragraph (a)(2) requires that the railroad describe how it will address fulfilling the requirements associated with the submittal of an NPI (see 49 CFR 236.1009(c)) temporarily in lieu of a PTCDP and the requirements associated with a PTCSP (see 49 CFR 236.1009(d)).
In RSIA08, § 20157(a)(2) requires that a railroad describe how it will “provide for interoperability of the system with movements of trains of other railroad carriers over its lines.”
Practically speaking, this means that each locomotive operating within PTC territory must be able to communicate with, and respond to, the PTC systems installed on each PTC territory's track and signal system, except in those limited situations established elsewhere in this final rule. For this reason, paragraph (a)(3) requires that the PTCIP describe how the PTC system will provide for interoperability of the system between the host and all tenant railroads on the lines required to be equipped with PTC systems under this subpart.
Interoperability means the ability of diverse systems and organizations to work together (inter-operate), taking into account the technical, operational, and organizational factors that may impact system-to-system performance. FRA expects each PTC system required by subpart I to exhibit syntactic interoperability—so that it may successfully communicate and exchange data with other PTC systems—and semantic interoperability—so that it may automatically, accurately, and meaningfully interpret the exchanged information to prove useful to the end user of each communicating PTC system. To achieve semantic interoperability, both sides must defer to a common information exchange reference model. In other words, the content of the information sent must be the same as what is received and understood. Taking syntactic and semantic interoperability together, FRA expects each PTC system to provide services to, and accept services from, other PTC systems and to use those services exchanged to enable the PTC systems to operate effectively together and to provide the intended results. The degree of interoperability should be defined in the PTCIP when referring to specific cases.
Interoperability is achieved through four interrelated means: Product testing, industry and community partnership, common technology and intellectual property, and standard implementation.
Product testing includes conformance testing and product comparison. Conformance testing ensures that the product complies with an appropriate standard. FRA recognizes that certain standards attempt to create a framework that would result in the development of the same end product. However, many standards apply only to core elements and allow developers to enhance or otherwise modify products as long as they adhere to those core elements. Thus, if an end product is developed in different ways to conform to the same standard, there may still be discrepancies between each instantiation of the end product due to the existence of variables outside of the core elements. Accordingly, FRA believes that comparison testing must also occur to ensure that each instantiation of the same product, regardless of the means upon which it is created to meet the same standard, is ultimately identical. In regards to PTC systems, such comparison testing must occur on all portions that relate to each system's interoperability with other systems. Thus, it is also important that the PTC system be formally tested in a production scenario—as they will be finally implemented—to ensure that it will actually intercommunicate and interoperate with other PTC systems as advertised and intended.
To reach interoperability between the various applicable PTC systems, each PTCDP must also show that the systems share common product engineering. Product engineering refers to the common standard, or a sub-profile thereof, as defined by the industry and community partnerships, specifically intended to achieve interoperability. Without common product engineering, the systems will be unable to intercommunicate or otherwise interact as necessary to comply with the proposed rule.
FRA expects that each interoperability standard for PTC systems will be developed by a partnership between various industry participants. Industry and community partnerships, either domestic or international, usually sponsor standard workgroups to define a common standard to provide system intercommunications for a specific purpose. At times, an industry or community will sub-profile an existing standard produced by another organization to reduce options and thus making interoperability more achievable. Thus, in each PTCDP, the railroad must discuss how it developed or adopted a standard commonly accepted by that partnership.
In the proposed rule, FRA noted that means of achieving interoperability include having the various entities involved using the same PTC system product or obtaining its components from the same developer. In its comments, NICTD expressed its belief that this conclusion does not meet RSIA08's interoperability requirements. According to NICTD, while the freight railroads are free to choose their own supplier, their essential monopoly power has the potential to force commuter railroads to use the same supplier and thereby prevent commuter railroads from meeting the requirement to use open competitive bids from multiple suppliers for a system. Since the quantity of units required from the commuter railroads is substantially less than those required for the freight railroads, NICTD asserts this greatly reduces the ability of the commuter railroads to obtain system components that meet their specific operating needs, as the single supplier will not have the resources available to support those needs. NICTD also believes that this is in direct contrast with the FRA statement relating to performance standards: “FRA intends the proposed rule to accelerate the promotion of, and not hinder, cost effective technological innovation by encouraging an efficient utilization of resources, an increased level of competition, and more innovative user applications and technological developments.”
Safetran also believes that each railroad should be free to choose a supplier. According to Safetran, the freight railroads through their implementation and development plans could specify a specific product or supplier preventing other railroads from using open competitive bids from multiple suppliers for a system and achieving the cost savings of competitive bidding. Safetran urges FRA to accept PTCIPs and PTCDPs that require public disclosure of all information needed to enable development of PTC components from multiple suppliers. This does not require disclosure of proprietary Start Printed Page 2644information, but does require disclosure of interface specifications as well as required functional attributes, assigned safety attributes and stimulus/response attributes.
While FRA does not necessarily require this approach—since the agency seeks to maintain an open and competitive marketplace—FRA believes that this is a suitable means to achieve interoperability. This technique may provide similar technical results when using PTC system products from different vendors or suppliers relying on the same intellectual property. FRA recognizes that certain developers with an intellectual property interest in a particular technology may provide a non-exclusive license of its intellectual property to another entity so that the licensee may introduce into the marketplace a substantially similar product reliant on that intellectual property. In such a case, FRA foresees that the use of a common PTC system technology—even if it is proprietary to a single or multiple entities and licensed to railroads—could reduce the variability between components, thus providing for a more efficient means to achieve interoperability.
In order for interoperability to actually occur between multiple entities' PTC systems, there must be some standard to which they all adhere. Thus, FRA also expects that each PTCDP will provide assurances of a common interoperability standard agreed to between all entities using PTC systems that must interoperate.
Since each of these interrelated means has an important role in reducing variability in intercommunication, each railroad's PTCIP must clearly describe the elements required under paragraph (a)(1)-(3).
During review of the NPRM, AAR noted paragraph (a)(3)(i) had not been updated to reflect an RSAC agreement. FRA agrees and has revised paragraph (a)(3)(i) to include the language: “include relevant provisions of agreements, executed by all applicable railroads, in place to achieve interoperability.”
Much of the remaining information required in a PTCIP under this final rule relies on the location, length, and characteristics of each track segment. Therefore, a common understanding of a track segment is necessary. A track is the main designation for describing a physical linear portion of the network. Each line of railroad has a station location referencing system, which serves to locate inventory features and defects along the length of the track. Because some tracks can be very long, track or line segments are established to divide the track into smaller “management units.” Typically, segment's boundaries are established at point of switch (POS) locations, but may also be located at mile markers, grade crossings, or other readily identifiable locations. Inspection, condition assessment, and maintenance planning is performed individually on each segment. After the track network hierarchy is established, the attribute information associated with each track is defined. This attribute information describes the track layout (e.g., curves and grades), the track structure (e.g., rail weights and tie specifications), track clearance issues, and other track related items such as turnouts, rail-to-rail at-grade crossings, highway-rail grade crossings, drainage culverts, and bridges. Inventory information about these track attributes can be quite detailed. The benefits of a complete and accurate track inventory provides a record of the track network's properties and information about the existing track materials at the specific locations when maintenance or repair is necessary.
Paragraphs (a)(4) and (a)(5) require the railroad to put its entire implementation plan into an understandable context, primarily as it relates to the sequence and schedule of track segment implementation events. Under RSIA08, 49 U.S.C. 20157(a)(2), Congress requires each subject railroad to describe in its PTCIP how it shall, to the extent practical, implement the PTC system in a manner that addresses areas of greater risk before areas of lesser risk. Accordingly, under paragraph (a)(4), the PTCIP must discuss the railroad's areas of risk and the criteria by which these risks were evaluated and prioritized for PTC system implementation. To this end, the railroad must clearly identify all track segments that must be equipped, the basis for that decision for each segment (which might be done by categories of segments), and, as provided in paragraph (a)(5), the dates that implementation of each segment will be completed, taking into account the time necessary to fulfill the procedural requirements related to PTCSP submission, review, and approval. At a minimum, the deployment decisions must be based on segment traffic characteristics such as passenger and freight traffic volumes, the quantity of PIH and other hazardous materials, current methods of operations, existence of block signals and other traditional train control technologies, the number and class of tracks, authorized and allowable speeds for each segment, and other unusual characteristics that may adversely impact safety, such as unusual ruling grades and other track geometries. In cases where deployment of the PTC system cannot be accomplished in order of areas with the greatest risk to areas with the least risk, paragraph (a)(9) requires that the railroad explain why such a deployment was not practical and the steps that will be taken to minimize adverse consequences to the public until the track segment can be equipped.
Paragraphs (a)(6) and (a)(7) require the PTCIP to include information regarding the rolling stock and wayside devices that will be equipped with the appropriate PTC technology. For a PTC system to work as intended, PTC system components must be installed and operated in all applicable offices and on all applicable onboard and wayside subsystems. Accordingly, the PTCIP must identify which technologies will be installed on each subsystem and when they are scheduled to be installed.
Under paragraph (a)(6), each host railroad filing the PTCIP must include a comprehensive list of all rolling stock upon which a PTC onboard apparatus must be operative. FRA understands that, in most situations, the rolling stock referenced in paragraph (a)(6) may only apply to controlling locomotives. However, in the interest of not hindering creative technological innovations, FRA presumes the possibility that PTC system technology may also be attached to additional rolling stock to provide other functions, including determining train capacity and length or providing certain acceptable and novel train controls. To be kept apprised of these possibilities, FRA is requiring in paragraph (a)(6) that each PTCIP include a list of all rolling stock equipped with PTC technology. FRA believes that the PTCIP should also identify any risks associated with trains operated by tenant railroads and not equipped with PTC system technology and the efforts that the host railroad has made to establish the extent of that risk. FRA understands that a host railroad may not receive cooperation from a tenant railroad in collecting the necessary rolling stock information. Nevertheless, FRA expects each host railroad to make a good faith effort. Identification of those tenant railroads from whom the host railroad attempted to obtain the requisite and applicable information from, but failed to address a host railroad's written request, may establish a good faith effort by the host railroad.
One railroad has requested that FRA eliminate the requirement for a power (locomotive) equipage plan in the PTCIP to avoid the need for updates to the Start Printed Page 2645PTCIP. Instead of requiring such a plan, the railroad recommends that FRA rely on railroad scheduling and good faith effort to drive installations during the period 2012 through 2015. FRA carefully considered this proposal, but has rejected it. Without an understanding of what portion of the locomotive fleet has been equipped and what portion remains to be equipped, FRA cannot accurately assess the extent to which PTC could be used in revenue service. FRA is required to make regular reports to Congress on the status of industry compliance and the operational capability of existing PTC systems. Since PTC is an integrated system, which requires both wayside and onboard equipment to be installed and operational, evaluation of the state of system deployment requires knowledge of the state of both subsystems.
Furthermore, the elimination of the equipage plan does not appear to provide any significant advantages to the railroad. Regardless of whether the railroad is required to maintain an equipage schedule for the PTCIP, or rely on railroad scheduling and good faith efforts, the railroad will still need to maintain some type of schedule to ensure the completion of required PTC installations by 2015. FRA believes that formalizing the schedule provides a planning tool that should facilitate completion of the installation process. If the equipage plan were unalterable, FRA could understand the railroad's concerns about being locked into an unrealistic and unobtainable schedule. However, FRA believes these concerns are unfounded because any plan in the PTCIP, including the equipage plan, can be adjusted to reflect changing circumstances.
Paragraph (a)(7) requires the railroad to provide the number of wayside devices required for each track segment in its PTCIP and an installation schedule for the completion of wayside equipment installation by December 31, 2015. The selection and identification of a technology discussed in the PTCIP will also, to a great extent, determine the distribution of the functional behaviors of each of the PTC subsystems (e.g., office, wayside, communications, and back office). The WIU is a type of remote terminal unit (RTU) that is part of a larger PTC system, which is a type of SCADA. As a whole, the safe and efficient operation of a SCADA—a centralized system that covers large areas, monitors and control systems, and passes status information from, and operational commands to, RTUs—is largely dependent on the ability of each of its RTUs to accurately receive and distribute the required information. As such, a PTC system cannot properly operate without properly functioning WIUs to provide and receive status information and react appropriately to control information.
It is commonly understood that a WIU device is capable of communicating directly to the office, train, or other wayside unit. FRA recognizes that there may not be the same number of WIUs and devices that they monitor. Depending on the architecture and technology used, a single WIU may communicate the necessary information as it relates to multiple devices. FRA is comfortable with this type of consolidation provided that, in the event of a failure of any one of the devices being monitored, the most restrictive condition will be transmitted to the train or office, except where the system may uniquely identify the failed device in a manner that will provide safe movement of the train when it reaches the subject location.
Because of the critical role that WIU's play in the proper and safe operation of PTC systems, paragraph (a)(7) requires that the railroad identify the number of WIU's required to be installed on any given track segment and the schedule for installing the WIU's associated with that segment. This information is necessary to fully and meaningfully fulfill the RSIA08 requirement that by December 31, 2012, Congress shall receive a report on the progress of the railroad carriers in implementing PTC systems. See 49 U.S.C. 20157(d). To comply with this statutory requirement, each railroad must determine the number of WIUs it will need to procure and the location—as defined by the applicable subdivision—where each WIU will be installed. FRA believes that, if a railroad does not perform these traditional engineering tasks, it will risk exceeding the statutory implementation deadline of December 31, 2015. FRA considers this information an integral part of the PTCIP that must be submitted to FRA for approval.
NYSMTA asserts that the requirement in paragraph (a)(7) to include the quantities of devices for each track segment in the PTCIP requires prior completion of the full design of the PTC system. However, NYSMTA asserts that it is not feasible to complete all of the survey and design necessary to meet this requirement by April 2010. Therefore, NYSMTA suggested that the requirement be reworded to read as follows: “Identification of each PTC subsystem and major assembly, and an estimated number of each required for each line segment.”
FRA recognizes the potential for technological improvements that may modify the number and types of WIUs required. FRA also recognizes that during testing and installation, it may be discovered that additional WIU installations may be necessary. In either case, the railroad will be required to submit an RFA in accordance with § 236.1021 indicating how the railroad intends to appropriately revise its schedule to reflect the resulting necessary changes. Nevertheless, regardless of whether FRA approves or disapproves the RFA, if a railroad is required to submit its PTCIP by April 16, 2010, implementation must still be completed by the statutory deadline of December 31, 2015.
One railroad recommended that paragraph (a)(7) should be revised to require railroads to identify each PTC subsystem and assembly and the estimated number of each subsystem required for each track segment. However, FRA does not believe that this change is required. First, FRA believes that the discussion of WIU requirements in paragraph (a)(7) is already generalized and implementation independent. Second, this final rule already provides for corrections in inventory count by submission of an RFA with the revised count. Therefore, FRA has not adopted this recommendation.
Under paragraph (a)(8), each railroad must also identify in its PTCIP which of its track segments are either main line or not main line. This list must be made based solely on the statutory and regulatory definitions regardless of whether FRA may later deem a track segment as other than main line. If a railroad has a main line that it believes should be considered not main line, it may file with the PTCIP a main line track exception addendum (MTEA) in accordance with § 236.1019, as further discussed below. Each track segment included in the MTEA should be indicated on the list required under paragraph (a)(8), so that the PTCIP accounts for each track segment with an appropriate cross-reference to the subject MTEA.
Paragraph (a)(9) requires that the plan call out the basis for a railroad's determination that risk-based prioritization required by paragraph (a)(4) of this section is not practical. FRA recognizes that there may be situations where risk is somewhat evenly distributed and where other factors related to practical considerations—such as the need to establish reliable operation of the system in less complex environments before installation in more complex Start Printed Page 2646environments—may be the prudent course. However, the burden of establishing the reasonableness of this approach would be on the railroad, starting with a showing that risk does not vary substantially among the track segments in question.
As mentioned elsewhere in this document, various railroads incorrectly asserted that they would not have to “turn on” their respective PTC systems until December 31, 2015. FRA recognizes that, although an approved PTCIP will include a progressive roll-out schedule, a PTC system cannot be operated in revenue service until it receives PTC System Certification. To avoid the possibility of a delayed plan submission that would frustrate the schedule, FRA has added paragraph (a)(10), which requires the railroad(s) to set its own due dates for such submissions. The ultimate due date, of course, is subject to FRA's approval of the PTCIP.
Paragraph (b) of § 236.1011 contains provisions related to further PTC deployment by the Class I railroads. As noted in the NPRM, the specific characteristics of the PTC route structure, with the focus on PIH traffic as an indicator of risk, was a late addition to the bill that would become RSIA08, not having appeared in either the House or Senate bills until the final package was assembled using consultations between the committee staffs in lieu of a formal committee of conference. Although the statutory construct (Class I rail line with 5 million gross tons and some PIH materials) adequately defines most of the core of the national freight rail system, it is a construct that will introduce distortions at both ends of the spectrum of risk.
On one hand, a line with a maximum speed limit of 25 miles per hour ending at a grain elevator that receives a few cars of anhydrous ammonia per year is a “main line” if it has at least 5 million gross tons of traffic (a very low threshold for a Class I railroad). This is not a line without risk, particularly if it lacks wayside signals, but FRA analysis shows that the potential for a catastrophic release from a pressure tank car is very low at an operating speed of 25 miles per hour, and the low tonnage is likely associated with relatively infrequent train movements—limiting the chance of a collision.
On the other end of the spectrum, lines with greater risk may go unaddressed. For instance, a line carrying perhaps a much higher level of train traffic and significant volumes of other hazardous materials at higher speeds, without any PIH or passenger traffic, would not be equipped. This example is not likely to be present to any significant extent under current conditions. However, should the Class I railroads raise freight rates making rail transportation prohibitively expensive and accordingly eliminating PIH traffic, the issue would be presented as a substantial one. Most of the transportation risk—including hazards to train crews and roadway workers and exposure to other hazardous materials if released—would remain, but not the few carloads of PIH. FRA believes that the intent of Congress with respect to deployment of PTC might be defeated, even though the minimum requirements related to passenger and PIH traffic would be satisfied. Other lines carrying very heavy volumes of bulk commodities such as coal and intermodal traffic may or may not include PIH traffic. Putting aside the risk associated with PIH materials, significant risk exists to train crews and persons in the immediate vicinity of the right-of-way if a collision or other PTC-preventable accident occurs. Any place on the national rail system is a potential roadway work zone, but special challenges are presented in providing for on-track safety where train movements are very frequent or operations are conducted on adjacent tracks.
Risk on the larger Class II and III railroads' lines is also a matter of concern, and the presence of significant numbers of Class I railroad trains on some of those properties presents the opportunity for further risk reduction, since over the coming years virtually all Class I railroad locomotives will be equipped with PTC onboard apparatus'. Examples include trackage and haulage rights retained over Class II and III railroads following asset sales in which the Class I railroads divested the subject lines. Other prominent examples involve switching and terminal railroads, the largest of which are owned and controlled by two or more Class I railroads and function, in effect, as extensions of their systems. Conrail Shared Assets, a large regional switching railroad that is owned by NS and CSXT and is comprised of major segments of the former Conrail, then a Class I railroad, is perhaps the classic example.
FRA notes that there has also been a trend, only recently and temporarily abated by the downturn in the economy, toward higher train counts on some non-signaled lines of the Class I railroads. On a train-mile basis, these operations present about twice the risk as similar operations on signalized lines. These safety gaps need to be filled; and, while most will be filled due to the presence of PIH traffic, FRA cannot verify that this is the case in every instance.
FRA concludes that the mandated deployment of PTC will leave some substantial gaps in the Class I route structure, including gaps in some major urban areas. FRA believes that these gaps will, over time, be “filled in” by voluntary actions of the Class I railroads as they establish the reliability of their PTC systems, verify effective interoperability, and begin to enjoy the safety and other business benefits from use of these systems. FRA fully understands both the desire of the labor stakeholders in the PTC Working Group to see a broader build-out of PTC systems than that “minimally” required by RSIA08 and the concerns of the Class I railroads' representatives who noted the extreme challenge associated with equipping tends of thousands of wayside units, some 20,000 locomotives, and their dispatching centers' back offices within the statutory implementation period.
The Congress recognized that all of these issues are legitimate concerns and so mandated the establishment of Risk Reduction Programs under the same legislation. Section 103 of RSIA08 specifically requires, within the Risk Reduction Program, a Technology Implementation Plan to address technology alternatives, including PTC. Accordingly, the PTC and Risk Reduction provisions in RSIA08 are clearly aligned in purpose; and there are also references in the technology plan elements of the Risk Reduction language that address installation of PTC by other railroads. Further, FRA has been charged with a separate rulemaking under section 406 of RSIA08 regarding risk in non-signaled (dark) territory that significantly overlaps the issue set in this rulemaking and the Risk Reduction section. Use of technologies that are integral to PTC systems constitute the best response to hazards associated with non-signaled lines. Switch position monitoring systems, track integrity circuits, digital data links and other technology used to address dark territory issues should be and, as presently conceived, are forward-compatible with PTC. In paragraph (b), FRA intends to dovetail these requirements by requiring that each Class I railroad include in its PTCIP deployment strategies indicating how it will approach the further build-out of full PTC, or partial implementation of PTC (e.g., using PTC technology to prevent train-to-train collisions but perhaps not monitoring all switches in the territory; or using PTC to protect movements of the Class I over a Start Printed Page 2647switching or terminal railroad without initially requiring all controlling locomotives of the switching or terminal railroad to be equipped). These railroads would then be required to include in the technology elements of their initial Risk Reduction plans a specification of which lines will be equipped and with what PTC system elements. Paragraph (b) makes clear that there would be no expectation regarding additional lines being equipped until those mandated by subpart I have been addressed. FRA shares the view of the Class I railroads and the passenger railroads that the December 31, 2015, deadline already presents a substantial challenge for railroads, suppliers, and the employees affected.
One railroad objected to the requirement to describe the strategy and plan for complete build out and characterized it as premature, unwarranted, and inconsistent with the RSIA08. FRA strongly disagrees for the reasons previously set forth and has retained the requirement specified in paragraph (b).
Paragraph (c) codifies in regulation the statutory mandate that FRA review the PTCIP and determine, within 90 days upon receipt of the plan, whether to provide its approval or disapproval. FRA believes that it is also important to provide procedural rules to communicate approval or disapproval. Thus, under paragraph (c), any approval or disapproval of a PTCIP by FRA will be communicated by written notice. In the event that FRA disapproves of the PTCIP, the notice will also include a narrative explaining the reasons for disapproval. Once the railroad receives notification that its PTCIP has been disapproved by FRA, it will have 30 days to resubmit its PTCIP for review and approval. While FRA may provide assistance to remedy a faulty PTCIP, it is ultimately the railroad's responsibility and burden to develop and submit a PTCIP worthy of FRA approval. FRA understands the railroads' desire to extend the period of time for corrections of any issues in the PTCIP, especially in circumstances that the railroad believes are out of its control. However, the 30-day period is a statutory requirement. FRA has little leeway in this regard. FRA will try to work, within the limits of available FRA resources, with railroads in reviewing draft versions of the PTCIP before April 16, 2010. Early identification of potential issues should reduce, and possibly eliminate, rework that a railroad might need to address during the 30-day correction period. However, regardless of any early FRA participation in the document review cycle, the railroad is expected to submit a plan that requires little to no rework.
A number of comments were submitted objecting to the potential assessment of civil penalties based on a railroad's failure to timely file a PTCIP. While FRA is unwilling to revise its position on this issue, FRA will exercise prosecutorial discretion in the assessment of civil penalties.
APTA submitted comments suggesting that the language in paragraph (c) of this section be amended to allow at least 90 days—the time allotted for FRA plan review—for railroads to correct deficiencies and re-submit their plans. In a similar vein, NYSMTA submitted comments asserting that the amount of time allotted to correct deficiencies should be based on to the extent of the needed correction. On the other hand, NYSMTA proposed that penalties could be involved if railroads submit plans deemed to be superfluous. Again, the law requires that both the railroads and FRA work quickly to get plans in place. As the entity at the receiving end of multiple filings, FRA will no doubt have every reason to handle these matters with a spirit of cooperation where best efforts have been made to fulfill the statutory requirements.
As noted previously, subpart I applies to each railroad that has been mandated by Congress and FRA to install a PTC system. A railroad that is not required to install a PTC system may still do so under its own volition. In such a case, it may either seek approval of its system under either subpart H or I. Paragraph (d) intends to make this choice clear.
Paragraph (e) responds to comments by labor organizations in the PTC Working Group. These employee representatives sought the opportunity to comment on major PTC filings. Paragraph (e) provides that, upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA will post on its public Web site notice of receipt and reference to the public docket in which a copy of the filing has been placed. FRA may consider any public comment on these documents to the extent practicable within the time allowed by law and without delaying implementation of PTC systems. The version of any filing initially placed in the public docket, for which confidential treatment has been requested in accordance with § 209.11, would be the redacted copy as filed by the railroad. If FRA later determined that additional material was not deserving of confidential treatment, that material would be subsequently added to the docket.
Paragraph (f) has been added to this section in the final rule to require railroads to maintain their most recent PTC deployment plans in their PTCIPs until all PTC system deployments required under the RSIA08 have been completed.
Section 236.1013 PTC Development Plan Content Requirements and Type Approval
As noted in the discussion above regarding § 236.1009, each PTCSP must be submitted with a Type Approval number identifying a PTC system that FRA believes could fulfill the requirements of subpart I. Under § 236.1009, a railroad may submit an existing Type Approval number in lieu of a PTCDP if the PTC system it intends to implement and operate is identical to the one described in that Type Approval's associated PTCDP. In the event, however, that a railroad intends to install a system for which a Type Approval number has not yet been assigned, or to use a system with an assigned Type Approval number that may have certain variances to its safety-critical functions, then the railroad must submit a PTCDP to obtain a new Type Approval number.
The PTCDP is the core document that provides the Associate Administrator sufficient information to determine whether the PTC system proposed for installation by the railroad could meet the statutory requirements for PTC systems specified by RSIA08 and the regulatory requirements under subpart I. Issuance of a system Type Approval number is contingent upon the approval of the PTCDP by the Associate Administrator. While filing of a PTCDP is optional in the sense that the railroad may proceed directly to submission of the PTCSP by the April 16, 2010, deadline (see § 236.1009), FRA encourages railroads engaged in joint operations to file a PTCDP. Approval of the PTCDP, and issuance of a Type Approval, presents the opportunity for other railroads to reduce the effort required to obtain a PTC System Certification. If a Type Approval for a PTC system exists, another railroad may also use that Type Approval provided there are no variances in the system as described in the Type Approval's PTCDP. In such cases, the other railroad may avoid submitting its own PTCDP by simply incorporating by reference the supporting information in the Type Approval's PTCDP and certifying that no variances in the PTC system have been made.
This section describes the contents of the PTCDP required to obtain FRA approval in the form of issuance of a Type Approval number. This section requires each PTCDP to include all the Start Printed Page 2648elements and practices listed in this section to provide reasonable assurance that the subject PTC system will meet the statutory requirements and are developed consistent with generally-accepted principles and risk-oriented proof of safety methods surrounding this technology. FRA believes that it is necessary to include the provisions contained in this section in order to provide reasonable assurance that the PTC system, when developed and deployed, will have no adverse impact on the safety of railroad employees, the public, and the movement of trains.
FRA recognizes that much of the information required by § 236.1013 normally resides with the PTC system's developer or supplier and not the client railroad. While FRA expects that each railroad and its PTC system supplier may jointly draft a PTCDP, the railroad has the primary responsibility for the safety of its operations and for submitting to FRA the information required under this section. Accordingly, each railroad required to submit a PTCDP under subpart I should make the necessary arrangements to ensure that the requisite information is readily available from the supplier for submission to the agency. FRA believes that suppliers and railroads will develop a PTCDP for most products that adequately address the requirements of the new subpart without substantial additional expense. As part of the design and evaluation process, it is essential to ensure that an adequate analysis of the features and capabilities is made to minimize the possibility of conflicts resulting from any use or feature, including a software fault. Since this analysis is a normal cost of software engineering development, FRA does not believe this requirement imposes any additional significant costs beyond what should already be done when developing safety-critical software.
The passenger and public commuter railroads who submitted comments expressed significant concern that the Class I railroads' choice of a single vendor or supplier for the onboard components of the PTC systems, coupled with the RSIA08 requirement for interoperability, creates a de-facto monopoly, with associated adverse impacts on costs and schedule. These commenters recommended that FRA take positive steps to ensure that sufficient information is made available to allow the railroads to source components from multiple vendors or suppliers. The suggested actions ranged from disapproving any PTCIP/PTCDP that is not based on open standards to expediting Interoperable Train Control (ITC) specification documentation.
FRA appreciates the concerns expressed regarding a de-facto monopoly and the possible adverse consequences on system deployments. FRA, however, must defer to the Departments of Justice and Commerce regarding issues of alleged monopolistic behavior.
In subparts H and I, FRA has encouraged the use of publicly available standards in the design, implementation, and testing of PTC systems. FRA does not mandate the use of any particular standard by a railroad, vendor, or supplier, but rather has adopted a policy of allowing the marketplace to decide what standard(s) should be used, provided the end result—a suitable safe product—is obtained. Specification of government standards is only appropriate where there has been a failure of the marketplace. It has not yet been established that such marketplace failure has occurred. Even if such a marketplace failure were deemed to have occurred, it is extremely unlikely that FRA would be able to complete the development of appropriate standards before current industry efforts with the ITC specifications are finalized and made publicly available. FRA understands the railroads' concerns and will monitor the situation.
FRA hastens to add that, since the publication of the NPRM, it has become clear that ITC standards may not be completed and validated prior to the end of 2010. FRA has requested that the ITC railroads accelerate this process in the interest of compliance with the law, and has added the Notice of Product Intent as a means of bridging to the point where standards are available. Looking forward to mid-2010, FRA will assess the situation with respect to delivery of open standards and their adoption by the AAR. Should it appear that a timely delivery will not be made, FRA reserves the right to take further regulatory action. That action could include a proposal for adoption of mandatory interoperability standards, likely in the form of existing American Railway Engineering and Maintenance Association standards that have already been developed through the leadership of the major international signal suppliers. FRA believes that such action should not be necessary and looks forward to the timely completion of ITC standards.
One vendor pointed out that a significant portion of the work associated with PTC system is commercially sensitive. FRA is committed to appropriate protection of both railroad and vendor intellectual property. Its development is recognized as representing the expenditure of significant resources by the vendor, the railroad, or both. However, interoperability requirements between railroads require some disclosure of information between railroads and vendors or suppliers. This should not require disclosure of proprietary information, but does require disclosure of interface specifications, as well as required functional attributes, assigned safety attributes and stimulus/response attributes. FRA believes such disclosure of the latter is in the best interest of the railroad, vendor, and supplier communities and strongly encourages the free exchange of this information.
In §§ 236.1013 and 236.1015, various adjectives precede several of the requirements. For instance, certain paragraphs require “a complete description,” “a detailed description,” or simply a “description.” These phrases are inherited from subpart H of this part. Their inclusion in subpart I are similarly not to imply that any description should be more or less detailed or complete than any other description required. By contrast, they are included merely for the purposes of emphasis.
Paragraph (a)(1) requires that the PTCDP include system specifications that describe the overall product and identify each component and its physical relationship in the system. FRA will not dictate specific product architectures, but will examine each PTC system to fully understand how its various parts interrelate. Safety-critical functions in particular will be reviewed to determine whether they are designed to be fail-safe. FRA would like to emphasize that the PTCDP information provided in accordance with the requirements of this paragraph should be as railroad independent as possible. This will allow the product's PTCDP, and any associated Type Approval, to be shared by multiple railroads to the maximum extent possible. FRA believes that the PTCDP information provided in accordance with this provision will play an important role in FRA's determination as to whether safety will be maximized and if regulatory compliance of the system is obtainable.
Paragraph (a)(2) requires a description of the operation where the product will be used. Upon receipt of this information within a PTCDP, FRA will have better contextual knowledge of the product as it applies to the type of operation on which it is designed to be used. Where operational behaviors are not applicable to a particular railroad, or the product design is not intended to address a particular operational behavior, FRA would expect a short Start Printed Page 2649statement indicating which operational characteristics do not apply and why they are not applicable.
Paragraph (a)(3) requires that the PTCDP include a concept of operations, a list of the product's functional characteristics, and a description explaining how various components within the system are controlled. FRA expects that the information provided under paragraphs (a)(2) and (a)(3) will together provide a thorough understanding of the PTC system. FRA will review this information—primarily by comparing the subject PTC system's functionalities with those underlying principles contained in standards for existing signal and train control systems—to determine whether the PTC system is designed to account for all relevant safety issues. While FRA does not intend to prescribe PTC system design standards, FRA does expect that each applicant will compare the concepts contained in existing standards to the operational concepts, functionalities, and controls contemplated for the PTC system in order to determine whether a sufficient level of safety will be achieved. For example, existing requirements prescribe that where a track relay is de-energized, a switch or derail is improperly lined, a rail is removed, or a control circuit is opened, each signal governing movements into the subject block occupied by a train, locomotive, or car must display its most restrictive aspect for the safety of train operations. The principle behind the requirement is that, when a condition exists in the operating environment, or with respect to the functioning of the system, that entails a potential hazard, the system will assume its most restrictive state to protect the safety of train operations.
Paragraph (a)(4) requires that each PTCDP include a document that identifies and describes each safety-critical function of the subject PTC system. The product architecture includes both hardware and software aspects that identify the protection developed against random hardware faults and systematic errors. Further, the document should identify the extent to which the architecture is fault tolerant. FRA intends to use this information to determine whether appropriate safety concepts have been incorporated into the proposed PTC system. For example, existing regulations require that when a route has been cleared for a train movement, it cannot be changed until the governing signal has been caused to display its most restrictive indication and a predetermined time interval has expired, in those scenarios where time locking is used or where a train is in approach to the location where approach locking is used. FRA intends to use this information to determine whether all the safety-critical functions have been included. Where such functionalities are not clearly determined to exist as a result of technology development, FRA will expect the reasoning to be stated and a justification provided describing how that technology provides the required level of safety. Where FRA identifies a void in safety-critical functions, FRA may not approve the PTCDP until remedial action is taken to rectify the concern.
FRA recognizes that the information required under paragraph (a)(4) may have already been provided pursuant to paragraph (a)(1). In such a case, the railroad shall cross reference where both paragraphs (a)(1) and (a)(4) have been jointly satisfied in the PTCDP.
Paragraph (a)(4) requires that each PTCDP address the minimum requirements under § 236.1005 for development of safety-critical PTC systems. FRA expects the information provided under paragraph (a)(4) to cover: identification of all safety requirements that govern the operation of a system; evaluation of the total system to identify known or potential safety hazards that may arise over the life-cycle of the system; identification of all safety issues during the design phase of the process; elimination or reduction of the risks posed by the hazards identified; resolution of safety issues presented; development of a process to track progress; and development of a program of testing and analysis to demonstrate that safety requirements are met.
FRA has considered the railroads' concerns, and agrees that the selection of the safety assurance concepts that any particular railroad may impose on its vendor or supplier might possibly differ, based on the railroad's operational philosophy and tolerance for risk. Accordingly, FRA removed proposed paragraph (a)(5) from the final rule as an element of the PTCDP, and has made the requirement to describe the safety assurance concepts an element of the PTCSP (see § 236.1015(d)(2)).
Paragraph (a)(5) requires a submission of a preliminary human factors analysis that addresses each applicable human-machine interface (HMI) and all proposed product functions to be performed by humans to enhance or preserve safety. FRA expects this analysis to place special emphasis on proposed human factors responses—and the result of any failure to perform such a response—to safety-critical hazards, including the consequences of human failure to perform. For each HMI, the PTCDP should address the proposed basis of assumptions used for selecting each such interface, its potential effect upon safety, and all potential hazards associated with each interface. Where more than one employee is expected to perform duties dependent upon HMI input or output, the analysis must address the consequences of failure by one or multiple employees. FRA intends to use this information to determine the proposed HMI's effect upon the safety of railroad operations. The preliminary human factors analysis must propose how the railroad or its PTC system supplier plans to address the HMI criteria listed in Appendix E to this part or any alternatives proposed by the railroad and deemed acceptable by the Associate Administrator. The design criteria for Appendix E were first developed and subsequently adopted by FRA as an element of subpart H of this part. As the criteria in Appendix E are generally technology neutral, FRA has adopted them with minor changes, for use with both subpart H of this part and these proceedings.
Paragraph (a)(5) also requires that the PTCDP explain how the proposed HMI will affect interoperability. RSIA08 requires that each subject railroad explain how it intends to obtain system interoperability. The ability of a train crew member to operate another railroad's PTC system significantly depends upon a commonly understood HMI. The HMI provides the end user with a method of interacting with the underlying system and accessing the PTC functionality. FRA expects that each railroad will adopt an HMI standard that will ensure ease of use of the PTC system both within, and between, railroads.
Paragraph (a)(6) requires an analysis regarding how subparts A through G of part 236 apply, or no longer apply, to the subject PTC system. FRA recognizes that, while a PTC system may be designed in accordance with the underlying safety concepts of subparts A through G, the specific existing requirements contained in those subparts are not necessarily applicable. In any event, the PTCDP must identify each pertinent requirement considered to be inapplicable, fully describe the alternative method used to fulfill that underlying safety concept, and explain how the proposed PTC system supports the underlying safety principle. FRA notes that certain sections in subparts A though G of this part may always be applicable to PTC systems certified under subpart I.
FRA is concerned about all dimensions of system security. Thus, Start Printed Page 2650paragraph (a)(7) requires the PTCDP to include a description of the security measures necessary to meet the specifications for each PTC system and the prioritized restoration and mitigation plan as required under § 236.1033. Security is an important element in the design and development of PTC systems and covers issues such as developing measures to prevent hackers from gaining access to software and to preclude sudden system shutdown, mechanisms to provide message integrity, and means to authenticate the communicating parties. Safety and security are two closely related topics. Both are elements for ensuring that a subject is protected and without risk of harm. In the industrial marketplace, the goals of safety and security are to create an environment protecting assets from hazards or harm. While activities to ensure safety usually relate to the possibility of accidental harm, activities to ensure security usually relate to protecting a subject from intentional malicious acts such as espionage, theft, or attack. Since system performance may be affected by either inadvertent or deliberate hazards or harms, the safety and security involved in the implementation and operation of a PTC system must both be considered.
Integrated security recognizes that optimum protection comes from three mutually supporting elements: Physical security measures, operational procedures, and procedural security measures. Today, the convergence of information and physical security is being driven by several powerful forces, including: interdependency, efficiency and organizational simplification, security awareness, regulations, directives, standards, and the evolving global communications infrastructure. Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media and guidance on how to design structures to resist various hostile acts. Communications security describes measures and controls taken to deny unauthorized persons information derived from telecommunications and ensure the authenticity of such telecommunications. Because of the integrated nature of security, FRA expects that each PTCDP will address security as a holistic concept, and not be restricted to limited or specific aspects.
Paragraph (a)(8) requires documentation of assumptions concerning reliability and availability targets of mechanical, electrical, and electronic components. When building a PTC system, designers may make numerous assumptions that will directly impact specific implementation decisions. These fundamental assumptions usually come in the form of data (e.g., facts collected as the result of experience, observation or experiment, or processes, or premises) that can be randomly sampled. FRA does not expect to audit all of the fundamental assumptions on which a PTC system has been developed. Instead, FRA envisions sampling and reviewing fundamental assumptions prior to product implementation and after operation for some time. FRA expects that the data sampled may vary, depending upon the PTC system. It is not possible to provide a single set of quantitative numbers applicable to all systems, especially when systems have yet to be designed and for which the fundamental assumptions are yet to be determined. Quantification is part of the risk management process for each project. FRA believes that the actual performance of the system observed during the pre-operational testing and post-implementation phases will provide indications of the validity of the fundamental assumptions. FRA requires that this review process occur for the life of the PTC system (i.e., as long as the product is kept in operation). The depth of details required will depend upon what FRA observes. The range of difference between a PTC system's predicted and actual performance may indicate to FRA the validity of the underlying fundamental assumptions. Generally, if the actual performance matches the predicted performance, FRA believes that it will not have to extensively review the fundamental assumptions. If the actual performance does not match predicted performance, FRA may need to more extensively review the fundamental assumptions.
FRA expects each subject railroad to confirm the validity of initial assumptions by comparing them to actual in-service data. FRA is aware that mechanical and electronic component failure rates and times to repair are easily quantified data, and usually are kept as part of the logistical tracking and maintenance management of a railroad. FRA believes that this criterion will enhance the quality of risk assessments conducted pursuant to this subpart by forcing PTC system designers and users to consider the long-term effects of operation over the course of the PTC system's projected life-cycle. If a PTC system can be used beyond its design life-cycle, FRA expects that any continued use would only occur pursuant to a waiver provided in accordance with 49 CFR part 211 or a PTCDP or PTCSP amended in accordance with § 236.1021. In its request for waiver or request for amendment, the railroad should address any new risks associated with the life-cycle extension.
Paragraph (a)(8) also requires specification of the target safety levels. This includes the identity of each potential hazard and how the events leading to a hazard will be identified for each safety-critical subsystem; the proposed safety integrity level of each safety-critical subsystem, and the proposed means that accomplishment of these targets will be evaluated. This paragraph also requires identification of the proposed backup methods of operation and safety-critical assumptions regarding availability of the product. FRA believes this information is essential for making determinations about the safety of a product and both the immediate and long-term effect of its failure. FRA contends that availability is directly related to safety to the extent the backup means of controlling operations involves greater risk (either inherently or because it is infrequently practiced).
Paragraph (a)(9) requires a complete description of how the PTC system will enforce all pertinent authorities and block signal, cab signal, or other signal related indications. FRA appreciates that not all PTC system architectures will seek to enforce the speed restrictions associated with intermediate signals directly, but nevertheless a clear description of these functions is necessary for clarity and evaluation.
Paragraph (a)(10) requires that, if the railroad is seeking to deviate from the requirements of section 236.1029 with respect to movement of trains with onboard equipment that has failed en route using the flexibility provided by paragraph (c) of that section, a justification must be provided in the PTCDP. As proposed, paragraph (c) of § 236.1029 provided that, in order for a PTC train that operates at a speed above 90 miles per hour to deviate from the operating limitations contained in paragraph (b) of that section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP, or by reference to an Order of Particular Applicability, as applicable. For instance, if Amtrak wished to continue to operate at up to 125 miles per hour with cab signals and automatic train control in the case of failure of onboard ACSES equipment, Amtrak would request to do so based on the applicable language of the Order of Particular Applicability that required installation of that system on portions of the Northeast Corridor. Similarly, a railroad wishing more liberal Start Printed Page 2651requirements for a high-speed rail system on a dedicated right-of-way could request that latitude by explaining how the safety of all affected train movements would be maintained. During the comment period and PTC Working Group discussion, Amtrak continued to press its case for greater flexibility, noting the long routes prevalent on its intercity network and the trip time penalty that could be incurred with failed equipment. Paragraph (a)(10) has been revised in the final rule to reflect the fact that the development plan would contain justification for any requested deviation from the requirements of § 236.1029, and that section has been further revised to permit the agency to receive and consider specific requests and supporting information regarding latitude such as that sought by Amtrak without regard to speed. Instead, paragraph (a)(10) requires the railroad to include a justification in its PTCDP, if the railroad is seeking to deviate from the requirements of § 236.1029 with respect to movement of trains with onboard equipment that has failed en route.
Paragraph (a)(11) requires a complete description of how the PTC system will appropriately and timely enforce all hazard detectors that are interconnected with the PTC system in accordance with § 236.1005(c)(3), as may be applicable.
Paragraph (b) specifies the approval standard that will be employed by the Associate Administrator. APTA asserted that the NPRM offered minimal guidance on the criteria FRA will use to accept or reject a system. Thus, APTA suggested that FRA should draft and vet criteria that accomplishes the basic purposes of PTC while allowing for innovation in meeting the performance requirements envisioned in the regulation.
The PTCDP is not expected to provide absolute assurance to the Associate Administrator that every potential hazard will be eliminated with complete certainty. It only needs to establish that the PTC system meets the appropriate statutory and regulatory requirements for a PTC system required under this subpart, and that there is a reasonable chance that once built, it will meet the required safety standards for its intended use. FRA emphasizes that approval of a PTCDP and issuance of a Type Approval does not constitute final approval to operate the product in revenue service. Such approval only comes when the Associate Administrator issues an applicable PTC System Certification.
Paragraph (c) establishes a time limit on the validity of a Type Approval. Provided that at least one product is certified within the 5 year period after issuance of the Type Approval, the Type Approval remains valid until final retirement of the system. The main purpose of this requirement is to incentivize installation, not just creation, of a PTC system. This paragraph would also allow FRA to periodically clean out its records relating to Type Approvals and PTCDPs for obsolete PTC systems.
Former paragraphs (d) and (e) in this section have been moved to § 236.1015 in the final rule. Therefore, former paragraph (f) has been redesignated as paragraph (d) in the final rule. Paragraph (d) discusses the Associate Administrator's ability to impose any conditions necessary to ensure the safety of the public, train crews, and train operations when approving the PTCDP and issuing a Type Approval. While FRA expects that adherence to the remainder of this section's requirements should justify issuance of a Type Approval, FRA also recognizes that there may be situations where other unaccounted for variables may reduce the Associate Administrator's confidence in the PTC system, its manufacturer, supplier, vendor, or operator.
The required contents of the NPI are specified in paragraph (e). As stated earlier, FRA expects submission of an NPI temporarily in lieu of a PTCDP only when the railroad is unable to obtain all of the information required for a PTCDP. This will enable railroads to submit a PTCIP on or before the statutory deadline of April 16, 2010. FRA believes that, given the various options available to the railroads, there are few, if any, valid reasons for not meeting the April 16, 2010, deadline for submission.
The elements that make up the NPI were carefully chosen to strike a balance between the ability of a railroad that is unable to complete a full PTCDP and FRA's need to fully understand the railroad's proposed system and the reasonableness of the PTCIP contents. FRA believes that the NPI information would be required to have been identified by the railroad in order to develop requests for proposal from the vendor or supplier community. Paragraph (e)(1) requires a description of the proposed operating environment. Paragraph (e)(2) requires a description of the concept of operations for any PTC system that will be procured by the railroad. Paragraph (e)(3) requires a description of the target safety levels that the railroad expects the PTC system to meet, while paragraphs (e)(4) and (e)(5) require an explanation of how the proposed system will integrate with the existing signal and train control system.
Section 236.1015 PTC Safety Plan Content Requirements and PTC System Certification
The PTCSP is the core document that provides the Associate Administrator the information necessary to certify that the as-built PTC system fulfills the required statutory PTC functions and is in compliance with the requirements of this subpart. Issuance of a PTC System Certification is contingent upon the approval of the PTCSP by the Associate Administrator. Under this final rule, the filing and approval of the PTCSP and issuance of a PTC System Certification is a mandatory prerequisite for PTC system operation in revenue service. Each PTCSP is unique to each railroad and must addresses railroad-specific implementation issues associated with the PTC system identified by the submitted Type Approval. Paragraph (a) provides language explaining these meanings and limits.
Paragraph (b), which reflects the contents of proposed paragraphs (d) and (e) in proposed § 236.1013, establishes the conditions under which a Type Approval may be used by another railroad. Paragraph (b)(1) requires the railroad to maintain a continually updated PTC Product Vendor List (PTCPVL) pursuant to § 236.1023 to enable the railroad and FRA to determine the appropriate vendor to contact in the unlikely event of a safety critical failure.
The safety critical nature of PTC systems imposes strict quality control requirements on the design and manufacturer of the system. While FRA believes that in the vast majority of cases, the vendor or supplier community from whom the railroads will procure PTC system components have established the appropriate quality control systems, there will be a very small minority who have not. Paragraph (b)(2) is intended to mitigate against any such occurrence, to ensure that PTC system components meet the same, uniformly high, standards. FRA is requiring that the railroad ensure that any vendor from whom they purchase PTC system or components has an acceptable quality assurance program for both design and manufacturing processes.
FRA has considered comments submitted by GE, in which GE suggested language to further clarify paragraph (b)(2) that the vendor quality control processes for PTC systems must include the process for the product supplier to promptly report any safety relevant failure and previously unidentified Start Printed Page 2652hazards to each railroad using the product. FRA believes that this suggested language clearly specifies the importance of this requirement to suppliers who may not already have the appropriate quality control processes in place. Accordingly, FRA has added the recommended language.
Paragraph (b)(3) requires the railroad to provide licensing information. The list should include all applicable vendors or suppliers. Through the requirements set forth in paragraph (b)(3), FRA intends to ensure implementation of the proper technology, as opposed to implementation of an orphan product that uses similar, yet different, technology. When a railroad submits a previously approved Type Approval for its PTC system, FRA expects that all the proper licensing agreements will provide for continued use and maintenance of the PTC system in place. To bolster FRA's confidence in this area, FRA will require each Type Approval submission to include the relevant licensing information. FRA recognizes that there may be various licensing arrangements available relating to the exclusivity and sublicensing of manufacturing or vending of a particular PTC system. There may be other intellectual property variables that may make arrangements even more complex. To adequately capture all applicable arrangements, FRA is requiring the submission of “licensing information.” A more specific request may preclude FRA's ability to collect information necessary to fulfill its intent. If any of this information were to change, either through any type of sale, transfer, or sublicense of any right or ownership, then FRA would expect the railroad to submit a request for amendment of its PTCDP in accordance with § 236.1021. FRA recognizes that this may be difficult for a railroad to accomplish, given the fact that the railroad may not be privy to any intellectual property transactions that may occur outside its control. In any event, FRA would expect that a railroad will ensure, either through contractual obligation or otherwise, that its vendor or supplier will provide it with updated licensing information on a continuing basis.
When filing a PTCSP, paragraph (c) requires each railroad to include the applicable and approved PTCDP or, if applicable, the FRA issued Type Approval. In addition, the railroad must describe any changes subsequently made to the PTC system that would require amendment of the PTCDP or assure FRA that the PTC system built is the same PTC system described in the PTCDP and PTCSP. Some elements of the PTCSP are the same elements as the PTCDP (and are described more fully in the section-by-section analysis of § 236.1013). If the railroad has already submitted, and FRA has already approved, the PTCDP, then attachment of the PTCDP to the PTCSP should fulfill this requirement.
FRA recognizes the possibility that between PTCIP or PTCDP approval, and prior to PTCSP submission, there may be changes to the former two documents. While such changes may only be made in accordance with § 236.1021, documentation of those changes may not be readily apparent to the reader of the PTCSP. Further, changes in the PTCIP may impact the contents of the PTCDP and vice versa. Accordingly, paragraph (c)(1) requires the railroad to submit the approved PTCDP (or Type Approval) with the corresponding PTCSP.
AAR asserted that the main purpose of the PTCIP is to document the deployment plan and that the PTCIP will be of little value once the implementation is complete. Accordingly, AAR asserts that there is no need to include the PTCIP when filing either a PTCDP or PTCSP. The AAR also asserted that since the PTCSP justifies that the PTC system was built in accordance with the PTCDP, submission of the PTCIP information should not be required.
FRA agrees with AAR that the main purpose of the PTCIP is to document the deployment plan and that the PTCIP will essentially become a historical document when the railroad has completed its PTC implementation. Therefore, until all PTC system installations have been completed, FRA will require the PTCIP to be kept current with the railroad's deployment plan. However, in response to the AAR's comments, FRA has revised paragraph (c) by removing the proposed requirement to submit the PTCIP with the PTCDP and PTCSP.
FRA expects that each PTCSP shall include a clear and complete description of any such changes by specifically and rigorously documenting each variance. Paragraph (c)(2) also requires that the PTCSP include an explanation of each variance's significance. To ensure that there are no other existing variances not documented in the PTCSP, the railroad must attest that there are no further variances. For the same reason, paragraph (c)(3) requires that, if there have been no changes to the plans or to the PTC system as intended, the railroad must attest that there are no such variances.
The additional required railroad specific elements are as follows:
Paragraph (d)(1) requires that the PTCSP include a hazard log comprehensively describing all hazards to be addressed during the life-cycle of the product, including maximum threshold limits for each hazard. For unidentified hazards, the threshold shall be exceeded at one occurrence. In other words, if the hazard has not been predicted, then any single occurrence of that hazard is unacceptable. The hazard log addresses safety-relevant hazards, or incidents or failures that affect the safety and risk assumptions of the PTC system. Safety relevant hazards include events such as false proceed signal indications and false restrictive signal indications. If false restrictive signal indications occur with any type of frequency, they could influence train crew members, roadway workers, dispatchers, or other users to develop an apathetic attitude towards complying with signal indications or instructions from the PTC system, creating human factors problems.
Incidents in which stop indications are inappropriately displayed may also necessitate sudden brake applications that may involve risk of derailment due to in-train forces. Other unsafe or wrong-side failures that affect the safety of the product will be recorded on the hazard log. The intent of this paragraph is to identify all possible safety-relevant hazards that would have a negative effect on the safety of the product. Right-side failures, or product failures that have no adverse effect on the safety of the product (i.e., do not result in a hazard) would not be required to be recorded on the hazard log.
Paragraph (d)(2), which has been added to the final rule, requires that each railroad identify the PTC system's safety assurance concepts. When identifying the safety assurance concepts used, FRA expects the information provided pursuant to paragraph (d)(2) will reflect the safety requirements that govern the operation of a system; the identify of known or potential safety hazards that may arise over the life-cycle of the system; safety issues that may arise during the design phase of the process; elimination or reduction of the risks posed by the hazards identified; resolution of safety issues presented; development of a process to track progress; and development of a program of testing and analysis to demonstrate that safety requirements are being met.
In the proposed rule, this information was required as part of the PTCDP. One railroad recommended that this information requirement be completely eliminated as redundant because it is covered as part of the product safety Start Printed Page 2653requirements. FRA agrees that this information should not be a required element of the PTCDP; this information should be provided as an element of the railroad specific PTCSP, since individual railroads may elect to require different safety assurance concepts from their vendors or suppliers. This very same information is an integral element of the railroad specific Product Safety Plan required by subpart H of this part. Accordingly, FRA has revised this requirement. However, FRA does not believe that this information is redundant. The safety assurance concepts imposed on the vendor or supplier are procedural requirements that drive vendor or supplier system design and mitigation strategies. FRA believes that the importance of the safety assurance concepts merits clear identification.
Paragraph (d)(3) requires that a risk assessment be included in the PTCSP. FRA will use this information as a basis to confirm compliance with the appropriate performance standard. A performance standard specifies the outcome required, but leaves the specific measures to achieve that outcome up to the discretion of the regulated entity. In contrast to a design standard or a technology-based standard that specifies exactly how to achieve compliance, a performance standard sets a goal and lets each regulated entity decide how to meet that goal. An appropriate performance standard should provide reasonable assurance of safe and effective performance by making provision for: (1) Considering the construction, components, ingredients, and properties of the device and its compatibility with other systems and connections to such systems; (2) testing of the product on a sample basis or, if necessary, on an individual basis; (3) measurement of the performance characteristics; and (4) requiring that the results of each or of certain of the tests required show that the device is in conformity with the portions of the standard for which the test or tests were required. Typically, the specific process used to design, verify and validate the product is specified in a private or public standard. The Associate Administrator may recognize all or part of an appropriate standard established by a nationally or internationally recognized standard development organization.
Labor expressed concern during this rulemaking regarding FRA's position on the treatment of wrong side failures. Wrong side failures, which occur when a PTC system fails to properly identify the track occupied by a train, should not be considered an acceptable risk. Such failures, which are completely avoidable using current technology, can result in unnecessary and risky penalty brake applications.
FRA agrees that wrong side failures introduce an element of risk in the operation of a system. Therefore, the extent of that risk and the consequences of the failure must be identified and carefully analyzed. It is for that very reason that FRA is requiring that the hazard log identify all such potential failures. The hazard mitigation analysis required in paragraph (d)(4) must identify how each hazard in the hazard log will be mitigated. While FRA agrees the majority of wrong side failures can be eliminated through the application of technology, FRA believes that the generalization that all wrong side failures can be eliminated is not valid.
Paragraph (d)(4) requires that the PTCSP include a hazard mitigation analysis. The hazard mitigation analysis must identify the techniques used to investigate the consequences of various hazards and list all hazards addressed in the system hardware and software including failure mode, possible cause, effect of failure, and remedial actions. A safety-critical system must satisfy certain specific safety requirements specified by the system designer or procuring entity. To determine whether these requirements are satisfied, the safety assessor must determine that: (1) Hazards associated with the system have been comprehensively identified; (2) hazards have been appropriately categorized according to risk (likelihood and severity); (3) appropriate techniques for mitigating the hazards have been identified; and (4) hazard mitigation techniques have been effectively applied. See Leveson, Nancy G., Safeware: System Safety and Computers, (Addison-Wesley Publishing Company, 1995).
FRA does not expect that the safety assessment will prove that a product is absolutely safe. However, the safety assessment should provide evidence that risks associated with the product have been carefully considered and that steps have been taken to eliminate or mitigate them. Hazards associated with product use need to be identified, with particular focus on those hazards found to have significant safety effects. The risk assessment provided under paragraph (d)(4) must include each hazard that cannot be mitigated by system designs (e.g., human over-reliance of the automated systems) no matter how low its probability may be. After the risk assessment, the designer must take steps to remove them or mitigate their effects. Hazard analysis methods are employed to identify, eliminate, and mitigate hazards. Under certain circumstances, FRA may require an independent third party assessment in accordance with proposed § 236.1017 to review these methods as a prerequisite to FRA approval.
Paragraph (d)(5) also requires that the PTCSP address safety Verification and Validation procedures as defined under part 236. FRA believes that Verification and Validation for safety are vital parts of the PTC system development process. Verification and Validation require forward planning. Consequently, the PTCSP should identify the testing to be performed at each stage of development and the levels of rigor applied during the testing process. FRA will use this information to ensure that the adequacy and coverage of the tests are appropriate.
Paragraph (d)(6) requires the railroad to include in its PTCSP the training, qualification, and designation program for workers regardless of whether those railroad employees will perform inspection, testing, and maintenance tasks involving the PTC system. FRA believes many benefits accrue from the investment in comprehensive training programs and are fundamental to creating a safe workforce. Effective training programs can result in fewer instances of human casualties and defective equipment, leading to increased operating efficiencies, less troubleshooting, and decreased costs. FRA expects any training program will include employees, supervisors, and contractors engaged in railroad operations, installation, repair, modification, testing, or maintenance of equipment and structures associated with the product.
Paragraph (d)(7) requires the railroad to identify specific procedures and test equipment necessary to ensure the safe operation, installation, repair, modification and testing of the product in its PTCSP. Requirements for operation of the system must be succinct in every respect. The procedures must be specific about the methodology to be employed for each test to be performed that is required for installation, repair, or modification and the results thereof must be documented. FRA will review and compare the repair and test procedures for adequacy against existing similar requirements prescribed for signal and train control systems. FRA intends to use this information to ascertain whether the product will be properly installed, maintained, tested, and repaired.
Paragraph (d)(8) requires that each railroad develop a manual covering the requirements for the installation, periodic maintenance and testing, Start Printed Page 2654modification, and repair for its PTC system. The railroad's Operations and Maintenance Manual must address the issuance of warnings and describe the warning labels to be placed on each piece of PTC system equipment as necessary. Such warnings include, but are not limited to: Means to prevent unauthorized access to the system; warnings of electrical shock hazards; cautionary notices about improper usage, testing, or operation; and configuration management of memory and databases. The PTCSP should provide an explanation justifying each such warning and an explanation of why there are no alternatives that would mitigate or eliminate the hazard for which the warning will be given.
Paragraph (d)(9) requires that the PTCSP identify the various configurable applications of the product, since this rule mandates use of the product only in the manner described in its PTCDP. Given the importance of proper configuration management in safety-critical systems, FRA believes it is essential that railroads learn of and take appropriate configuration control of hardware and software. FRA believes that a requirement for configuration management control will enhance the safety of these systems and ultimately provide other benefits to the railroad as well. Pursuant to this paragraph, railroads will be responsible—through its applicable Operations and Maintenance Plan and other supporting documentation maintained throughout the system's life-cycle—for all changes to configuration of their products in use, including both changes resulting from maintenance and engineering control changes, which result from manufacturer modifications to the product. Since not all railroads may experience the same software faults or hardware failures, the configuration management and fault reporting tracking system play a crucial role in the ability of the railroad and the FRA to determine and fully understand the risks and their implications. Without an effective configuration management tracking system in place, it is difficult, if not impossible, to fairly evaluate risks associated with a product over its life-cycle.
Paragraph (d)(10) requires the railroad to develop comprehensive plans and procedures for product implementation. Implementation (field validation or cutover) procedures must be prepared in detail and identify the processes necessary to verify that the PTC system is properly installed and documented, including measures to provide for the safety of train operations during installation. FRA will use this information to ascertain whether the product will be properly installed, maintained, and tested. FRA also believes that configuration management should reduce disarrangement issues. Further, configuration management will reduce the cost of troubleshooting by reducing the number of variables and will be more effective in promoting safety.
Paragraph (d)(11) requires the railroad to provide a complete description of the particulars concerning measures required to assure that the PTC system, once implemented, continues to provide the expected safety level without degradation or variation over its life-cycle. The measures specifically provide the prescribed intervals and criteria for the following: testing; scheduled preventive maintenance requirements; procedures for configuration management; and procedures for modifications, repair, replacement and adjustment of equipment. FRA intends to use this information, among other data, to monitor the PTC system to assure it continually functions as intended.
Paragraph (d)(12) requires that each PTCSP include a description of each record concerning safe operation. Recordkeeping requirements for each product are discussed in § 236.1037 of this part.
Paragraph (d)(13) requires a safety analysis of unintended incursions into a work zone. Measuring incursion risks is a key safety risk assumption. Failing to identify incursion risk can have the effect of making a system seem safer on paper than it actually is. The requirements set forth in this paragraph attempt to mandate design consideration of incursion protection at an early stage in the system development process. The totality of the arrangements made to prevent unintended incursions or operation at higher than authorized speed within the work zone must be analyzed. That is, in addition to the functions of the PTC system, the required actions for dispatchers, train crews, and roadway workers in charge must be evaluated. Regardless of whether a PTC system has been previously approved or recognized, FRA will not accept a system that allows a single point human failure to defeat the essential protection intended by the Congress. See NTSB Recommendations R-08-05 and R-08-06. FRA believes that exposure should be identified because increases in risk due to increased exposure could be easily distinguished from increases in risk due solely to implementation and use of the proposed PTC system.
In the past, little attention was given to formalizing incursion protection procedures. Training for crews has also not been uniform among organizations, and has frequently received inadequate attention. As a result, a variety of procedures and techniques evolved based on what has been observed or what just seemed correct at the time. This lack of structure, standardization, and formal training is inconsistent with the goal of increasing safety and regulatory efficiency.
As proposed, paragraph (d)(14) would have required a more detailed description of any alternative arrangements provided under § 236.1011(a)(10), pertaining to at grade rail-to-rail crossings. APTA noted that the reference in this paragraph should be revised, as section 236.1011(a)(10) does not exist. The correct reference is § 236.1005(a)(1)(i).
As previously mentioned, § 236.1005(a) requires each applicable PTC system to be designed to prevent train-to-train collisions. Under that section, FRA has established various requirements that would apply to at-grade rail-to-rail crossings, also known as diamond crossings. While the final rule text includes certain specific technical requirements, it also provides the opportunity for each subject railroad to submit an alternative arrangement providing an equivalent level of safety as specified in an FRA approved PTCSP. Accordingly, under paragraph (d)(14), if the railroad intends to utilize alternative arrangements providing an equivalent level of safety to that of the table provided under § 236.1005(a)(1)(i), each PTCSP must identify those alternative arrangements and methods, with any associated risk reduction measures, in its PTCSP.
Paragraph (d)(15) requires a complete description of how the PTC system will enforce mandatory directives and signal indications, unless already addressed in the PTCDP. Paragraph (d)(16) refers to the requirement of § 236.1019(f) that the PTCSP is aligned with the PTCIP, including any amendments.
Under § 236.1007, FRA requires certain limitations on PTC trains operating over 90 miles per hour, including compliance with § 236.1029(c). Under § 236.1029(c), FRA provides railroads with an opportunity to deviate from those limitations if the railroad describes and justifies the deviation in its PTCDP, PTCSP, or by reference to an Order of Particular Applicability, as applicable. Thus, paragraph (d)(17) reminds railroads that this is one of the optional elements that may be included in a PTCSP. This need Start Printed Page 2655may also be addressed through review of the PTCDP.
Railroads are required under § 236.1005(c) to submit a complete description of their compliance regarding hazard detector integration and under §§ 236.1005(g)-(k) to submit a temporary rerouting plan in the event of emergencies and planned maintenance. Sections 236.1007 and 236.1033 also require the submission of certain documents and information. Paragraphs (d)(18), (d)(19), and (d)(20) remind railroads that such requirements must be fulfilled with the submission of the PTCSP. For example, under paragraph (d)(19), FRA expects each temporary rerouting plan to explain the host railroad's procedure relating to detouring the applicable traffic. In other words, FRA expects that each temporary rerouting plan address how the host railroad will choose the track that traffic will be rerouted onto. The plan should explain the factors that will be considered in determining whether and how the railroad should take advantage of temporary rerouting. FRA remains concerned about the unnecessary commingling of PTC and non-PTC traffic on the same track and expects each temporary rerouting plan to address this possibility. More specifically, each plan should describe how the railroad expects to make decisions to reroute non-PTC train traffic onto a PTC line, especially where another non-PTC line may be available. While FRA recognizes each railroad may seek to use the most cost effective route, FRA expects the railroad to also consider the level of risk associated with that route.
In paragraph (e), FRA states the criteria to which FRA will refer when evaluating the PTCSP, depending upon the underlying technical approach. Whereas in subpart H of this part, the safety case is evaluated to determine whether it demonstrates, with a high degree of confidence, that relevant risk will be no greater under the new product than previously, the statutory mandate for PTC calls for a different approach. In crafting this approach, FRA has attempted to limit requirements for quantitative risk assessment to those situations where the technique is truly needed. Regardless of the type of PTC system, the safety case for the system must demonstrate that it will reliably execute all of the functions required by this subpart (particularly those provided under proposed §§ 236.1005 and 236.1007). With this foundation, the additional criteria that must be met depend upon the type of PTC technology to be employed.
It is FRA's understanding that PTC systems may be categorized as one of the following four system types: non-vital overlay; vital overlay; stand-alone; and mixed. Initially, however, all PTC systems will have some features that are not fully fail-safe in nature, even if onboard processing and certain wayside functions are fully fail-safe. Common causes include surveying errors of the track database, errors in consist weight or makeup from the railroad information technology systems, and the crew input errors of critical operational data. To the extent computer-aided dispatching systems are the only check on potential dispatcher error in the creation or inappropriate cancellation of mandatory directives, some room for undetected wrong-side failure will continue to exist in this function as well.
Paragraph (e)(1) specifies the required behavior for non-vital overlay systems. Based on previous experience with non-vital systems, FRA believes it is well within the technical capability of the railroads to reduce the level of risk on any particular track segment to a level of risk 80% lower than the level of risk prior to installation of PTC on that segment. For subsequent PTC system installations on the same track segment, FRA recognizes that requiring an additional 80% improvement may not be technically or economically practical. Therefore, FRA is only requiring that an entity installing or a modifying an existing PTC system demonstrate that the level of safety is equal to, and preferably greater than, the level of safety of the prior PTC system. The risk that must be reduced is the risk against which the PTC functionalities are directed, assuming a high level of availability. Note that the required functionalities themselves do not call for elimination of all risk of mishaps. It is scope of risk reduction that the functionalities describe that becomes the 100% universe which is the basis of comparison. Although it is understood that the system will endeavor to eliminate 100% of this risk—meaning that if the system worked as intended every time and was always available, 100% of the target risk would be eliminated—the analysis will need to account for cases where wrong side failure of the technology is coincident with a human failure potentially induced by reliance on the technology. Since, within an appropriate conservative engineering analysis (i.e., pro forma analysis), non-vital processing has the theoretical potential to result in more failures than will typically be experienced, a 20% margin is provided. In preparing the PTCSP, the railroad should affirmatively address how training and oversight—including programs of operational testing under 49 CFR 217.9—will reduce the potential for inappropriate reliance by those charged with functioning in accordance with the underlying method of operation.
The 80% reduction in risk for PTC preventable accidents must be demonstrated by an appropriate risk analysis acceptable to the Associate Administrator and must address all intended track segments upon which the system will be installed. Again, FRA does not expect, or require, that these types of systems will prevent all wrong side failures. However, FRA expects that the systems will be designed to be robust, all pertinent risk factors (including human factors) will be fully addressed, and that no corners will be cut to “take advantage” of the nominal allowance provided for non-vital approaches. FRA also encourages those using non-vital approaches to preserve as much as possible the potential for a transition to vital processing.
The Rail Labor Organizations believe that FRA's position is inconsistent with safety. Wrong side failures occur when a PTC system fails to properly identify the track occupied by a train. According to the RLO, such failures, which are completely avoidable using current technology, can result in unnecessary penalty braking applications that risk causing train handling derailments due to in-train forces and may also cause a PTC system to fail to enforce a necessary stop. As such, the RLO believe that wrong side failures should not be considered an acceptable risk. Again, FRA is sympathetic in principle to the RLO concern. However, no signal or train control system is wholly without the potential for a wrong side failure; and the key to limiting their occurrence is identifying the potential and crafting mitigations where possible. Built on the foundation of existing methods of operation, PTC systems will drastically reduce unsafe events by providing a safety net for occasional human errors. It would be unwise to defer the promise of PTC technologies by demanding perfection and thereby permit accidents and casualties to continue.
Paragraph (e)(2) addresses vital overlays. Unlike a non-vital system, the vital system must be designed to address, at a minimum, the factors delineated in Appendix C. The railroad and their vendors or suppliers are encouraged to carry out a more thorough design analysis addressing any other potential product specific hazards. FRA cannot overemphasize that vital overlay system designs must be fully designed to address the factors contained in Start Printed Page 2656Appendix C. The associated risk analysis supporting this design analysis demonstrating compliance may be accomplished using any of the risk analysis approaches in subpart H, including abbreviated risk analysis.
Paragraph (e)(3) addresses stand-alone PTC systems that are used to replace existing methods of operations. The PTCSP design and risk analysis submitted to the Associate Administrator must show that the system does not introduce any new hazards that have not been acceptably mitigated, based upon all proposed changes in railroad operation. GE proffered the suggestion that when the stand-alone system is created using proven principles of vital signaling, assessing the system risk is straightforward and not significantly different than with the vital overlay system. The importance of system availability and risk under operations in contingent mode become more significant factors. FRA agrees, but believes that the one of the fundamental issues that the agency must reconcile is the value of appropriately capturing these principles in new systems and with new technologies without artificially restricting their use. FRA must accordingly exercise great care when evaluating the safety cases presented to it, regardless of the type (overlay, stand-alone, or mixed).
While FRA believes that a comprehensive safety analysis will be required for all systems, since it must provide sufficient information to the Associate Administrator to make a decision with a high degree of confidence, the required analysis for stand-alone systems is much more comprehensive than that required for vital overlay systems because it must provide sufficient information to the Associate Administrator to make a decision with a high degree of confidence. FRA will therefore exercise greater oversight when it uniquely and separately considers each request for stand-alone operations, and will render decisions in the context of the proposed operation and the associated risks. FRA recognizes that application of this standard to a new rail system for which there is no clear North American antecedent could present a conceptual challenge.
Paragraph (e)(4) addresses mixed systems (i.e., systems that include a combination of the systems identified in paragraphs (e)(1) through (e)(3). Because of the inherent complexity of these systems, FRA will determine an appropriate approach for demonstrating compliance after consultation with the railroad. Any approach will, of course, require that the system perform the PTC requirements set forth in §§ 236.1005 and 236.1007.
Paragraph (f) discusses the factors that the Associate Administrator will consider in reviewing the PTCSP. In general, PTC systems will have some features that are not fail-safe in nature. Examples include surveys of the track database, errors in consist data from the railroad such as weight and makeup, and crew input errors. FRA participation in the design and testing of the PTC system product helps FRA to better understand the strengths and weaknesses of the product for which approval is requested, and facilitates the approval process.
The railroad must establish through safety analysis that its assertions are true. This standard places the burden on the railroad to demonstrate that the safety analysis is accurate and sufficiently supports certification of the PTC system. The FRA Associate Administrator will determine whether the railroad's case has been made. As provided in subpart H, FRA believes that final agency determinations under this new subpart I should also be made at the technical level, rather than the policy level, due to the complex and sometimes esoteric subject matters associated with risk analysis and evaluation. This is particularly appropriate in light of the RSIA08's designation of the Associate Administrator for Railroad Safety as the Chief Safety Officer of FRA. When considering the PTC system's compliance with recognized standards in product development, FRA will weigh appropriate factors, including: the use of recognized standards in system design and safety analyses; the acceptable methods in risk estimates; the proven safety records for proposed components; and the overall complexity and novelty of the product design. In those cases where the submission lacks information the Associate Administrator deems necessary to make an informed safety decision, FRA will solicit the data from the railroad. If the railroad does not provide the requested information, FRA may determine that a safety hazard exists. Depending upon the amount and scope of the missing data, PTCSP approval, and the subsequent system certification, may be denied.
While paragraph (f) summarizes how FRA intends to evaluate the risk analysis, paragraph (g) applies specifically to cases where a PTC system has already been installed and the railroad subsequently wants to install in a new PTC system. Paragraph (g) re-emphasizes that FRA policy regarding the safety of PTC systems is not, and cannot expect to be, static. Rather, FRA policy may evolve as railroad operations evolve, operating rules are refined, related hazards are addressed (e.g., broken rails), and other readily available options for risk reduction emerge and become more affordable. FRA embraces the concept of progressive improvement and expects that when new systems are installed to replace existing systems that actual safety outcomes equal or exceed those for the existing systems.
Finally, paragraph (h) emphasizes the need for the PTCSP to carefully document all potential sources of error that can be introduced into the system and their corresponding mitigation strategies. FRA reserves the right to require quantitative, as opposed to qualitative risk assessments, especially in cases where there is significant residual risk or changes to the method of operations.
Section 236.1017 Independent Third Party Review of Verification and Validation
As previously noted in the discussion regarding § 236.1009(e), FRA may require a railroad to engage in an independent assessment of its PTC system. In the event an independent assessment is required, this section describes the applicable rules and procedures.
Paragraph (a) establishes factors considered by FRA when requiring a third-party assessment. FRA will attempt to make a determination of the necessary level of third party assessment as early as possible in the approval process. However, based on issues that may arise during the development and testing processes, or during the detailed technical reviews of the PTCDP and PTCSP, FRA may deem it necessary to require a third party assessment at any time during the review process.
Paragraph (b) is intended to make it clear that it is FRA that will make the determination of the acceptability of the independence of the third party to avoid any potential issues downstream regarding the acceptability of the assessor's independence. If a third party assessment is required, then each railroad is encouraged to identify in writing what entity it proposes to utilize as its third party assessor. Compliance with paragraph (b) is not mandatory. However, if FRA determines that the railroad's choice of a third party does not meet the level of independence contemplated under paragraph (c), then the railroad will be obligated to have the assessment repeated, at its expense, until it has been completed by a third party suitable to FRA.Start Printed Page 2657
Paragraph (c) provides a definition of the term “independent third party” as used in this section. It limits independent third parties to those that are compensated by the railroad or an association on behalf of one or more railroads that is independent of the PTC system supplier. FRA believes that requiring the railroad to compensate a third party will heighten the railroad's interest in obtaining a quality analysis and will avoid ambiguous relationships between suppliers and third parties that could indicate possible conflicts of interest.
Paragraph (d) explains that the minimum requirements of a third party audit are outlined in Appendix F and that FRA has discretion to the limit the extent of the third party assessment. As the criteria in Appendix F are, for the most part, technology neutral, FRA has adopted them with minor changes, for use with both subparts H and I of this part. FRA intends to limit the scope of the assessment to areas of the safety Verification and Validation as much as possible, within the bounds of FRA's regulatory obligations. This will allow reviewers to focus on areas of greatest safety concern and eliminate any unnecessary expense to the railroad. In order to limit the number of third-party assessments, FRA first strives to inform the railroad as to what portions of a submittal could be amended to avoid the necessity and expense of a third-party assessment altogether. However, FRA wishes to make it clear that Appendix F represents minimum requirements and that, if circumstances warrant, FRA may expand upon the Appendix F requirements as necessary to enable FRA to render a decision that is in the public interest (i.e., if FRA is unable to certify the system without the additional information).
Section 236.1019 Main Line Track Exceptions
The RSIA08 generally defines “main line” as “a segment of railroad tracks over which 5,000,000 or more gross tons of railroad traffic is transported annually. See 49 U.S.C. 20157(i)(2). However, FRA may also define “main line” by regulation “for intercity rail passenger transportation or commuter rail passenger transportation routes or segments over which limited or no freight railroad operations occur.” See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes that there may be circumstances where certain statutory PTC system implementation and operation requirements are not practical and provide no significant safety benefits. In those circumstances, FRA will exercise its statutory discretion provided under 49 U.S.C. 20157(i)(2)(B).
In accordance with the authority provided by the statute and with carefully considered recommendations from the RSAC, FRA will consider requests for designation of track over which rail operations are conducted as “other than main line track” for passenger and commuter railroads, or freight railroads operating jointly with passenger or commuter railroads. Such relief may be granted only after request by the railroad or railroads filing a PTCIP and approval by the Associate Administrator.
Paragraph (a), therefore, requires the submittal of a main line track exclusion addendum (MTEA) to any PTCIP filed by a railroad that seeks to have any particular track segment deemed as other than main line. Since the statute only provides for such regulatory flexibility as it applies to passenger transportation routes or segments where limited or no freight railroad operations occur, only a passenger railroad may file an MTEA as part of its PTCIP. This may include a PTCIP jointly filed by freight and passenger railroads. In fact, FRA expects that in the case of joint operations, only one MTEA should be agreed upon and submitted by the railroads filing the PTCIP. After reviewing a submitted MTEA, FRA may provide full or conditional approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries, use, and characterization of the trackage for which exclusion is requested. When describing each track's use and characterization, FRA expects the requesting railroad or railroads to include copies of the applicable track and signal charts. Ultimately, FRA expects each MTEA to include information sufficiently specific to enable easy segregation between main line track and non-main line track. In the event the railroad subsequently requests additional track to be considered for exclusion, a well-defined MTEA should reduce the amount of future information required to be submitted to FRA. Moreover, if FRA decides to grant only certain requests in an MTEA, the portions of track for which FRA has determined should remain considered as main line track can be easily severed from the MTEA. Otherwise, the entire MTEA, and thus its concomitant PTCIP, may be entirely disapproved by FRA, increasing the risk of the railroad or railroads not meeting its statutory deadline for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a justification for such designation in accordance with paragraphs (b) or (c) of this section.
Paragraph (b) specifically addresses the conditions for relief for passenger and commuter railroads with respect to passenger-only terminal areas. As noted previously in the analysis of § 236.1005(b), any track within a yard used exclusively by freight operations moving at restricted speed is excepted from the definition of main line. In those situations, operations are usually limited to preparing trains for transportation and do not usually include actual transportation. This automatic exclusion does not extend to yard or terminal tracks that include passenger operations. Such operations may also include the boarding and disembarking of passengers, heightening FRA's sensitivity to safety. Moreover, while FRA could not expend its limited resources to review whether a freight-only yard should be deemed other than main line track, FRA believes that the relatively lower number of passenger yards and terminals would allow for such review. Accordingly, FRA believes that it is appropriate to review these circumstances on a case-by-case basis.
During the PTC Working Group discussions, the major passenger railroads requested an exception for tracks in passenger terminal areas because of the impracticability of installing PTC. These are locations where signal systems govern movements over very complex special track work divided into short signal blocks. Operating speeds are low (not to exceed 20 miles per hour), and locomotive engineers moving in this environment expect conflicting traffic and restrictive signals. Although low-speed collisions do occasionally occur in these environments, the consequences are low; and the rate of occurrence is very low in relation to the exposure. It is the nature of current-generation PTC systems to use conservative braking algorithms. Requiring PTC to govern short blocks in congested terminals would add to congestion and frustrate efficient passenger service, in the judgment of those who operate these railroads. The density of wayside infrastructure required to effect PTC functions in these terminal areas would also be exceptionally costly in relation to the benefits obtained. FRA agrees that technical solutions to address these concerns are not presently available. FRA does believe that the appropriate role for PTC in this context is to enforce the maximum allowable speed (which is presently accomplished in cab signal territory through use of automatic speed control, a practice which could continue where already in place).Start Printed Page 2658
If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2), or (b)(3), as applicable, as well as conditions attached to the approval, must be strictly adhered to.
Under paragraph (b)(1), relief under paragraph (b) is limited to operations that do not exceed 20 miles per hour. The PTC Working Group agreed upon the 20 miles per hour limitation, instead of requiring restricted speed, because the operations in question will be by signal indication in congested and complex terminals with short block lengths and numerous turnouts. FRA agrees with the PTC Working Group that the use of restricted speed in this environment would unnecessarily exacerbate congestion, delay trains, and diminish the quality of rail passenger service.
Moreover, when trains on the excluded track are controlled by a locomotive with an operative PTC onboard apparatus that PTC system component must enforce the regulatory speed limit or actual maximum authorized speed, whichever is less. While the actual track may not be outfitted with a PTC system in light of an MTEA approval, FRA believes it is nevertheless prudent to require such enforcement when the technology is available on the operating locomotives. This can be accomplished in cab signal territory using existing automatic train stop technology and outside of cab signal territory by mapping the terminal and causing the onboard computer to enforce the maximum speed allowed.
FRA also limits relief under paragraph (b)(2) to operations that enforce interlocking rules. Under interlocking rules, trains are prohibited from moving in reverse directions without dispatcher permission on track where there are no signal indications. FRA believes that such a restriction will minimize the potential for a head-on impact.
Also, under paragraph (b)(3), such operations are only allowed in yard or terminal areas where no freight operations are permitted. While the definition of main line may not include yard tracks used solely by freight operations, FRA is not extending any relief or exception to tracks within yards or terminals shared by freight and passenger operations. The collision of a passenger train with a freight consist is typically a more severe condition because of the greater mass of the freight equipment. However, FRA did receive a comment suggesting some latitude within terminals when passenger trains are moving without passengers (e.g., to access repair and servicing areas). FRA agrees that low-speed operations under those conditions should be acceptable as trains are prepared for transportation. FRA has not included a request by Amtrak (discussed below) to allow movements within major terminals at up to 30 miles per hour in mixed passenger and freight service, which appears in FRA's judgment to fall outside of the authority to provide exclusions conferred on FRA by the law.
Paragraph (c) provides the conditions under which joint limited passenger and freight operations may occur on defined track segments without the requirement for installation of PTC. Under § 236.1003 (Definitions), “limited operations” is defined as “operations on main line track that have limited or no freight operations and are approved to be excepted from this subpart's PTC system implementation and operation requirements in accordance with § 236.1019(c). This paragraph provides five alternative paths to the main line exception, three of which were contained in the proposed rule and a fourth and fifth that responds to comments on the proposed rule.
The three alternatives derived from the NPRM are set forth in paragraph (c)(1). First, under paragraph (c)(1), an exception may be available where both the freight and passenger trains are limited to restricted speed. Such operations are feasible only for short distances, and FRA will examine the circumstances involved to ensure that the exposure is limited and that appropriate operating rules and training are in place.
Second, under paragraph (c)(1)(ii), FRA will consider an exception where temporal separation of the freight and passenger operations can be ensured. A more complete definition of temporal separation is provided in paragraph (e). Temporal separation of passenger and freight services reduces risk because the likelihood of a collision is reduced (e.g., due to freight cars engaged in switching that are not properly secured) and the possibility of a relatively more severe collision between a passenger train and much heavier freight consist is obviated.
Third, under paragraph (c)(1)(iii), FRA will consider commingled freight and passenger operations provided that a jointly agreed risk analysis is provided by the passenger and freight railroads, and the level of safety is the same as that which would be provided under one of the two prior options selected as the base case. FRA requested comments on whether FRA or the subject railroad should determine the appropriate base case, but received none. FRA recognizes that there may be situations where temporal separation may not be possible. In such situations, FRA may allow commingled operations provided the risk to the passenger operation is no greater than if the passenger and freight trains were operating under temporal separation or with all trains limited to restricted speed. For an exception to be made under paragraph (c)(3), FRA requires a risk analysis jointly agreed to and submitted by the applicable freight and passenger services. This ensures that the risks and consequences to both parties have been fully analyzed, understood, and mitigated to the extent practical. FRA would expect that the moving party would elect a base case offering the greatest clarity and justify the selection.
Comments on the proposed rule generally supported the aforementioned exclusions or were silent.
In its comments on the NPRM, Amtrak requested further relief relating to lines requiring the implementation and operation of a PTC system due solely to the presence of light-density passenger traffic. According to Amtrak, the defining characteristic of light-density lines is the nature of the train traffic; light-density patterns on these lines lead to a correspondingly low risk of collision. Amtrak also asserted that, due to relatively limited wear and tear from lower traffic densities, these lines often have fewer track workers on site, further reducing the chance of collisions and incursions into work zones. Thus, states Amtrak, one of the principal reasons for installing PTC—collision avoidance—is a relatively low risk on many light density lines. With only marginal safety benefits anticipated from PTC use in such applications, Amtrak believed that there may be minimal justification for installing PTC on certain light-density lines.
Amtrak further noted that FRA itself had concluded that the costs of PTC generally exceed its benefits, and Amtrak urged that this may be even more so on light-density lines. Amtrak believed that Congress understood this issue and thus created the regulatory flexibility for the definition of “main line” for passenger routes found at 49 U.S.C. 20157(i)(2)(B) as a means to allow the Secretary to exempt certain routes from the PTC mandate. According to Amtrak, this provision essentially allows the Secretary to define certain passenger routes with limited or no freight traffic as other than “main line,” thereby effectively exempting such lines from the reach of the PTC mandate because the mandate only applies to railroad operations over “main line[s].” Said another way, urged Amtrak, the provision allows the Secretary the freedom to decide in what circumstances such routes should be considered “main lines” and thus be Start Printed Page 2659required to install PTC-pursuant to whatever factors the Secretary deems appropriate through the rulemaking process.
Amtrak urged that the Secretary should use this flexibility to limit which passenger routes it defines as “main lines” to those deemed to warrant the use of PTC using the FRA's usual risk-based approach to safety regulation and traditional measures of reasonableness, costs, and benefits. Amtrak posited that such a risk-based analysis by FRA would likely lead to the conclusion that PTC is simply not needed on many light-density lines over which passenger trains currently operate. Amtrak therefore asked that FRA exercise this authority by working with Amtrak and the rail industry to exempt certain light density freight lines which host passenger traffic from the obligation to install PTC where operating and safety conditions do not warrant an advanced signal system.
Should FRA choose not to exempt some of these light density freight lines over which passenger trains operate, Amtrak felt that the high costs of full PTC systems will be passed on to the passenger and freight operators of these routes. According to Amtrak, this obligation could threaten the continuation of intercity passenger rail service on several routes, including lines in California, Colorado, Kansas, Maine, Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North Dakota, Vermont, and Virginia, on what are potentially light density lines. Additionally, states Amtrak, this obligation, where it can be financed, could force the diversion of significant capital dollars away from essential safety investments in track and other infrastructure improvements, which are typically the leading safety risks for such light-density operations. According to Amtrak, the cost of PTC installation on these lines may be so out of proportion to the benefit that Amtrak's service will need to be rerouted onto a different line (e.g., to a Class I line with PIH materials) if a reroute option exists, or eliminated entirely because there is no feasible alternate route and no party is willing or able to bear the cost of installing PTC on the existing route. The defining characteristic of light-density lines is the nature of the train traffic: Low density patterns on these lines lead to a correspondingly low risk of collision.
According to the Amtrak testimony, the “limited operations exception” in subsection 236.1019(c) of the NPRM did not provide a practical solution to the problem created by defining all light-density routes and terminal areas with passenger service as “main lines.” Amtrak stated that this subsection would arguably require installation of PTC on most of the trackage and locomotives of the Terminal Railroad Association of St. Louis (TRRA) unless: (1) The entire terminal operates at restricted speed (which TRRA is unlikely to agree to); (2) passenger and freight trains are temporally separated (which would not be practical on TRRA, and is unlikely to be practical on any of the light-density lines over which Amtrak operates, due to the 24/7 nature of railroad operations); or (3) a risk mitigation plan can be effected that would achieve a level of safety not less than would pertain if all operations on TRRA were at restricted speed or subject to temporal separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a risk analysis-based definition of “main line” passenger routes that excludes light-density lines on which the installation of PTC is not warranted; and (b) with respect to freight terminal areas in which passenger trains operate, that the FRA modify the limited operations exception in subsection 236.1019(c) to require that all trains be limited to 30 miles per hour rather than to restricted speed, or that non-PTC equipped freight terminals be deemed as other than “main lines” so long as all passenger operations are pursuant to signal indication and at speeds not greater than 30 miles per hour (with speeds reduced to not greater than restricted speed on unsignaled trackage or if the signals should fail).
FRA believes that Amtrak's request is much broader than contemplated by the law. FRA notes that TRRA is a very busy terminal operation. FRA does not believe that the “limited freight operations” concept is in any way applicable under those circumstances. Nor is there any indication in law that FRA was expected to fall back to traditional cost-benefit principles in relation to PTC and scheduled passenger service. However, there are a number of Amtrak routes with limited freight operations that will not otherwise be equipped with PTC because they are operated by other than Class I railroads. Further, there are some Class I lines with less than 5 million gross tons, or no PIH, that also warrant individualized review to the extent Amtrak and the host railroad might elect to propose it.
Accordingly, in response to the Amtrak comments, paragraphs (c)(2) and (c)(3) have been added to the final rule to provide an option by which certain additional types of limited passenger train operations may qualify for a main line track exception where freight operations are also suitably limited and the circumstances could lead to significant hardship and cost that might overwhelm the value of the passenger service provided. Paragraph (c)(2) deals with lines where the host is not a Class I freight railroad, describing characteristics of track segments that might warrant relief from the requirement to install PTC. Paragraph (c)(2)(i) pertains to passenger service involving up to four regularly scheduled passenger trains during a calendar day over a segment of unsignaled track on which less than 15 million gross tons of freight traffic is transported annually. Paragraph (c)(2)(ii) pertains to passenger service involving up to twelve regularly scheduled passenger trains during a calendar day over a segment of signaled track on which less than 15 million gross tons of freight traffic is transported annually. In FRA's experience, four trains per day in unsignaled territory and twelve trains per day in signaled territory can be expected to be handled safely in combination with 15 million gross tons of freight traffic if the operations are carefully scrutinized and appropriate mitigation measures are taken to accommodate the particular operating environment in question. Paragraph (c)(2) derived indirectly from discussions in the RSAC in response to comments by Amtrak set forth above. The PTC Working Group proposed an exception that might have been available anywhere an intercity or commuter railroad operated over a line with 5 million gross tons of freight traffic, including Class I lines and the lines of the intercity or commuter railroad. This would have opened the potential for a considerable exception for lines with very light freight density under circumstances not thoroughly explored in the short time available to the working group (e.g., on commuter rail branch lines, low density track segments on Class I railroads, etc.).
Subsequent to the RSAC activities, Amtrak notified FRA that its conversations with Class II and III railroads, whose lines have been at the root of the Amtrak comments, revealed that some of the situations involved freight traffic exceeding 5 million gross tons, potentially rendering the exception ineffective for this purpose. At the same time, FRA noted that the policy rationale behind the proposed additional exception was related as much to the inherent difficulty associated with PTC installation during the initial period defined by law, given that the railroads identified by Amtrak were for the most part very small operations with limited technical Start Printed Page 2660capacity and limited safety exposure. It was clear that in these cases care would need to be taken to analyze collision risk and potentially require mitigations.[7] Accordingly, FRA has endeavored to address the concern brought forward by Amtrak with a provision that is broad enough to permit consideration of actual circumstances, limit this particular exception to operations over railroads that would not otherwise need to install PTC (e.g., Class II and III freight railroads), provide for a thorough review process, and make explicit reference to the potential requirement for safety mitigations. In this regard, FRA has chosen 15 million gross tons as a threshold that should accommodate situations where Amtrak trains will, in actuality, face few conflicts with freight movements (i.e., requiring trains to clear the main line for meets and passes or to wait at junctions) and where mitigations are in place or could be put in place to establish a high sense of confidence that operations will continue to be conducted safely. FRA believes that less than 15 million gross tons represents a fair test of “limited freight operations” for these purposes, with the further caveat that specific operating arrangements will be examined in each case. FRA emphasizes that this is not an entitlement, but an exclusion for which the affected railroads will need to make a suitable case.
Amtrak also provided to FRA a spreadsheet identifying each of its route segments with attributes such as route length, freight tonnage, number of Amtrak trains, and numbers of commuter trains. FRA further reviewed this information in light of Amtrak's request for main track exceptions. FRA noted a number of segments of the Amtrak system on Class I railroads where the number of Amtrak trains was low and the freight tonnage was also low (less than 15 million gross tons). Each of these lines, with the exception of one 33-mile segment, is signalized. FRA further noted that, with both Amtrak and Class I railroad locomotives equipped for PTC, use of partial PTC technology (e.g., monitoring of switches where trains frequently clear) should be available as a mitigation for collision risk. Accordingly, in paragraph (c)(3), FRA has provided a further narrow exception for Class I lines carrying no more than four intercity or commuter passenger trains per day and cumulative annual tonnage of less than 15 million gross tons, subject to FRA review. The limit of four trains takes into consideration that it is much less burdensome to equip the wayside of a Class I rail line than to install a full PTC system on a railroad that would not otherwise require one. Again, the exception is not automatic, and FRA's approval of a particular line segment would be discretionary. Any Class I line carrying both 5 million gross tons and PIH traffic would, of course, not be eligible for consideration.[8]
The new paragraph (d) makes clear that FRA will carefully review each proposed main track exception and may require that it be supported by appropriate hazard analysis and mitigations. FRA has previously vetted through the RSAC a Collision Hazard Analysis Guide that can be useful for this purpose. If FRA determines that freight operations are not “limited” as a matter of safety exposure or that proposed safety mitigations are inadequate, FRA will deny the exception.
Paragraph (e) (formerly paragraph (d) in the proposed rule) provides the definition of temporal separation with respect to paragraph (c)(2). The temporal separation approach is currently used under the FRA-Federal Transit Administration Joint Policy on Shared Use, which permits co-existence of light rail passenger services (during the day) and local freight service (during the nighttime). See Joint Statement of Agency Policy Concerning Shared Use of the Tracks of the General Railroad System by Conventional Railroads and Light Rail Transit Systems, 65 FR 42,526 (July 10, 2000); FRA Statement of Agency Policy Concerning Jurisdiction Over the Safety of Railroad Passenger Operations and Waivers Related to Shared Use of the Tracks of the General Railroad System by Light Rail and Conventional Equipment, 65 FR 42,529 (July 10, 2000). Conventional rail technology and secure procedures are used to ensure that these services do not commingle. Amtrak representatives in the PTC Working Group were confident that more refined temporal separation strategies could be employed on smaller railroads that carry light freight volumes and few Amtrak trains (e.g., one train per day or one train per day in each direction). The Passenger Task Force agreed. The UTA also supported the temporal separation exception under former paragraph (d), having stated that temporal separation is important in the operations of many commuter and intercity passenger railroad carriers.
Paragraph (f) (paragraph (e) in the proposed rule) ensures that by the time the railroad submits its PTCSP, no unapproved changes have been made to the MTEA and that the PTC system, as implemented, reflects the PTCIP and its MTEA. Under this final rule, the PTCSP must reflect the PTCIP, including its MTEA, as it was approved or how it has been modified in accordance with § 236.1021. FRA believes that it is also important that the railroad attest that no other changes to the documents or to the PTC system, as implemented, have been made.
FRA understands that, as a railroad implements its PTC system in accordance with its PTCIP or even after it receives PTC System Certification, the railroad may decide to modify the scope of which tracks it believes to be other than main line. To effectuate such changes, paragraph (g) requires FRA review. In the case that the railroad believes that such relief is warranted, the railroad may file in accordance with § 236.1021 a request for amendment of the PTCIP, which will eventually be incorporated into or referenced by the PTCSP upon PTCSP submission. Each request, however, must be fully justified to and approved by the Associate Administrator before the requested change can be made to the PTCIP. If such a RFA is submitted simultaneously with the PTCSP, the RFA may not be approved, even if the PTCSP is otherwise acceptable. A change made to an MTEA subsequent to FRA approval of its associated PTCIP that involves removal or reduction in functionality of the PTC system will be treated as a material modification. In keeping with traditional signaling principles, such requests must be formally submitted for review and approval by FRA.
Section 236.1021 Discontinuances, Material Modifications, and Amendments
FRA recognizes that, after submittal of a plan or implementation of a train control system, the subject railroad may have legitimate reasons for making changes in the system design and the locations where the system is installed. In light of the statutory and regulatory mandates, however, FRA believes that the railroad should be required to request FRA approval prior to effectuating certain changes. Section 236.1021 provides the scope and Start Printed Page 2661procedure for requesting and approving those changes. For example, all requests for covered changes must be made in a request for amendment (RFA) of the subject PTC system or plan. While § 236.1021 includes lengthy descriptions of what changes may, or may not, require FRA approval, there are various places elsewhere in subpart I that also require the filing of a RFA.
Paragraph (a) requires FRA approval prior to certain PTC system changes. FRA expects that if a railroad wants to make a PTC system change covered by subpart I, then any such change would result in noncompliance with one of the railroad's plans approved under this subpart. For instance, if a railroad seeks to modify the geographical limits of its PTC implementation, such changes would not be reflected in the PTCIP. Accordingly, under paragraph (a), after a plan is approved by FRA and before any change is made to the PTC system's development, implementation, or operation, the railroad must file a RFA to the subject plan.
FRA considers an amendment to be a formal or official change made to the PTC system or its associated PTCIP, PTCDP, or PTCSP. Amendments can add, remove, or update parts of these documents, which may reflect proposed changes to the development, implementation, or operation of its PTC system. FRA believes that an amending procedure provides a simpler and cleaner option than requiring the railroad to file an entirely new plan.
While the railroad may develop a RFA without FRA input or involvement, FRA believes that it is more advantageous for the railroad to informally confer with FRA before formally submitting its RFA. If FRA is not involved in the drafting process, FRA may not have a complete understanding of the system, making it difficult for FRA to evaluate the impact of the proposed changes on public safety. After RFA submission, all applicable correspondence between FRA and the railroad must be made formally in the associated docket, as further discussed below. In such a situation, FRA's review may take a significantly longer time than usual. If FRA continues to not understand the impact, it may request a third party audit, which would only further delay a decision on the request. Accordingly, FRA believes it is more advantageous for the railroad drafting an RFA to informally confer with FRA before its formal submission of the change request. The railroad would then be provided an opportunity to discuss the details of the change and to assure FRA's understanding of what the railroad wishes to change and of the change's potential impact.
Under paragraph (b), once the RFA is approved, the railroad shall adopt those changes into the subject plan and immediately ensure that its PTC complies with the plan, as amended. FRA expects that each PTC system accurately reflects the information in its associated approved plans. FRA believes that this requirement will also incentivize railroads to make approved changes as quickly as possible. Otherwise, if a railroad delays in implementing the changes reflected in an approved RFA, FRA may find it difficult to enforce its regulations until implementation is completed, since the plans and PTC system do not accurately and adequately reflect each other. In such circumstances, a railroad may be assessed a civil penalty for violating its plan or for falsifying records.
Any change to a PTCIP, PTCDP, or PTCSP, which may include removal or discontinuance of any signal system, may not take effect until after FRA has approved the corresponding submitted or amended PTCIP, PTCDP, or PTCSP. FRA may provide partial or conditional approval. Until FRA has granted appropriate relief or approval, the railroad may not make the change, and once a requested change has been made, the railroad must comply with requested change.
FRA recognizes that a railroad may wish to remove an existing train control system due to new and appropriate PTC system implementation. For train control systems existing prior to promulgation of subpart I, any request for a material modification or discontinuance must be made pursuant to part 235. Paragraph (c), however, provides the railroads with an opportunity to instead request such changes in accordance with proposed § 236.1021. FRA believes that this requirement will reduce the number of required filings and would otherwise simplify the process requesting material modifications or discontinuances.
Paragraph (d) provides the minimum information required to be submitted to FRA when requesting an amendment. While the procedural rules here are different than those in part 235, FRA expects that the same or similar information be provided. Accordingly, under paragraph (d)(1), the RFA must contain the information required in 235.10. Paragraph (d)(1) also requires the railroad to submit, upon FRA request, certain additional information, including the information referenced in § 235.12. Paragraphs (d)(2) through (d)(7) provide further examples of such information. While such information may only be required upon request, FRA urges each railroad to include this information in its RFA to help expedite the review process.
FRA believes that paragraphs (d)(2) through (d)(6) are self-explanatory. However, according to paragraph (d)(7), FRA may require with each RFA an explanation of whether each change to the PTCSP is planned or unplanned. Planned changes are those that the system developer and the railroad have included in the safety analysis associated with the PTC system, but have not yet implemented. These changes provide enhanced functionality to the system, and FRA strongly encourages railroads to include PTC system improvements that further increase safety. A planned change may require FRA approved regression testing to demonstrate that its implementation has not had an adverse affect on the system it is augmenting. Each planned change must be clearly identified as part of the PTCSP, and the PTCSP safety analysis must show the affect that its implementation will have on safety.
Unplanned changes are those either not foreseen by the railroad or developer, but nevertheless necessary to ensure system safety, or are unplanned functional enhancements from the original core system. The scope of any additional work necessary to ensure safety may depend upon when in the development cycle phase the changes are introduced. For instance, if the PTCDP has not yet been submitted to FRA, no FRA involvement is required. However, if the PTCDP has been submitted to FRA, or if the change impacts the safety functionality of the system once a Type Approval has been issued, and a PTCSP has not yet been submitted, the railroad must submit a RFA requesting and documenting that change. Once FRA approves that RFA, FRA expects the subsequently filed PTCSP to account for the change in analysis.
If the change is made after approval of the PTCSP and the system has been certified by FRA, a RFA must be submitted to FRA for approval. Because this requires significant effort by FRA and the railroad, FRA expects that every effort will be made to eliminate the need for unplanned changes. If the railroad and the vendor or supplier submit unplanned safety related changes that FRA believes are a significant amount or inordinately complex, FRA may revoke any approvals previously granted and disallow the use of the product until such time the railroad demonstrates the product is sufficiently mature.
Paragraph (e) provides that if a RFA is submitted for a discontinuance or a Start Printed Page 2662material modification to a portion or all of its PTC system, a notice of its submission shall be published in the Federal Register. Interested parties will be provided an opportunity to comment on the RFA, which will be located in an identified docket.
Paragraph (f) makes it clear that FRA will consider all impacts on public safety prior to approval or disapproval of any request for discontinuance, modification, or amendment of a PTC system and any associated changes in the existing signal system that may have been concurrently submitted. While the economic impact to the affected parties may be considered by FRA, the primary and final deciding factor on any FRA decision is safety. FRA will consider not only how safety is affected by installation of the system, but how safety is impacted by the failure modes of the system.
The Southern California Regional Rail Authority submitted comments requesting “easy streamlined approval” of incremental changes and additions to the plans based on procurement and type approval of vendor or supplier products. However, FRA would like to point out that, where lines change during or subsequent to the railroad's submission of its PTCIP, the railroad merely needs to identify its plan for implementation on such lines in its RFA. This does not appear to be an overly burdensome task.
The purpose of paragraph (g) is to emphasize the right of FRA to unilaterally issue a new Type Approval, with whatever conditions are necessary to ensure safety based on the impact of the proposed changes.
In paragraph (h), FRA makes clear that it considers any implemented PTC system to be a safety device. Accordingly, the discontinuance, modification, or other change of the implemented system or its geographical limits will not be authorized without prior FRA approval. While this requirement primarily applies to safety critical changes, FRA believes that they should also apply to all changes that will affect interoperability. The principles expressed in the paragraph parallel those embodied in part 235, which implements 49 U.S.C. 20502(a). Railroads may need to review § 236.1005(b)(4) and supply the required information in an RFA submission.
That said, FRA recognizes that there are a limited number of situations where changes of the PTC system may not have an adverse impact upon public safety. Specific situations where prior FRA approval is required are provided in paragraphs (h)(1) through (h)(4).
Paragraph (i) provides the exceptions from the requirement for prior approval in cases where the discontinuance of a system or system element will be treated as pre-approved, as when a line of railroad is abandoned.
Paragraph (j) provides exceptions for certain lesser changes that are not expected to materially affect system risk, such as removal of an electric lock from a switch where speed is low and trains are not allowed to clear.
The AAR submitted comment that paragraphs (j)(2) and (j)(3) should be revised to recognize the allowance for removal of a signal used in lieu of an electric or mechanical lock in the same manner as removal of the electric or mechanical lock. These two paragraphs are intended to recognize that where train speed over the switch does not exceed 20 miles per hour, or where trains are not permitted to clear the main track at the switch, removal of the devices intended to provide the necessary protection should not require the submission of a filing for FRA approval.
The regulation requiring the installation of an electric or mechanical lock identifies the allowance for a signal used in lieu thereof (see § 236.410). FRA agrees with the AAR that when the requirement for an electric or mechanical lock, or a signal used in lieu thereof, are eliminated, the removal of any of these devices in their entirety without filing for approval is appropriate. FRA has therefore revised paragraphs (j)(2) and (j)(3) to clarify these allowances.
Paragraph (k) provides additional exceptions consisting of modifications associated with changes in the track structure or temporary construction. FRA notes that only temporary removal of the PTC system without prior FRA approval is allowed to support highway rail separation construction or damage to the PTC system by catastrophic events. In both cases, the PTC system must be restored to operation no later than 6 months after completion of the event.
Caltrain submitted comments stating that proposed paragraph (k)(6) and § 236.1009(a)(2)(ii)(B) appear to address the installation of new track in an inconsistent manner. While proposed paragraph (k)(6) states that it will not be necessary to file an RFA for the installation of new track, § 236.1009(a)(2)(ii)(B) states that an RFA must be filed if railroad intends to add, subtract, or otherwise materially modify one or more lines of railroad for which installation of a PTC system is required.
FRA agrees that there appears to have been a conflict between the provisions contained in paragraph (k)(6) and § 236.1009(a)(2)(ii)(B). In light of the fact that FRA considers it necessary to file an RFA if the railroad intends to install new track for which installation of a PTC system is required, FRA has not included proposed paragraph (k)(6) in the final rule.
Section 236.1023 Errors and Malfunctions
Often it is only after the product has been placed in field service for an extended period of time before the accuracy of the assumptions regarding errors and malfunctions can be validated. Accordingly, the reporting and recording of errors and malfunctions takes on critical importance. If the number of errors and malfunctions exceeds those originally anticipated in the design, or errors and malfunctions that were not predicted are observed to occur, the validity of the system design assumptions and the accuracy of the performance predictions becomes suspect. The requirements of this section provide the process and procedures for tracking, reporting, and correction of errors and malfunctions. The final rule reflects the requirements of the NPRM, but has been reorganized for greater clarity.
Paragraph (a) of this section contains the requirement for all railroads operating a PTC system to establish and maintain a PTCPVL. The PTCPVL list ensures that the railroad can quickly determine the vendor of the product that has experienced an error or malfunctioned, and then be able to report the occurrence of the error or malfunction in a timely and accurate manner to the appropriate entity responsible for the design and manufacture of the product. FRA access to the PTCPVL of each railroad enables FRA to quickly identify all railroads that may potentially be affected by the error malfunction, thereby allowing FRA to better understand the implications of the condition on the industry. Not all railroads using the same product or processes may experience the same software errors or hardware failures, even if the cause of the error or failure is systemic to the design, and an individual railroad may not have the resources to determine if there are any industry-wide implications. The requirement for creating and maintaining the PTCPVL was originally proposed in paragraph (c) of the NPRM.
Paragraph (b)(1) establishes a requirement that the railroad specify in its PTCSP all contractual arrangements with their vendors or suppliers for immediate notification of safety-critical upgrades made to the product by the Start Printed Page 2663vendors or suppliers. FRA is not interested in the commercial terms of any such contractual arrangement, only that the contractual arrangement is in place for notification and provision of safety-critical changes from a vendor or supplier to the railroad. Paragraph (b)(2) levies the requirement on the vendor or supplier to report to all railroads using the product any safety-critical failures reported. Paragraph (b)(3) levies a requirement on the vendor or supplier to provide accurate and adequate information of the circumstances surrounding the reported failure to any potentially affected railroad, as well as recommended mitigating actions that should be taken until the situation is resolved. The text of paragraph (b) has been modified slightly from that of the NPRM to more accurately reflect FRA's expectation in this regard.
Paragraph (c)(1) levies the requirement on the railroad to specify in its PTCSP the process and procedures the railroad will implement when a safety-critical upgrade or failure notification is received from the vendor or supplier. This requirement is necessary regardless of whether the railroad itself discovers the problem or the vendor or supplier notifies the railroad of the problem. Paragraph (c)(2) requires the railroads to identify the associated configuration management process they will use to identify safety-critical failures and mitigations. FRA believes it to be essential, given the potential impact on safety of a safety-critical failure, that the railroads have the necessary planning and mechanisms in place to promptly address the situation. Each railroad's and vendor's or supplier's development processes, configuration management programs, and fault reporting tracking systems play a crucial role in the ability of both parties and the FRA to determine and fully understand the risks and implications. Without an effective configuration management tracking system in place, it is difficult, if not impossible, to fairly evaluate PTC system risks during the system's life-cycle.
Paragraph (d) requires that the railroad provide to its vendor or supplier the railroad's processes and procedures for addressing safety-critical failure, malfunction, and fault issues. FRA believes that by providing this information to the vendor or supplier, the vendor or supplier will be able to more efficiently and effectively provide notification to the appropriate railroad personnel. The net result FRA is seeking is that potential delays in identifying or correcting safety-critical faults will be minimized.
Paragraph (e) requires the railroad to maintain a database of all safety-relevant hazards identified in its PTCSP, as well as all safety-relevant hazards that were not previously identified. FRA believes that the requirement to report any safety-relevant hazard that was not previously identified in the PTCSP is self evident, in that it clearly represents an unknown and unplanned failure mode. Without this database, a railroad will be unable to determine if the number of particular failures has risen to a level above the thresholds set forth in the PTCSP. If the frequency of the safety-relevant hazards exceeds the thresholds set forth in the PTCSP, the railroads shall take the following specific actions as prescribed in this section: Notify the applicable vendor or supplier and the FRA; keep the applicable vendor or supplier and the FRA apprised of the status of any and all subsequent failures; and, take prompt countermeasures to eliminate or reduce the frequency below the threshold identified. Until the corrective action is complete, the railroad is required to take measures to ensure the safety of train operations, roadway workers, on track equipment, and the general public.
While the preceding paragraphs dealt with the establishment of a framework to address errors and malfunctions, paragraphs (f) through (g) deal with the actual handling and reporting of errors and malfunctions within that framework. Paragraph (f) establishes time limits for reporting failures and malfunctions to the product vendor or supplier and the FRA as well as minimum reporting requirements. The period for notification has been lengthened from that proposed in the NPRM to 15 days. FRA wishes to emphasize that it is more interested in timely notifications, and accordingly, has not established a specific format for the reports. FRA will accept any report format, provided it contains at least the minimal information required by this section. FRA will accept delivery of these reports by commercial courier, fax, and e-mail. However, with respect to information that is not immediately available, paragraph (f) has been amended to require railroads to submit supplemental reports with the previously unavailable information. FRA requires this information to determine the full impact of the problem, and to determine if any additional restrictions or limitations on the use of the PTC system may be warranted to ensure the safety of the general public and the railroad personnel. If the correcting or mitigating action were to take a significant amount of time, FRA would expect the railroad to provide FRA with periodic frequent progress reports.
Paragraph (g) establishes a reporting requirement for railroads and vendors or suppliers to provide to the Associate Administrator on request the results of any investigation of an accident or service difficulty report that shows the PTC system, subsystem, or component is unsafe because of a manufacturing or design defect. In addition, the railroad and its vendor or supplier may be required to report on any action taken or proposed to correct the defect.
Paragraph (h) imposes a direct obligation on suppliers to report safety-relevant failures or defective conditions, previously unidentified hazards, and recommended mitigation actions in their PTC system, subsystem, or component to each railroad using its product. Each applicable supplier is also required to notify FRA of the safety-relevant failure, defective condition, or previously unidentified hazard discovered by the vendor or supplier and the identity of each affected and notified railroad. FRA believes that it should be informed to ensure public safety in any case where a commercial dispute (e.g., over liability) might disrupt communication between a railroad and supplier.
GE submitted a comment on this section, in which it raised an objection to the direct imposition by FRA of a reporting obligation on PTC suppliers. GE believes this requirement is unwarranted for three reasons. First, the railroad is the primary entity having knowledge of such a failure and already has the obligation to report a failure within strict guidelines. Second, even if the PTC supplier becomes aware of a failure, the PTC supplier may not have sufficient understanding of the failure to determine whether it is truly safety-related in nature without talking to the railroad. Third, there already exist sufficient legal incentives for a supplier to quickly resolve any safety-related failure that might occur. GE believes that railroads' regulatory compliance responsibilities should not be delegated to suppliers. Ultimately, GE asserts that this requirement unnecessarily complicates the task of deploying PTC and is unwarranted.
GE proposed alternative language at the RSAC PTC Working Group meeting held August 31-September 2, 2009, that removed the supplier's obligation to directly report to FRA by deleting proposed paragraphs (a) and (f) of this section and adding language to § 236.1015(b)(2). In this proposed alternative language, GE recommended Start Printed Page 2664that FRA require suppliers to include a process for promptly reporting any safety relevant failure and previously unidentified hazard to each railroad using the product in the quality control systems maintained by suppliers for PTC system design and manufacturing.
FRA carefully considered GE's recommendation. In § 236.907(d), FRA has previously established for PTC systems that are voluntarily implemented by railroads, under the provisions of subpart H of this part, a requirement that the vendor/supplier and railroads establish mutual reporting relationships for promptly reporting any safety-relevant failures and previously unidentified hazards. FRA seeks to continue this relationship requirement for mandatory PTC system installations under the provisions of this subpart.
As noted in the preamble discussion of § 236.907(d), FRA clearly indicated that if there was “a breakdown in communications that could adversely affect public safety”, FRA would take appropriate action as necessary. See 70 FR 11,052, 11,074. FRA also noted that the language of § 236.907 “place[d] a direct obligation on suppliers to report safety-relevant failures, which would include `wrong-side failures' and failures significantly impacting on availability where the Product Safety Plan indicates availability to be a material issue in the safety performance of the larger railroad system.” 70 FR 11,052, 11,074. This provision was necessary to ensure public safety in the event where a commercial dispute (e.g., over liability) might disrupt communications between a railroad and its supplier.
FRA believes that the requirement that a product supplier notify FRA, in addition to the affected railroads, of safety-relevant failures of the PTC product discovered by the supplier does not add to the complexity or cost of PTC system deployment. The addition of FRA to the list of entities that must be notified in the unlikely event of a product failure that has been identified by the product supplier adds only marginally to the level of effort required of the product supplier. As a condition of providing PTC systems pursuant to subpart H of this part, the product supplier must already maintain a list of parties that require such notification. As GE noted, even if there were no regulatory requirement for a mutual reporting relationship between product suppliers and railroads, there are already legal incentives for a supplier to quickly resolve any safety related failure. FRA believes that these legal incentives should motivate the product supplier to promptly notify product users of safety-related issues and, therefore, to maintain a list of product users.
FRA has also considered GE's argument that the railroad is the primary entity having knowledge of safety-related failures and already has an obligation to report the failure within strict guidelines. Thus, even if the PTC supplier becomes aware of the failure, the supplier may not have sufficient understanding of the failure to determine whether it is safety-related in nature without talking to the railroad. GE's assertion that the supplier may not recognize that a failure is safety related without talking to the railroad also applies equally to the converse situation. A railroad may report a failure to the vendor or supplier that the railroad may not recognize as safety critical, and it is only the vendor's or supplier's detailed knowledge of the product that enables recognition of the failure as safety critical.
FRA is consequently unmoved by the assertion that the imposition of a requirement that a vendor or supplier notify FRA upon discovery of a safety critical problem would be unduly burdensome.
In view of the preceding, FRA has left this paragraph unchanged in principle. FRA has, however, made editorial changes to more clearly define the responsibilities of the parties involved and to clearly indicate the acceptability of incremental reporting as more information becomes available.
RSI made many statements similar to those of GE and also asserts that the notification requirement on suppliers would not enhance safety, but would create the potential for redundant, premature, potentially misleading, and burdensome reports to FRA. RSI cites various statutes and regulations, including RSIA08 and the existing part 236, that apply “exclusively” to “railroads” and “railroad carriers.” However, according to 49 U.S.C. 20103, which continues to be referenced in part 236's Authorities section:
(a) Regulations and orders.—The Secretary of Transportation, as necessary, shall prescribe regulations and issue orders for every area of railroad safety supplementing laws and regulations in effect on October 16, 1970. When prescribing a security regulation or issuing a security order that affects the safety of railroad operations, the Secretary of Homeland Security shall consult with the Secretary.
Thus, FRA has jurisdiction “for every area of railroad safety.” Subpart I supplements the laws and regulations in effect on October 16, 1970. Moreover, while the U.S.C. provisions cited by RSI apply to railroads and railroad carriers, there is nothing in those provisions restricting FRA's jurisdiction over other entities or persons.
FRA has previously applied its jurisdiction over suppliers. Under § 236.907(d), suppliers must perform certain notification responsibilities. While that paragraph concerns notification by the supplier to the railroad, there is nothing preventing FRA from requiring the supplier to also notify FRA. In fact, as a practical matter, FRA believes that reporting failures directly to FRA is necessary here. Under subpart H, the absence of direct and timely access to product notices has continued to be an issue for FRA. This concern will only become greater as the subject technology becomes more complex.
RSI also noted that, “the scope of the signal and train control provision at Part 236 explains that this entire part, which will include the proposed regulations for § 236.1023, applies only to the railroads.” Indeed, § 236.0(a) currently states, “Except as provided in paragraph (b) of this section, this part applies to all railroads.” While that paragraph indicates that the part applies to all railroads, it does not limit application to “only” railroads, as misstated by RSI. In any event, to avoid confusion, FRA is modifying § 236.0(a) to apply to all railroads and persons as indicated in this part. For instance, “person” is defined in § 236.0(f) when referencing 1 U.S.C. 1 (which includes manufacturers and independent contractors) and railroad is defined in subpart G of part 236.
Paragraph (i) addresses situations which are clearly not the result of a design or manufacturing issue, and limits unnecessary reporting. If the failure, malfunction, or defective condition was the result of improper operation of the PTC system outside of the design parameters or of non-compliance with the applicable operating instructions, FRA believes that compliance with paragraph (e) is not necessary. Instead, FRA expects and requires the railroad to engage in more narrow remedial measures, including remedial training by the railroad in the proper operation of the PTC system. Similarly, once a problem has been identified to all stakeholders, FRA does not believe it is necessary for a manufacturer to repeatedly submit a formal report in accordance with paragraph (h). In either situation, however, FRA expects that all users of the equipment will be proactively and timely notified of the misuse that occurred and the corrective actions taken.Start Printed Page 2665
Such reports, however, do not have to be made within fifteen days of occurrence, as required for other notifications under paragraph (f), but within a reasonable time appropriate to the nature and extent of the problem.
Paragraph (j) has been added to the final rule to require that, when any safety-critical PTC system, subsystem, or component fails to perform its intended function, the railroad is required to determine the cause and perform necessary adjustment, repair, or replacement of any faulty product without undue delay. Paragraph (j) also reminds railroads that, until corrective action has been completed, a railroad is required to take appropriate action to ensure safety and reliability as specified within its PTCSP.
In paragraph (k) of the final rule, FRA intends to make it absolutely clear that the reporting requirements of part 233 are not a substitute for the reporting requirements of this subpart, nor are the reporting requirements of this subpart considered to be a substitute for the reporting requirements of part 233. Both sets of reporting requirements apply. FRA would like to clarify that both requirements apply. In the case of a failure meeting the criteria described in § 233.7, FRA would not expect the railroad to wait for the frequency of such occurrences to exceed the threshold reporting level assigned in the hazard log of the PTCSP, but will expect the railroad to report the occurrence as required by § 233.7.
Section 236.1027 PTC System Exclusions
This section retains similarities to, but also establishes contrasts with, § 236.911, which deals with exclusions from subpart H. In particular, § 236.911(c) offers reassurance that a stand-alone computer aided dispatching (CAD) system would not be considered a safety-critical processor-based system within the purview of subpart H. CADs have long been used by large and small railroads to assist dispatchers in managing their workload, tracking information required to be kept by regulation, and—most importantly—providing a conflict checking function designed to alert dispatchers to incipient errors before authorities are delivered. Even § 236.911, however, states that “a subsystem or component of an office system must comply with the requirements of this subpart if it performs safety-critical functions within, or affects the safety performance of, a new or next-generation train control system.” FRA continues to work with a vendor or supplier on a simple CAD that provides authorities in an automated fashion, without the direct involvement of a dispatcher.
For subpart I, FRA intends to retain the exception referred to in § 236.911 for CAD systems not associated with a PTC system. Many smaller railroads use CAD systems to good effect, and there is no reason to impose additional regulations where dispatchers contemporaneously retain the function of issuing mandatory directives. However, in the present context, it is necessary to recognize that PTC systems utilize CAD systems as the “front end” of the logic chain that defines authorities enforced by the PTC system, particularly in non-signaled territory.
Accordingly, paragraph (a) provides for the potential exclusion of certain office systems technologies from subpart I compliance. These existing systems have been implemented voluntarily to enhance productivity and have proven to provide a reasonably high level of safety, reliability, and functionality. FRA recognizes that full application of subpart I to these systems would present the rail industry with a tremendous burden. The burdens of subpart I may discourage voluntary PTC implementation and operation by the smaller railroads.
However, subpart I applies to those subsystems or components that perform safety critical functions or affect the safety performance of the associated PTC system. The level and extent of safety analysis and review of the office systems will vary depending upon the type of PTC system with which the office system interfaces. For example, to prevent the issuance of overlapping and inconsistent authorities, FRA expects that each PTC system demonstrate sufficient credible evidence that the requisite safety-critical, conflict resolution (although not necessarily vital) hardware and software functions of the system will work as intended. FRA also expects that the applicable PTCDP's and PTCSP's risk analysis will identify the associated hazards and describe how they have been mitigated. Particularly where mandatory directives and work authorities are evaluated for use in a PTC system without separate oral transmission from the dispatcher to the train crew or employee in charge—with the opportunity for receiving personnel to evaluate and confirm the integrity of the directive or authority received and the potential for others overhearing the transmission to note conflicting actions by the dispatching center—FRA will insist on explanations sufficient to provide reasonable confidence that additional errors will not be introduced.
Paragraph (b) provides requirements for modifications of excluded PTC systems. At some point when a change results in degradation of safety or in a material increase in safety-critical functionality, changes to excluded PTC systems or subsystems may be significant enough to require application of subpart I's safety assurance processes. FRA believes that all modifications caused by unforeseen implementation factors will not necessarily cause the product to become subject to subpart I. These types of implementation modifications will be minor in nature and be the result of site specific physical constraints. However, FRA expects that implementation modifications that will result in a degradation of safety or a material increase in safety-critical functionality, such as a change in executive software, will cause the PTC system or subsystem to be subject to subpart I and its requirements. FRA is concerned, however, that a series of incremental changes, while each individually not meeting the threshold for compliance with this subpart, may when aggregated result in a product which differs sufficiently so as to be considered a new product. Therefore, FRA reserves the right to require products that have been incrementally changed in this manner to comply with the requirements of this subpart. Prior to FRA making such a determination, the affected railroad will be allowed to present detailed technical evidence why such a determination should not be made. This provision mirrors paragraph (d) of existing § 236.911.
Paragraph (c) addresses the integration of train control systems with other locomotive electronic control systems. The earliest train control systems were electro-mechanical systems that were independent of the discrete pneumatic and mechanical control systems used by the locomotive engineer for normal throttle and braking functions. Examples of these train control systems included cab signals and ACS/ATC appliances. These systems included a separate antenna for interfacing with the track circuit or inductive devices on the wayside. Their power supply and control logic were separate from other locomotive functions, and the cab signals were displayed from a separate special-purpose unit. Penalty brake applications by the train control system bypassed the locomotive pneumatic and mechanical control systems to directly operate a valve that accomplished a service reduction of brake pipe pressure and application of the brakes as well as Start Printed Page 2666reduction in locomotive tractive power. In keeping with this physical and functional separation, train control equipment on board a locomotive came under part 236, rather than the locomotive inspection requirements of part 229.
Advances in hardware and software technology have allowed the various PTC systems' and components' original equipment manufacturers (OEMs) to repackage individual components, eliminating parts and system function control points access. Access to control functions became increasingly restricted to the processor interfaces using proprietary software. While this resulted in significant simplification of the previously complex discrete pneumatic and mechanical control train and locomotive control systems into fewer, more compact and reliable devices, it also creates significant challenges with respect to compatibility of the application programs and configuration management.
FRA encourages such enhancements, and believes that, if properly done, they can result in significant safety, as well as operational, improvements. Locomotive manufacturers can certainly provide secure locomotive and train controls, and it is important that they do so if locomotives are to function safely in their normal service environment. FRA highly encourages the long-term goal of common platform integration. However, when such integration occurs, it must not be done at the expense of decreasing the safe and reliable operation of the train control system. Accordingly, FRA expects that the complete integrated system will be shown to have been designed to fail-safe principles, and then demonstrated that the system operates in a fail-safe mode. Any commingled system must have a manual fail-safe fall back up that allows the engineer to be brought to be a safe stop in the event of an electronic system failure. This analysis must be provided to FRA for approval in the PTCDP and PTCSP as appropriate. This provision mirrors the heightened scrutiny called for by § 236.913(c) of subpart H for commingled systems, but is more explicit with respect to FRA's expectations. The provision in general accords with the requirements for locomotive systems that are currently under development in the RSAC's Locomotive Safety Standards Working Group.
GE generally agreed with the preceding discussion about separate regulatory treatment of PTC and the locomotive control systems. However, they strongly disagree with any implication, if the two systems were interfaced or commingled, that PTC requirements could be extended into the locomotive control system. They assert non-safety-critical data can be passed between the systems using appropriate interfaces without any impact on safety and without triggering a need to extend PTC requirements into the control system.
FRA agrees that there are implementation techniques that allow for locomotive control systems to passively receive information from a train control system, and the train control and locomotive control systems are not tightly coupled. FRA expects that in such situations the safety case for the train control system clearly and unequivocally demonstrates that the train control system is not tightly coupled with the locomotive control system, and that failures in the locomotive control system have absolutely no adverse consequences on the safe operation of the train control system. Likewise, FRA expects that the safety analysis for the locomotive control system clearly and unequivocally demonstrates that the train control system is not tightly coupled with the locomotive control system, and that failures in the train control system have absolutely no adverse consequences on the safe operation of the locomotive control system. If the safety analysis cannot convincingly demonstrate to FRA that the train control and locomotive control systems are loosely coupled, then FRA will require that the safety analysis for the PTC system include the applicable elements of the locomotive control system, and vice versa.
Finally, paragraph (d) clarifies the application of subparts A through H to products excluded from compliance with subpart I. These products are excluded from the requirements of subpart I, but FRA expects that the developing activity demonstrates compliance of products with subparts A through H. FRA believes that railroads not mandated to implement PTC, or that are implementing other non-PTC related processor based products, should be given the option to have those products approved under subpart H by submitting a PSP and otherwise complying with subpart H or by voluntarily complying with subpart I. This provision mirrors § 236.911(e) of subpart H.
Section 236.1029 PTC System Use and En Route Failures
This section provides minimum requirements, in addition to those found in the PTC system's plans, for each PTC system with a PTC System Certification. Railroads are allowed, and encouraged, to adopt more restrictive rules that increase safety.
Paragraph (a) requires that, in the event of the failure of a component essential to the safety of a PTC system to perform as intended, the cause be identified and corrective action taken without undue delay. The paragraph also states that until the corrective action is completed, the railroad is required, at a minimum, to take appropriate measures, including those specified in the PTCSP, to ensure the safety of train movements, roadway workers, and on-track equipment. This requirement mirrors the current requirements of § 236.11, which applies to all signal and train control system components. Under paragraph (a), FRA intends to apply to PTC systems provided PTC System Certification under subpart I the same standard in current § 236.11.
Paragraph (b) provides the circumstance where a PTC onboard apparatus on a controlling locomotive that is operating in or is to be operated within a PTC system fails or is otherwise cut-out while en route. Under paragraph (b), the subject train may only continue such operations in accordance with specific limitations. An en route failure is applicable only in instances after the subject train has departed its initial terminal, having had a successful initialization, and subsequently rendering it no longer responsive to the PTC system. For example, FRA believes that an en route failure may occur when the PTC onboard apparatus incurs an onboard fault or is otherwise cut out.
Under subpart H, existing § 236.567 provides specific limitations on each train failing en route in relation to its applicable automatic cab signal, train stop, and train control system. FRA believes that it would be desirable to impose somewhat more restrictive conditions given the statutory mandate and the desire to have an appropriate incentive to properly maintain the equipment and to timely respond to en route failures. For instance, FRA recognizes that the limitations of § 236.567 do not account for the statutory mandates of the core PTC safety functions.
During the PTC Working Group meetings prior to issuance of the NPRM, no consensus was reached on how to regulate en route failures on PTC territory. However, FRA subsequently received several comments that the en route failure requirements and the restrictive operational conditions imposed by paragraph (b) are burdensome and overly restrictive. When the PTC Working Group was Start Printed Page 2667reconvened following the Public Hearing and the NPRM comment period, the PTC Working Group formed three separate task forces for the purpose of discussing and resolving several specific issues. One such task force, deemed the Operational Conditions Task Force, was assigned the task of resolving the issues associated with operational limitations presented in the proposed rule associated with temporary rerouting within § 236.1005, unequipped trains operating within a PTC system within § 236.1006, and en route failures within § 236.1029.
The proposed rule provided allowances for deviations from the restrictions of operations exceeding 90 miles per hour if such deviations were presented and justified in an FRA approved plan. At the PTC Working Group meeting, it was recommended that the procedure allowing for such deviations equally apply to all other operations, regardless of the speed of the operations.
Upon presentation of these recommended revisions to the PTC Working Group, Amtrak and NJ Transit withheld consensus, requesting rather to state on the record that they believed the requirement for the establishment of an absolute block was overly burdensome and unnecessary, and the operational limitations were too restrictive in areas where an underlying block signal system and/or cab signal system with train stop/train control functions remained in place. They further suggested that the operational restrictions for en route failures should be solely presented and described within a railroad's PTCDP and PTCSP, which would then be applicable to a particular PTC system.
FRA appreciates the concerns presented. However, FRA remains convinced that the rule text must provide a “baseline” for operational restrictions associated with en route failures within all PTC systems, with the recognition of the allowance for a railroad to submit a request for deviation from those requirements, with justification, within their PTCDP and PTCSP for FRA approval. Accordingly, FRA has substantially adopted into paragraphs (b) and (c) the text proposed at the PTC Working Group meeting.
Section 236.1029, and in particular paragraph (b), purposefully parallels the limitations contained in § 236.567. In other words, FRA intends that § 236.567 and paragraph (b) of this section will share the common purpose of maintaining a level of safety generally in accord with that expected with the train control system fully functional. This is accomplished by requiring supplementary procedures to heighten awareness and provide operational control (limiting the frequency of unsafe events) and by restricting the speed of the failed train (reducing the potential severity of any unsafe event).
Paragraph (b)(1) allows the subject train to proceed at restricted speed—or at medium speed if a block signal system is in operation according to signal indication—to the next available point where communication of a report can be made to a designated railroad officer of the host railroad. The intent of this requirement is to ensure that the occurrence of an en route failure may be appropriately recorded and that the necessary alternative protection of absolute block is established.
NYSMTA provided comments recommending that paragraph (b)(1) of this section cite 40 miles per hour as the maximum permissible speed within a failed PTC system where a block signal system is in operation because some railroads, such as the LIRR and Metro-North, have defined medium speed lower than what the FRA regulation would permit. FRA defines medium speed in § 236.811 as “A speed not exceeding 40 miles per hour.” Thus, we believe the rule is clear in terms of the applicable maximum speed limit and consistent with the suggestions made by NYSMTA. While a particular railroad may internally define “medium speed” differently, the definitions contained in part 236 control the meaning of the terms used therein.
After a report is made in accordance with paragraph (b)(1), or made electronically and immediately by the PTC system itself, paragraph (b)(2) allows the train to continue to a point where an absolute block can be established in advance of the train in accordance with the limitations that follow in paragraphs (b)(2)(i) and (ii). Paragraph (b)(2)(i) requires that where no block signal system is in use, the train may proceed at restricted speed. Alternatively, under paragraph (b)(2)(ii), the train may proceed at a speed not to exceed medium speed where a block signal system is in operation according to signal indication.
Paragraph (b)(3) requires that, upon the subject train reaching the location where an absolute block has been established in advance of the train, the train may proceed in accordance with the limitations that follow in paragraphs (b)(3)(i), (ii), or (iii). Paragraph (b)(3)(i) requires that where no block signal system is in use, the train may proceed at medium speed; however, if the involved train is a train which is that of the criteria requiring the PTC system installation (i.e., a passenger train or a train hauling any amount of PIH material), it may only proceed at a speed not to exceed 30 miles per hour. Paragraph (b)(3)(ii) requires that where a block signal system is in use, a passenger train may proceed at a speed not to exceed 59 miles per hour and a freight train may proceed at a speed not to exceed 49 miles per hour. Paragraph (b)(3)(iii) requires that, except as provided in paragraph (c), where a cab signal system with an automatic train control system is in operation, the train may proceed at a speed not to exceed 79 miles per hour.
The Rail Labor Organizations believe that the rule is too permissive for en route failures of a PTC system where an underlying signal system is not governing train movements, as they assert that any train invisible to the PTC system in PTC territory presents an unacceptable risk. Instead, asserts the RLO, treatment of en route failures should parallel the restrictions required when a train experiences a signal failure, such as a switch position that is unknown or when a route is not known to be clear. While the NPRM proposed to allow a passenger or PIH PTC train in dark territory to traverse a switch in an unknown position at medium speed or 30 miles per hour, the RLO asserts that such trains should be limited to restricted speed or other methods, such as temporal separation.
FRA appreciates the RLO's concerns. However, FRA believes that the proposal to limit operations to restricted speed, or employ other protective methods such as temporal separation, would be too burdensome and unwarranted. FRA has elected to keep the language of the NPRM in this final rule for several reasons. First, it is expected that failures en route addressed by this rule, as well as temporary rerouting that could result in its application, will not occur on any frequent basis. Experience and requirements of other portions of this subpart would preclude this from being the case. Second, the assertion that “any train invisible to the PTC system in PTC territory presents an unacceptable risk” is inaccurate. Such a train would not in fact be “invisible” to the PTC system as there remains in place some type of authority for the train's movement, and all authorities of other trains that would be PTC-equipped would be enforced by the system. Additionally, the maximum speed of 30 miles per hour established by FRA for these situations is based on extensive analysis of past accident and incidence data, which has shown that train accidents at or below 30 miles per hour have not resulted in breach or compromise of cars carrying hazardous Start Printed Page 2668materials. FRA has elected to keep this language of the NPRM in this final rule.
Paragraph (c) requires that, in order for a PTC train to deviate from the operating limitations contained in paragraph (b) of this section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP. Amtrak had presented comments regarding the NPRM, as well as within the PTC Working Group task force assigned to address comments received regarding this section, asserting that the operational limitations of failure en route were too restricting and unwarranted. Directly in response to those comments, FRA may allow for deviation from the identified limitations of the rule if that deviation is described and justified in the applicable and FRA approved PTCDP, PTCSP, or Order of Particular Applicability. Furthermore, the speed threshold of 90 miles per hour proposed in the NPRM has been removed. FRA will consider deviation proposals for conventional operations, as well as high-speed operations. FRA continues to anticipate that existing operations on the Northeast Corridor will not be adversely impacted, since failure of one component of the onboard train control system will permit the remaining portion to function and provide for a reasonable level of safety.
Paragraph (d) requires that the railroad operate its PTC system within the design and operational parameters specified in the PTCDP and PTCSP. Railroads will not exceed maximum volumes, speeds, or any other parameter provided for in the PTCDP or PTCSP. On the other hand, a PTCDP or PTCSP could be based upon speed or volume parameters that are broader than the intended initial application, so long as the full range of sensitivity analyses is included in the supporting risk assessment. FRA feels this requirement will help ensure that comprehensive product risk assessments are performed before products are implemented.
Paragraph (e) sets forth the requirement that any testing of the PTC system must not interfere with its normal safety-critical functioning, unless an exception is obtained pursuant to 49 CFR § 236.1035, where special conditions have been established to protect the safety of the public and the train crew. Otherwise, paragraph (e) requires that each railroad ensure that the integrity of the PTC system not be compromised, by prohibiting the normal functioning of such system to be interfered with by testing or otherwise without first taking measures to provide for the safety of train movements, roadway workers, and on-track equipment that depend on the normal safety-critical functioning of the system. This provision parallels current § 236.4, which applies to all systems. By requiring this paragraph, FRA also intends to clarify that the standard in current § 236.4 also applies to subpart I PTC systems.
Paragraph (f) requires that each member of the operating crew has appropriate access to the information and functions necessary to perform his or her job safely when products are implemented and used in revenue service. FRA expects paragraph (f) to automatically require each engineer operating the controlling locomotive to have access to the PTC display providing such information. Paragraph (f) also applies to other crew members assigned duties in the locomotive cab. The rule is a performance standard which can be met in several different ways.
Train crews perform as a team and are required by railroad and FRA rules to do so. The importance of having assigned crew members fully involved in train operations is also clearly the intent of Congress in the RSIA. The Congress mandated the certification of the conductor to work in concert with the already federally-certified locomotive engineer. For the conductor and engineer to fulfill the expectations of Congress, it is necessary for both crewmembers to have sufficient information to perform their duties. For the conductor to be able to fulfill the assigned obligations, the conductor must have ready access to certain information, including the authority information being received from the dispatcher. As described below, FRA believes that safety would be materially diminished if the conductor in freight operations were denied access to the same information in the same format as the engineer.
For instance, under the operating rules or special instructions of the major freight railroads, each train crew member in the performance of his or her duties receives copies of a fair amount of paperwork that includes the train consist, which provides the number, loading, locations, and hazardous materials contents of cars, the length and weight of the train, General Orders, which provide loose footing issues, the safety rules of the day or week, security reminders, temporary speed restrictions, and the locations of maintenance of way crews performing track repairs. This paperwork provides the train crew with the work plan necessary to operate the assigned train during their tour of duty. Once the crew is underway, the conductor receives from the dispatcher, via radio, updates to the above information (and provides acknowledgment back to the dispatcher), transcribes hand written copies, and provides those copies to the engineer and other crew members (in lieu of stopping if engineer only). Each crew member keeps these copies in front of them (usually on a desk) for ready reference to approaching speed restrictions and working limits of roadway workers. Upon these documents, crew members make hand written notes and are required to write “void” across superseded or expired movement authorities. In case any questions pertaining to crew performance arise later, each crewmember keeps these copies. Particularly, in a PTC overlay system, which by definition depends upon continued performance of all of the safety-related functions of the underlying system of operation, all of these functions must continue to be performed either as they are now or in an equivalent manner. Removing or impairing any of those functions will diminish safety.
The conductor is responsible for determining the train consist and for ensuring compliance with hazardous materials train placement requirements. The conductor is also responsible for determining whether one or more cars in the train is restricted (e.g., requirement regarding appropriate placement in the train or speed restriction limiting the train's speed to avoid a derailment hazard).[9] Conductors are regularly disciplined in certain situations, including when the limits of authorities are violated or maximum speed limits are exceeded.
Moreover, in present cab signal territory, multiple crew members rely on the information provided by the cab signal display, typically mounted in the center of the cab or other conspicuous location. ACSES displays have also been centrally mounted in passenger and freight cabs for clear visibility.[10] Under this final rule, cab signals may continue to operate independently of the PTC display of the locomotive cab. However, based upon RSAC discussions, FRA is confident that PTC displays may (and Start Printed Page 2669probably will) supplant current cab signal displays and utilize the cab signal code as an input to the PTC display.[11] Section 236.515 has long provided that “The cab signals shall be plainly visible to a member or members of the locomotive crew from their stations in the cab.” Positive train control systems will play a role very similar to, but in fact even more important than, automatic cab signals have played in the territories where installed. In addition to providing current displays (or “targets”) for signal indications, FRA expects that PTC will also display in graphic form slow orders and other mandatory directives.
FRA recognizes that PTC systems are being designed to move much of this information into an electronic format. The intent of utilizing electronic transmission of authorities is to reduce human error associated with listening, copying, and reading back of updates over voice channels while the train crew is en route. Regardless if the information is transmitted digitally or verbally, the goal is to prevent the train from occupying the main track without authority, to prevent most over-speed issues, and to stop short of misaligned switches if the crew fails to follow the rules. While FRA supports this transition to digital communications, this final rule does not require it.
In the event that a certified PTC system does use digital transmissions to provide communications and acknowledgement of mandatory directives between the dispatcher and conductor, to allow the conductor to electronically input the train consist into the PTC system, or otherwise similarly modify a crew member's responsibilities, FRA expects under paragraph (f) that the subject crew member will be afforded appropriate access to the PTC system display to fulfill those responsibilities.
In its comments, the AAR also indicated that railroads have been planning to put a single display in locomotive cabs for the engineer in systems which FRA has already approved and that this requirement was redundant and excessive, referring to the BNSF ETMS system. The AAR questioned the need for a conductor to have access to a PTC display. The Class I railroads have attempted to present the case that FRA had previously blessed the implementation of PTC technology that would permit electronic delivery of mandatory directives while discontinuing the delivery of printed or voice transmitted directives. However, that is not the case.
The system to which AAR refers—BNSF's ETMS I configuration—was qualified under subpart H, which only requires that the system be at least as safe as existing systems and the approval was limited in material ways the AAR failed to mention. Subpart I, however, requires that non-vital overlay systems reduce the likelihood of PTC preventable accidents by at least 80%. Subpart H does not address or require interoperability, but subpart I requires interoperability.
The BNSF ETMS I configuration concept of operations was a pure non-vital overlay on the existing method of operations. The safety analysis for that system assumed that the conductor would continue to receive mandatory directives in the normal manner. BNSF, the only railroad to obtain authority for use of a first-generation freight PTC system, very heavily justified its safety case on the assumption that crewmembers would intervene should the PTC system experience a wrong-side failure (which could occur due to a software error, hardware malfunction, database error, or combination of these factors). This system was justified as an “overlay” on the existing method of operations; while there would be only one PTC display screen, it was contended that most wrong-side errors would be caught by crewmembers holding mandatory directives in paper form. This type of existing PTC system, which has only been deployed by BNSF on a few lines and with very few locomotives equipped, precludes one-half of the train crew from having any access to the information for which they are held accountable. This has been tolerable only because both crew members do have a full set of printed or written directives.
Note that basic interoperability is potentially a concern with respect to the human-machine interface and the means by which FRA addresses it. To the extent a locomotive from a railroad which uses only voice transmission of mandatory directives were to travel on a railroad using electronic transmission of mandatory directives, it would need to be equipped for the other railroad. Yet none of the major freight railroads has conducted a revenue demonstration of a system that relies exclusively on electronic transmission of authorities; and, after more than two decades of development and demonstrations, the major freight railroads have still not issued interoperability standards. Even if FRA were able to accept some of the arguments proffered in regard to the need for access to PTC information, addressing this issue through review of individual railroad plans would not be feasible. This issue needs to be settled “up front” in order to support an orderly implementation.
The testimony and written filings in this docket reflected a serious misunderstanding regard the distinctions noted above and the posture of the BNSF Product Safety Plan review. The AAR and CSXT both asserted that FRA has approved use of a single screen in the form of BNSF ETMS I configuration. More remarkably, BNSF itself testified at the public hearing that, “As approved by FRA, our locomotive cab configuration includes one display screen, which is positioned on the dashboard of the engineer.” Comment of BNSF Railway Company, Docket FRA-2008-0132.0011.1 (Aug. 19, 2009); Positive Train Control Systems: Hearing Before the Fed. Railroad Admin. (Aug. 13, 2009) (statement of Mark Schulze, Vice President, BNSF Railway Company).
In fact, FRA's decision letter for that system stated as follows:
7. Prior to any further ETMS Configuration I operations, BNSF must either comply with 49 CFR § 236.515 (Visibility of cab signals), or submit a risk-based justification as to why the requirements of this rule should be waived. The justification shall be submitted in accordance with the PSP amendment procedures in 49 CFR § 236.913. (FRA Docket No. 2006-23687, Document No. 0021.)
The subject approval remains contingent as of the date of preparation of this final rule, since the railroad has not submitted the required justification.[12]
Start Printed Page 2670The AAR also misstates the extent of the Volpe Center's review of ETMS. From the Volpe Center's review: “The purpose of the analysis was to assess the extent to which the ETMS system follows accepted human factors design guidelines that are likely to catch and correct potential human performance problems.” Volpe did not perform a “thorough human factors analysis” as posited by AAR. Rather, Volpe focused on the user interface for locomotive engineers, identifying issues within the existing design (which was still under development) and within the concept of operations as defined by the railroad.
Once all of the paperwork is moved into electronic transmissions (which has been neither formally requested nor in any way justified under existing regulations), in the absence of an available display one-half of the train crew would not have the ability to review and receive updates while en-route, or keep records of the movement authorities and restrictions for future use. PTC is currently an imperfect technology fed by databases that can be corrupted. Mandatory directives will continue to be issued by dispatchers with limited conflict checking using non-vital computer-aided dispatching systems. As the point paper orders are no longer provided, and mandatory directives are issued electronically en route, there would be no general broadcast on the “road channel” that could lead to other train crews or roadway workers identifying a defective authority (e.g., a mandatory directive to traverse a track segment already occupied by another train). None of the freight railroads has yet demonstrated how the transition to full electronic delivery of mandatory directives will be accomplished. FRA believes that the transition will eventually be made, but in the initial period it is critical that existing provisions for safety—which work very well a very high percentage of the time—not be prematurely abandoned; these provisions include appropriate access to the PTC system display. Although FRA agrees that transmission of valid authorities should be more secure, and thus the trade-off is likely to be favorable, FRA sees no reason at this time to take a second or third crew member out of the loop or to load on the engineer the responsibility for both receiving mandatory directives and briefing the second or third crew member who will be expected under the railroad's rules to comply.
FRA believes it is important to the risk assessment process that the engineer and conductor perform at a level no less safe than they would have had there not been a PTC system. The PTC systems proposed for freight railroads are overlay systems. In an overlay system, the railroad adds a layer of safety to the existing operation. The risk assessment then is relatively easy, because it is easy to show that the new system adds safety, reducing the risk of certain accidents, while not adding any new risk. The key assumption of the risk assessment is no degradation of the underlying safety system, and the performance of crewmembers is a key element of that safety system.
It is impossible at present to quantify the additional risk associated with adding a task which compromises the safe operation of the train by the engineer or conductor, even if only for a short time. Engineers and conductors have an excellent record of avoiding accidents. PTC seeks to improve upon that excellent record. The existing human factors literature leads one to believe that entering complex acknowledgements into a PTC system while the train is in motion is a very significant risk. To quantify that risk, one would have to put it into the context of comparative safety using a human factors model far more complex and accurate than any of which FRA is aware. Also note that PTC does not address all accident scenarios, many of which are often avoided by timely locomotive engineer intervention. The timeliness of such intervention is dependent on situational awareness, which would be negatively impacted if the engineer were distracted. Reading text on a PTC screen appears to be as distracting as reading text on a cell phone or PDA and texting in reply. In order for FRA to accept the diversion of the engineer's attention which would come from having the engineer review and accept the mandatory directives while the train is motion, FRA would need a process different from the current risk assessment methodology. That in turn would require FRA to impose a specification standard, instead of a performance standard. Were FRA issuing only a specification standard, FRA would require the second display and input unit.
In short, the rule as it stands relies on comparing system risk, which is easy if the engineer is not distracted by the system, but impossible if the engineer might be distracted. What we do know with certainty is that having the engineer read and respond to lengthy written messages on the PTC screen would be a distraction resulting in greater risk exposure which would offset to some extent the risk reduction resulting from PTC systems.
AAR argues that the requirement in § 236.1029(f) pertaining to distraction of the locomotive engineer should be deleted. The AAR claims that FRA does not offer any study showing that safety is jeopardized by assigning the engineer PTC-related duties. FRA has directly observed engineers exceeding authorities while attempting to respond to PTC system requirements on tests of existing PTC systems. In those cases, the engineer was attempting to respond to digitally transmitted authority while the train was in motion and was plainly distracted from safety-critical duties. FRA does not need a study to verify the possibility of that which it has observed directly.
The AAR also raises an issue of accuracy in transmitting and receiving mandatory directives, and appears to make the argument that because electronic transmission of mandatory directives is likely to be much more accurate than voice communication of mandatory directives, that all will be safer if mandatory directives are transmitted electronically. FRA agrees that the electronic transmission is likely to be more accurate, but does not agree that accurate transmission is the only safety issue. FRA is concerned with procedures which might distract the engineer from his duties. There is no problem if the railroad intends to have engineers receive, review, and acknowledge mandatory directives, unless the railroad wants the engineer to perform that task with the train in motion, and provided the engineer can take the time to brief other crew members, who under current railroad operating rules would need to copy and retain the orders.
All systems of which FRA is aware will require the crew to acknowledge the mandatory directives. FRA has seen system designs that would permit acknowledgement by simply pressing a button. There is no reason to believe that simply pressing a button demonstrates understanding of a mandatory directive, and FRA does not intend to approve such systems because they will not provide an adequate level of safety. Simply pressing a button does not provide the evidence of comprehension and mutual understanding currently provided by the practice of reading mandatory directives back to the dispatcher over the radio. Even if this means of acknowledgment is elected and approved by FRA, it would be necessary for an engineer receiving such a directive to read it and consider its relevance to the current situation. This Start Printed Page 2671could distract the engineer from actions needed to address other restrictions or an emerging situation on the railroad (e.g., need to warn equipment or personnel unexpectedly fouling the track ahead, requirement to manage a train over undulating terrain to avoid excessive in-train forces, emergency use of the train horn because of vehicle storage on the tracks in a quiet zone).
FRA believes that simply referencing the default PTC display screen will be consistent with good situational awareness and should not present a problem. However, excessive engagement with the PTC onboard computer while underway can distract a locomotive engineer from current duties. While acknowledgment by use of a single soft key may limit the distraction associated with manipulation of the device, it does not address whether the directive was understood. It is also possible to create greater interaction with the onboard computer while causing distraction and yet still not ensure that the directive is understood. For instance, a system tested by one railroad required an eight digit acknowledgment code to confirm receipt of a mandatory directive. In prototype testing locomotive engineers attempting to enter the code have exceeded their authority, because entering a code is a distraction similar to text messaging (a prohibited practice).[13]
In those cases where train consist information needs to be adjusted and confirmed in the PTC system, having that done by the conductor will eliminate a potential source of error. (Provision of input capability on the conductor's terminal will also (if so elected) avoid delays in train starts associated with multiple crews attempting to work out consist information over the radio or a cell phone link to the central office.) Having the conductor observe displayed PTC system data should also provide an additional opportunity for early identification of problems with mandatory directives and displayed information that may derive from corrupted databases, computational errors, or erroneous mandatory directives.
The purpose of paragraph (f) is to ensure that those assigned tasks in the cab are able to perform those tasks, including constructive engagement with the PTC system. Furthermore, while the train is moving, the locomotive engineer would be prohibited from performing functions related to the PTC system that have the potential to distract the locomotive engineer from performance of other safety-critical duties. According to the public comments, that would make it impractical for certain freight railroads not to equip its locomotives with a second, interactive, display.
AAR says that FRA cannot point to any computer-related activities that could result in distraction of the engineer. The 2009 FRA report entitled Technology Implications of a Cognitive Task Analysis for Locomotive Engineers touches on this. For example, the report states: “Sources of new cognitive demands include constraints imposed by the PTC braking profile that require locomotive engineers to modify train handling strategies; increases in information and alerts provided by the in-cab displays that require locomotive engineers to focus more attention on in-cab displays versus out the window, and requirements for extensive interaction with the PTC systems (e.g., to initialize it—to acknowledge messages and alerts) that impose new sources of workload.” This suggests that, unless task sequencing is managed wisely, interaction with PTC can distract the engineer from looking outside the cab and attending to other duties important in train operation safety.
Over the years, FRA has conducted significant human factors research related to supervisory train control systems such as PTC. In the course of that research, it has been noted that the human-machine interface (HMI) should be configured to avoid task overload and to permit the locomotive engineer to attend to the safe movement of the train during all times when it is in motion. This may require responding to obstacles on the railroad ahead (e.g., vandalism, cars stored on grade crossings, unsecured equipment that has rolled out, personnel in the foul without prior notice to train crews), without regard to risk of collision with other trains. Further, FRA has noted from its experience with the initial freight implementations of PTC systems that having the second crew member, where applicable, directly interact with the PTC system may offer the best likelihood of its safe functioning. For instance, train consist information (number of locomotives and cars, tonnage, length of train) is provided in ETMS from the company's management information system). That information is essential to the braking computation onboard. But this is often the intended consist, and the actual consist may vary. Having the crew member responsible for the accuracy of the consist enter or confirm the consist in the PTC system will avoid one opportunity for error each time this is accomplished (which, in the case of a road switching assignment, may be several times during a duty tour).
The NPRM proposed, and the final rule requires, that the onboard apparatus be arranged so that each crew member assigned to perform duties in the locomotive cab could view a PTC display and execute any functions necessary to that crew member's duties. This provision does not require multiple screens, per se, nor does it require that more than one employee must be assigned to a crew. In fact, the proposed and final rules are technology neutral.
FRA is aware of multiple ways that paragraph (f) may be satisfied in the event multiple crew members are in the cab and need access to the information provided by the PTC system. Each alternative has its own advantages and difficulties. FRA is ultimately concerned that the crew members receive the same information displayed in the same manner. I.e., if an engineer is looking at a graphic on a screen, a conductor in the same cab should be looking at the same graphic on whatever device the conductor is using.
For instance, there can be a single large display placed in a location within the cab making it accessible to all crew members in the cab (as is done by Amtrak in the ACSES system used on the Northeast Corridor). A single display (similar to traditional cab signals) could be used if sufficiently large to provide adequate resolution of details. If the railroad opts to use a PTC system that includes the added functionality of digital transmissions for these purposes, a single screen placed between the crew members may be appropriate.
A configuration may also include two fixed screens; one for the locomotive engineer and another for other crew members. In providing cost estimates for this rulemaking, the Class I railroads have assumed that this approach would be employed and that the display would be associated with an interactive terminal. FRA does not question the rationale in this manner and has approached costs estimates in the Regulatory Impact Analysis with this assumption.Start Printed Page 2672
The railroads have also discussed the possibility that, where the locomotive engineer may have his or her own fixed screen, the other crew members could make use of individual “heads-up” displays or personal hand-held or portable wired or wireless devices with train control software, which could be set up as an interactive terminal. Through its Office of Research and Development, FRA has developed personal digital assistant (PDA) software for management of roadway worker authorities at a reasonable cost (at approximately one-quarter of the cost of a second dash-mounted display), and doing the same for a crew remote terminal should be just as practical. The vendor for the on-board portion of the ITC system already provides a router port, and routers are inexpensive. FRA assumes that there would be some additional costs related to replacement of misplaced or damaged devices and changing of batteries, but those costs should be reasonable. Under paragraph (f), hand-held or portable devices could be implemented and would have the same advantages as a fixed terminal. FRA does not require that the display be permanently affixed to the locomotive. The advantage of this approach would be a lesser initial cost, likely about one-fourth of the fixed terminal. Disadvantages include logistics of handling (loss, damage).
The major freight railroads point to passenger service as evidence that a “second display” is not required, but their arguments are inapposite. Crew responsibilities and interactions on passenger trains are historically different than is the case with freight crews, and thus crew resource management will not be undercut by use of a single display. For instance, in the case of a passenger train with a single locomotive engineer, the engineer will have the opportunity to initialize the system at the point of departure by making a relatively easy selection for class of train (if this is not done automatically). Moreover, unlike in freight operations, crew members for passenger operations do not need to enter or confirm detailed consist information for a heavy train that may have a wide variety of loaded and empty cars. If it is necessary for the locomotive engineer to take a mandatory directive through the PTC terminal, that can be done with the train stopped at a passenger station, as is the case today using the voice radio. Passenger railroads will almost certainly elect to use vital on-board processing, so the relative chance of an on-board computer error will be less.
For all of the systems proposed thus far, crewmembers must actively review and acknowledge mandatory directives in order for the system to provide the required level of safety. Where mandatory directives are transmitted by voice over the radio, which is the current practice for freight railroads, the conductor would typically be able to copy and acknowledge the transmission while the train is in motion. Passenger train engineers would have to be stopped (e.g., at a station) in order to copy and acknowledge the mandatory directive. See 49 CFR 220.61(b)(2).
FRA is aware of three ways to receive, safely review, and acknowledge mandatory directives. First, the engineer could receive, review, and acknowledge authorities while the train is stopped. Second, the conductor could receive, review, and acknowledge voice transmissions of mandatory directives, whether or not the train is moving. Third, the conductor could receive, review, and acknowledge authorities through a device which combines display and data entry capabilities, whether or not the train is moving. The first option is likely how passenger railroads will comply with the requirements. Such railroads have only one crewmember in most cabs. This is likely not to be extremely burdensome on most passenger trains, as the engineer can receive, review, and acknowledge mandatory directives at passenger station stops. Thus, FRA is not being illogical, as AAR asserts, by permitting passenger operations with a single cab occupant. What would be illogical would be to require a second display where only one crewmember is present. Freight locomotives with only one crewmember present would also be likely to use the first option, although the cab may be equipped with a second display. The second option would only require a display be within a conductor's view, but would be much lower cost. The third option, which FRA believes may be the norm for freight locomotives, may require the aforementioned second fixed screen, heads-up display, or handheld or portable device. FRA does not believe it would be practical for one terminal to serve both crewmembers if both may be required to enter or access data.
It should be noted that employing a fourth option, implied in railroad testimony, would be problematic on many fronts. That option would presumably involve a single display in front of the locomotive engineer. The train would receive electronic authorities exclusively through that device, and the engineer would acknowledge receipt using a simple procedure (e.g., pressing a single soft key) that was designed to hasten the task and limit distraction. The problem with such a procedure is that (i) there is no assurance that the engineer would understand what was being received, (ii) there is little chance that the engineer would identify any authority or slow order that was not appropriate to the situation, and (iii) there would be no reasonable way to convey the mandatory directive to the other crew member without stopping the train and copying it off the screen. This would be a perfect prescription for exclusive reliance on technology, which is ill-advised and which the railroads claim will not be done (i.e., these are said to be “overlay” systems that cannot detract from the underlying methods of operation).
Again, the railroads are perhaps correct that safety might still be improved under this fourth option, at least as to the operations under PTC control, but that is not the question here. The question is whether technology will be employed that primarily protects against human error on board, or whether technology will be employed that protects most of the time but induces human error on other occasions. Every day in the United States there are thousands of train starts and hundreds of thousands of opportunities for human error in train operations. Yet well-trained crews rise to these challenges, and as a result each year there are approximately 50 to 60 train collisions on the main lines, a small number of overspeed derailments and work zone violations, and a handful of movements through misaligned main track switches. Accordingly, a relatively small number of wrong-side errors in the operation of the PTC system accompanied by any diminishing of vigilance on the part of train crew members could easily cause results from PTC implementation to fall short of the risk reduction identified in FRA's analysis. With time and refinement of technology and databases, there may be significant adjustments that can be made in current operating rules and procedures. But existing PTC technology for the general freight system has not yet been proven at that level, and it will be some years before that will be the case. In the meantime, it will be crucial that informed and well coordinated crews maintain engagement in the management of mandatory directives and compliance with wayside or cab-displayed signal indications.
Accordingly, FRA remains convinced that each crew member should have access to, and engagement with, information and requirements pertinent Start Printed Page 2673to the operations for which they are responsible. This third option, combined with electronic transmission of mandatory directives, would pay for itself in a very short time. Assuming that a train has to be stopped twice each day for the engineer to acknowledge a directive, and that such a stop results in a cost of at least, and probably a lot more than, $80 to account for additional braking and trip time as well as missed opportunity for meets and passes, the cost of implementing this option would surpass the cost of installing a second terminal in just 50 days of service as the controlling locomotive. Assuming the locomotive is in the lead one-fourth of the time it is in service, the avoided cost of stopping would be $8,000, the cost of an additional terminal, in 200 days. In other words, the device will return its cost in much less than a year.
Of course, the business benefits of a second terminal are not as great if the railroad does not adopt electronic transmission of mandatory directives. However, FRA believes that railroads will adopt electronic transmission of mandatory directives as rapidly as possible. They would benefit from being able to give roadway workers much more rapid access to track, as well as by being able to reduce the dispatchers' workload. Further, the business benefits envisioned in Appendix A require more efficient dispatching, which would rely on electronic transmission of mandatory directives, as well as managerial directives related to train pacing and meet-pass planning.
The railroads have made no convincing argument that providing a second display would be harmful, as such. Rather, they argue that the cost is excessive in relation to any expected benefits. The AAR and several Class I freight railroads commented that the cost to install a second display in the locomotive would be approximately $8,000 per locomotive. According to AAR estimates, 29,461 locomotives would need to be equipped. This would translate into an initial installation cost of $235,688,000. However, AAR overestimated the number of locomotives, based on the document it cites. In that document, FRA estimated that 27,598 freight locomotives would be equipped with VTMS technology only, and an additional 100 freight locomotives would be equipped with both VTMS and ACSES technology, for a total of 27,698 locomotives, which, at a unit cost of $8,000 per terminal type display, implies a total cost of $221,584,000. AAR did not include the locomotives which would have both VTMS and ACSES installed, and included passenger locomotives that will likely not require additional hardware to meet the requirement due to the nature of their operations. FRA does not disagree with the AAR and railroad unit cost estimates, as long as what AAR refers to is the type of unit that has input capabilities. FRA recognizes that the cost is actually for an additional “terminal” versus simply a display and that it must be made rugged for the locomotive cab operating environment. The AAR and other railroads objecting to these requirements maintain that there will be little safety benefit to the requirements, and that the benefits would be far less than the costs. However, in the long run, FRA believes that the additional cost for installing a second terminal would be justified by the aforementioned business benefits as well as the safety assurance.
FRA is not altering the cost estimates for PTC from those in the analysis of the NPRM, because the costs of the second terminal were already reflected.
FRA notes that estimated cost of the second display will be about 4% of the total initial costs of PTC deployment. FRA has narrowly construed the PTC mandate to avoid separate monitoring of switches in signal territory, to avoid significant costs and potential delay related to following train collisions at low speed, and to provide generous exceptions where allowed by law (restricted speed in yards and terminals, passenger exceptions, Class II/III locomotives in limited operations on PTC lines, etc.)—actions that will save one or more billions of dollars during this initial implementation. If FRA believed a deviation from historic train control practice was warranted here to save 4% of the initial cost, we would happily provide it. We do not. FRA believes that the PTC systems contemplated today will, at some point in the future, all accept electronic transmission of mandatory directives. The cost of providing a terminal to the second crewmember, where applicable, reflects that reality. Were railroads not planning to have conductors acknowledge mandatory directives, the railroad could provide the conductor with a screen without input devices, or a clearer view of the engineer's screen, which have a much lower unit cost.
FRA has placed in the docket of this rulemaking a document prepared by FRA's Office of Research and Development, referencing available human factors literature. Although FRA has addressed this issue from the point of view of whether the cost is justified, FRA wishes to emphasize that, at bottom, it is most crucial whether it would be possible to responsibly implement PTC on the national rail system without engaging the participation of each assigned crew member. We conclude that no such possibility has been demonstrated. Further, based upon FRA's knowledge of railroad operations and experience with oversight of existing and emerging train control technologies, FRA determines that it is essential for safety that each assigned crew member be provided the information and access to system inputs required to fulfill the crew member's respective duties.
AAR again raises the issue of single occupant cabs as an issue of “crew resource management” best left to the railroads. FRA maintains that these operators will only be authorized to receive, review, and acknowledge mandatory directives or similarly interact with the PTC systems when their trains are not in motion.
In the NPRM, FRA noted:
[T]he principles of crew resource management and current crew briefing practices in the railroad industry require that all members of a functioning team (e.g., engineer, conductor, dispatcher, roadway worker in charge) have all relevant information available to facilitate constructive interactions and permit incipient errors to be caught and corrected. Retaining and reinforcing this level of cooperation will be particularly crucial during the early PTC implementation as errors in train consist information, errors generated in onboard processing, delays in delivery of safety warnings due to radio frequency congestion, and occasional errors in dispatching challenge the integrity of PTC systems even as the normal reliability of day-to-day functioning supports reductions in vigilance. Loss of crew cooperation could easily spill over to other functions, including switching operations and management of emergency situations.
Commenters generally made scant reference to this point. The AAR did include an attachment to its testimony captioned with reference to this point, but it begins with a summary task analysis to the effect that “the conductor is responsible for assisting in the operation.” How the conductor will assist without a copy of the requisite orders available, when the duty to copy mandatory directives is eliminated (as the AAR assumes it will be), is left unexplained.
This is a “far cry” from section 402 of the RSIA08, which requires that FRA adopt regulations for the certification of train conductors. In FRA's experience as the agency responsible for oversight of railroad operating rules and practices, the conductor plays a key role in rail freight over-the-road operations by, inter alia, determining the train consist, ensuring compliance with hazardous materials placement and documentation Start Printed Page 2674requirement, calling or acknowledging signals, receiving mandatory directives, conducting frequent briefings with the locomotive engineer to ensure compliance with movement restrictions, and intervening through use of the conductor's brake valve if the engineer is unresponsive or incapacitated. A conductor may be disciplined with the locomotive engineer if a signal is violated or if a slow order or other mandatory directive is disobeyed, and this regularly occurs. The conductor plays the determinative role in switching operations, issuing the directions for operation of the locomotive(s) so as to accomplish safely the placement or pick-up of rail cars at customer locations, the making up and breaking up of trains, and the conduct of brake tests when mechanical personnel are not available.
Again, the major freight railroads have said that their PTC systems will “overlay” existing methods of operations. Those existing methods are defined in their books of rules, timetables and special instructions. The General Code of Operating Rules, applicable to most railroad operations in the western U.S., provides at section 1.47 that “The conductor and engineer are responsible for the safety and protection of their train and observance of the rules.” It further provides that “The conductor supervises the operation and administration of the train.” “The conductor must remind the engineer that the train is approaching an area restricted by:
- Limits of authority.
- Track warrant.
- Track bulletin.
or
- Radio speed restriction.”
The rule continues: “To ensure the train is operated safely and rules are observed, all crew members must act responsibly to prevent accidents or rule violations. Crew members in the engine control compartment must communicate to each other any restrictions or other known conditions that affect the safety operation of their train sufficiently in advance of such condition to allow the engineer to take proper action.” The rule further requires communication of signals and enjoins crew members to “take action to ensure safety, using the emergency brake valve to stop the train, if necessary.”
The NORAC Operating Rules, applicable to a number of eastern U.S. railroads, provides at Rule 94 for general crew responsibilities similar to those quoted above. In addition, Rule 941 provides that “Conductors have general charge of the train to which they are assigned, and all persons employed thereon are subject to their instructions.”
Each railroad is free, within the constraints of the Railway Labor Act as to staffing, and subject to oversight by FRA with respect to safety, to determine its operating rules and assignment of responsibilities to its personnel. Nevertheless, FRA remains concerned that railroad operating crews function as a team, discharging their responsibilities on the basis of adequate information and using their knowledge of the operating situation to identify safety concerns and resolve them. Within this framework, each crew member must remain able to respectfully and helpfully question a judgment by another crew member. This general approach is known as “crew resource management” (CRM), a concept perfected in aviation and urgently pressed on the railroad industry by the National Transportation Safety Board and the FRA. See NTSB Recommendation R-99-13 (July 29, 1999). Major railroads have included CRM in their training programs.
The fear with respect to a diminution of crew integrity and efficiency associated with asymmetrical distribution of current operational data is that, not only may opportunities be lost to correct errors within PTC operations, but also that the conductor's lack of engagement will transfer to operations on lines not equipped with PTC. Further, any reduction in ability to function as a team could transfer, as well, to road and yard switching operations. Should this occur, the price paid for PTC would include additional casualties and property damage where PTC is not available as a safety net. A substantial portion of the Class I freight network, and much of the switching and terminal railroad mileage over which Class I crews also operate, will not be equipped under the current mandate and perhaps not for many years. How crews are conditioned to function together will influence their behavior both within and outside of the PTC-equipped network. In summary, FRA believes that maintaining the involvement of all assigned crew members in operating and responding to the PTC system is necessary to achieve the desired risk reduction expected of PTC systems and is also necessary to avoid degrading crew performance outside of PTC territory and during switching operations.
NYSMTA requested clarification that in a multiple unit passenger train consist: (a) A second PTC display in every train operator compartment is not required inasmuch as only the train operator occupies the compartment, and; (b) the PTC operator displays in train operator compartments in a consist, other than those from which the train is operated from, are not to display PTC information while the train is en route. The MTA railroads have been repeatedly reassured on this point, and we are pleased to do so once again here.
As previously noted, on September 25, 2009, FRA entered into the docket to this rulemaking a compendium of human factors literature relevant to the HMI regulations and compiled by FRA's Office of Research and Development. AAR then submitted late-filed supplemental comments—which posted to the docket on October 20, 2009, approximately two months after the closing of the comment period and three weeks after FRA entered the compendium into the docket—addressing various portions of the compendium. FRA believes that this final rule already addresses each one of AAR's substantial concerns in its supplemental comments. AAR also states that it “has been deprived of the opportunity to consider its comments in a deliberative fashion.” Supplemental Comment of the Association of American Railroads, Docket FRA-2008-0132-0055.1, at 3 (Oct. 20, 2009). However, contrary to AAR's suggestion, the Administrative Procedure Act (APA) does not require that FRA provide additional time to comment on the compendium. See, e.g., Credit Union Nat. Ass'n v. National Credit Union Admin., 57 F.Supp.2d 294, 302 (E.D. Va. 1995) (agency complied with the APA's notice and comment requirements, despite not disclosing certain data related to the rulemaking, because the agency had provided a reasonable opportunity to participate in the rulemaking process); see also Appalachian Power Co. v. E.P.A., 579 F.2d 846, 853 (4th Cir. 1978) (despite agency's failure to provide notice of certain data in advance of public hearings, interested parties were sufficiently advised of the scope and basis of the rulemaking to enable them to comment intelligently and meaningfully). Instead, the APA simply states that an agency must publish “the terms or substance of the proposed rule or a description of the subjects or issues involved.” 5 U.S.C. 553(b)(3). To meet the requirements of section 553, an agency “must provide sufficient factual detail and rationale for the rule to permit interested parties to comment meaningfully.” Florida Power & Light Co. v. United States, 846 F.2d 765, 771 (DC Cir. 1988), cert. denied, 490 U.S. 1045 (1989).Start Printed Page 2675
FRA has provided that opportunity in this proceeding. The research recited in the compendium simply provided for the benefit of interested parties additional information that had previously been made public, FRA's views on the import of the research were aired during RSAC meetings and are expressed at various points in the NPRM, and the railroads obviously had sufficient time to prepare 16 pages of comments on the compendium itself. Clearly, the commenters were not prejudiced by the inclusion of the compendium in the docket.
Section 236.1031 Previously Approved PTC Systems
FRA recognizes that substantial effort has been voluntarily undertaken by the railroads to develop, test, and deploy PTC systems prior to the passage of the RSIA08, and that some of the PTC systems have accumulated a significant history of safe and reliable operations. In order to facilitate the ability of the railroads to leverage the results of PTC design, development, and implementation efforts that have been previously approved or recognized by FRA prior to the adoption of this subpart, FRA is proposing an expedited certification process in this section.
Under paragraph (a), each railroad that has a PTC system that may qualify for expedited treatment would have to submit a Request for Expedited Certification (REC) letter. Products that have not received approval under the subpart H, or have that have not been previously recognized by FRA, would be ineligible. The REC letter may be jointly submitted by PTC railroads and suppliers as long as there is at least one PTC railroad. A PTC system may qualify for expedited certification if it fulfills at least one of the descriptions proposed in paragraphs (a)(1) through (a)(3). While these descriptions are objective in nature, FRA intends them to cover ETMS, ITCS, and ACSES, respectively. The versions or configurations recognized would depend upon the status at the time of the request.
Paragraph (a)(1) applies to systems that have been recognized or approved by FRA after submission of a PSP in accordance with subpart H. Subpart I generally reflects the same criteria required for a PSP under subpart H. Thus, FRA believes that most of the PTCDP and PTCSP requirements in subpart I can be fulfilled with the submission of the existing and approved PSP. However, FRA notes that the subject railroad will also need to submit the information required in a PTCDP and PTCSP that is not in the current PSP.
FRA also recognizes that certain PTC systems may currently operate in revenue service with FRA approval through the issuance of a waiver or order. Paragraphs (a)(2) and (a)(3) intend to cover those systems.
If a PTC system complying with paragraph (a)(1) is provided expedited certification, the system plans should ultimately match the criteria required for each PTCDP and PTCSP. As previously noted, a railroad may seek to use a PTC system that has already received a Type Approval. To extend this benefit as it applies to previously used systems for which expedited certification is provided, paragraph (b) gives the Associate Administrator the ability to provide a Type Approval to systems receiving expedited certification in accordance with paragraph (a)(1).
FRA recognizes that certain systems eligible for expedited certification may not entirely comply with the subsequently issued statutory mandate. Accordingly, under paragraph (c), FRA is compelled to require that before any Type Approval or expedited certification may be provided, the PTC system must be shown to reliably execute the same functionalities of every other PTC system required by subpart I. Nothing in this abbreviated process should be construed as implying the automatic granting by FRA of a Type Approval or PTC System Certification. Each expedited request for a Type Approval or PTC System Certification must be submitted by the railroad under this abbreviated process and, as required under subpart I, must demonstrate that the system reliably enforces positive train separation and prevents overspeed derailments, incursions into roadway worker zones, and movements through misaligned switches.
Under paragraph (d), FRA encourages railroads, to the maximum extent possible, to use proven service history data to support their requests for Type Approval and PTC System Certification. While proven service history cannot be considered a complete replacement for an engineering analysis of the risks and mitigations associated with a PTC product, it provides great creditability for the accuracy of the engineering analysis. Testing and operation can only show the absence or mitigation of a particular failure mode, and FRA believes that there will always be some failure modes that may only be determined through analysis. Due to this inherent limitation associated with testing and operation, FRA also strongly encourages the railroads to also submit any available analysis or information.
Paragraph (e) requires that, to the extent that the PTC system proposed for implementation under this subpart is different in significant detail from the system previously approved or recognized, the changes shall be fully analyzed in the PTCDP or PTCSP as would be the case absent prior approval or recognition. FRA understands that the PTC product for which expedited Type Approval and PTC System Certification is sought may differ in terms of functionality or implementation from the PTC product previously approved or recognized by FRA. In such a case, the service history and analysis may not align directly with the new variant of the product. Similarly, the available service history and analysis associated with a PTC product may be inconclusive about the reliability of a particular function. It is because of these possible situations that FRA can not unequivocally promise that all requests for expedited Type Approval and PTC System Certification submitted by a railroad under this subpart will be automatically granted. FRA will, however, apply the available service history and analytical data as credible evidence to the maximum extent possible. FRA believes that this still greatly simplifies each railroad's task in making its safety case, since the additional testing and analysis required need only address those areas for which credible evidence is insufficient. To reduce the overall level of financial resources and effort necessary to obtain sufficient credible evidence to support the claims being made for the safety performance of the product, FRA also encourages each railroad to share with other railroads a system's service history and the results of any analysis, even in the case where the shared information does not fully support a particular railroad's safety analysis.
Paragraph (f) defines terms used only in this section. “Approved” refers to approval of a PSP under subpart H. As this final rule was being prepared, only BNSF ETMS I configuration had been so approved, but other systems were under development. “Recognized” refers to official action permitting a system to be implemented for control of train operations under an order or waiver, after review of safety case documentation for the implementation. As this NPRM was being prepared, only ACSES I had been recognized under an order of particular applicability, and ACSES II was under review for potential approval. Only one system, the ITCS in place on Amtrak's Michigan line, had been approved for unrestricted revenue service under waiver.Start Printed Page 2676
FRA was unable to fashion an outright “grandfathering” of equipment previously used in transit and foreign service. FRA does not have the same degree of direct access to the service history of these systems. Transit systems—except those that are connected to the general railroad system—are not directly regulated by FRA. FRA has had limited positive experience eliciting safety documentation from foreign authorities, particularly given the influence of national industrial policies.
However, FRA believes that, while complete exclusion may not be available in those circumstances, procedural simplification may be possible. FRA is considering a procedure under which the railroad and supplier could establish safety performance at the highest level of analysis for the particular product, relying in part on experience in the other service environments and showing why similar performance should be expected in the U.S. environment. Foreign signal suppliers should be in a good position to marshal service histories for these products and present them as part of the railroad's PTCSP. For any change, the applicant must provide additional information that will enable FRA to make an informed decision regarding the potential impact of the change on safety. This information must include, but is not limited to, the following: (1) A detailed description of the change; (2) a detailed description of the hardware and software impacted by the change; (3) a detailed description of any new functional data flows resulting from the change; (4) the results of the analysis used to verify that the change did not introduce any new safety risks or, if the change did introduce any new safety risks, a detailed description of the new safety risks and the associated risk mitigation actions taken; (5) the results of the tests used to verify and validate the correct functionality of the product after the change has been made; (6) a detailed description of any required modifications in the railroad training plan that are necessary for continued safe operation of the product after the change; and (7) a detailed description of any new test equipment and maintenance procedures required for the continued safe operation of the product.
In the same vein, paragraph (g) encourages re-use of safety case documentation previously reviewed, whether under subpart H or subpart I.
Section 236.1033 Communications and Security Requirements
Subpart I provides specific communications security requirements for PTC system messages. Section 236.1033 originated from the radio and communications task force within the PTC Working Group. The objectives of the requirements are to ensure data integrity and authentication for communications with and within a PTC system.
In data communications, “cleartext” is a message or data in a form that is immediately comprehensible to a human being without additional processing. In particular, it implies that this message is transferred or stored without cryptographic protection. It is related to, but not entirely equivalent to, the term “plaintext.” Formally, plaintext is information that is fed as an input to a cryptographic process, while “ciphertext” is what comes out of that process. Plaintext might be compressed, encrypted, or otherwise manipulated before the cryptographic process is applied, so it is quite common to find plaintext that is not cleartext. Cleartext material is sometimes in plain text form, meaning a sequence of characters without formatting, but this is not strictly required. The security requirements are consistent with the Department of Homeland Security (DHS) guidance for SCADA systems and the National Institute of Standards and Technology guidance. FRA has coordinated this final rule with DHS.
Paragraph (a) establishes the requirement for message integrity and authentication. Integrity is the assurance that data is consistent and correct. Generally speaking, in cryptography and information security, integrity refers to the validity of data. Integrity can be compromised through malicious altering—such as an attacker altering an account number in a bank transaction, or forgery of an identity document—or accidental altering—such as a transmission error, or a hard disk crash. A level of data integrity can be achieved by mechanisms such as parity bits and cyclic redundancy codes. Such techniques, however, are designed only to detect some proportion of accidental bit errors; they are powerless to thwart deliberate data manipulation by a determined adversary whose goal is to modify the content of the data for his or her own gain. To protect data against this sort of attack, cryptographic techniques are required. Thus, appropriate algorithms and keys must be employed and commonly understood between the entity wanting to provide data integrity and the entity wanting to be assured of data integrity.
Authentication is the act of establishing or confirming something (or someone) as authentic. Various systems have been invented to provide a means for readers to reliably authenticate the sender. In any event, the communication must be properly protected; otherwise, an eavesdropper can simply copy the relevant data and later replay it, thereby successfully masquerading as the original, legitimate entity.
Sender authentication typically finds application in two primary contexts. Entity identification serves simply to identify the specific entity involved, essentially in isolation from any other activity that the entity might want to perform. The second context is data origin identification, which identifies a specific entity as the source or origin of a given piece of data. This is not entity identification in isolation, nor is it entity identification for the explicit purpose of enabling some other activity. Rather, this is identification with the intent of statically and irrevocably binding the identified entity to some particular data, regardless of any subsequent activities in which the entity might engage. Cryptographically based signatures provide nearly irrefutable evidence that can be used subsequently to prove to a third party that this entity did originate—or at least possess—the data.
Paragraph (b)(1) requires that cryptographic algorithms and keys used to establish integrity and authenticity be approved by either the National Institute of Standards & Technology (NIST) or a similar standards organization acceptable to FRA. As a practical matter, cryptographic algorithms can be believed secure by competent, experienced, and practicing cryptographers. This requires that the algorithms be publicly known and have been seriously studied by working cryptographers. Algorithms that have been approved by NIST (or similar standards bodies) can be assured of being both publicly known and seriously studied.
Paragraph (b)(2) allows the use of either manual or automated means to distribute keys. Key distribution is the most important component in secure transmissions. The general key distribution problem refers to the task of distributing keys between communicating parties to provide the required security properties. Frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system Start Printed Page 2677results with the key distribution technique, a term that refers to the means of delivering a key to two parties that wish to exchange data without allowing others to see the key. Key distribution can be achieved in a number of ways. There are various combinations by which a key can be selected manually or in automation amongst one or multiple parties.
Paragraph (b)(3) establishes the conditions under which cryptographic keys must be revoked. Paragraph (b)(3)(i) addresses the situation when a key has actually been found to have been compromised and when the possibility of key compromise exists. Cryptographic algorithms are part of the foundations of the security house, and any house with weak foundations will collapse. Adequate procedures should be foreseen to take an algorithm out of service or to upgrade an algorithm which has been used beyond its lifetime.
Paragraph (d) addresses physical protection as applied to cryptographic equipment. Compliance does not necessitate locking devices within mechanical safes or enclosing their electronics within thick steel or concrete shields (i.e., making them tamper-proof). Compliance does, however, involve using sound design practices to construct a system capable of attack detection by a comprehensive range of sensors (i.e., tamper resistant). The level of physical security suggested should be such that unauthorized attempts at access or use will either be unsuccessful or will have a high probability of being detected during or after the event. Additionally, the cryptographic equipment should be prominently situated in operation so that its condition (outward appearance, indicators, controls, etc.) is easily visible to minimize the possibility of undetected penetration. In any system containing detection and destruction methods as described here, there is naturally a cost penalty for providing very high levels of tamper resistance, due to construction and test requirements by the manufacturer. It is naturally important to analyze the risks of key disclosure against cost of protection and specify a suitable implementation.
Confidentiality has been defined by the International Organization for Standardization (ISO) as “ensuring that information is accessible only to those authorized to have access.” Confidentiality, integrity, and authentication all rely on the same basic cryptographic primitives—algorithms with basic cryptographic properties—and their relationship to other cryptographic problems. These primitives provide fundamental properties, which guarantee one or more of the high-level security properties. In paragraph (e)(1), FRA makes it clear that while providing for confidentiality of message data is not a regulatory requirement, if confidentiality is elected to be implemented by a railroad, that the same protection mechanisms applicable to the cryptographic primitives that support integrity and authentication must also be provided for the cryptographic primitives that support confidentiality.
It is only the difficulty of obtaining the key that determines security of the system, provided that there is no analytic attack (i.e., a “structural weakness” in the algorithms or protocols used), and assuming that the key is not otherwise available (such as via theft, extortion, or compromise of computer systems). A key should therefore be large enough that a brute force attack (possible against any encryption algorithm) is infeasible, whereas the attack would take too long to execute. Under information theory, to achieve perfect secrecy, it is necessary for the key length to be at least as large as the message to be transmitted and only used once (this algorithm is called the one-time pad). In light of this, and the practical difficulty of managing such long keys, modern cryptographic practice has discarded the notion of perfect secrecy as a requirement for encryption, and instead focuses on computational security. Under this definition, the computational requirements of breaking an encrypted text must be infeasible for an attacker. Paragraph (e)(2) requires that in the event that a railroad elects to implement confidentiality, the chosen key length should provide the appropriate level of computational complexity to protect the information being protected, and that this information be included in the PTCSP. Both academic and private organizations provide recommendations and mathematical formulas to approximate the minimum key size requirement for security based on mathematic attacks; they generally do not take algorithmic attacks, hardware flaws, or other such issues into account. Paragraph (e)(2) has been revised in the final rule to correct an erroneous cross-reference to the security requirements set forth in § 236.1013(a)(7).
Key management—the process of handling and controlling cryptographic keys and associated material during their life cycle in a cryptographic system—includes ordering, generating, distributing, storing, loading, escrowing, archiving, auditing, and destroying the different types of material. Paragraph (e) requires that cleartext stored cryptographic keys be protected from unauthorized disclosure, modification, or substitution. During key management, however, it may be necessary to validate the accuracy of the key being entered, especially in cases where the key management process is being done manually. During the key entry process, keys not encrypted to protect against disclosures may be temporarily displayed to allow visual verification. However, if the key has been encrypted to protect against disclosure, then the cleartext version of the key may not be displayed. This does not, however, preclude the display of the encrypted version of the key.
In paragraph (f), FRA requires that each railroad implement a service restoration and mitigation plan to address restoral of communications services in the event of their loss or disruption and to make this plan available to FRA. Loss of communications services reduces or eliminates the effectiveness of a PTC system and FRA requires that these critical safety systems, once implemented, are restored to operation as soon as practical. FRA believes that the restoration plan must include testing and validating the plan, communicating the plan, and validating backup and restoration operations.
To ensure that these or any other procedures work in the railroad's operational environment, the railroad must validate each procedure intended for implementation. The backup and restoration plan should clearly describe who is to implement procedures and how they are to do it. The primary information to be communicated includes: The team or person (specified as an individual or a role) that is responsible for determining when restoration of service is required and the procedures to be used to restore service, as well as the team or person responsible for implementing procedures for each restoration scenario; the criteria for determining which restoration procedures are most appropriate for a specific situation; the time estimates for restoration of service in each restoration scenario; the restoration procedures to be used, including the tools required to complete each procedure; and the information required to restore data and settings.
Finally, paragraph (g) makes clear that railroads are permitted to implement more restrictive security requirements provided the requirements do not adversely impact the interoperability.Start Printed Page 2678
FRA has received no comments on § 236.1033 and has adopted it as proposed.
Section 236.1035 Field Testing Requirements
Initial field or subsequent regression testing of a PTC product on the general rail system is often required before the product has been certified in order to obtain data to support the safety case presented in the PTCSP. To ensure the safety of the public and train crews, prior FRA approval is required to conduct test operations on the general rail system. This paragraph provides an alternative to the waiver process when only part 236 regulations are involved. When regulations concerning track safety grade crossing safety or when operational rules are involved, however, this process would not be available. Such testing may also implicate other safety issues, including adequacy of warning at highway-rail crossings (including part 234 compliance), qualification of passenger equipment (part 238), sufficiency of the track structure to support higher speeds or unbalance (part 213), and a variety of other safety issues, not all of which can be anticipated in any special approval procedure. Approval under this part for testing does not grant relief from other parts of this title and the railroads must still apply for relief from the non-part 236 regulations under the discrete special approval sections of those regulations, the provisions of part 211 related to waivers, or both.
The information required for this filing is described in paragraphs 236.1035(a)(1) through (a)(7). This information is necessary in order for FRA to make informed decisions regarding the safety of testing operations. FRA would prefer that the informational filings to test under this part be accompanied by any requests for relief from non-part 236 regulations so that they may be considered as a whole.
Paragraph (b) provides notification that FRA may—based on the results of the review of the information provided in paragraph (a) and in order to provide additional oversight to ensure the safety of rail operations—impose special conditions on the execution of the testing, including the appointment of an FRA test monitor. When a test monitor is appointed, he or she has the authority to stop testing if unsafe conditions arise, require additional tests as necessary to demonstrate the safe operation of the system, or have tests rerun when the results are in question.
Paragraph (c) reemphasizes the earlier discussion that either temporary or permanent requests for relief for other than requirements of part 236 must be submitted in accordance with the waiver processes specified by part 211.
FRA has received no comments on § 236.1035 and has adopted it as proposed.
Sections 236.1037 Through 236.1049
In subpart H, §§ 236.917 through 236.929 contain various requirements that involve PSPs. FRA believes that these requirements should apply equally to PTC systems governed by subpart I. FRA has included §§ 236.1037 to 236.1049 to inform interested parties how these elements would apply. FRA intends that the meanings of those sections in subpart H, as described in the preamble to its proposed and final rules, would also apply equally in the context of this final rule. While FRA has considered amending these sections in subpart H to incorporate references to subpart I, FRA believes such an attempt and its results would be cumbersome and awkward. Thus, FRA has included the provisions in subpart I for clarity.
The Rail Labor Organizations have expressed support for the training and qualification provisions in §§ 236.1041, 236.1045, 236.1047, and 236.1049 and support an expansion of PTC personnel training requirements, as necessary, based upon experience gained and any training deficiencies identified during operations of these systems. The RLO states that training on the PTC system is essential for all employees who will interface with this technology. While the RLO supports the requirement that employees must maintain the skill level necessary to safely operate trains, they urge FRA to consider that the “4 hour work period” of manual operation of a train should be conducted not less often than once in any given tour of duty. Considering that the maximum workday (except in extreme emergencies) is 12 hours, the locomotive engineer will then be manually operating the train at least 33% of the time. FRA has considered this suggestion for a change in the approach from subpart H. However, FRA believes that this is an issue that should be more specifically addressed in the PTCSP for the system, should automatic operation ever be proposed.
Appendix A to Part 236—Civil Penalties
Appendix A to part 236 contains a schedule of civil penalties for use in connection with this part. FRA is revising this schedule of civil penalties through issuance of the final rule to reflect the addition of subpart I to this part.
Appendix B to Part 236—Risk Assessment Criteria
FRA hereby modifies Appendix B of part 236 to enhance the language for risk assessment criteria in light of the experience gained during the initial stage of PTC system implementation under subpart H and to accommodate the requirements of subpart I regulating the use of mandatory PTC systems. As modified, Appendix B includes certain headings and new language in paragraphs (a) through (h).
Paragraph (a) reflects the change in the required length of time over which the system's risk must be computed. FRA replaces the requirement to assess risk for the system “over the life-cycle of 25 years or greater” with the requirement to assess risk “over the designed life-cycle of the product.” FRA believes that the language is consistent with the preamble discussion of the subpart H final rule inasmuch that they do not specify the length of a system's life cycle, thereby providing flexibility for new processor-based systems to have a life cycle other than 25 years.
FRA hereby modifies paragraph (b) only to clarify FRA's intent.
FRA hereby modifies the heading and content of paragraph (c) to better identify the main purpose of this requirement and to ensure its consistency with the associated requirements of §§ 236.909(c) and (d). FRA believes that previous paragraph (c) and its heading did not fully support or clarify the main intent of subpart H, which requires that the total cost of hazardous events should be the risk measure for a full risk assessment and that the mean time to hazardous event (MTTHE) calculations for all hazardous events should be the risk measure for the abbreviated risk assessment. The existing subpart H text asks for both the base case and the proposed case to be expressed in the same metrics. Paragraph (c) of this appendix, as written prior to the issuance of this final rule, did not fully reflect FRA's intent that the same risk metric is to be used in the risk assessment for both the previous and current conditions (see § 236.913(g)(2)(vii)). FRA believes that the revised title of this paragraph poses the right question and that its new language provides better guidance on how to perform risk assessment for previous and current conditions.
FRA hereby modifies the heading and text of paragraph (d) to create a comprehensive and detailed list of system characteristics that must be included in the risk assessment for each proposed PTC system subject to requirements of subpart H or subpart I, Start Printed Page 2679or both, as applicable. FRA believes that the extended description of system characteristics better suits the risk assessment requirements of subpart H and subpart I. For example, the revisions clarify that the risk assessment must account for the total volume of traffic, the type of transported freight materials (PIH, TIH), and any additional requirements for PTC systems with trains operating at certain speeds.
FRA hereby modifies paragraph (e) to clarify its intent and reflect the industry's experience in risk assessment techniques gained during the initial stage of PTC system implementation under subpart H. In the language of paragraph (e), FRA provides more specific guidance on how to derive the main risk characteristics, MTTHE, and what role reliability and availability parameters, such as mean time to failure (MTTF) or mean time between failures (MTBF), for different system components can play while assessing risk for vital and non-vital hardware or software components of the system. FRA emphasizes that it is critical that each railroad and its vendors or suppliers include the software failure rates into risk assessments for the system. FRA also finds it necessary to advise each railroad and its vendors or suppliers to include reliability and availability characteristics, such as MTTF or MTBF, into its risk assessment to account for potential system exposure to hazards during system failures or malfunctioning when the system operates in its fall back mode—the back-up operation, as described in the PTCSP, when the PTC system fails to operate.
FRA believes that the modifications to paragraph (e) more accurately address the industry's need for clarity in interpretation and execution of the requirements related to risk assessment. FRA received comments from HCRQ/CGI noting that the phrases “frequency of hazardous events” and “failure frequency”, which were contained in paragraph (e) of the proposed rule, are equivalent. HCRQ/CGI therefore recommended that FRA revise the second sentence in paragraph (e) to read as follows: “The MTTHE is to be derived for both fail-safe and non-fail-safe subsystems or components.” FRA agrees with this recommendation and has therefore revised the second sentence of paragraph (e) accordingly.
Several commenters questioned whether additional guidance on acceptable methods for calculating MTTHE values for processor-based subsystems and components can be given by FRA. FRA believes it is inappropriate to provide this guidance in the text of the final rule, especially counting the fact that FRA is not to be involved in all aspects of the design and engineering associated with a product. Any guidance that FRA could provide would not reflect the level of understanding that the vendor(s) or supplier(s) and system integrators of the product should have gained throughout the design and implementation process that would enable them to specify, evaluate and determine such critical measures as MTTF, MTBF, and MTTHE. There is a large body of publicly available work from the research and engineering community that addresses various perspectives on determination of appropriate methods of determining MTTHE and other related parameters. Upon receipt of the risk assessment documentation in the PTCSP, FRA will provide feedback on the appropriateness of a vendor, supplier, or railroad selected methodology for determining MTTHE and the acceptability of the results of calculations based on that methodology with respect to regulatory acceptability. However FRA views the specification and determination of appropriate MTTHE and other design parameters as a fundamental responsibility of the system integrator, vendor, or supplier that neither can nor should be abrogated.
FRA received comments on the last sentence in paragraph (f)(1) from HCRQ/CGI, in which HCRQ/CGI asserted that “permanent” faults would result in an MTTHE of zero. In addition, HCRQ/CGI asserted that “transient” by definition is something that comes and then goes away, which may never be detected. Thus, HCRQ/CGI questioned how one could determine the rate of its occurrence. In order to address these concerns, HCRQ/CGI recommended that FRA revise the last sentence in paragraph (f)(1) to read as follows: “The MTTHE calculation must consider the rates of failures caused by contributory faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased interval maintenance, and restoration of the detected failures.”
In response to this comment, FRA would like to reiterate that the main intent of the requirement specified in paragraph (f)(1) was to request that the statistics on subsystem or component failures available for MTTHE calculation must be used in its entirety. This means that all types of failures (faults) observed during subsystem or component operation should be accounted for, regardless of the types of failures by their appearance to the observer (permanent, transient or intermittent), and regardless of whether the failure was caused by the fault of the subsystem or component itself or by errors of the operating agent (human factor associated with operation, maintenance or restoration of the subsystem). FRA feels that replacing the enumerated in the original text types of faults “permanent, transient, and intermittent” with the term “contributory faults” will not assure that all types of faults will be accounted for. FRA also notes that the derivation of MTTHE for the operating system, subsystem or component for which the risk assessment is to be performed is a complex process which may require the use of Fault Tree Analysis or other relevant techniques. These techniques will use the probabilities of single point component failures identified for the system. This process cannot lead to MTTHE of zero value. Neither can this process result in MTTHE being equal to infinity. The calculated probability of accidents (the inverse value of MTTHE) may be infinitely small to the extent that the safety requirement of this Part is met (i.e., during the entire life time of the system it is very unlikely for the accident to occur), but rarely will the probability of such events be zero in a practical world. Based on this reasoning, FRA retains the text in proposed paragraph (f)(1).
FRA hereby modifies paragraph (f)(2) to reflect FRA's understanding that a software failure analysis may not necessarily be based on MTTHE “Verification and Validation” processes and that MTTHE characteristics cannot be easily obtained for the system software components. The modification intends to outline the significance of detailed software fault/failure analysis and software testing to demonstrate repeatable predictive results that all software defects are identified and corrected.
FRA received comments from HCRQ/CGI on paragraph (f)(2), in which HCRQ/CGI asserted that “proper” assessment is open to interpretation, while Real Time Operating System (RTOS) “evaluation” is possible. HCRQ/CGI also asserted that the assessment of device driver software would require the source code, which is usually proprietary. Thus, HCRQ/CGI recommended that the assessment should include Commercial Off-The-Shelf (COTS) software, if incorporated, other than the operating system. HCRQ/CGI asserted that FRA could make this change by revising the first sentence in paragraph (f)(2) to read as follows: “Software fault/failure analysis must be based on the assessment of the design and implementation of the application code, an evaluation of the operating/Start Printed Page 2680executive program and other COTS software components.” HCRQ/CGI also commented that it is not possible to demonstrate that all software defects have been identified with a high degree of confidence. HCRQ/CGI quotes a famous statement made years ago (author unknown): “It is common in industry to find a piece of software, which has been subjected to a thorough and disciplined testing regime, has serious flaws.” HCRQ/CGI asserted that it is not clear what “high degree of confidence” implies. Therefore, HCRQ/CGI recommended that the last sentence in paragraph (f)(2) be revised to read as follows: “The software assessment process must demonstrate, through repeatable predictive results, that the software operates as specified without error.”
In response to this comment, FRA revises paragraph (f)(2) to replace the phrase “proper assessment” with the word “assessment,” and to specify that “all safety-related software” should be included in the software fault/failure analysis including COTS software.
However, FRA disagrees with the commenter that, in the requirement for the software defects to be identified and corrected with the “high degree of confidence,” the term “high degree of confidence” requires further clarification. The definition of this term is already given in the preamble discussion for § 236.903 in subpart H of this part. See 70 FR 11,052, 11,067 (Mar. 7, 2005). This term is widely issued in sections of this part related to safety and risk assessment. Therefore, FRA leaves the last sentence of paragraph (f)(2) unchanged.
FRA hereby modifies paragraph (g) to clarify that MMTHE calculations should account for the restoration time after system or component failure and that the system design must be assessed for adequacy through the Verification and Validation process.
HCRQ/CG, in reference to paragraph (g)(1), repeated its comment given for the last sentence in paragraph (f)(1) that relates to the types of faults (permanent, transient).
FRA notes that the explanations provided in FRA's response to this comment for paragraph (f)(1) are also applicable for this paragraph and therefore includes the text of proposed (g)(1) in the final rule.
FRA hereby modifies paragraph (h) to emphasize the need to document all assumptions made during the risk assessment process. FRA believes that the assumptions should be documented while deriving the total cost of potential accident consequences for full risk assessment or MTTHE values for abbreviated risk assessment, rather than only documenting assumptions for other intermediate parameters, such as MTTF and Mean Time To Repair (MTTR), as currently required. These two referenced parameters may or may not be relevant for the risk assessment.
FRA received comments from HCRQ/CGI on paragraph (h)(1), in which HCRQ/CGI asserted that the first sentence should be its own paragraph. However, HCRQ/CGI also asserted that the proposed rule text was unclear as to how the railroad would be expected to comply with this requirement.
FRA disagrees with the commenter that the paragraph (h)(1) should be restructured and that further clarification is required for the process of documenting all assumptions made while deriving the risk metrics that are to be used in the risk assessment for the product. In order for FRA to assess the validity of risk assessment done by railroads for their particular products, all assumptions made by the railroad in regards of deriving chosen risk metrics shall be presented along with the risk assessment. This is critical for the further confirmation that the assumptions made were correct based on the following in-service experience. Documenting assumptions made in the process of risk analysis is rather common procedure recommended by various studies in safety and reliability engineering.
In its comments, HCRQ/CGI also asserted that there is no need to specify an “automated” process for comparing risk assessment assumptions with actual experience. This comment also was made for the similar text in paragraph (h)(3). Thus, HCRQ/CGI recommended that FRA revise the last sentence of paragraph (h)(1) to read as follows: “The railroad shall document these assumptions in such a form as to permit later comparisons with in-service experience.” FRA agrees with this comment and has therefore revised the last sentences of paragraphs (h)(1) and (h)(3) accordingly.
HCRQ/CGI also submitted comments on paragraph (h)(4), asserting that the language in this paragraph seems to imply that a detailed document, separate from the fault trees themselves, is required, which would be very costly. Therefore, HCGI/CGI recommended that FRA revise paragraph (h)(4) to read as follows: “The railroad shall document all of the identified safety critical fault paths to a mishap.”
FRA does not see the need to eliminate the clause in the first sentence “as predicted by the safety analysis methodology,” but finds it necessary to clarify that no additional tool to that chosen by the railroad for the risk assessment is required by this paragraph.
Appendix C to Part 236—Safety Assurance Criteria and Processes
FRA hereby modifies Appendix C to part 236 to enhance and clarify its language, reorganize the existing list of safe system design principles in accordance with the well established models of system safety engineering, and augment the list of safe system design principles with the principles related to safe system software design. A safe state is a system state that the system defaults to in the event of a fault or failure or when unacceptable or dangerous conditions are detected. The safe state is a state when the hazardous event cannot occur. This final rule revises proposed paragraph (a) to reflect the main purpose of this appendix in clear, accurate, and consistent language that will be repeatedly used throughout the appendix. It also outlines that the requirements of this appendix will be applicable to each railroad's PTCIP and PTCSP, as required by subpart I.
This final rule modifies and restructures paragraph (b) to consistently present a complete list of safety assurance principles properly classified or categorized in accordance with well established system safety engineering principles that need to be followed by the designer of the system to assure that all system components perform safely under normal operating conditions and under failures, accounting for human factor impacts, external influencing, and procedures and policies related to maintenance, repair, and modification of the system. FRA also adds language indicating that these principles must also be applicable to PTC systems designed and implemented under the requirements of subpart I. FRA's intent in initially promulgating Appendix C was to ensure that safety principles are followed during the design stage and that Verification and Validation methods are used to assure that the product meets the safety criteria established in § 236.909. The heading of this paragraph and its subparagraphs are changed to more adequately and precisely capture this paragraph's purpose. For instance, FRA hereby modifies the heading of paragraph (b)(1) to better suit the chosen base of classification for all safety principles under paragraph (b).
HCRQ/CGI submitted comments asserting that the third sentence of paragraph (b)(1) implies that the system will operate safely in the presence of human error. Questioning whether this Start Printed Page 2681would be possible, HCRQ/CGI recommended deletion of this sentence.
In order to avoid ambiguity in interpreting the important requirement spelled out in the third sentence of this paragraph, FRA revises it to read as follows: “The system shall operate safely even in the absence of prescribed operator actions or procedures.”
With respect to the fifth sentence in paragraph (b)(1), HCRQ/CGI asserted that it is a rare situation when hazards can be “eliminated.” Therefore, HCRQ/CGI recommended that FRA revise the fifth and sixth sentences of proposed paragraph (b)(1) to read as follows: “The safety order of precedence is to eliminate hazards categorized as unacceptable or undesirable. If this is not possible or practical, these hazards should be mitigated to acceptable levels as required by this part.”
FRA agrees with the commenter that the last clause in this paragraph discussing elimination of unacceptable and undesirable hazards requires modification and revises this clause by adding extra clarifying sentence in the final rule for the entire clause to read as follows: “Hazards categorized as unacceptable, which is determined by hazard analysis, must be eliminated by design. Best effort must be made by the designer to also eliminate by design the hazards categorized as undesirable. Those undesirable hazards that cannot be eliminated should be mitigated to the acceptable level as required by this part.”
HCRQ/CGI submitted comments on the first and second sentences of paragraph (b)(2)(ii), asserting that it is not possible to implement a system that would continue to operate safely in the presence of multiple hardware failures. Therefore, HCRQ/CGI recommended that FRA revise the first and second sentences of paragraph (b)(2)(ii) to read as follows: “The product must be shown to operate safely under conditions of random hardware failure. This includes single failures and multiple hardware failures where one or more failures.”
FRA agrees with the commenter that the paragraph requires modification and revises the first two sentences to read as follows: “The product must be shown to operate safely under conditions of random hardware failures. This includes single hardware failures as well as multiple hardware failures that may occur at different times but remain undetected (latent) and react in combination with a subsequent failure as a later time to cause an unsafe operating situation.”
HCRQ/CGI asserted that the meaning of each of the last sentences in paragraphs (b)(2)(iii) and (b)(2)(iv) was unclear. In order to address this concern, HCRQ/CGI recommended that the last sentence in paragraph (b)(2)(iii) be revised to read as follows: “Occurrence of credible single point failures that can result in hazards must be detected and the product must achieve a known safe state before inadvertently activating any physical appliance.” Similarly, HCRQ/CGI recommended that the last sentence in paragraph (b)(2)(iv) be revised to read as follows: “If one non-self-revealing failure combined with a second failure can cause a hazard that is categorized as unacceptable or undesirable, then the second failure must be detected and the product must achieve a known safe state before inadvertently activating any physical appliance.”
FRA agrees with the commenter and revises the referenced sentences in paragraphs (b)(2)(iii) and (b)(2)(iv) for the sentences to end with the following clause: “* * * the product must achieve a known safe state that eliminates the possibility of false activation of any physical appliance.”
Under paragraph (b)(3), FRA amends the definition of Closed Loop Principle to reflect its industry accepted definition provided by the AREMA Manual. FRA believes that the previous definition was too general and did not reflect the essence of the most significant principles of safe signaling system design.
HCRQ/CGI submitted comments on the last sentence of paragraph (b)(3), asserting that the sentence is confusing because all system operation is a product of actions and decisions. In order to provide clarification, HCRQ/CGI recommended that FRA revise the last sentence of paragraph (b)(3) to read as follows: “In addition, closed loop design requires that failure to perform a single logical operation, or absence of a single logical input, output or decision shall not cause an unsafe condition, i.e. system safety does not depend upon the occurrence of a single action or logical decision.”
FRA has made an effort to perfect the definition of close loop principle in the NPRM and found it satisfactory to adopt the definition given in the 2009 issue of AREMA Communication and Signal Manual of Recommended Practices. FRA does not see the need for further enhancement of this definition.
Under paragraph (b)(4), FRA adds a list of Safety Assurance Concepts that the designer may consider for implementation to assure sail-safe system design and operation. These principles are predominantly applicable for the safe system software design and quoted from the IEEE-1483 standard. Based on this amendment, FRA also renumbers some of the remaining subparagraphs of paragraph (b) to follow the chosen scheme for the proper classification and sequence of safety principles.
GE asserts that more detail is required for the Human Factor Engineering Principle in paragraph (b)(5), which is part of the section on “safety principles during product development.” There are two components to applied Human Factor engineering in system safety: The component of ergonomic design and the system risk contribution of the human interaction with the system, along with the degree of dependency on the operator for safety coverage. According to GE, the latter is missing from the discussion and is most relevant to the safety principles section.
In response to this comment, FRA would like to emphasize that the main purpose of Appendix C is to provide safety criteria and processes for design of safe systems, or fail-safe, or vital signaling systems that by definition must exclude any hazards associated with human errors. The “reliance factor” or, in other words, the possibility of hazards arising due to overreliance of the operator on the proper functioning of the system itself, which the commenter is referring to, is an issue solely relevant to the non-vital overlays complementing existing method of operation. For non-vital signaling systems the designer must adhere to the safety principles of Appendix C only to the extent necessary to satisfy the safety requirements of this part. Therefore FRA does not see a need for further modification of paragraph (b)(5).
This final rule amends paragraph (c) to reflect the changes in recommended standards. For instance, the standard “EN50126: 1999, Railway Applications: Specification and Demonstration of Reliability, Availability, Maintainability and Safety” (RAMS) is superseded by the standard IEC62278: 2002 under the same title. The standard “EN50128 (May 2001), Railway Applications: Software for Railway Control and Protection Systems” is superseded by the Standard IEC62279: 2002 under the same title.
HCRQ/CGI submitted comments asserting that the U.S. Department of Defense Military Standard (MIL-STD) 882C, “System Safety Program Requirements” (January 19, 1993) has been superseded by U.S. Department of Defense Military Standard (MIL-STD) 882C, “System Safety Program Requirements”, Notice 1 (January 19, 1996)”.
In the NPRM, FRA suggested that railroads follow recommendations of MIL-STD-882C of January 19, 1993 Start Printed Page 2682issuance specifically. The notice issued on January 19, 1996 does not contain material necessary for the risk analysis, verification and validation processes. Therefore FRA retains the former reference to MIL-STD-882C of January 19, 1993.
Under paragraph (c)(3)(i), FRA references additional IEEE standards that have become available and will support the designs of PTC systems that are widely using communications as their main component. In addition to existing reference under paragraph (c)(3)(i)(A) for IEEE-1483 Standard, the following standards are added to paragraph (c)(3)(i): IEEE 1474.2-2003, Standard for user interface requirements in communications based train control (CBTC) systems; and IEEE 1474.1-2004, Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements.
After an analysis of the current applicability of ATCS Specification 130 and 140, FRA believes that they are not being used. Thus, FRA hereby removes these standards from the list of referenced standards. However, FRA also adds the ATCS 200, Data Communication standard that remains relevant for communication segment of PTC system designs.
FRA also considers it necessary to reference several additional sections of the current AREMA 2009 Communications and Signal Manual of Recommended Practices. In addition to Section 17 of this manual referenced in a previous version of Appendix C, FRA hereby adds to the list of references Section 16 Vital Circuit and Software Design; Section 21 Data Transmission; and Section 23 Communication-Based Signaling.
Appendix D to Part 236—Independent Review of Verification and Validation
There has been no change in the underlying engineering principles associated with Appendix D. The changes made in this final rule are cosmetic, simply updating the Appendix so that it is applicable to both subpart H and I, and reducing the workload on the vendor or supplier, the railroad, and FRA. FRA determined that it would have been more burdensome to refer to different Appendices that are functionally identical, and whose only practical difference would be that one referred only to subpart H, and the other to subpart I of this part.
Paragraph (a) discusses the purpose of an independent third-party assessment of product Verification and Validation. FRA's position that the requirement for an independent third-party assessment is reasonably common in the field of safety-critical systems remains unchanged. FRA's recent experience confirms that this approach can enhance the quality of decision making by railroads and FRA. The potential for undergoing a third party audit provides incentives to those who design and produce safety-critical systems to more rigorously create and maintain safety documentation for their systems. FRA acknowledges that documentation, by itself, will not ensure a safe system. However, the absence of documentation will make it virtually impossible to ensure the safety of the system throughout its life-cycle. The third party also brings a level of technical expertise, and a perspective that may not be available on the staff of the railroad (or FRA)—effectively permitting the railroad (and thus FRA) to look behind claims of the vendor or supplier to actual engineering practice. This may be especially appropriate where the system in question utilizes a novel architecture or relies heavily on COTS hardware and software.
Paragraph (b) establishes the requirements for independence of the third-party auditor. The text associated with the underlying principle of independence has simply been clarified to indicate that there must be independence at all levels of the product design and manufacture. This situation has arisen where a third party wished to provide independent safety assessments of the system, but also provide technical support for the design of a component that would be used in the system being reviewed. FRA maintains that such practices, even if the entity in question attempts to firewall the parts of the organization doing the respective tasks, represents a conflict of interest and is unacceptable.
Paragraphs (c) through (f) discuss the substance of the third-party assessment. This assessment should be performed on the system as it is finally configured, before revenue operations commence. The assessor should review the supplier's processes as set forth in the applicable documentation and provide comments to the supplier. The reviewer should be able to determine vulnerabilities in the supplier's processes and the adequacy of the safety analysis (be it in an RSPP and PSP or in a PTCDP and PTCSP) as they apply to the product. “Acceptable methodology” is intended to mean standard industry practice, for example, as contained in MIL-STD-882C. FRA is aware of many other acceptable industry standards, but usage of a less common one in an analysis would most likely require a higher level of FRA scrutiny. In addition, the reviewer considers the completeness and adequacy of the required safety documents.
Paragraph (d) discusses the reviewer's tasks at the functional level. Here, the reviewer will analyze the supplier's methods to establish that they are complete and correct. First, a Preliminary Safety Analysis is performed in the design stage of a product. In addition to describing system requirements within the context of the concept of operations, it attempts, in an early stage, to classify the severity of the hazards and to assign an integrity level requirement to each major function (in conventional terms, a preliminary hazard analysis). Again there are many practices widely accepted within industry such as: Hazard Analysis (HA), Fault Tree Analysis (FTA), Failure Mode and Effects Analysis (FMEA), and Failure Modes, Effects, and Criticality Analysis (FMECA). Other simulation methods may also be used in conjunction with the preceding methods, or by themselves when appropriate. Commonly practiced techniques and methods include fault injection, a technique that evaluates performance by injecting known faults at random times during a simulation period; Markov modeling, a modeling technique that consists of states and transitions that control events; Monte Carlo model, a simulation technique based on randomly-occurring events; and Petri-net, an abstract, formal model of information flow that shows static and dynamic properties of a system.
Paragraphs (e) and (f) address what must be performed at the implementation level. At this stage, the product is beginning to take form. The reviewer typically evaluates the software and, if appropriate or required, the hardware. In the case of software, the software will most likely be in modular form, such that software modules are produced in accordance to a particular function. In the case of hardware, this may be at the component or line replaceable unit level. The reviewer must select a significant number of modules to be able to establish that the product is being developed in a safe manner.
Paragraph (g) discusses the reviewer's tasks at closure. The reviewer's primary task at this stage is to prepare a final report where all product deficiencies are noted in detail. This final report may include material previously presented to the supplier during earlier development stages.
FRA received several comments on Appendix D related to the proper documentation to be reviewed by the third-party reviewer according to Start Printed Page 2683paragraph (d)(1), the scope of hazard analysis required to be reviewed by paragraph (d)(2), and the methods of software development techniques to be reviewed according to paragraph (f)(2)(vii). These comments are the same as those submitted by the commenter on the text of Appendix F. Due to the wider applicability of these comments to the material presented in Appendix F, FRA has provided a response to these comments in the section-by-section analysis for Appendix F.
Appendix E to Part 236—Human-Machine Interface (HMI) Design
Appendix E provides human factors design criteria. Paragraphs (a) through (f) cover the same material as was previously contained in Appendix E. See 70 FR 11,107 (March 7, 2005). However, Appendix E has been reformatted to support its use for subparts H and I of this part and, with a few exceptions, is textually the same. This Appendix still addresses the basic human factors principles for the design and operation of displays, controls, supporting software functions, and other components in processor-based signal or train control systems and subsystems regardless if they are voluntarily implemented (as is the case with systems qualified under subpart H of this part) or mandatorily implemented (as is the case with systems developed under subpart I of this part). The HMI requirements in this Appendix attempt to capture the lessons learned from the research, design, and implementation of similar technology in other modes of transportation and other industries. The rationale for each of the requirements associated with paragraphs (a) through (f) remains the same as was presented in the former version of Appendix E. See 70 FR 11,107, 11,090-11,091 (Mar. 7, 2005).
FRA has noted that products implemented under the requirements of subpart H of this part, or proposed products that will be developed under subpart I of this part, all have been capable of generating electromagnetic radiation. Such emissions are strictly regulated by the Federal Communications Commission for public safety and health, as well as to ensure that the limited electromagnetic spectrum is optimally utilized. FRA is therefore adding a new paragraph (h) to Appendix E, which requires that as part of the HMI design process, the designer must ensure that the product has the appropriate FCC Equipment Authorization, and that the product meets FCC requirements for Maximum Permissible Exposure limits for field strength and power density. Paragraph (g) does not levy any new regulatory requirements. The requirements cited are mandatory FCC requirements for any device that emits electromagnetic radiation that the system designer must comply with. FRA is simply identifying these requirements, as not all railroad product developers may be aware of them.
Appendix F to Part 236—Minimum Requirements of FRA Directed Independent Third-Party Assessment of PTC System Safety Verification and Validation
FRA has revised the title of Appendix F in response to comments submitted by GE, in which GE noted that, while FRA may require a railroad to engage in an independent assessment of its PTC system based on the criteria set forth in § 236.913, FRA is not requiring an independent assessment of every PTCSP.
FRA received several comments from HCRQ/CGI on paragraphs (d), (e), (f), and (i) of Appendix F.
The commenter asserted that the term “acceptable methodology” used in the second sentence of paragraph (d) is not clear and suggested that it be replaced with the term “methodologies typical to safety-critical systems.” If revised in accordance with this recommendation, the second sentence of paragraph (d) would read as follows: “At a minimum, the reviewer shall compare the supplier processes with methodologies typical of safety-critical systems and employ any other such tests or comparisons if they have been agreed to previously with FRA.” In response to this comment, FRA notes that the term “acceptable methodologies,” by its very nature, includes methodologies typical of safety-critical systems. FRA believes that the proposed modification may artificially limit the use of the atypical analysis methodologies that may provide an equivalent, or better, analytical results. Therefore, FRA did not incorporate the proposed change. However, in the interest of providing clarification to reflect the main intent of this paragraph, FRA has modified the second and third sentences in paragraph (d) to read as follows: “At a minimum, the reviewer shall evaluate the supplier design and development process regarding the use of an appropriate design methodology. The reviewer may use the comparison processes and test procedures that have been previously agreed to with FRA.”
The commenter also asserted that, with respect to paragraph (e), the reviewer will be required to analyze a “Hazard Log,” as opposed to a “Preliminary Hazard Analysis” document, since the Hazard Log will supersede the Preliminary Hazard Analysis on the final stage of the system development process.
FRA agrees with the commenter that the Hazard Log more accurately reflects the perceived risk in the as-built condition and, therefore, has modified paragraph (e) to read as follows: “The reviewer shall analyze the Hazard Log and/or any other hazard analysis documents for comprehensiveness and compliance with applicable railroad, vendor, supplier, industry, national, and international standards.” The commenter also suggested that this comment is equally applicable to former paragraph (d)(1) in the prior version of Appendix D. FRA agrees and has modified the various applicable phrases in Appendices D and F accordingly. The commenter further suggested that in paragraph (f) the reviewer should be required to analyze samples of the hazard analyses “for completeness, correctness, and compliance with industry, national, or international standards,” as opposed to the proposed requirement to analyze “all” hazard analyses such as Fault Tree Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA). The commenter asserted that it will be “difficult and prohibitive” for both the supplier and the reviewer to analyze “all” of these documents in their entire length. The commenter also noted that these comments are applicable to existing Appendix D, paragraph (d)(2).
In response to this comment, FRA notes that there does not appear to be a need for additional clarification on the depth of the quoted documents analysis by the reviewer. As FRA has already indicated in the section-by-section analysis of § 236.1017, “FRA has the discretion to limit the extent of the third party assessment.” Moreover, the section-by-section analysis of § 236.1017 goes on to state that “Appendix F represents minimum requirements and that if circumstances warrant, FRA may expand upon the Appendix F requirements as necessary to render a decision that is in the public interest.” FRA will, if appropriate, limit the scope of analysis. FRA notes the comment, and will execute its regulatory discretion in this matter.
With respect to paragraph (i)(7), HCRQ/CGI points out that the text of NPRM, while discussing methods of safety-critical software development by the manufacturer, enumerates examples that, according to the commenter, are not particular to the safety-critical systems, which appears to be contrary to the intent of this paragraph. The commenter recommends that FRA Start Printed Page 2684include in the text of the final rule an extended list of examples for methods of software development instead of those cited in NPRM, for example, such methods as “system requirement analysis, requirements traceability to functional and derived safety requirements, design analysis, documented peer review,” etc. The commenter also noted that this comment is equally applicable to Appendix D, paragraph (f)(2)(vii).
FRA understands the commenter's concern. FRA believes that the review should include any documentation associated with the software development that may reflect on, or address, the safety of the system. To address the commenter's concern and to more accurately reflect FRA's position, paragraph (i)(7) has been revised by deleting the list of examples of methods of software development previously proposed in the NPRM. FRA modifies the text of this paragraph to emphasize that the review on any documentation that may reflect on the safety of software design is required. As with the preceding comment, FRA will exercise its regulatory discretion with regards to the specific documentation based on the system in question and public safety. FRA has also modified paragraph (i)(7) in Appendix D that discusses the same issue.
VIII. Regulatory Impact and Notices
A. Executive Order 12866 and DOT Regulatory Policies and Procedures
This final rule has been evaluated in accordance with existing policies and procedures, and determined to be significant under both Executive Order 12866 and DOT policies and procedures. 44 FR 11,034 (Feb. 26, 1979). We have prepared and placed in the docket a regulatory impact analysis (RIA) addressing the economic impact of this final rule.
The costs anticipated to accrue from adopting this final rule would include: (1) Costs associated with developing implementation plans and administrative functions related to the implementation and operation of PTC systems, including the information technology and communication systems that make up the central office; (2) hardware costs for onboard locomotive system components, including installation; (3) hardware costs for wayside system components, including installation; and (4) maintenance costs for all system components.
Two types of benefits are expected to result from the implementation of this final rule—benefits from railroad accident reduction and business benefits from efficiency gains. The first type would include safety benefits or savings expected to accrue from the reduction in the number and severity of casualties arising from train accidents that would occur on lines equipped with PTC systems. Casualty mitigation estimates are based on a value of statistical life of $6 million. In addition, benefits related to accident preventions would accrue from a decrease in damages to property such as: Locomotives, railroad cars, and track; equipment cleanup; environmental damage; train delay resulting from track closures; road closures; emergency response; and evacuations. Benefits more difficult to monetize—such as the avoidance of hazmat accident related costs incurred by federal, state, and local governments and impacts to local businesses—will also result. FRA also expects that once PTC systems are refined, there would likely be substantial additional business benefits resulting from more efficient transportation service; however, such benefits are not included because of significant uncertainties regarding whether and when individual elements will be achieved and given the complicating factor that some benefits might, absent deployment of PTC, be captured using alternative technologies at lower cost. In the NPRM, FRA requested comments on whether the proposed regulation exercised the appropriate level of discretion and flexibility to comply with RSIA08 in the most cost effective and beneficial manner. The FRA received comments, discussed above in the section-by-section analysis, that FRA had exceeded its discretion, in general, in not creating a de minimis exception, in § 236.1005, by designating that the railroad base its system designation on 2008 base year traffic patterns; in § 236.1029, by requiring that each crewmember assigned to a cab have access to a display adequate to perform assigned duties safely, which the railroads claimed meant that they have to install a second display; and in § 236.1006 (b)(4) in permitting Class II and Class III railroads to operate locomotives unequipped with PTC on Class I railroad lines under certain conditions. FRA believes that the agency interpreted RSIA08 correctly in not granting AAR's very broad request for a de minimis exception (however, FRA did craft a new de minimis exception in § 236.1006(b)(4)(ii), discussed above in the section-by-section analysis), in using the 2008 traffic patterns as a basis for designating the system and in requiring that each crewmember in the locomotive cab have access to a display adequate to perform assigned safety-related duties. FRA also believes that it acted with an appropriate level of discretion and flexibility in permitting some operations of unequipped locomotives on PTC equipped routes. All of these responses are discussed in detail above, in the Section-by-Section analysis.
The RIA presents a 20-year analysis of the costs and benefits associated with this rule, using both 7 percent and 3 percent discount rates, and two types of sensitivity analyses. The first is associated with varying cost assumptions used for estimating PTC implementation costs. The second takes into account potential business benefits from realizing service efficiencies and related additional societal benefits from attainment of environmental goals and an overall reduction in transportation risk from modal diversion.
The 20-year total cost estimates are $9.55 billion (PV, 7%) and $13.21 billion (PV, 3%). Annualized costs are $0.87 billion (PV, 7%) and $0.88 billion (PV, 3%). Using high-cost assumptions, the 20-year total cost estimates would be $16.25 billion (PV, 7%) and $22.54 billion (PV, 3%). Using low-cost assumptions, the 20-year cost estimates would be $6.73 billion (PV, 7%) and $9.34 billion (PV, 3%). The later the expenditures are made, the lower the discounted cost impact, which in any event is a very small portion of the total PTC costs. This estimate is lower than the cost estimate presented in the NPRM. It reflects the low freight traffic volume exception for passenger train routes and the de minimis exception for freight railroads. These exceptions result in lower wayside costs than estimated in the NPRM RIA. FRA has not revised its locomotive cost estimates to reflect reduced burden resulting from the additional flexibility granted because the magnitude of the reduction is very small relative to the overall system cost.
Twenty-year railroad safety (railroad accident reduction) benefit estimates associated with implementation of the rule are $440 million (PV, 7%) and $674 million (PV, 3%). Annualized benefits are $42 million (PV, 7%), and $45 million (PV, 3%). This estimate is lower than that estimated at the NPRM stage of the rulemaking. The estimate was lowered as a result of revisions made to a study performed by Volpe Center regarding the cost of PTC-preventable accidents. Some forecasts predict significant growth of both passenger and freight transportation demands, and it is thus possible that greater activity on the system could present the potential for Start Printed Page 2685larger safety benefits than estimated in this analysis. The presence of a very large PTC-equipped freight locomotive fleet also supports the opportunity for introduction of new passenger services of higher quality at less cost to the sponsor of that service. Information is not currently available to quantify that benefit.
The table below presents cost and benefit estimates by element using a 3% discount rate as well as a 7% discount rate.
Total 20-Year Discounted Costs and Discounted Benefits
[At 3% and 7%]
Discount rate 3.00% 7.00% Costs by Category: Central Office and Development $283,025,904 $263,232,675 Wayside Equipment 2,902, 751,825 2,414,794,033 On-Board Equipment 1,613,568,678 1,390,618,364 Maintenance 8,406,267,684 5,478,877,649 Total 13,205,614,091 9,547,522,721 Benefits by Category: Fatalities 268,999,278 175,541,848 Injuries 203,984,196 133,114,717 Train Delay 24,530,630 16,008,043 Property Damage 159,149,846 103,857,000 Emergency Response 431,143 281,353 Equipment Clean Up 2,509,576 1,637,683 Road Closure 580,664 378,926 Environmental Cleanup 6,486,888 4,233,172 Evacuations 7,129,699 4,652,654 Total Railroad Safety Benefits 673,801,919 439,705,397 The Port Authority Trans Hudson (PATH), a commuter railroad, is apparently considering the system used by the New York City Transit Authority on the Canarsie line. This system, which is known as Communication-Based Train Control, is not similar in concept to any of the other PTC systems (including the CSX CBTC, with which its name might easily be confused), and would not be suitable, as FRA understands the system, except on a railroad with operating characteristics similar to a heavy rail mass transit system. FRA believes that, in absence of the statutory mandate or this rulemaking, PATH would have adopted PTC for business reasons.
Although costs associated with implementation of the final rule are significant and such costs would far exceed the benefits, FRA is constrained by the requirements of RSIA08, which do not provide latitude for implementing PTC differently. Nevertheless, FRA has taken several steps to avoid triggering unnecessary costs in the proposed rule. For instance, FRA is not requiring use of separate monitoring of switch position in signal territory or that the system be designed to determine the position of the end of the train. FRA has also minimized costs, such as by requiring the monitoring of derails protecting the mainline, but limiting it to derails connected to the signal system; and by requiring the monitoring of hazard detectors protecting the mainline, but limiting it to hazard detectors connected to the signal system. FRA has also minimized costs related to diamond crossings, where a PTC equipped railroad crosses a non-PTC equipped railroad at grade; included exceptions to main track for passenger train operations, and provisions that would permit some Class III railroad operation of trains not equipped with PTC over Class I railroad freight lines equipped with PTC. FRA has also added provisions to the final rule which will permit passenger railroads to exclude up to roughly 1,900 miles of track from the requirements to install PTC. Finally, FRA has provided for de minimis exceptions for Class I freight lines with not passenger service and negligible risk, avoiding any expenses for right-of-way modifications on about 300 miles, saving about $15 million, and reducing costs by about 80% on about 3,200 additional miles, saving about $127 million.
RSIA08 requires the railroads to have all mandatory PTC systems operational on or before December 31, 2015. Members of the PTC Working Group, especially railroad and supplier representatives, said that the timeframe was very tight, and that the scheduled implementation dates would be difficult to meet. In general, the faster a government agency requires a regulated entity to adopt new equipment of procedures, the more expensive compliance becomes. In part, this is due to supply elasticity being less over shorter time periods.
FRA is unable to estimate the potential savings if Congress provided a longer implementation schedule or provided incentives, rather than mandates, for PTC system installation. In order to estimate the likely reduction in costs in such situations, FRA would need to develop some other schedule for implementation. The element least sensitive to an implementation's schedule appears to be onboard costs. Each PTC system's onboard equipment seems similar and is not very different from existing onboard systems. Further, the 2015 deadline is not so restrictive that it would cause railroads to pull locomotives out of service just to install on board PTC equipment. Locomotives must be inspected thoroughly every 90 and more extensively every 360 days. The inspections can last from one to several days. Railroads usually bring locomotives into their shops to perform these inspections, during which time a skilled and experienced team could install the on board equipment for PTC. System development is much less certain, and more time would enable vendors or suppliers to develop, test, and implement the software at a more reasonable cost. Wayside costs are also sensitive to the installation timetable, as the wayside must be mapped and Start Printed Page 2686measured, and then the railroads must install wayside interface units (WIUs). Wayside mapping and measurement takes a highly skilled workforce. A larger workforce is necessary to timely implement the required PTC systems in a shorter amount of time. WIU installation is likely similar to existing signal or communication systems installation, and is likely to involve use of existing railroad skilled workers. The shorter the installation time period, the more work will be done at overtime rates, which are, of course, higher.
FRA believes that lower costs could result from a longer installation period, but FRA also believes that the differences in costs would be within the range of the low costs provided in the main analysis of the proposed rule. The 2004 report included some lower cost estimates, but, in light of current discussions with railroads, the cost estimates in the 1998 report seem more accurate. The lower estimates FRA received in preparing the 2004 report were both overly optimistic, and excluded installation costs, as well as higher costs which stem from meeting the performance standards.
Some of the costs of PTC implementation, operation, and maintenance may be offset by business benefits, especially in the long run, although there is uncertainty regarding the timing and level of those benefits. Economic and technical feasibility of the necessary system refinements and modifications to yield the potential business benefits has not yet been demonstrated. FRA analyzed business benefits associated with PTC system implementation and presented its findings in the 2004 Report. Due to the aggressive implementation schedule for PTC and the resulting need to issue a rule promptly, FRA has not formally updated this study. Nevertheless, FRA believes that there is opportunity for significant business benefits to accrue several years after implementation once the systems have been refined to the degree necessary. Thus, FRA conducted a sensitivity analysis of potential business benefits based on the 2004 Report.
The 2004 Report included business benefits from improved or enhanced locomotive diagnostics, fuel savings attributable to train pacing, precision dispatching, and capacity enhancement. Although railroads are enhancing locomotive diagnostics using other technologies, FRA believes that PTC could provide the basis for significant gains in the other three areas.
In the years since the 2004 Report, developing technology and rising fuel costs have caused the rail supply industry and the railroads to focus on additional means of conserving diesel fuel while minimizing in-train forces that can lead to derailments and delays from train separations (usually broken coupler knuckles). Software programs exist that can translate information concerning throttle position and brake use, together with consist information and route characteristics, to produce advice for prospective manipulation of the locomotive controls to limit in-train forces. Programs are also being conceived that project arrival at meet points and other locations on the railroad. These types of tools can be consolidated into programs that either coach the locomotive engineer regarding how to handle the train or even take over the controls of the locomotive under the engineer's supervision. The ultimate purpose of integrating this technology is to conserve fuel use while handling the train properly and arriving at a designated location “just in time” (e.g., to meet or pass a train or enter a terminal area in sequence ahead of or behind other traffic). Further integrating this technology with PTC communications platforms and traffic planning capabilities could permit transmittal of “train pacing” information to the locomotive cab in order to conserve fuel. Like the communications backbone, survey data concerning route characteristics can be shared by both systems. The cost of diesel fuel for road operations to the Class I railroads is approximately $3.5 billion annually and is gradually rising. If PTC technology helps to spur the growth and effective use of train pacing, fuel savings of 5% ($175,000,000 annually) or greater could very likely be achieved. Clearly, if the railroads are able to conserve use of fuel, they will also reduce emissions and contribute to attainment of environmental goals, even before modal diversion occurs.
The improvements in dispatch and capacity have further implications. With those improvements, railroads could improve the reliability of shipment arrival time and, thus, dramatically increase the value of rail transportation to shippers, who in turn would divert certain shipments from highway to rail. Such diversion would yield greater overall transportation safety benefits, since railroads have much lower accident risk than highways, on a point-to-point ton-mile basis. The total societal benefits of PTC system implementation and operation, following the analysis, would be much greater than total societal costs, although the costs would fall disproportionately more heavily on the railroads.
At present, the PTC systems contemplated by the railroads, with the possible exception of PATH, would not increase capacity, at least not for some time. If the locomotive braking algorithms need to be made more conservative in order to ensure that each train does not exceed the limits of its authority, PTC system operation may actually decrease rail capacity where applied in the early years. Further investment would be required to bring about the synergy that would result in capacity gains. A more significant business benefit of PTC system operation would be derived from precision dispatching, which decreases the variance of arrival times of delivered freight. To avoid the risk of running out of stock, shippers often overstock their inventory at an annual cost of approximately 25% of its inventory value, regardless of the material being stored. This estimate accounts for shrinkage, borrowing costs, and storage costs. Of course, freight with more value per unit of mass or volume tends to have greater storage costs per unit. At present, no rail precision dispatch system exists. However, if a shipper would take advantage of precision dispatching, thus increasing freight arrival time accuracy, then it could reduce its overstock inventory. Accurate train data is a necessary, but not a sufficient condition, for precision dispatch. At least two of the Class I railroads have unsuccessfully attempted to develop precision dispatch systems. The mandatory installation of PTC systems is likely to divert any resources that might have been devoted to precision dispatch, so these benefits are unlikely during the first several years of this rule.
Applying current factors to the variables used in the 2004 Report to Congress, the resulting analysis indicates that diversion could result in highway annual safety benefits of $744 million by 2022, and $1,148 million by 2032. Of course, these benefits require that the productivity enhancing systems be added to PTC, and are heavily dependent on the underlying assumptions of the 2004 model.
Modal diversion would also yield environmental benefits. The 2004 Report estimated that reduced air pollution costs would have been between $68 million and $132 million in 2010 (assuming PTC would be implemented by 2010), and between $103 million and $198 million in 2020. This benefit would have accrued to the general public. FRA has not broken out the pollution cost benefit of the current Start Printed Page 2687rule, but offers the estimates from the 2004 Report as a guide to the order of magnitude of such benefits.
While railroads argued that many of the benefits identified in FRA's 2004 report were exaggerated, shortly after the publication of the report, several railroads began developing strategies for PTC system development and implementation. This investment by the railroads would seem to illustrate that they believe that there is some potential for PTC to provide a boost to railroad profits, beyond providing any of the aforementioned societal benefits.
Modal diversion is highly sensitive to service quality. Problems with terminal congestion and lengthy dwell times might overwhelm the benefits of PTC or other initiatives which the railroads have been pursuing (reconfiguration of yards, pre-blocking of trains, shared power arrangements, car scheduling, Automatic Equipment Identification, etc.) that might actually work in synergy with PTC. It should also be noted that, in the years since the 2004 Report was developed, the Class I railroads have shown an increased ability to retain operating revenue as profit, rather than surrendering it in the form of reduced rates. This was particularly true during the period prior to the current recession, when strained highway capacity favored the growth of rail traffic. The sensitivity analysis performed by FRA indicates that realization of business benefits could yield benefits sufficient to close the gap between PTC implementation costs and rail accident reduction benefits within the first 18 years of the rule, applying a 3% discount rate, and by year 24 of the rule, applying a discount rate of 7%. Accordingly, the precise partition of business and societal benefits cannot be estimated with any certainty.
FRA recognizes that the likelihood of business benefits is uncertain and that the cost-to-benefit comparison of this rule, excluding any business benefits, is not favorable. However, FRA has taken measures to minimize the rule's adverse impacts and to provide as much flexibility as FRA is authorized to grant under RSIA08.
B. Regulatory Flexibility Act and Executive Order 13272
To ensure potential impacts of rules on small entities are properly considered, we developed this rule in accordance with Executive Order 13272 (“Proper Consideration of Small Entities in Agency Rulemaking”) and DOT's procedures and policies to promote compliance with the Regulatory Flexibility Act (5 U.S.C. 601 et seq.).
The Regulatory Flexibility Act requires an agency to review regulations to assess their impact on small entities. An agency must conduct a Final Regulatory Flexibility Analysis (FRFA) unless it determines and certifies that a rule is not expected to have a significant impact on a substantial number of small entities.
In the NPRM, we published an Initial Regulatory Flexibility Assessment (IRFA) to aid the public in commenting on the potential small business impacts of the proposals. FRA has considered all comments submitted to the docket and at public hearings in response to the NPRM. FRA also worked with the PTC Working Group and its task forces in developing many of the facets of the final rule. We appreciate the information provided by the various parties. The proposed rule, and consequently the IRFA, included as part of the NPRM, have been modified as a result, as described above. Due to the uncertainties associated with new product development and deployment, FRA has prepared a FRFA and will issue a Small Entity Guidance document soon.
In accordance with the Regulatory Flexibility Act, a FRFA must contain:
(1) A succinct statement of the need for, and objectives of the rule;
(2) A summary of the significant issues raised by the public comments in response to the IRFA, a summary of the assessment of the agency of such issues, and a statement of any changes made in the proposed rule as a result of such comments.
(3) A description and an estimate of the number of small entities to which the rule will apply or an explanation of why no such estimate is available;
(4) A description of the projected reporting, recordkeeping and other compliance requirements of the final rule, including an estimate of the classes of small entities that will be subject to the requirement and the type of professional skills necessary for preparation of the report or record; and
(5) A description of the steps the agency has taken to minimize the significant adverse economic impact on small entities consistent with the stated objectives of applicable statutes, including a statement of the factual, policy, and legal reasons for selecting the alternative adopted in the final rule and why each of the other significant alternatives to the rule considered by the agency was rejected. 5 U.S.C. 604(a)(1)-(5).
1. Need for, and Objectives of the Rule
PTC systems will be designed to prevent train-to-train collisions, overspeed derailments, incursions into established work zone limits, and the movement of a train through a switch left in the wrong position.
As discussed in more detail in section I of the preamble, the RSIA08 mandates that widespread implementation of PTC across a major portion of the U.S. rail industry be accomplished by December 31, 2015. RSIA08 requires each Class I carrier and each entity providing regularly scheduled intercity or commuter rail passenger transportation to develop a plan for implementing PTC by April 16, 2010. The Secretary of Transportation is responsible for reviewing and approving or disapproving such plans. The Secretary has delegated this responsibility to FRA. This final rule details the process and procedure for obtaining FRA approval of the plans.
As discussed earlier in the preamble, FRA is issuing this final rule to provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Rail Safety Improvement Act of 2008 § 104, Public Law 110-432, 122 Stat. 4848, 4856, (Oct. 16, 2008) (codified at 49 U.S.C. 20157).
2. Significant Issues Raised by Public Comment in Response to the IRFA
The only comment which directly referred to the IRFA was a comment from Class I railroad representatives noting that the IRFA implied that Class I railroads would pay for installation of split point derails at railroad-railroad crossings where a PTC equipped line crosses a line not equipped with PTC. FRA agrees with commenters that costs will be borne according to preexisting agreements and any other laws or regulations that might affect which party is responsible for the costs incurred and has modified its analysis accordingly.
Other comments which affect the IRFA related to definition of main track for intercity and commuter operations where freight densities are relatively low. These comments, primarily from Amtrak, not a small entity, directly referred to the proposed rule, and not to the IRFA. In response, FRA provided significant relief to Amtrak for operations over Class II and Class III railroads, thus indirectly providing relief to some of the Class II and III railroads, potentially allowing one or more to avoid PTC system installation. The RSIA08 generally defines “main line” as “a segment of railroad tracks over which 5,000,000 or more gross tons of railroad traffic is transported Start Printed Page 2688annually. See 49 U.S.C. 20157(i)(2). However, FRA may also define “main line” by regulation “for intercity rail passenger transportation or commuter rail passenger transportation routes or segments over which limited or no freight railroad operations occur.” See 49 U.S.C. 20157(i)(2)(B); 49 CFR 1.49(oo). FRA recognizes that there may be circumstances where certain statutory PTC system implementation and operation requirements are not practical and provide no significant safety benefits. In those circumstances, FRA will exercise its statutory discretion provided under 49 U.S.C. 20157(i)(2)(B).
In accordance with the authority provided by the statute and with carefully considered recommendations from the RSAC, FRA will consider requests for designation of track over which rail operations are conducted as “other than main line track” for passenger and commuter railroads, or freight railroads operating jointly with passenger or commuter railroads. Such relief may be granted only after request by the railroad or railroads filing a PTCIP and approval by the Associate Administrator.
In § 236.1019(a), FRA requires the submittal of a main line track exclusion addendum (MTEA) to any PTCIP filed by a railroad that seeks to have any particular track segment deemed as other than main line. Since the statute only provides for such regulatory flexibility as it applies to passenger transportation routes or segments over which limited or no freight railroad operations occur, only a passenger railroad may file an MTEA as part of its PTCIP. This may include a PTCIP jointly filed by freight and passenger railroads. In fact, FRA expects that, in the case of joint operations, only one MTEA should be agreed upon and submitted by the railroads filing the PTCIP. After reviewing a submitted MTEA, FRA may provide full or conditional approval for the requested exemptions.
Each MTEA must clearly identify and define the physical boundaries, use, and characterization of the trackage for which exclusion is requested. When describing each track's use and characterization, FRA expects the requesting railroad or railroads to include copies of the applicable track and signal charts. Ultimately, FRA expects each MTEA to include information sufficiently specific to enable easy segregation between main line track and non-main line track. In the event the railroad subsequently requests additional track to be considered for exclusion, a well-defined MTEA should reduce the amount of future information required to be submitted to FRA. Moreover, if FRA decides to grant only certain requests in an MTEA, the portions of track for which FRA has determined should remain considered as main line track can be easily severed from the MTEA. Otherwise, the entire MTEA, and thus its concomitant PTCIP, may be entirely disapproved by FRA, increasing the risk of the railroad or railroads not meeting its statutory deadline for PTC implementation and operation.
For each particular track segment, the MTEA must also provide a justification for such designation in accordance with paragraphs (b) or (c) of this section.
In § 236.1019(b), FRA specifically addresses the conditions for relief for passenger and commuter railroads with respect to passenger-only terminal areas. As noted previously in the analysis of § 236.1005(b), any track within a yard used exclusively by freight operations moving at restricted speed is excepted from the definition of main line. In those situations, operations are usually limited to preparing trains for transportation and do not usually include actual transportation. This automatic exclusion does not extend to yard or terminal tracks that include passenger operations. Such operations may also include the boarding and disembarking of passengers, heightening FRA's sensitivity to safety. Moreover, while FRA could not expend its resources to review whether a freight-only yard should be deemed other than main line track, FRA believes that the relatively lower number of passenger yards and terminals would allow for such review. Accordingly, FRA believes that it is appropriate to review these circumstances on a case-by-case basis.
During the PTC Working Group discussions, the major passenger railroads requested an exception for tracks in passenger terminal areas because of the impracticability of installing PTC. These are locations where signal systems govern movements over very complex special track work divided into short signal blocks. Operating speeds are low (not to exceed 20 miles per hour), and locomotive engineers moving in this environment expect conflicting traffic and restrictive signals. Although low-speed collisions do occasionally occur in these environments, the consequences are low; and the rate of occurrence is very low in relation to the exposure. It is the nature of current-generation PTC systems that they use conservative braking algorithms. Requiring PTC to short blocks in congested terminals would add to congestion and frustrate efficient passenger service, in the judgment of those who operate these railroads. The density of wayside infrastructure required to effect PTC functions in these terminal areas would also be exceptionally costly in relation to the benefits obtained. FRA agrees that technical solutions to address these concerns are not presently available. FRA does believe that the appropriate role for PTC in this context is to enforce the maximum allowable speed (which is presently accomplished in cab signal territory through use of automatic speed control, a practice which could continue where already in place).
If FRA grants relief, the conditions of paragraphs (b)(1), (b)(2), or (b)(3), as applicable, as well as conditions attached to the approval, must be strictly adhered to.
In § 236.1019(b)(1), FRA specifies that relief under paragraph (b) is limited to operations that do not exceed 20 miles per hour. The PTC Working Group agreed upon the 20 miles per hour limitation, instead of requiring restricted speed, because the operations in question will be by signal indication in congested and complex terminals with short block lengths and numerous turnouts. FRA agrees with the PTC Working Group that the use of restricted speed in this environment would unnecessarily exacerbate congestion, delay trains, and diminish the quality of rail passenger service.
Moreover, when trains on the excluded track are controlled by a locomotive with an operative PTC onboard apparatus that PTC system component must enforce the regulatory speed limit or actual maximum authorized speed, whichever is less. While the actual track may not be outfitted with a PTC system in light of a MTEA approval, FRA believes it is nevertheless prudent to require such enforcement when the technology is available on the operating locomotives. This can be accomplished in cab signal territory using existing automatic train stop technology and outside of cab signal territory by mapping the terminal and causing the onboard computer to enforce the maximum speed allowed.
FRA also limits relief under § 236.1019(b)(2) to operations that enforce interlocking rules. Under interlocking rules, trains are prohibited from moving in reverse directions without dispatcher permission on track where there are no signal indications. FRA believes that such a restriction will minimize the potential for a head-on impact.
Also, under § 236.1019(b)(3), such operations are only allowed in yard or terminal areas where no freight Start Printed Page 2689operations are permitted. While the definition of main line may not include yard tracks used solely by freight operations, FRA is not extending any relief or exception to tracks within yards or terminals shared by freight and passenger operations. The collision of a passenger train with a freight consist is typically a more severe condition because of the greater mass of the freight equipment. However, FRA did receive a comment suggesting some latitude within terminals when passenger trains are moving without passengers (e.g., to access repair and servicing areas). FRA agrees that low-speed operations under those conditions should be acceptable as trains are prepared for transportation. FRA has not included a request by Amtrak (discussed below) to allow movements within major terminals at up to 30 miles per hour in mixed passenger and freight service, which appears in FRA's judgment to fall outside of the authority to provide exclusions conferred on FRA by the law.
In § 236.1019(c), FRA provides the conditions under which joint limited passenger and freight operations may occur on defined track segments without the requirement for installation of PTC. Under § 236.1003 (Definitions), “limited operations” is defined as “operations on main line track that have limited or no freight operations and are approved to be excepted from this subpart's PTC system implementation and operation requirements in accordance with § 236.1019(c).” This paragraph provides five alternative paths to the main line exception, three of which were contained in the proposed rule and a fourth and fifth that respond to comments on the proposed rule.
The three alternatives derived from the NPRM are set forth in § 236.1019(c)(1). First, an exception may be available where both the freight and passenger trains are limited to restricted speed. Such operations are feasible only for short distances, and FRA will examine the circumstances involved to ensure that the exposure is limited and that appropriate operating rules and training are in place.
Second, under § 236.1019(c)(1)(ii), FRA notes that it will consider an exception where temporal separation of the freight and passenger operations can be ensured. A more complete definition of temporal separation is provided in § 236.1019(e). Temporal separation of passenger and freight services reduces risk because the likelihood of a collision is reduced (e.g., due to freight cars engaged in switching that are not properly secured) and the possibility of a relatively more severe collision between a passenger train and much heavier freight consist is obviated.
Third, under § 236.1019(c)(1)(iii), FRA notes that it will consider commingled freight and passenger operations provided that a jointly agreed risk analysis is provided by the passenger and freight railroads, and the level of safety is the same as that which would be provided under one of the two prior options selected as the base case. FRA requested comments on whether FRA or the subject railroad should determine the appropriate base case, but received none. FRA recognizes that there may be situations where temporal separation may not be possible. In such situations, FRA may allow commingled operations provided the risk to the passenger operation is no greater than if the passenger and freight trains were operating under temporal separation or with all trains limited to restricted speed. For an exception to be made under § 236.1019(c)(3), FRA requires a risk analysis jointly agreed to and submitted by the applicable freight and passenger services. This ensures that the risks and consequences to both parties have been fully analyzed, understood, and mitigated to the extent practical. FRA would expect that the moving party would elect a base case offering the greatest clarity and justify the selection.
Comments on the proposed rule generally supported the aforementioned exclusions or were silent.
In its comments on the NPRM, Amtrak requested further relief relating to lines requiring the implementation and operation of a PTC system due solely to the presence of light-density passenger traffic. According to Amtrak, the defining characteristic of light-density lines is the nature of the train traffic; low-density patterns on these lines lead to a correspondingly low risk of collision. Amtrak also asserted that, due to relatively limited wear and tear from lower traffic densities, these lines often have fewer track workers on site, further reducing the chance of collisions and incursions into work zones. Thus, states Amtrak, one of the principal reasons for installing PTC—collision avoidance—is a relatively low risk on many light density lines. With only marginal safety benefits anticipated from PTC use in such applications, Amtrak believed that there may be minimal justification for installing PTC on certain light-density lines.
Amtrak further noted that FRA itself had concluded that the costs of PTC generally exceed its benefits, and Amtrak urged that this may be even more so on light-density lines. Amtrak believed that Congress understood this issue and thus created the regulatory flexibility for the definition of “main line” for passenger routes found at 49 U.S.C. 20157(i)(2)(B) as a means to allow the Secretary to exempt certain routes from the PTC mandate. According to Amtrak, this provision essentially allows the Secretary to define certain passenger routes with limited or no freight traffic as other than “main line,” thereby effectively exempting such lines from the reach of the PTC mandate because the mandate only applies to railroad operations over “main line[s].” Said another way, urged Amtrak, the provision allows the Secretary the freedom to decide in what circumstances such routes should be considered “main lines” and thus be required to install PTC—pursuant to whatever factors the Secretary deems appropriate through the rulemaking process.
Amtrak urged that the Secretary should use this flexibility to limit which passenger routes it defines as “main lines” to those deemed to warrant the use of PTC using the FRA's usual risk-based approach to safety regulation and traditional measures of reasonableness, costs, and benefits. Amtrak posited that such a risk-based analysis by FRA would likely lead to the conclusion that PTC is simply not needed on many light-density lines over which passenger trains currently operate. Amtrak therefore asked that FRA exercise this authority by working with Amtrak and the rail industry to exempt certain light density freight lines which host passenger traffic from the obligation to install PTC where operating and safety conditions do not warrant an advanced signal system.
Should FRA choose not to exempt some of these light density freight lines over which passenger trains operate, Amtrak felt that the high costs of full PTC systems will be passed on to the passenger and freight operators of these routes. According to Amtrak, this obligation could threaten the continuation of intercity passenger rail service on several routes, including lines in California, Colorado, Kansas, Maine, Massachusetts, Michigan, Missouri, New Hampshire, New Mexico, North Dakota, Vermont, and Virginia, on what are potentially light density lines. Additionally, states Amtrak, this obligation, where it can be financed, could force the diversion of significant capital dollars away from essential safety investments in track and other infrastructure improvements, which are typically the leading safety risks for such light-density operations. According to Amtrak, the cost of PTC installation on these lines may be so out Start Printed Page 2690of proportion to the benefit that Amtrak's service will need to be rerouted onto a different line (e.g., to a Class I line with PIH materials) if a reroute option exists, or eliminated entirely because there is no feasible alternate route and no party is willing or able to bear the cost of installing PTC on the existing route. The defining characteristic of light-density lines is the nature of the train traffic: low density patterns on these lines lead to a correspondingly low risk of collision. In its filing, Amtrak noted that it was currently assembling the details (e.g., annual freight tonnage, frequency of freight train operations) “for those lines that it believes may qualify as light-density, and will submit as a supplement to these Comments a recommendation as to what criteria the FRA should adopt in determining what light-density lines are other than ‘main lines.’ ” Amtrak did subsequently file data referred to below, but did not propose criteria.
According to the Amtrak testimony, the “limited operations exception” in subsection 236.1019(c) of the NPRM did not provide a practical solution to the problem created by defining all light-density routes and terminal areas with passenger service as “main lines.” Amtrak stated that this subsection would arguably require installation of PTC on most of the trackage and locomotives of the Terminal Railroad Association of St Louis (TRRA) unless: (1) The entire terminal operates at restricted speed (which TRRA is unlikely to agree to), (2) passenger and freight trains are temporally separated (which would not be practical on TRRA, and is unlikely to be practical on any of the light-density lines over which Amtrak operates, due to the 24/7 nature of railroad operations), or (3) a risk mitigation plan can be effected that would achieve a level of safety not less than would pertain if all operations on TRRA were at restricted speed or subject to temporal separation. Accordingly, Amtrak recommended: (a) That the FRA adopt a risk analysis-based definition of “main line” passenger routes that excludes light-density lines on which the installation of PTC is not warranted; and (b) with respect to freight terminal areas in which passenger trains operate, that FRA modify the limited operations exception in subsection 236.1019(c) to require that all trains be limited to 30 miles per hour rather than to restricted speed, or that non-PTC equipped freight terminals be deemed as other than “main lines” so long as all passenger operations are pursuant to signal indication and at speeds not greater than 30 miles per hour (with speeds reduced to not greater than restricted speed on unsignaled trackage or if the signals should fail).
FRA believes that Amtrak's request is much broader than contemplated by the law. FRA notes that TRRA is a very busy terminal operation. FRA does not believe that the “limited freight operations” concept is in any way applicable under those circumstances. Nor is there any indication in law that FRA was expected to fall back to traditional cost-benefit principles in relation to PTC and scheduled passenger service. However, there are a number of Amtrak routes with limited freight operations that will not otherwise be equipped with PTC because they are operated by other than Class I railroads. Further, there are some Class I lines with less than 5 million gross tons, or no PIH, that also warrant individualized review to the extent Amtrak and the host railroad might elect to propose it.
Accordingly, in response to the Amtrak comments, §§ 236.1019(c)(2) and (c)(3) have been added to the final rule to provide an option by which certain additional types of limited passenger train operations may qualify for a main line track exception where freight operations are also suitably limited and the circumstances could lead to significant hardship and cost that might overwhelm the value of the passenger service provided. In § 236.1019(c)(2), FRA addresses lines where the host is not a Class I freight railroad, describing characteristics of line segments that might warrant relief from PTC. In § 236.1019(c)(2)(i), FRA addresses passenger service involving up to four regularly scheduled passenger trains during a calendar day over a segment of unsignaled track on which less than 15 million gross tons of freight traffic is transported annually. In § 236.1019(c)(2)(ii), FRA addresses passenger service involving up to 12 regularly scheduled passenger trains during a calendar day over a segment of signaled track on which less than 15 million gross tons of freight traffic is transported annually. FRA derived § 236.1019(c)(2) indirectly from discussions in the RSAC in response to comments by Amtrak set forth above. The PTC Working Group proposed an exception that might have been available anywhere an intercity or commuter railroad operated over a line with 5 million gross tons of freight traffic, including Class I lines and the lines of the intercity or commuter railroad. This would have opened the potential for a considerable exception for lines with very light freight density under circumstances not thoroughly explored in the short time available to the working group (e.g., on commuter rail branch lines, low density track segments on Class I railroads, etc.).
Subsequent to the RSAC activities, Amtrak notified FRA that its conversations with Class II and III railroads whose lines had been at the root of the Amtrak comments revealed that some of the situations involved freight traffic exceeding 5 million gross tons, potentially rendering the exception ineffective for this purpose. At the same time, FRA noted that the policy rationale behind the proposed additional exception was related as much to the inherent difficulty associated with PTC installation during the initial period defined by law, given that the railroads identified by Amtrak were for the most part very small operations with limited technical capacity, as well as limited safety exposure. It was clear that in these cases care would need to be taken to analyze collision risk and potentially require mitigations.[14] Accordingly, FRA has endeavored to address the concern brought forward by Amtrak with a provision that is broad enough to permit consideration of actual circumstances, limit this particular exception to operations over railroads that would not otherwise need to install PTC (e.g., Class II and III freight railroads), provide for a thorough review process, and make explicit reference to the potential requirement for safety mitigations. In this regard, FRA has chosen 15 million gross tons as a threshold that should accommodate situations where Amtrak trains will, in actuality, face few conflicts with freight movements (i.e., requiring trains to clear the main line for meets and passes or to wait at junctions) and where mitigations are in place or could be put in place to establish a high sense of confidence that operations will continue to be conducted safely. FRA believes that less than 15 million gross tons represents a fair test of “limited freight operations” for these purposes, with the further caveat that specific operating arrangements will be examined in each case.[15] FRA emphasizes that this is not Start Printed Page 2691an entitlement, but an exclusion for which the affected railroads will need to make a suitable case.
Amtrak also provided to FRA a spreadsheet identifying each of its route segments with attributes such as route length, freight tonnage, number of Amtrak trains, and numbers of commuter trains. FRA further reviewed this information in light of Amtrak's request for main track exceptions. FRA noted a number of segments of the Amtrak system on Class I railroads where the number of Amtrak trains was low and the freight tonnage was also low (less than 15 million gross tons). Each of these lines, with the exception of one 33-mile segment, is signalized. FRA further noted that, with both Amtrak and Class I railroad locomotives equipped for PTC, use of partial PTC technology (e.g., monitoring of switches where trains frequently clear) should be available as a mitigation for collision risk. Accordingly, in § 236.1019(c)(3) FRA has provided a further narrow exception for Class I lines carrying no more than four intercity or commuter passenger trains per day and cumulative annual tonnage of less than 15 million gross tons, subject to FRA review. The limit of four trains takes into consideration that it is much less burdensome to equip the wayside of a Class I rail line than to install a full PTC system on a railroad that would not otherwise require one. Again, the exception is not automatic, and FRA's approval of a particular line segment would be discretionary.
The new § 236.1019(d), FRA makes clear that it will carefully review each proposed main track exception and may require that it be supported by appropriate hazard analysis and mitigations. FRA has previously vetted through the RSAC a Collision Hazard Analysis Guide that can be useful for this purpose. If FRA determines that freight operations are not “limited” as a matter of safety exposure or that proposed safety mitigations are inadequate, FRA will deny the exception.
3. Description and Estimate of Small Entities Affected
“Small entity” is defined in 5 U.S.C. 601. Section 601(3) defines a “small entity” as having the same meaning as “small business concern” under section 3 of the Small Business Act. This includes any small business concern that is independently owned and operated, and is not dominant in its field of operation. Section 601(4) includes not-for-profit enterprises that are independently owned and operated, and are not dominant in their field of operations within the definition of “small entities.” Additionally, section 601(5) defines as “small entities” governments of cities, counties, towns, townships, villages, school districts, or special districts with populations less than 50,000.
The U.S. Small Business Administration (SBA) stipulates “size standards” for small entities. It provides that the largest a for-profit railroad business firm may be (and still classify as a “small entity”) is 1,500 employees for “Line-Haul Operating” railroads, and 500 employees for “Short-Line Operating” railroads. See “Table of Size Standards,” U.S. Small Business Administration, January 31, 1996, 13 CFR part 121; see also NAICS Codes 482111 and 482112.
SBA size standards may be altered by Federal agencies in consultation with SBA, and in conjunction with public comment. Pursuant to the authority provided to it by SBA, FRA has published a final policy, which formally establishes small entities as railroads that meet the line haulage revenue requirements of a Class III railroad. See 68 FR 24,891 (May 9, 2003). Currently, the revenue requirements are $20 million or less in annual operating revenue, adjusted annually for inflation. The $20 million limit (adjusted annually for inflation) is based on the Surface Transportation Board's threshold of a Class III railroad carrier, which is adjusted by applying the railroad revenue deflator adjustment. See also 49 CFR part 1201. The same dollar limit on revenues is established to determine whether a railroad shipper or contractor is a small entity. FRA uses this definition for this rulemaking.
The FRA's “universe” of considered entities generally includes only those small entities that can reasonably be expected to be directly regulated by the final rule. One type of small entity is potentially affected by this final rule: railroads. The level of impact on small railroads will vary from railroad to railroad. Class III railroads will be impacted for one or more of the following reasons: (1) They operate on Class I railroad lines that carry PIH materials and are required to have PTC, in which case they will need to equip the portion of their locomotive fleet that operates on such lines; (2) they operate on Amtrak or commuter rail lines, including freight railroad lines that host such service; (3) they host regularly scheduled intercity or commuter rail transportation; or (4) they have at-grade railroad crossings over lines required by RSIA08 to have PTC.
The final rule will apply to small railroads' tracks over which a passenger railroad conducts intercity or commuter operations and locomotives operating on main lines of Class I freight railroads required to have PTC and on railroads conducting intercity passenger or commuter operations. The impact on Class III railroads that operate on Class I railroad lines required to be equipped with PTC will depend on the nature of such operations. Class III railroads often make short moves on Class I railroad lines for interchange purposes. To the extent that their moves do not exceed four per day or 20 miles in length of haul (one way), Class III railroads will be exempt from the requirement to equip the locomotives. However, some Class III railroads operate much more extensively on Class I railroad lines that will be required to have PTC and will have to equip some of their locomotives. It is likely that Class III railroads will dedicate certain locomotives to such service, if they have not done so already. FRA estimates that approximately 55 small railroads will have to equip locomotives with PTC system components because they have trackage rights on Class I freight railroad PIH lines that will be required to have PTC and will not be able to qualify for any of the operational exceptions discussed.
FRA further estimates that 10 small railroads have trackage rights on intercity passenger or commuter railroads or other freight railroads hosting such operations, and will need to equip some locomotives with PTC systems. Half of these will need to equip locomotives anyway, because they also have trackage rights on Class I railroads that haul PIH and would otherwise be required to have PTC.
Thus, a total of 60 railroads will need to equip locomotives. FRA estimates that the average small railroad will need to equip four locomotives, at a per railroad cost of $55,000 each, totaling $220,000, and that the total cost for all 60 small railroads which will need to equip locomotives will be $13,200,000. FRA further estimates that the annual maintenance cost will be 15% of that total, equaling $33,000 per railroad or $1,980,000 total for all small railroads.
In addition, 15 small railroads host commuter or intercity passenger operations on what might be defined as main line track under the accompanying rulemaking; however, only five of these railroads are neither terminal nor port railroads, which tend to be owned and operated by large railroads or port authorities, or subsidiaries of large short Start Printed Page 2692line holding companies with the expertise and resources across the disciplines comparable to larger railroads. Of those five railroads, only one has trackage exceeding 3.8 miles. The other four railroads may request that FRA define such track as other than main line after ensuring that all trains will be limited to restricted speed. The cost burden on the remaining railroad will likely be reduced by restricting speed, temporally separating passenger train operations, or by passing the cost to the passenger railroad. Thus, the expected burden to small entities hosting passenger operations is minimal. This impact will further be reduced by exclusion of track from the main track under § 236.1019.
At rail-to-rail crossings where at least one of the intersecting tracks allows operating speeds in excess of 40 miles per hour, the approaching non-PTC line must have a permanent maximum speed limit of 20 miles per hour and either have some type of positive stop enforcement or a split-point derail incorporated into the signal system on the non-PTC route. In the IRFA, FRA incorrectly assumed that the cost of the derail would be borne by the PTC-equipped railroad, and that slowing to 20 miles per hour reflects current practice at most diamond crossings. In response to comments from Class I railroad representatives, FRA has revised its assumption and estimates that roughly half of the cost of derails will be borne by small entities. FRA estimates that five small railroads have rail-to-rail crossings, with two such crossings each, where the newly burdened small railroad will be slowing to 20 miles per hour from a higher track speed. FRA estimates that the average traffic on the newly burdened route is two trains per day, and that the cost to slow from a higher track speed is $30 per train, for a total cost of $60 per crossing per day, a per railroad cost of $120 per day, and a total national cost for all ten small railroads of $600 per day and an annual cost of $43,800 per railroad and a total for all small railroads of $219,000 per year. FRA further estimates that small railroads will pay for derails at five of the ten impacted crossings, at a price per crossing of $80,000, for two sets of derails, one on each side of the crossings, and a total cost of $400,000, with annual maintenance costs of $60,000 (15% of installation cost) total. The initial investment will therefore be $400,000 and the total annual cost will be $279,000. FRA estimates that only five Class III railroads will be affected by this provision, and that they will be railroads not affected by the requirement to equip locomotives, because railroads with equipped locomotives could simply use the PTC system and avoid the requirement to slow down.
This analysis yields a total of 65 affected small entities that may be impacted by implementation of the final rule. FRA requested comments regarding this estimate of small entities potentially impacted, and the only comment was that Class I railroads would not necessarily bear the cost of equipping rail-to-rail crossings with derails.
4. Description of Reporting, Recordkeeping, and Other Compliance Requirements and Impacts on Small Entities Resulting From Specific Requirements
Class III railroads that host intercity or commuter rail service will need to file implementation plans, whether or not they directly procure or manage installation of the PTC system. FRA believes that, although the implementation plan must be jointly filed by the small host railroad and passenger tenant railroad, the cost of these plans will be borne by the passenger railroads, because under typical trackage rights agreements, the passenger railroads are responsible for any costs that would not exist in the absence of the passenger operations. Clearly, the Class III railroads would not be required to install PTC in the absence of passenger traffic, so any costs the Class III railroads bear initially will eventually be passed on to the passenger railroads operating on the Class III railroads' lines. FRA believes that only one small entity, as described above, is likely to have PTC installed on its lines. The implementation plan is likely to be an extension of the passenger railroad's plan, and the marginal cost will be the cost of tailoring the plan to the host railroad, which will be borne by the passenger railroad, and maintaining copies of the plan at the host railroad, which FRA estimates to be approximately $1,000 per year.
The total cost to small entities will include the initial cost of equipping locomotives, $13,200,000, and $400,000 to equip diamond crossings; annual costs of $1,980,000 for maintenance of locomotive systems; $219,000 due to operating speed restrictions at diamond crossings; $60,000 to maintain diamond crossings; and $1,000 to maintain a copy of the PTC implementation plan. The total annual costs to small entities after initial acquisition will be $2,260,000 ($1,980,000 + $219,000 + $60,000 + $1,000). Individual railroads affected will either face an initial cost of $220,000 to equip locomotives, and an annual cost of $33,000 to maintain the PTC systems on those locomotives, or will face a per railroad cost of $80,000 to equip a diamond crossing, $12,000 per year to maintain a diamond crossing, and $43,800 per year to slow at diamond crossings. No railroad will face both sets of costs, because if its locomotives are equipped, they will not need to slow down at diamond crossings, nor would the crossings need to be equipped with derails.
5. Steps the Agency Has Taken To Minimize Adverse Economic Impact on Small Entities
FRA is unaware of any significant alternatives that would meet the intent of RSIA08 and that would minimize the economic impact on small entities. FRA is exercising its discretion to provide the greatest flexibility for small entities available under RSIA08 by allowing operations of unequipped trains operated by small entities on the main lines of Class I railroads, and by defining main track on passenger railroads to avoid imposing undue burdens on small entities. The definition of passenger main track was adopted based on PTC Working Group recommendations that were backed strongly by representatives of small railroads. FRA added further, more expansive exclusions from main track for passenger railroads in the final rule. The provisions permitting operations of unequipped trains of Class I railroads exceeded the maximum flexibility for which the PTC Working Group could reach a consensus. FRA requested comments on this finding of no significant alternative related to small entities, but received no such comments.
The process by which this final rule was developed provided outreach to small entities. As noted earlier in the preamble, this notice was developed in consultation with industry representatives via the RSAC, which includes small railroad representatives. From January to April 2009, FRA met with the entire PTC Working Group five times over the course of twelve days. This PTC Working Group established a task force to focus on issues specific to short line and regional railroads. The discussions yielded many insights and this final rule takes into account the concerns expressed by small railroads during the deliberations. The PTC Working Group had further discussions after publication of the NPRM, on August 31, 2009, and September 1 and 2, 2009, related to the impact on small entities and on passenger railroads Start Printed Page 2693(small entities may be affected under the final rule by their operations on passenger railroads or as hosts of passenger operations) and added new exclusions from main track to the RSAC recommendations. FRA extended these exclusions further, based on Amtrak comments, to the benefit of small entities.
C. Paperwork Reduction Act
The information collection requirements in this proposed rule have been submitted for approval to the Office of Management and Budget (OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. The sections that contain the new information collection requirements and the estimated time to fulfill each requirement are as follows:
CFR section Respondent universe Total annual responses Average time per response Total annual burden hours 234.275—Processor-Based Systems—Deviations from Product Safety Plan (PSP)—Letters 20 Railroads 25 letters 4 hours 100 hours. 236.18—Software Mgmt. Control Plan 184 Railroads 184 plans 2,150 hours 395,600 hours. —Updates to Software Mgmt. Control Plan 90 Railroads 20 updates 1.50 hours 30 hours. 236.905—Updates to RSPP 78 Railroads 6 plans 135 hours 810 hours. —Response to Request for Additional Info 78 Railroads 1 updated doc 400 hours 400 hours. —Request for FRA Approval of RSPP Modification 78 Railroads 1 request/modified RSPP 400 hours 400 hours. 236.907—Product Safety Plan (PSP)—Dev 5 Railroads 5 plans 6,400 hours 32,000 hours. 236.909—Minimum Performance Standard —Petitions for Review and Approval 5 Railroads 2 petitions/PSP 19,200 hours 38,400 hours. —Supporting Sensitivity Analysis 5 Railroads 5 analyses 160 hours 800 hours. 236.913—Notification/Submission to FRA of Joint Product Safety Plan (PSP) 6 Railroads 1 joint plan 25,600 hours 25,600 hours. —Petitions for Approval/Informational Filings 6 Railroads 6 petitions 1,928 hours 11,568 hours. —Responses to FRA Request for Further Info. After Informational Filing 6 Railroads 2 documents 800 hours 1,600 hours. —Responses to FRA Request for Further Info. After Agency Receipt of Notice of Product Development 6 Railroads 6 documents 16 hours 96 hours. —Consultations 6 Railroads 6 consults 120 hours 720 hours. —Petitions for Final Approval 6 Railroads 6 petitions 16 hours 96 hours. —Comments to FRA by Interested Parties Public/RRs 7 comments 240 hours 1,680 hours. —Third Party Assessments of PSP 6 Railroads 1 assessment 104,000 hours 104,000 hours. —Amendments to PSP 6 Railroads 15 amendments 160 hours 2,400 hours. —Field Testing of Product—Info. Filings 6 Railroads 6 documents 3,200 hours 19,200 hours. 236.917—Retention of Records. —Results of tests/inspections specified in PSP 6 Railroads 3 documents/records 160,000 hrs.; 160,000 hrs.; 40,000 hrs 360,000 hours. —Report to FRA of Inconsistencies with frequency of safety-relevant hazards in PSP 6 Railroads 1 report 104 hours 104 hours. 236.919—Operations & Maintenance Man. —Updates to O & M Manual 6 Railroads 6 updated docs 40 hours 240 hours. —Plans for Proper Maintenance, Repair, Inspection of Safety-Critical Products 6 Railroads 6 plans 53,335 hours 320,010 hours. —Hardware/Software/Firmware Revisions 6 Railroads 6 revisions 6,440 hours 38,640 hours. 236.921—Training Programs: Development 6 Railroads 6 Tr. Programs 400 hours 2,400 hours. —Training of Signalmen & Dispatchers 6 Railroads 300 signalmen; 20 dispatchers 40 hours; 20 hours 12,400 hours. 236.923—Task Analysis/Basic Requirements: Necessary Documents 6 Railroads 6 documents 720 hours 4,320 hours. —Records 6 Railroads 350 records 10 minutes 58 hours. SUBPART I—NEW REQUIREMENTS 236.1001—RR Development of More Stringent Rules Re: PTC Performance Stds 30 Railroads 3 rules 80 hours 240 hours. 236.1005—Requirements for PTC Systems —Temporary Rerouting: Emergency Requests 30 Railroads 50 requests 8 hours 400 hours. —Written/Telephonic Notification to FRA Regional Administrator 30 Railroads 50 notifications 2 hours 100 hours. —Temporary Rerouting Requests Due to Track Maintenance 30 Railroads 760 requests 8 hours 6,080 hours. —Temporary Rerouting Requests That Exceed 30 Days 30 Railroads 380 requests 8 hours 3,040 hours. 236.1006—Requirements for Equipping Locomotives Operating in PTC Territory. Start Printed Page 2694 —Reports of Movements in Excess of 20 Miles/RR Progress on PTC Locomotives 30 Railroads 45 reports + 45 reports 8 hours + 170 8,010 hours. —PTC Progress Reports 35 Railroads 35 reports 16 hours 560 hours. 236.1007—Additional Requirements for High Speed Service. —Required HSR—125 Documents with approved PTCSP 30 Railroads 11 documents 3,200 hours 35,200 hours. —Requests to Use Foreign Service Data 30 Railroads 2 requests 8,000 hours 16,000 hours. —PTC Railroads Conducting Operations at More than 150 MPH with HSR-125 Documents 30 Railroads 4 documents 3,200 hours 12,800 hours. —Requests for PTC Waiver 30 Railroads 1 request 1,000 hours 1,000 hours. 236.1009—Procedural Requirements. —PTC Implementation Plans (PTCIP) 30 Railroads 25 plans 535 hours 13,375 hours. —Host Railroads Filing PTCIP or Request for Amendment (RFAs) 30 Railroads 1 PCTIP; 15 RFAs 535 hours; 320 hours 5,335 hours. —Jointly Submitted PTCIPs 30 Railroads 5 PTCIPs 267 hours 1,335 hours. —Notification of Failure to File Joint PTCIP 30 Railroads 25 notifications 32 hours 800 hours. —Comprehensive List of Issues Causing Non-Agreement 30 Railroads 25 lists 80 hours 2,000 hours. —Conferences to Develop Mutually Acceptable PCTIP 25 Railroads 3 conf. calls 60 minutes 3 hours. —Type Approval 30 Railroads 10 Type Appr 8 hours 80 hours. —PTC Development Plans Requesting Type Approval 30 Railroads 20 Ltr. + 20 App; 10 Plans 8 hrs/1,600 hrs.; 6,400 hours 96,160 hours. —Notice of Product Intent w/PTCIPs (IPs) 30 Railroads 24 NPI; 24 IPs 1,070 + 535 hrs 38,520 hours. —PTCDPs with PTCIPs (DPs + IPs) 30 Railroads 6 DPs; 6 IPs 2,135 + 535 hrs 16,020 hours. —Updated PTCIPs w/PTCDPs (IPs + DPs) 30 Railroads 24 IPs; 24 DPs 535 + 2,135 hrs 64,080 hours. —Disapproved/Resubmitted PTCIPs/NPIs 30 Railroads 6 IPs + 6 NPIs 135 + 270 hrs 2,430 hours. —Revoked Approvals—Provisional IPs/DP 30 Railroads 6 IPs + 6 DPs 135 + 535 hrs 4,020 hours. —PTCIPs/PTCDPs Still Needing Rework 30 Railroads 2 IPs + 2 DPs 135 + 535 hrs 1,340 hours. —PTCIP/PTCDP/PTCSP Plan Contents—Documents Translated into English 30 Railroads 1 document 8,000 hours 8,000 hours. —Requests for Confidentiality 30 Railroads 30 ltrs; 30 docs 8 hrs.; 800 hrs 24,240 hours. —Field Test Plans/Independent Assessments—Req. by FRA 30 Railroads 150 field tests; 2 assessments 800 hours 121,600 hours. —FRA Access: Interviews with PTC Wrkrs 30 Railroads 60 interviews 30 minutes 30 hours. —FRA Requests for Further Information 30 Railroads 5 documents 400 hours 2,000 hours. 236.1011—PTCIP Requirements—Comment 7 Interested Groups 21 rev.; 60 com 143 + 8 hrs 3,483 hours. 236.1015—PTCSP Content Requirements & PTC System Certification. —Non-Vital Overlay 30 Railroads 2 PTCSPs 16,000 hours 32,000 hours. —Vital Overlay 30 Railroads 16 PTCSPs 22,400 hours 358,400 hours. —Stand Alone 30 Railroads 10 PTCSPs 32,000 hours 320,000 hours. —Mixed Systems—Conference with FRA regarding Case/Analysis 30 Railroads 3 conferences 32 hours 96 hours. —Mixed Sys. PTCSPs (incl. safety case) 30 Railroads 2 PTCSPs 28,800 hours 57,600 hours. —FRA Request for Additional PTCSP Data 30 Railroads 15 documents 3,200 hours 48,000 hours. —PTCSPs Applying to Replace Existing Certified PTC Systems 30 Railroads 15 PTCSPs 3,200 hours 48,000 hours. —Non-Quantitative Risk Assessments Supplied to FRA 30 Railroads 15 assessments 3,200 hours 48,000 hours. 236.1017—PTCSP Supported by Independent Third Party Assessment 30 Railroads 1 assessment 8,000 hours 8,000 hours. —Written Requests to FRA to Confirm Entity Independence 30 Railroads 1 request 8 hours 8 hours. —Provision of Additional Information After FRA Request 30 Railroads 1 document 160 hours 160 hours. —Independent Third Party Assessment: Waiver Requests 30 Railroads 1 request 160 hours 160 hours. Start Printed Page 2695 —RR Request for FRA to Accept Foreign Railroad Regulator Certified Info 30 Railroads 1 request 32 hours 32 hours. 236.1019—Main Line Track Exceptions. —Submission of Main Line Track Exclusion Addendums (MTEAs) 30 Railroads 30 MTEAs 160 hours 4,800 hours. —Passenger Terminal Exception—MTEAs 30 Railroads 23 MTEAs 160 hours 3,680 hours. —Limited Operation Exception—Risk Mit 30 Railroads 23 plans 160 hours 3,680 hours. —Ltd. Exception—Collision Hazard Anal 30 Railroads 12 analyses 1,600 hours 19,200 hours. —Temporal Separation Procedures 30 Railroads 11 procedures 160 hours 1,760 hours. 236.1021—Discontinuances, Material Modifications, Amendments—Requests to Amend (RFA) PTCIP, PTCDP or PTCSP 30 Railroads 15 RFAs 160 hours 2,400 hours. —Review and Public Comment on RFA 7 Interested Groups 7 reviews + 20 comments 3 hours; 16 hours 341 hours. 236.1023—PTC Product Vendor Lists 30 Railroads 30 lists 8 hours 240 hours. —RR Procedures Upon Notification of PTC System Safety-Critical Upgrades, Rev., Etc 30 Railroads 30 procedures 16 hours 480 hours. —RR Notifications of PTC Safety Hazards 30 Railroads 150 notifications 16 hours 2,400 hours. —RR Notification Updates 30 Railroads 150 updates 16 hours 2,400 hours. —Manufacturer's Report of Investigation of PTC Defect 5 System Suppliers 5 reports 400 hours 2,000 hours. —PTC Supplier Reports of Safety Relevant Failures or Defective Conditions 5 System Suppliers 150 reports + 150 rpt. copies 16 hours + 8 hours 3,600 hours. 236.1029—Report of On-Board Lead Locomotive PTC Device Failure 30 Railroads 960 reports 96 hours 92,160 hours. 236.1031—Previously Approved PTC Systems. —Request for Expedited Certification (REC) for PTC System 30 Railroads 3 REC Letters 160 hours 480 hours. —Requests for Grandfathering on PTCSPs 30 Railroads 3 requests 1,600 hours 4,800 hours. 236.1035—Field Testing Requirements 30 Railroads 150 field test plans 800 hours 120,000 hours. —Relief Requests from Regulations Necessary to Support Field Testing 30 Railroads 50 requests 320 hours 16,000 hours. 236.1037—Records Retention. —Results of Tests in PTCSP and PTCDP 30 Railroads 960 records 4 hours 3,840 hours. —PTC Service Contractors Training Records 30 Railroads 9,000 records 30 minutes 4,500 hours. —Reports of Safety Relevant Hazards Exceeding Those in PTCSP and PTCDP 30 Railroads 4 reports 8 hours 32 hours. —Final Report of Resolution of Inconsistency 30 Railroads 4 final reports 160 hours 640 hours. 236.1039—Operations & Maintenance Manual (OMM): Development 30 Railroads 30 manuals 250 hours 7,500 hours. —Positive Identification of Safety-critical components 30 Railroads 75,000 i.d. components 1 hour 75,000 hours. —Designated RR Officers in OMM regarding PTC issues 30 Railroads 60 designations 2 hours 120 hours. 236.1041—PTC Training Programs 30 Railroads 30 programs 400 hours 12,000 hours. 236.1043—Task Analysis/Basic Requirements: Training Evaluations 30 Railroads 30 evaluations 720 hours 21,600 hours. —Training Records 30 Railroads 350 records 10 minutes 58 hours. 236.1045—Training Specific to Office Control Personnel 30 Railroads 20 trained employees 20 hours 400 hours. 236.1047—Training Specific to Loc. Engineers & Other Operating Personnel —PTC Conductor Training 30 Railroads 5,000 trained conductors 3 hours 15,000 hours. All estimates include the time for reviewing instructions; searching existing data sources; gathering or maintaining the needed data; and reviewing the information.
Organizations and individuals desiring to submit comments on the collection of information requirements should direct them to the Office of Management and Budget, Office of Information and Regulatory Affairs, Washington, DC 20503, Attention: FRA Desk Officer. Comments may also be sent via e-mail to the Office of Management and Budget at the following address: oira_submissions@omb.eop.gov. Start Printed Page 2696
OMB is required to make a decision concerning the collection of information requirements contained in this direct final rule between 30 and 60 days after publication of this document in the Federal Register. Therefore, a comment to OMB is best assured of having its full effect if OMB receives it within 30 days of publication.
FRA cannot impose a penalty on persons for violating information collection requirements which do not display a current OMB control number, if required. FRA intends to obtain current OMB control numbers for any new information collection requirements resulting from this rulemaking action prior to the effective date of this direct final rule. The OMB control number, when assigned, will be announced by separate notice in the Federal Register.
D. Federalism Implications
This final rule has been analyzed in accordance with the principles and criteria contained in Executive Order 13132, “Federalism.” See 64 FR 43,255 (Aug. 4, 1999).
As discussed earlier in the preamble, this final rule would provide regulatory guidance and performance standards for the development, testing, implementation, and use of Positive Train Control (PTC) systems for railroads mandated by the Rail Safety Improvement Act of 2008.
Executive Order 13132 requires FRA to develop an accountable process to ensure “meaningful and timely input by State and local officials in the development of regulatory policies that have federalism implications.” Policies that have “federalism implications” are defined in the Executive Order to include regulations that have “substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.” Under Executive Order 13132, the agency may not issue a regulation with Federalism implications that imposes substantial direct compliance costs and that is not required by statute, unless the Federal government provides the funds necessary to pay the direct compliance costs incurred by State and local governments, or the agency consults with State and local government officials early in the process of developing the regulation. Where a regulation has Federalism implications and preempts State law, the agency seeks to consult with State and local officials in the process of developing the regulation.
FRA has determined that this final rule would not have substantial direct effects on the states, on the relationship between the national government and the states, nor on the distribution of power and responsibilities among the various levels of government. In addition, FRA has determined that this final rule, which is required by the Rail Safety Improvement Act of 2008, would not impose any direct compliance costs on state and local governments. Therefore, the consultation and funding requirements of Executive Order 13132 do not apply.
However, this final rule will have preemptive effect. Section 20106 of Title 49 of the United States Code provides that States may not adopt or continue in effect any law, regulation, or order related to railroad safety or security that covers the subject matter of a regulation prescribed or order issued by the Secretary of Transportation (with respect to railroad safety matters) or the Secretary of Homeland Security (with respect to railroad security matters), except when the State law, regulation, or order qualifies under the local safety or security exception to § 20106. The intent of § 20106 is to promote national uniformity in railroad safety and security standards. 49 U.S.C. 20106(a)(1). Thus, subject to a limited exception for essentially local safety or security hazards, this final rule would establish a uniform federal safety standard that must be met, and state requirements covering the same subject matter would be displaced, whether those state requirements are in the form of a state law, regulation, order, or common law. Part 236 establishes federal standards of care which preempt state standards of care, but this part does not preempt an action under state law seeking damages for personal injury, death, or property damage alleging that a party has failed to comply with the federal standard of care established by this part, including a plan or program required by this part. Provisions of a plan or program which exceed the requirements of this part are not included in the federal standard of care. The Locomotive Boiler Inspection Act (49 U.S.C. 20701-20703) has been held by the U.S. Supreme Court to preempt the entire field of locomotive safety; therefore, this part preempts any state law, including common law, covering the design, construction, or material of any part of or appurtenance to a locomotive.
In sum, FRA has analyzed this final rule in accordance with the principles and criteria contained in Executive Order 13132. As explained above, FRA has determined that this final rule has no federalism implications, other than the preemption of state laws covering the subject matter of this final rule, which occurs by operation of law under 49 U.S.C. 20106 whenever FRA issues a rule or order. Accordingly, FRA has determined that preparation of a federalism summary impact statement for this proposed rule is not required.
E. Environmental Impact
FRA has evaluated this final rule in accordance with its “Procedures for Considering Environmental Impacts” (“FRA's Procedures”) (64 FR 28,545 (May 26, 1999)) as required by the National Environmental Policy Act (42 U.S.C. 4321 et seq.), other environmental statutes, Executive Orders, and related regulatory requirements. FRA has determined that this final rule is not a major FRA action (requiring the preparation of an environmental impact statement or environmental assessment) because it is categorically excluded from detailed environmental review pursuant to section 4(c)(20) of FRA's Procedures. In accordance with section 4(c) and (e) of FRA's Procedures, the agency has further concluded that no extraordinary circumstances exist with respect to this regulation that might trigger the need for a more detailed environmental review. As a result, FRA finds that this final rule is not a major federal action significantly affecting the quality of the human environment.
F. Unfunded Mandates Reform Act of 1995
The Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4, 2 U.S.C. 1531) (UMRA) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a federal mandate likely to result in the expenditures by state, local or tribal governments, in the aggregate, or by the private sector, of $100 million (adjusted annually for inflation with base year of 1995) or more in any one year. The value equivalent of $100 million in CY 1995, adjusted annual for inflation to CY 2008 levels by the Consumer Price Index for All Urban Consumers (CPI-U) is $141.3 million. The assessment may be included in conjunction with other assessments, as it is in this rulemaking.
FRA is issuing this final rule to provide regulatory guidance and performance standards for the development, testing, implementation, and use of PTC systems for railroads mandated by the Rail Safety Improvement Act of 2008 § 104, Public Law 110-432, 122 Stat. 4854 (Oct. 16, 2008) (codified at 9 U.S.C. 20157), to Start Printed Page 2697implement PTC systems. The RIA provides a detailed analysis of the costs of implementing PTC systems. This analysis is the basis for determining that, other than to the extent that this regulation incorporates requirements specifically set forth in RSIA08, this rule will not result in total expenditures by state, local or tribal governments, in the aggregate, or by the private sector of $141.3 million or more in any one year. The vast bulk of costs associated with this final rule are directly attributable to the statutory mandate. The only unfunded mandate attributable to this final rule that does not incorporate the requirements specifically set forth in RSIA08 is the cost pertaining to the filing of paperwork to prove compliance with RSIA08. The effects are discussed above and in the Regulatory Impact Analysis, which has been placed in the docket for this rulemaking.
FRA received comments asserting that the rule extends beyond the congressional mandates communicated in RSIA08. Even if this assertion was correct, the final rule alone would not create an unfunded mandate in excess of the threshold amount. For instance, some railroads believe that § 236.1029(f)—which requires PTC screen access to every person in the locomotive cab—exceeds the statutory requirements. Certain freight railroads have said that this provision requires a second display unit, which will cost $8,000. AAR estimates that approximately 29,461 second display units would require installation, resulting in a cost of $235,688,000. FRA, however, believes that only 27,598 screens would require installation, totaling $220,784,000.
Certain railroads have also contested § 236.1005(b)(2), which governs the baseline information necessary to determine whether a Class I railroad's track segment shall be equipped with a PTC system. Under that provision, initial PTC territory shall be determined based on 2008 traffic levels. CSXT asserts that this provision will cause it to install PTC on 844 miles of track which will no longer meet the PIH materials threshold or will no longer meet the 5 million gross tons threshold in 2010. According to CSXT, the installation will cost $45,000 per mile (the RIA uses an estimate of $50,000 per mile) for a CSXT estimated cost of almost $38,000,000.
As noted above, FRA believes that these requirements respond directly to the requirements set forth in RSIA08. For instance, to effectuate Congress' intent to prevent incursions into roadway worker zones, it is necessary to require PTC screen access to all crew members in the locomotive cab so that they may perform their respective duties. Sometimes, this may require installation of a second display unit. In its analysis of § 236.1005(b), FRA provides sufficient justification for the baseline level based on the language in the statute, the context of the legislative process, and Congress' intent. If anything, FRA has reduced railroad expenditures by, inter alia, providing a number of exceptions from the installation requirements and opportunities for plan amendments.
In any event, the aforementioned costs borne by the railroads will not exceed $141.3 million or more in any one year. The costs indicated above—totaling between $258,784,000 and $273,688,000, depending upon whether one relies on AAR's or FRA's second screen estimates—would be incurred over a period of several years. Even if FRA were to add the costs of paperwork filings, which FRA estimates to each have a one time cost of approximately $20,000, the annual monetary threshold will likely not be met.
G. Energy Impact
Executive Order 13211 requires Federal agencies to prepare a Statement of Energy Effects for any “significant energy action.” 66 FR 28,355 (May 22, 2001). Under the Executive Order, a “significant energy action” is defined as any action by an agency (normally published in the Federal Register) that promulgates or is expected to lead to the promulgation of a final rule or regulation, including notices of inquiry, advance notices of proposed rulemaking, and notices of proposed rulemaking: (1)(i) That is a significant regulatory action under Executive Order 12866 or any successor order, and (ii) is likely to have a significant adverse effect on the supply, distribution, or use of energy; or (2) that is designated by the Administrator of the Office of Information and Regulatory Affairs as a significant energy action. FRA has evaluated this final rule in accordance with Executive Order 13211. FRA has determined that this final rule is not likely to have a significant adverse effect on the supply, distribution, or use of energy. Consequently, FRA has determined that this regulatory action is not a “significant regulatory action” within the meaning of Executive Order 13211.
H. Privacy Act
FRA wishes to inform all interested parties that anyone is able to search the electronic form of any written communications and comments received into any of our dockets by the name of the individual submitting the document (or signing the document), if submitted on behalf of an association, business, labor union, etc.). Interested parties may also review DOT's complete Privacy Act Statement in the Federal Register published on April 11, 2000 (65 FR 19,477) or visit http://www.regulations.gov.
Start List of SubjectsList of Subjects
49 CFR Part 229
- Event recorders
- Locomotives
- Railroad safety
49 CFR Part 234
- Highway safety
- Penalties
- Railroad safety
- Reporting and recordkeeping requirements
49 CFR Part 235
- Administrative practice and procedure
- Penalties
- Railroad safety
- Reporting and recordkeeping requirements
49 CFR Part 236
- Penalties
- Positive Train Control
- Railroad safety
- Reporting and recordkeeping requirements
IX. The Rule
Start Amendment PartIn consideration of the foregoing, FRA amends chapter II, subtitle B of title 49, Code of Federal Regulations as follows:
End Amendment Part Start PartPART 229—[AMENDED]
End Part Start Amendment Part1. The authority citation for part 229 continues to read as follows:
End Amendment Part Start Amendment Part2. Section 229.135 is amended by revising paragraphs (b)(3)(xxv) and (b)(4)(xxi) to read as follows:
End Amendment PartEvent recorders.* * * * *(b) * * *
(3) * * *
(xxv) Safety-critical train control data routed to the locomotive engineer's display with which the engineer is required to comply, specifically including text messages conveying mandatory directives and maximum authorized speed. The format, content, and proposed duration for retention of such data shall be specified in the Product Safety Plan or PTC Safety Plan submitted for the train control system under subparts H or I, respectively, of part 236 of this chapter, subject to FRA approval under this paragraph. If it can be calibrated against other data required by this part, such train control data may, at the election of the railroad, be Start Printed Page 2698retained in a separate certified crashworthy memory module.
(4) * * *
(xxi) Safety-critical train control data routed to the locomotive engineer's display with which the engineer is required to comply, specifically including text messages conveying mandatory directives and maximum authorized speed. The format, content, and proposed duration for retention of such data shall be specified in the Product Safety Plan or PTC Safety Plan submitted for the train control system under subparts H or I, respectively, of part 236 of this chapter, subject to FRA approval under this paragraph. If it can be calibrated against other data required by this part, such train control data may, at the election of the railroad, be retained in a separate certified crashworthy memory module.
* * * * *PART 234—[AMENDED]
End Part Start Amendment Part3. The authority citation for part 234 continues to read as follows:
End Amendment Part Start Amendment Part4. In § 234.275 revise paragraphs (b)(1), (b)(2), (c), and (f) to read as follows:
End Amendment PartProcessor-based systems.* * * * *(b) Use of performance standard authorized or required. (1) In lieu of compliance with the requirements of this subpart, a railroad may elect to qualify an existing processor-based product under part 236, subparts H or I, of this chapter.
(2) Highway-rail grade crossing warning systems, subsystems, or components that are processor-based and that are first placed in service after June 6, 2005, which contain new or novel technology, or which provide safety-critical data to a railroad signal or train control system that is governed by part 236, subpart H or I, of this chapter, shall also comply with those requirements. New or novel technology refers to a technology not previously recognized for use as of March 7, 2005.
* * * * *(c) Plan justifications. The Product Safety Plan in accordance with 49 CFR 236.907—or a PTC Development Plan and PTC Safety Plan required to be filed in accordance with 49 CFR 236.1013 and 236.1015—must explain how the performance objective sought to be addressed by each of the particular requirements of this subpart is met by the product, why the objective is not relevant to the product's design, or how the safety requirements are satisfied using alternative means. Deviation from those particular requirements is authorized if an adequate explanation is provided, making reference to relevant elements of the applicable plan, and if the product satisfies the performance standard set forth in § 236.909 of this chapter. (See § 236.907(a)(14) of this chapter.)
* * * * *(f) Software management control for certain systems not subject to a performance standard. Any processor-based system, subsystem, or component subject to this part, which is not subject to the requirements of part 236, subpart H or I, of this chapter but which provides safety-critical data to a signal or train control system shall be included in the software management control plan requirements as specified in § 236.18 of this chapter.
PART 235—[AMENDED]
End Part Start Amendment Part5. The authority citation for part 235 continues to read as follows:
End Amendment Part Start Amendment Part6. In § 235.7, revise paragraph (a)(4), add paragraph (a)(5), and revise paragraphs (b)(2), (b)(3), and (c)(25) to read as follows:
End Amendment PartChanges not requiring filing of application.(a) * * *
(4) Removal from service not to exceed 6 months of block signal system, interlocking, or traffic control system necessitated by catastrophic occurrence such as derailment, flood, fire, or hurricane; or
(5) Removal of an intermittent automatic train stop system in conjunction with the implementation of a positive train control system approved by FRA under subpart I of part 236 of this chapter.
(b) * * *
(2) Removal of electric or mechanical lock, or signal used in lieu thereof, from hand-operated switch in automatic block signal or traffic control territory where train speed over the switch does not exceed 20 miles per hour; or
(3) Removal of electric or mechanical lock, or signal used in lieu thereof, from hand-operated switch in automatic block signal or traffic control territory where trains are not permitted to clear the main track at such switch.
(c) * * *
(25) The temporary or permanent arrangement of existing systems necessitated by highway-rail grade crossing separation construction. Temporary arrangements shall be removed within 6 months following completion of construction.
PART 236—[AMENDED]
End Part Start Amendment Part7. The authority citation for part 236 is revised to read as follows:
End Amendment Part Start Amendment Part8. Section 236.0 is amended by revising paragraphs (a) and (c) through (e) and by adding paragraph (i) to read as follows:
End Amendment PartApplicability, minimum requirements, and penalties.(a) Except as provided in paragraph (b) of this section, this part applies to all railroads and any person as defined in paragraph (f) of this section.
* * * * *(c)(1) Prior to January 17, 2012, where a passenger train is operated at a speed of 60 or more miles per hour, or a freight train is operated at a speed of 50 or more miles per hour—
(i) A block signal system complying with the provisions of this part shall be installed; or
(ii) A manual block system shall be placed permanently in effect that shall conform to the following conditions:
(A) A passenger train shall not be admitted to a block occupied by another train except when absolutely necessary and then only by operating at restricted speed;
(B) No train shall be admitted to a block occupied by a passenger train except when absolutely necessary and then only by operating at restricted speed;
(C) No train shall be admitted to a block occupied by an opposing train except when absolutely necessary and then only while one train is stopped and the other is operating at restricted speed; and
(D) A freight train, including a work train, may be authorized to follow a freight train, including a work train, into a block and then only when the following train is operating at restricted speed.
(2) On and after January 17, 2012, where a passenger train is permitted to operate at a speed of 60 or more miles per hour, or a freight train is permitted to operate at a speed of 50 or more miles per hour, a block signal system complying with the provisions of this part shall be installed, unless an FRA approved PTC system meeting the requirements of this part for the subject speed and other operating conditions is installed.Start Printed Page 2699
(d)(1) Prior to December 31, 2015, where any train is permitted to operate at a speed of 80 or more miles per hour, an automatic cab signal, automatic train stop, or automatic train control system complying with the provisions of this part shall be installed, unless an FRA approved PTC system meeting the requirements of this part for the subject speed and other operating conditions, is installed.
(2) On and after December 31, 2015, where any train is permitted to operate at a speed of 80 or more miles per hour, a PTC system complying with the provisions of subpart I shall be installed and operational, unless FRA approval to continue to operate with an automatic cab signal, automatic train stop, or automatic train control system complying with the provisions of this part has been justified to, and approved by, the Associate Administrator.
(3) Subpart H of this part sets forth requirements for voluntary installation of PTC systems, and subpart I of this part sets forth requirements for mandated installation of PTC systems, each under conditions specified in their respective subpart.
(e) Nothing in this section authorizes the discontinuance of a block signal system, interlocking, traffic control system, automatic cab signal, automatic train stop or automatic train control system, or PTC system, without approval by the FRA under part 235 of this title. However, a railroad may apply for approval of discontinuance or material modification of a signal or train control system in connection with a request for approval of a Positive Train Control Development Plan (PTCDP) or Positive Train Control Safety Plan (PTCSP) as provided in subpart I of this part.
* * * * *(i) Preemptive effect. (1) Under 49 U.S.C. 20106, issuance of these regulations preempts any state law, regulation, or order covering the same subject matter, except an additional or more stringent law, regulation, or order that is necessary to eliminate or reduce an essentially local safety or security hazard; is not incompatible with a law, regulation, or order of the United States Government; and that does not impose an unreasonable burden on interstate commerce.
(2) This part establishes federal standards of care for railroad signal and train control systems. This part does not preempt an action under state law seeking damages for personal injury, death, or property damage alleging that a party has failed to comply with the federal standard of care established by this part, including a plan or program required by this part. Provisions of a plan or program which exceed the requirements of this part are not included in the federal standard of care.
(3) Under 49 U.S.C. 20701-20703, issuance of these regulations preempts the field of locomotive safety, extending to the design, the construction, and the material of every part of the locomotive and tender and all appurtenances thereof.
9. Section 236.410 is amended by removing the Note following paragraph (b), and republishing paragraphs (b) and (c), to read as follows:
End Amendment PartLocking, hand-operated switch; requirements.* * * * *(b) Approach or time locking shall be provided and locking may be released either automatically, or by the control operator, but only after the control circuits of signals governing movement in either direction over the switch and which display aspects with indications more favorable than “proceed at restricted speed” have been opened directly or by shunting of track circuit.
(c) Where a signal is used in lieu of electric or mechanical lock to govern movements from auxiliary track to signaled track, the signal shall not display an aspect to proceed until after the control circuits of signals governing movement on main track in either direction over the switch have been opened, and either the approach locking circuits to the switch are unoccupied or a predetermined time interval has expired.
* * * * *10. Section 236.909 is amended by adding four new sentences directly after the first sentence of paragraph (e)(1) and by revising paragraph (e)(2)(i) to read as follows:
End Amendment PartMinimum performance standards.* * * * *(e) * * *
(1) * * * The total risk assessment must have a supporting sensitivity analysis. The analysis must confirm that the risk metrics of the system are not negatively affected by sensitivity analysis input parameters including, for example, component failure rates, human factor error rates, and variations in train traffic affecting exposure. In this context, “negatively affected” means that the final residual risk metric does not exceed that of the base case or that which has been otherwise established through MTTHE target. The sensitivity analysis must document the sensitivity to worst case failure scenarios. * * *
(2) * * *
(i) In all cases exposure must be expressed as total train miles traveled per year over the relevant railroad infrastructure. Consequences must identify the total cost, including fatalities, injuries, property damage, and other incidental costs, such as potential consequences of hazardous materials involvement, resulting from preventable accidents associated with the function(s) performed by the system.
* * * * *Start Amendment Part11. Add a new subpart I to part 236 to read as follows:
End Amendment Part- 236.1001
- Purpose and scope.
- 236.1003
- Definitions.
- 236.1005
- Requirements for Positive Train Control systems.
- 236.1006
- Equipping locomotives operating in PTC territory.
- 236.1007
- Additional requirements for high-speed service.
- 236.1009
- Procedural requirements.
- 236.1011
- PTC Implementation Plan content requirements.
- 236.1013
- PTC Development Plan and Notice of Product Intent content requirements and Type Approval.
- 236.1015
- PTC Safety Plan content requirements and PTC System Certification.
- 236.1017
- Independent third party Verification and Validation.
- 236.1019
- Main line track exceptions.
- 236.1021
- Discontinuances, material modifications, and amendments.
- 236.1023
- Errors and malfunctions.
- 236.1025
- [Reserved]
- 236.1027
- PTC system exclusions.
- 236.1029
- PTC system use and en route failures.
- 236.1031
- Previously approved PTC systems.
- 236.1033
- Communications and security requirements.
- 236.1035
- Field testing requirements.
- 236.1037
- Records retention.
- 236.1039
- Operations and Maintenance Manual.
- 236.1041
- Training and qualification program, general.
- 236.1043
- Task analysis and basic requirements.
- 236.1045
- Training specific to office control personnel.
- 236.1047
- Training specific to locomotive engineers and other operating personnel.
- 236.1049
- Training specific to roadway workers.
Subpart I—Positive Train Control Systems Subpart I—Positive Train Control Systems
Purpose and scope.(a) This subpart prescribes minimum, performance-based safety standards for PTC systems required by 49 U.S.C. 20157, this subpart, or an FRA order, including requirements to ensure that the development, functionality, Start Printed Page 2700architecture, installation, implementation, inspection, testing, operation, maintenance, repair, and modification of those PTC systems will achieve and maintain an acceptable level of safety. This subpart also prescribes standards to ensure that personnel working with, and affected by, safety-critical PTC system related products receive appropriate training and testing.
(b) Each railroad may prescribe additional or more stringent rules, and other special instructions, that are not inconsistent with this subpart.
(c) This subpart does not exempt a railroad from compliance with any requirement of subparts A through H of this part or parts 233, 234, and 235 of this chapter, unless:
(1) It is otherwise explicitly excepted by this subpart; or
(2) The applicable PTCSP, as defined under § 236.1003 and approved by FRA under § 236.1015, provides for such an exception per § 236.1013.
Definitions.(a) Definitions contained in subparts G and H of this part apply equally to this subpart.
(b) The following definitions apply to terms used only in this subpart unless otherwise stated:
After-arrival mandatory directive means an authority to occupy a track which is issued to a train that is not effective and not to be acted upon until after the arrival and passing of a train, or trains, specifically identified in the authority.
Associate Administrator means the FRA Associate Administrator for Railroad Safety/Chief Safety Officer.
Class I railroad means a railroad which in the last year for which revenues were reported exceeded the threshold established under regulations of the Surface Transportation Board (49 CFR part 1201.1-1 (2008)).
Cleartext means the un-encrypted text in its original, human readable, form. It is the input of an encryption or encipher process, and the output of an decryption or decipher process.
Controlling locomotive means Locomotive, controlling, as defined in § 232.5 of this chapter.
Host railroad means a railroad that has effective operating control over a segment of track.
Interoperability means the ability of a controlling locomotive to communicate with and respond to the PTC railroad's positive train control system, including uninterrupted movements over property boundaries.
Limited operations means operations on main line track that have limited or no freight operations and are approved to be excluded from this subpart's PTC system implementation and operation requirements in accordance with § 236.1019(c);
Main line means, except as provided in § 236.1019 or where all trains are limited to restricted speed within a yard or terminal area or on auxiliary or industry tracks, a segment or route of railroad tracks:
(1) Of a Class I railroad, as documented in current timetables filed by the Class I railroad with the FRA under § 217.7 of this title, over which 5,000,000 or more gross tons of railroad traffic is transported annually; or
(2) Used for regularly scheduled intercity or commuter rail passenger service, as defined in 49 U.S.C. 24102, or both. Tourist, scenic, historic, or excursion operations as defined in part 238 of this chapter are not considered intercity or commuter passenger service for purposes of this part.
Main line track exclusion addendum (“MTEA”) means the document submitted under §§ 236.1011 and 236.1019 requesting to designate track as other than main line.
Medium speed means, Speed, medium, as defined in subpart G of this part.
NPI means a Notice of Product Intent (“NPI”) as further described in § 236.1013.
PTC means positive train control as further described in § 236.1005.
PTCDP means a PTC Development Plan as further described in § 236.1013.
PTCIP means a PTC Implementation Plan as required under 49 U.S.C. 20157 and further described in § 236.1011.
PTCPVL means a PTC Product Vendor List as further described in § 236.1023.
PTCSP means a PTC Safety Plan as further described in § 236.1015.
PTC railroad means each Class I railroad and each entity providing regularly scheduled intercity or commuter rail passenger transportation required to implement or operate a PTC system.
PTC System Certification means certification as required under 49 U.S.C. 20157 and further described in §§ 236.1009 and 236.1015.
Request for Amendment (“RFA”) means a request for an amendment of a plan or system made by a PTC railroad in accordance with § 236.1021.
Request for Expedited Certification (“REC”) means, as further described in § 236.1031, a request by a railroad to receive expedited consideration for PTC System Certification.
Restricted speed means, Speed, restricted, as defined in subpart G of this part.
Safe State means a system state that, when the system fails, cannot cause death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment.
Segment of track means any part of the railroad where a train operates.
Temporal separation means that passenger and freight operations do not operate on any segment of shared track during the same period and as further defined under § 236.1019 and the process or processes in place to assure that result.
Tenant railroad means a railroad, other than a host railroad, operating on track upon which a PTC system is required.
Track segment means segment of track.
Type Approval means a number assigned to a particular PTC system indicating FRA agreement that the PTC system could fulfill the requirements of this subpart.
Train means one or more locomotives, coupled with or without cars.
Requirements for Positive Train Control systems.(a) PTC system requirements. Each PTC system required to be installed under this subpart shall:
(1) Reliably and functionally prevent:
(i) Train-to-train collisions—including collisions between trains operating over rail-to-rail at-grade crossings in accordance with the following risk-based table or alternative arrangements providing an equivalent level of safety as specified in an FRA approved PTCSP:
Crossing type Max speed * Protection required (A) Interlocking—one or more PTC routes intersecting with one or more non-PTC routes ≤ 40 miles per hour Interlocking signal arrangement in accordance with the requirements of subparts A-G of this part and PTC enforced stop on PTC routes. Start Printed Page 2701 (B) Interlocking—one or more PTC routes intersecting with one or more non-PTC routes > 40 miles per hour Interlocking signal arrangement in accordance with the requirements of subparts A-G of this part, PTC enforced stop on all PTC routes, and either the use of other than full PTC technology that provides positive stop enforcement or a split-point derail incorporated into the signal system accompanied by 20 miles per hour maximum allowable speed on the approach of any intersecting non-PTC route. (C) Interlocking—all PTC routes intersecting Any speed Interlocking signal arrangements in accordance with the requirements of subparts A-G of this part, and PTC enforced stop on all routes. (ii) Overspeed derailments, including derailments related to railroad civil engineering speed restrictions, slow orders, and excessive speeds over switches and through turnouts;
(iii) Incursions into established work zone limits without first receiving appropriate authority and verification from the dispatcher or roadway worker in charge, as applicable and in accordance with part 214 of this chapter; and
(iv) The movement of a train through a main line switch in the improper position as further described in paragraph (e) of this section.
(2) Include safety-critical integration of all authorities and indications of a wayside or cab signal system, or other similar appliance, method, device, or system of equivalent safety, in a manner by which the PTC system shall provide associated warning and enforcement to the extent, and except as, described and justified in the FRA approved PTCDP or PTCSP, as applicable;
(3) As applicable, perform the additional functions specified in this subpart;
(4) Provide an appropriate warning or enforcement when:
(i) A derail or switch protecting access to the main line required by § 236.1007, or otherwise provided for in the applicable PTCSP, is not in its derailing or protecting position, respectively;
(ii) A mandatory directive is issued associated with a highway-rail grade crossing warning system malfunction as required by §§ 234.105, 234.106, or 234.107;
(iii) An after-arrival mandatory directive has been issued and the train or trains to be waited on has not yet passed the location of the receiving train;
(iv) Any movable bridge within the route ahead is not in a position to allow permissive indication for a train movement pursuant to § 236.312; and
(v) A hazard detector integrated into the PTC system that is required by paragraph (c) of this section, or otherwise provided for in the applicable PTCSP, detects an unsafe condition or transmits an alarm; and
(5) Limit the speed of passenger and freight trains to 59 miles per hour and 49 miles per hour, respectively, in areas without broken rail detection or equivalent safeguards.
(b) PTC system installation. (1) Lines required to be equipped. Except as otherwise provided in this subpart, each Class I railroad and each railroad providing or hosting intercity or commuter passenger service shall progressively equip its lines as provided in its approved PTCIP such that, on and after December 31, 2015, a PTC system certified under § 236.1015 is installed and operated by the host railroad on each:
(i) Main line over which is transported any quantity of material poisonous by inhalation (PIH), including anhydrous ammonia, as defined in §§ 171.8, 173.115 and 173.132 of this title;
(ii) Main line used for regularly provided intercity or commuter passenger service, except as provided in § 236.1019; and
(iii) Additional line of railroad as required by the applicable FRA approved PTCIP, this subpart, or an FRA order requiring installation of a PTC system by that date.
(2) Initial baseline identification of lines. For the purposes of paragraph (b)(1)(i) of this section, the baseline information necessary to determine whether a Class I railroad's track segment shall be equipped with a PTC system shall be determined and reported as follows:
(i) The traffic density threshold of 5 million gross tons shall be based upon calendar year 2008 gross tonnage, except to the extent that traffic may fall below 5 million gross tons for two consecutive calendar years and a PTCIP or an RFA reflecting this change is filed and approved under paragraph (b)(4) of this section and, if applicable, § 236.1021.
(ii) The presence or absence of any quantity of PIH hazardous materials shall be determined by whether one or more cars containing such product(s) was transported over the track segment in calendar year 2008 or prior to the filing of the PTCIP, except to the extent that the PTCIP or RFA justifies, under paragraph (b)(4) of this section, removal of the subject track segment from the PTCIP listing of lines to be equipped.
(3) Addition of track segments. To the extent increases in freight rail traffic occur subsequent to calendar year 2008 that might affect the requirement to install a PTC system on any line not yet equipped, the railroad shall seek to amend its PTCIP by promptly filing an RFA in accordance with § 236.1021. The following criteria apply:
(i) If rail traffic exceeds 5 million gross tons in any year after 2008, the tonnage shall be calculated for the preceding two calendar years and if the total tonnage for those two calendar years exceeds 10 million gross tons, a PTCIP or its amendment is required.
(ii) If PIH traffic is carried on a track segment as a result of a request for rail service or rerouting warranted under part 172 of this title, and if the line carries in excess of 5 million gross tons of rail traffic as determined under this paragraph, a PTCIP or its amendment is required. This does not apply when temporary rerouting is authorized in accordance with paragraph (g) of this section.
(iii) Once a railroad is notified by FRA that its RFA filed in accordance with this paragraph has been approved, the railroad shall equip the line with the applicable PTC system by December 31, 2015, or within 24 months, whichever is later.
(4) Exclusion or removal of track segments from PTC baseline.
(i) Routing changes. In a PTCIP or an RFA, a railroad may request review of the requirement to install PTC on a track segment where a PTC system is otherwise required by this section, but has not yet been installed, based upon changes in rail traffic such as reductions in total traffic volume or cessation of passenger or PIH service. Any such request shall be accompanied by estimated traffic projections for the next 5 years (e.g., as a result of planned rerouting, coordinations, or location of new business on the line). Where the request involves prior or planned rerouting of PIH traffic, the railroad must provide a supporting analysis that takes into consideration the requirements of subpart I, part 172 of Start Printed Page 2702this title, assuming the subject route and each practicable alternative route to be PTC-equipped, and including any interline routing impacts.
(A) FRA will approve the exclusion if, based upon data in the docket of the proceeding, FRA finds that it would be consistent with safety as further provided in this paragraph.
(1) In the case of a requested exclusion based on cessation of passenger service or a decline in gross tonnage below 5 million gross tons as computed over a 2-year period, the removal will be approved absent special circumstances as set forth in writing (e.g., because of anticipated traffic growth in the near future).
(2) In the case of cessation of PIH traffic over a track segment, and absent special circumstances set forth in writing, FRA will approve an exclusion of a line from the PTCIP (determined on the basis of 2008 traffic levels) upon a showing by the railroad that:
(i) There is no remaining local PIH traffic expected on the track segment;
(ii) Either any rerouting of PIH traffic from the subject track segment is justified based upon the route analysis submitted, which shall assume that each alternative route will be equipped with PTC and shall take into consideration any significant interline routing impacts; or the next preferred alternative route in the analysis conducted as set forth in this paragraph is shown to be substantially as safe and secure as the route employing the track segment in question and demonstrated considerations of practicability indicate consolidation of the traffic on that next preferred alternative route; and
(iii) After cessation of PIH traffic on the line, the remaining risk associated with PTC-preventable accidents per route mile on the track segment will not exceed the average comparable risk per route mile on Class I lines in the United States required to be equipped with PTC because of gross tonnage and the presence of PIH traffic (which base case will be estimated as of a time prior to installation of PTC). If the subject risk is greater than the average risk on those PIH lines, and if the railroad making the application for removal of the track segment from the PTCIP offers no compensating extension of PTC or PTC technologies from the minimum required to be equipped, FRA may deny the request.
(B) [Reserved]
(ii) Lines with de minimis PIH risk. (A) In a PTCIP or RFA, a railroad may request review of the requirement to install PTC on a low density track segment where a PTC system is otherwise required by this section, but has not yet been installed, based upon the presence of a minimal quantity of PIH hazardous materials (less than 100 cars per year, loaded and residue). Any such request shall be accompanied by estimated traffic projections for the next 5 years (e.g., as a result of planned rerouting, coordinations, or location of new business on the line). Where the request involves prior or planned rerouting of PIH traffic, the railroad must provide the information and analysis identified in paragraph (b)(4)(i) of this section. The submission shall also include a full description of potential safety hazards on the segment of track and fully describe train operations over the line. This provision is not applicable to lines segments used by intercity or commuter passenger service.
(B) Absent special circumstances related to specific hazards presented by operations on the line segment, FRA will approve a request for relief under this paragraph for a rail line segment:
(1) Consisting exclusively of Class 1 or 2 track as described in part 213 of this title;
(2) That carries less than 15 million gross tons annually;
(3) Has a ruling grade of less than 1 percent; and
(4) On which any train transporting a car containing PIH materials (including a residue car) is operated under conditions of temporal separation from other trains using the line segment as documented by a temporal separation plan accompanying the request. As used in this paragraph, “temporal separation” has the same meaning given by § 236.1019(e), except that the separation addressed is the separation of a train carrying any number of cars containing PIH materials from other freight trains.
(C) FRA will also consider, and may approve, requests for relief under this paragraph for additional line segments where each such segment carries less than 15 million gross tons annually and where it is established to the satisfaction of the Associate Administrator that risk mitigations will be applied that will ensure that risk of a release of PIH materials is negligible.
(D) Failure to submit sufficient information will result in the denial of any request under this paragraph (b)(4)(ii). If the request is granted, on and after the date the line would have otherwise been required to be equipped under the schedule contained in the PTCIP and approved by FRA, operations on the line shall be conducted in accordance with any conditions attached to the grant, including implementation of proposed mitigations as applicable.
(5) Line sales. FRA does not approve removal of a line from the PTCIP exclusively based upon a representation that a track segment will be abandoned or sold to another railroad. In the event a track segment is approved for abandonment or transfer by the Surface Transportation Board, FRA will review at the request of the transferring and acquiring railroads whether the requirement to install PTC on the line should be removed given all of the circumstances, including expected traffic and hazardous materials levels, reservation of trackage or haulage rights by the transferring railroad, routing analysis under part 172 of this chapter, commercial and real property arrangements affecting the transferring and acquiring railroads post-transfer, and such other factors as may be relevant to continue safe operations on the line. If FRA denies the request, the acquiring railroad shall install the PTC system on the schedule provided in the transferring railroad's PTCIP, without regard to whether it is a Class I railroad.
(6) New rail passenger service. No new intercity or commuter rail passenger service shall commence after December 31, 2015, until a PTC system certified under this subpart has been installed and made operative.
(c) Hazard detectors. (1) All hazard detectors integrated into a signal or train control system on or after October 16, 2008, shall be integrated into PTC systems required by this subpart; and their warnings shall be appropriately and timely enforced as described in the applicable PTCSP.
(2) The applicable PTCSP must provide for receipt and presentation to the locomotive engineer and other train crew members of warnings from any additional hazard detectors using the PTC data network, onboard displays, and audible alerts. If the PTCSP so provides, the action to be taken by the system and by the crew members shall be specified.
(3) The PTCDP (as applicable) and PTCSP for any new service described in § 236.1007 to be conducted above 90 miles per hour shall include a hazard analysis describing the hazards relevant to the specific route(s) in question (e.g., potential for track obstruction due to events such as falling rock or undermining of the track structure due to high water or displacement of a bridge over navigable waters), the basis for decisions concerning hazard detectors provided, and the manner in which such additional hazard detectors will be interfaced with the PTC system.
(d) Event recorders. (1) Each lead locomotive, as defined in part 229, of a train equipped and operating with a Start Printed Page 2703PTC system required by this subpart must be equipped with an operative event recorder, which shall:
(i) Record safety-critical train control data routed to the locomotive engineer's display that the engineer is required to comply with;
(ii) Specifically include text messages conveying mandatory directives, maximum authorized speeds, PTC system brake warnings, PTC system brake enforcements, and the state of the PTC system (e.g., cut in, cut out, active, or failed); and
(iii) Include examples of how the captured data will be displayed during playback along with the format, content, and data retention duration requirements specified in the PTCSP submitted and approved pursuant to this paragraph. If such train control data can be calibrated against other data required by this part, it may, at the election of the railroad, be retained in a separate memory module.
(2) Each lead locomotive, as defined in part 229, manufactured and in service after October 1, 2009, that is equipped and operating with a PTC system required by this subpart, shall be equipped with an event recorder memory module meeting the crash hardening requirements of § 229.135 of this chapter.
(3) Nothing in this subpart excepts compliance with any of the event recorder requirements contained in § 229.135 of this chapter.
(e) Switch position. The following requirements apply with respect to determining proper switch position under this section. When a main line switch position is unknown or improperly aligned for a train's route in advance of the train's movement, the PTC system will provide warning of the condition associated with the following enforcement:
(1) A PTC system shall enforce restricted speed over any switch:
(i) Where train movements are made with the benefit of the indications of a wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety proposed to FRA and approved by the Associate Administrator in accordance with this part; and
(ii) Where wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety, requires the train to be operated at restricted speed.
(2) A PTC system shall enforce a positive stop short of any main line switch, and any switch on a siding where the allowable speed is in excess of 20 miles per hour, if movement of the train over the switch:
(i) Is made without the benefit of the indications of a wayside or cab signal system or other similar appliance, method, device, or system of equivalent safety proposed to FRA and approved by the Associate Administrator in accordance with this part; or
(ii) Would create an unacceptable risk. Unacceptable risk includes conditions when traversing the switch, even at low speeds, could result in direct conflict with the movement of another train (including a hand-operated crossover between main tracks, a hand-operated crossover between a main track and an adjoining siding or auxiliary track, or a hand-operated switch providing access to another subdivision or branch line, etc.).
(3) A PTC system required by this subpart shall be designed, installed, and maintained to perform the switch position detection and enforcement described in paragraphs (e)(1) and (e)(2) of this section, except as provided for and justified in the applicable, FRA approved PTCDP or PTCSP.
(4) The control circuit or electronic equivalent for all movement authorities over any switches, movable-point frogs, or derails shall be selected through circuit controller or functionally equivalent device operated directly by the switch points, derail, or by switch locking mechanism, or through relay or electronic device controlled by such circuit controller or functionally equivalent device, for each switch, movable-point frog, or derail in the route governed. Circuits or electronic equivalent shall be arranged so that any movement authorities less restrictive than those prescribed in paragraphs (e)(1) and (e)(2) of this section can only be provided when each switch, movable-point frog, or derail in the route governed is in proper position, and shall be in accordance with subparts A through G of this part, unless it is otherwise provided in a PTCSP approved under this subpart.
(f) Train-to-train collision. A PTC system shall be considered to be configured to prevent train-to-train collisions within the meaning of paragraph (a) of this section if trains are required to be operated at restricted speed and if the onboard PTC equipment enforces the upper limits of the railroad's restricted speed rule (15 or 20 miles per hour). This application applies to:
(1) Operating conditions under which trains are required by signal indication or operating rule to:
(i) Stop before continuing; or
(ii) Reduce speed to restricted speed and continue at restricted speed until encountering a more favorable indication or as provided by operating rule.
(2) Operation of trains within the limits of a joint mandatory directive.
(g) Temporary rerouting. A train equipped with a PTC system as required by this subpart may be temporarily rerouted onto a track not equipped with a PTC system and a train not equipped with a PTC system may be temporarily rerouted onto a track equipped with a PTC system as required by this subpart in the following circumstances:
(1) Emergencies. In the event of an emergency—including conditions such as derailment, flood, fire, tornado, hurricane, earthquake, or other similar circumstance outside of the railroad's control—that would prevent usage of the regularly used track if:
(i) The rerouting is applicable only until the emergency condition ceases to exist and for no more than 14 consecutive calendar days, unless otherwise extended by approval of the Associate Administrator;
(ii) The railroad provides written or telephonic notification to the applicable Regional Administrator of the information listed in paragraph (i) of this section within one business day of the beginning of the rerouting made in accordance with this paragraph; and
(iii) The conditions contained in paragraph (j) of this section are followed.
(2) Planned maintenance. In the event of planned maintenance that would prevent usage of the regularly used track if:
(i) The maintenance period does not exceed 30 days;
(ii) A request is filed with the applicable Regional Administrator in accordance with paragraph (i) of this section no less than 10 business days prior to the planned rerouting; and
(iii) The conditions contained in paragraph (j) of this section are followed.
(h) Rerouting requests. (1) For the purposes of paragraph (g)(2) of this section, the rerouting request shall be self-executing unless the applicable Regional Administrator responds with a notice disapproving of the rerouting or providing instructions to allow rerouting. Such instructions may include providing additional information to the Regional Administrator or Associate Administrator prior to the commencement of rerouting. Once the Regional Administrator responds with a notice under this paragraph, no rerouting may occur until the Regional Administrator or Associate Administrator provides his or her approval.Start Printed Page 2704
(2) In the event the temporary rerouting described in paragraph (g)(2) of this section is to exceed 30 consecutive calendar days:
(i) The railroad shall provide a request in accordance with paragraphs (i) and (j) of this section with the Associate Administrator no less than 10 business days prior to the planned rerouting; and
(ii) The rerouting shall not commence until receipt of approval from the Associate Administrator.
(i) Content of rerouting request. Each notice or request referenced in paragraph (g) and (h) of this section must indicate:
(1) The dates that such temporary rerouting will occur;
(2) The number and types of trains that will be rerouted;
(3) The location of the affected tracks; and
(4) A description of the necessity for the temporary rerouting.
(j) Rerouting conditions. Rerouting of operations under paragraph (g) of this section may occur under the following conditions:
(1) Where a train not equipped with a PTC system is rerouted onto a track equipped with a PTC system, or a train not equipped with a PTC system that is compatible and functionally responsive to the PTC system utilized on the line to which the train is being rerouted, the train shall be operated in accordance with § 236.1029; or
(2) Where any train is rerouted onto a track not equipped with a PTC system, the train shall be operated in accordance with the operating rules applicable to the line on which the train is rerouted.
(k) Rerouting cessation. The applicable Regional Administrator may order a railroad to cease any rerouting provided under paragraph (g) or (h) of this section.
Equipping locomotives operating in PTC territory.(a) Except as provided in paragraph (b) of this section, each train operating on any track segment equipped with a PTC system shall be controlled by a locomotive equipped with an onboard PTC apparatus that is fully operative and functioning in accordance with the applicable PTCSP approved under this subpart.
(b) Exceptions. (1) Prior to December 31, 2015, each railroad required to install PTC shall include in its PTCIP specific goals for progressive implementation of onboard systems and deployment of PTC-equipped locomotives such that the safety benefits of PTC are achieved through incremental growth in the percentage of controlling locomotives operating on PTC lines that are equipped with operative PTC onboard equipment. The PTCIP shall include a brief but sufficient explanation of how those goals will be achieved, including assignment of responsibilities within the organization. The goals shall be expressed as the percentage of trains operating on PTC-equipped lines that are equipped with operative onboard PTC apparatus responsive to the wayside, expressed as an annualized (calendar year) percentage for the railroad as a whole.
(2) Each railroad shall adhere to its PTCIP and shall report, on April 16, of 2011, 2012, 2013, and 2014, its progress toward achieving the goals set under paragraph (b)(1) of this section. In the event any annual goal is not achieved, the railroad shall further report the actions it is taking to ensure achievement of subsequent annual goals.
(3) On and after December 31, 2015, a train controlled by a locomotive with an onboard PTC apparatus that has failed en route is permitted to operate in accordance with § 236.1029.
(4) A train operated by a Class II or Class III railroad, including a tourist or excursion railroad, and controlled by a locomotive not equipped with an onboard PTC apparatus is permitted to operate on a PTC-operated track segment:
(i) That either:
(A) Has no regularly scheduled intercity or commuter passenger rail traffic; or
(B) Has regularly scheduled intercity or commuter passenger rail traffic and the applicable PTCIP permits the operation of a train operated by a Class II or III railroad and controlled by a locomotive not equipped with an onboard PTC apparatus;
(ii) Where operations are restricted to four or less such unequipped trains per day, whereas a train conducting a “turn” operation (e.g., moving to a point of interchange to drop off or pick up cars and returning to the track owned by a Class II or III railroad) is considered two trains for this purpose; and
(iii) Where each movement shall either:
(A) Not exceed 20 miles in length; or
(B) To the extent any movement exceeds 20 miles in length, such movement is not permitted without the controlling locomotive being equipped with an onboard PTC system after December 31, 2020, and each applicable Class II or III railroad shall report to FRA its progress in equipping each necessary locomotive with an onboard PTC apparatus to facilitate continuation of the movement. The progress reports shall be filed not later than December 31, 2017 and, if all necessary locomotives are not yet equipped, on December 31, 2019.
(c) When a train movement is conducted under the exceptions described in paragraph (b)(4) of this section, that movement shall be made in accordance with § 236.1029.
Additional requirements for high-speed service.(a) A PTC railroad that conducts a passenger operation at or greater than 60 miles per hour or a freight operation at or greater than 50 miles per hour shall have installed a PTC system including or working in concert with technology that includes all of the safety-critical functional attributes of a block signal system meeting the requirements of this part, including appropriate fouling circuits and broken rail detection (or equivalent safeguards).
(b) In addition to the requirements of paragraph (a) of this section, a host railroad that conducts a freight or passenger operation at more than 90 miles per hour shall:
(1) Have an approved PTCSP establishing that the system was designed and will be operated to meet the fail-safe operation criteria described in Appendix C to this part; and
(2) Prevent unauthorized or unintended entry onto the main line from any track not equipped with a PTC system compliant with this subpart by placement of split-point derails or equivalent means integrated into the PTC system; and
(3) Comply with § 236.1029(c).
(c) In addition to the requirements of paragraphs (a) and (b) of this section, a host railroad that conducts a freight or passenger operation at more than 125 miles per hour shall have an approved PTCSP accompanied by a document (“HSR-125”) establishing that the system:
(1) Will be operated at a level of safety comparable to that achieved over the 5 year period prior to the submission of the PTCSP by other train control systems that perform PTC functions required by this subpart, and which have been utilized on high-speed rail systems with similar technical and operational characteristics in the United States or in foreign service, provided that the use of foreign service data must be approved by the Associate Administrator before submittal of the PTCSP; and
(2) Has been designed to detect incursions into the right-of-way, including incidents involving motor vehicles diverting from adjacent roads and bridges, where conditions warrant.Start Printed Page 2705
(d) In addition to the requirements of paragraphs (a) through (c) of this section, a host railroad that conducts a freight or passenger operation at more than 150 miles per hour, which is governed by a Rule of Particular Applicability, shall have an approved PTCSP accompanied by a HSR-125 developed as part of an overall system safety plan approved by the Associate Administrator.
(e) A railroad providing existing high-speed passenger service may request in its PTCSP that the Associate Administrator excuse compliance with one or more requirements of this section upon a showing that the subject service has been conducted with a high level of safety.
Procedural requirements.(a) PTC Implementation Plan (PTCIP). (1) By April 16, 2010, each host railroad that is required to implement and operate a PTC system in accordance with § 236.1005(b) shall develop and submit in accordance with § 236.1011(a) a PTCIP for implementing a PTC system required under § 236.1005. Filing of the PTCIP shall not exempt the required filings of an NPI, PTCSP, PTCDP, or Type Approval.
(2) After April 16, 2010, a host railroad shall file:
(i) A PTCIP if it becomes a host railroad of a main line track segment for which it is required to implement and operate a PTC system in accordance with § 236.1005(b); or
(ii) A request for amendment (“RFA”) of its current and approved PTCIP in accordance with § 236.1021 if it intends to:
(A) Initiate a new category of service (i.e., passenger or freight); or
(B) Add, subtract, or otherwise materially modify one or more lines of railroad for which installation of a PTC system is required.
(3) The host and tenant railroad(s) shall jointly file a PTCIP that addresses shared track:
(i) If the host railroad is required to install and operate a PTC system on a segment of its track; and
(ii) If the tenant railroad that shares the same track segment would have been required to install a PTC system if the host railroad had not otherwise been required to do so.
(4) If railroads required to file a joint PTCIP are unable to jointly file a PTCIP in accordance with paragraphs (a)(1) and (a)(3) of this section, then each railroad shall:
(i) Separately file a PTCIP in accordance with paragraph (a)(1);
(ii) Notify the Associate Administrator that the subject railroads were unable to agree on a PTCIP to be jointly filed;
(iii) Provide the Associate Administrator with a comprehensive list of all issues not in agreement between the railroads that would prevent the subject railroads from jointly filing the PTCIP; and
(iv) Confer with the Associate Administrator to develop and submit a PTCIP mutually acceptable to all subject railroads.
(b) Type Approval. Each host railroad, individually or jointly with others such as a tenant railroad or system supplier, shall file prior to or simultaneously with the filing made in accordance with paragraph (a) of this section:
(1) An unmodified Type Approval previously issued by the Associate Administrator in accordance with § 236.1013 or § 236.1031(b) with its associated docket number;
(2) A PTCDP requesting a Type Approval for:
(i) A PTC system that does not have a Type Approval; or
(ii) A PTC system with a previously issued Type Approval that requires one or more variances;
(3) A PTCSP subject to the conditions set forth in paragraph (c) of this section, with or without a Type Approval; or
(4) A document attesting that a Type Approval is not necessary since the host railroad has no territory for which a PTC system is required under this subpart.
(c) Notice of Product Intent (NPI). A railroad may, in lieu of submitting a PTCDP, or referencing an already issued Type Approval, submit an NPI describing the functions of the proposed PTC system. If a railroad elects to file an NPI in lieu of a PTCDP or referencing an existing Type Approval with the PTCIP, and the PTCIP is otherwise acceptable to the Associate Administrator, the Associate Administrator may grant provisional approval of the PTCIP.
(1) A provisional approval of a PTCIP, unless otherwise extended by the Associate Administrator, is valid for a period of 270 days from the date of approval by the Associate Administrator.
(2) The railroad must submit an updated PTCIP with either a complete PTCDP as defined in § 236.1013(a), an updated PTCIP referencing an already approved Type Approval, or a full PTCSP within 270 days after the “Provisional Approval.”
(i) Within 90 days of receipt of an updated PTCIP that was submitted with an NPI, the Associate Administrator will approve or disapprove of the updated PTCIP and notify in writing the affected railroad. If the updated PTCIP is not approved, the notification will include the plan's deficiencies. Within 30 days of receipt of that notification, the railroad or other entity that submitted the plan shall correct all deficiencies and resubmit the plan in accordance with this section and § 236.1011, as applicable.
(ii) If an update to a “Provisionally Approved” PTCIP is not received by the Associate Administrator by the end of the period indicated in this paragraph, the “Provisional Approval” given to the PTCIP is automatically revoked. The revocation is retroactive to the date the original PTCIP and NPI were first submitted to the Associate Administrator.
(d) PTCSP and PTC System Certification. The following apply to each PTCSP and PTC System Certification.
(1) A PTC System Certification for a PTC system may be obtained by submitting an acceptable PTCSP. If the PTC system is the subject of a Type Approval, the safety case elements contained in the PTCDP may be incorporated by reference into the PTCSP, subject to finalization of the human factors analysis contained in the PTCDP.
(2) Each PTCSP requirement under § 236.1015 shall be supported by information and analysis sufficient to establish that the requirements of this subpart have been satisfied.
(3) If the Associate Administrator finds that the PTCSP and supporting documentation support a finding that the system complies with this part, the Associate Administrator may approve the PTCSP. If the Associate Administrator approves the PTCSP, the railroad shall receive PTC System Certification for the subject PTC system and shall implement the PTC system according to the PTCSP.
(4) A required PTC system shall not:
(i) Be used in service until it receives from FRA a PTC System Certification; and
(ii) Receive a PTC System Certification unless FRA receives and approves an applicable:
(A) PTCSP; or
(B) Request for Expedited Certification (REC) as defined by § 236.1031(a).
(e) Plan contents. (1) No PTCIP shall receive approval unless it complies with § 236.1011. No railroad shall receive a Type Approval or PTC System Certification unless the applicable PTCDP or PTCSP, respectively, comply with §§ 236.1013 and 236.1015, respectively.
(2) All materials filed in accordance with this subpart must be in the English language, or have been translated into English and attested as true and correct.Start Printed Page 2706
(3) Each filing referenced in this section may include a request for full or partial confidentiality in accordance with § 209.11 of this chapter. If confidentiality is requested as to a portion of any applicable document, then in addition to the filing requirements under § 209.11 of this chapter, the person filing the document shall also file a copy of the original unredacted document, marked to indicate which portions are redacted in the document's confidential version without obscuring the original document's contents.
(f) Supporting documentation and information. (1) Issuance of a Type Approval or PTC System Certification is contingent upon FRA's confidence in the implementation and operation of the subject PTC system. This confidence may be based on FRA-monitored field testing or an independent assessment performed in accordance with § 236.1035 or § 236.1017, respectively.
(2) Upon request by FRA, the railroad requesting a Type Approval or PTC System Certification must engage in field testing or independent assessment performed in accordance with § 236.1035 or § 236.1017, respectively, to support the assertions made in any of the plans submitted under this subpart. These assertions include any of the plans' content requirements under this subpart.
(g) FRA conditions, reconsiderations, and modifications. (1) As necessary to ensure safety, FRA may attach special conditions to approving a PTCIP or issuing a Type Approval or PTC System Certification.
(2) After granting a Type Approval or PTC System Certification, FRA may reconsider the Type Approval or PTC System Certification upon revelation of any of the following factors concerning the contents of the PTCDP or PTCSP:
(i) Potential error or fraud;
(ii) Potentially invalidated assumptions determined as a result of in-service experience or one or more unsafe events calling into question the safety analysis supporting the approval.
(3) During FRA's reconsideration in accordance with this paragraph, the PTC system may remain in use if otherwise consistent with the applicable law and regulations and FRA may impose special conditions for use of the PTC system.
(4) After FRA's reconsideration in accordance with this paragraph, FRA may:
(i) Dismiss its reconsideration and continue to recognize the existing FRA approved Type Approval or PTC System Certification;
(ii) Allow continued operations under such conditions the Associate Administrator deems necessary to ensure safety; or
(iii) Revoke the Type Approval or PTC System Certification and direct the railroad to cease operations where PTC systems are required under this subpart.
(h) FRA access. The Associate Administrator, or that person's designated representatives, shall be afforded reasonable access to monitor, test, and inspect processes, procedures, facilities, documents, records, design and testing materials, artifacts, training materials and programs, and any other information used in the design, development, manufacture, test, implementation, and operation of the system, as well as interview any personnel:
(1) Associated with a PTC system for which a Type Approval or PTC System Certification has been requested or provided; or
(2) To determine whether a railroad has been in compliance with this subpart.
(i) Foreign regulatory entity verification. Information that has been certified under the auspices of a foreign regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's sole discretion, be accepted as independently Verified and Validated and used to support each railroad's development of the PTCSP.
(j) Processing times for PTCDP and PTCSP.
(1) Within 30 days of receipt of a PTCDP or PTCSP, the Associate Administrator will either acknowledge receipt or acknowledge receipt and request more information.
(2) To the extent practicable, considering the scope, complexity, and novelty of the product or change:
(i) FRA will approve, approve with conditions, or deny the PTCDP within 60 days of the date on which the PTCDP was filed;
(ii) FRA will approve, approve with conditions, or deny the PTCSP within 180 days of the date on which the PTCSP was filed;
(iii) If FRA has not approved, approved with conditions, or denied the PTCDP or PTCSP within the 60-day or 180-day window, as applicable, FRA will provide the submitting party with a statement of reasons as to why the submission has not yet been acted upon and a projected deadline by which an approval or denial will be issued and any further consultations or inquiries will be resolved.
PTC Implementation Plan content requirements.(a) Contents. A PTCIP filed pursuant to this subpart shall, at a minimum, describe:
(1) The functional requirements that the proposed system must meet;
(2) How the PTC railroad intends to comply with §§ 236.1009(c) and (d);
(3) How the PTC system will provide for interoperability of the system between the host and all tenant railroads on the track segments required to be equipped with PTC systems under this subpart and:
(i) Include relevant provisions of agreements, executed by all applicable railroads, in place to achieve interoperability;
(ii) List all methods used to obtain interoperability; and
(iii) Identify any railroads with respect to which interoperability agreements have not been achieved as of the time the plan is filed, the practical obstacles that were encountered that prevented resolution, and the further steps planned to overcome those obstacles;
(4) How, to the extent practical, the PTC system will be implemented to address areas of greater risk to the public and railroad employees before areas of lesser risk;
(5) The sequence and schedule in which track segments will be equipped and the basis for those decisions, and shall at a minimum address the following risk factors by track segment:
(i) Segment traffic characteristics such as typical annual passenger and freight train volume and volume of poison- or toxic-by-inhalation (PIH or TIH) shipments (loads, residue);
(ii) Segment operational characteristics such as current method of operation (including presence or absence of a block signal system), number of tracks, and maximum allowable train speeds, including planned modifications; and
(iii) Route attributes bearing on risk, including ruling grades and extreme curvature;
(6) The following information relating to rolling stock:
(i) What rolling stock will be equipped with PTC technology;
(ii) The schedule to equip that rolling stock by December 31, 2015;
(iii) All documents and information required by § 236.1006; and
(iv) Unless the tenant railroad is filing its own PTCIP, the host railroad's PTCIP shall:
(A) Attest that the host railroad has made a formal written request to each tenant railroad requesting identification of each item of rolling stock to be PTC Start Printed Page 2707system equipped and the date each will be equipped; and
(B) Include each tenant railroad's response to the host railroad's written request made in accordance with paragraph (a)(6)(iii)(A) of this section;
(7) The number of wayside devices required for each track segment and the installation schedule to complete wayside equipment installation by December 31, 2015;
(8) Identification of each track segment on the railroad as mainline or non-mainline track. If the PTCIP includes an MTEA, as defined by § 236.1019, the PTCIP should identify the tracks included in the MTEA as main line track with a reference to the MTEA;
(9) To the extent the railroad determines that risk-based prioritization required by paragraph (a)(4) of this section is not practical, the basis for this determination; and
(10) The dates the associated PTCDP and PTCSP, as applicable, will be submitted to FRA in accordance with § 236.1009.
(b) Additional Class I railroad PTCIP requirements. Each Class I railroad shall include:
(1) In its PTCIP a strategy for full deployment of its PTC system, describing the criteria that it will apply in identifying additional rail lines on its own network, and rail lines of entities that it controls or engages in joint operations with, for which full or partial deployment of PTC technologies is appropriate, beyond those required to be equipped under this subpart. Such criteria shall include consideration of the policies established by 49 U.S.C. 20156 (railroad safety risk reduction program), and regulations issued thereunder, as well as non-safety business benefits that may accrue.
(2) In the Technology Implementation Plan of its Risk Reduction Program, when first required to be filed in accordance with 49 U.S.C. 20156 and any regulation promulgated thereunder, a specification of rail lines selected for full or partial deployment of PTC under the criteria identified in its PTCIP.
(3) Nothing in this paragraph shall be construed to create an expectation or requirement that additional rail lines beyond those required to be equipped by this subpart must be equipped or that such lines will be equipped during the period of primary implementation ending December 31, 2015.
(4) As used in this paragraph, “partial implementation” of a PTC system refers to use, pursuant to subpart H of this part, of technology embedded in PTC systems that does not employ all of the functionalities required by this subpart.
(c) FRA review. Within 90 days of receipt of a PTCIP, the Associate Administrator will approve or disapprove of the plan and notify in writing the affected railroad or other entity. If the PTCIP is not approved, the notification will include the plan's deficiencies. Within 30 days of receipt of that notification, the railroad or other entity that submitted the plan shall correct all deficiencies and resubmit the plan in accordance with § 236.1009 and paragraph (a) of this section, as applicable.
(d) Subpart H. A railroad that elects to install a PTC system when not required to do so may elect to proceed under this subpart or under subpart H of this part.
(e) Upon receipt of a PTCIP, NPI, PTCDP, or PTCSP, FRA posts on its public web site notice of receipt and reference to the public docket in which a copy of the filing has been placed. FRA may consider any public comment on each document to the extent practicable within the time allowed by law and without delaying implementation of PTC systems.
(f) The PTCIP shall be maintained to reflect the railroad's most recent PTC deployment plans until all PTC system deployments required under this subpart are complete.
PTC Development Plan and Notice of Product Intent content requirements and Type Approval.(a) For a PTC system to obtain a Type Approval from FRA, the PTCDP shall be filed in accordance with § 236.1009 and shall include:
(1) A complete description of the PTC system, including a list of all PTC system components and their physical relationships in the subsystem or system;
(2) A description of the railroad operation or categories of operations on which the PTC system is designed to be used, including train movement density (passenger, freight), operating speeds (including a thorough explanation of intended compliance with § 236.1007), track characteristics, and railroad operating rules;
(3) An operational concepts document, including a list with complete descriptions of all functions which the PTC system will perform to enhance or preserve safety;
(4) A document describing the manner in which the PTC system architecture satisfies safety requirements;
(5) A preliminary human factors analysis, including a complete description of all human-machine interfaces and the impact of interoperability requirements on the same;
(6) An analysis of the applicability to the PTC system of the requirements of subparts A through G of this part that may no longer apply or are satisfied by the PTC system using an alternative method, and a complete explanation of the manner in which those requirements are otherwise fulfilled;
(7) A prioritized service restoration and mitigation plan and a description of the necessary security measures for the system;
(8) A description of target safety levels (e.g., MTTHE for major subsystems as defined in subpart H of this part), including requirements for system availability and a description of all backup methods of operation and any critical assumptions associated with the target levels;
(9) A complete description of how the PTC system will enforce authorities and signal indications;
(10) A description of the deviation which may be proposed under § 236.1029(c), if applicable; and
(11) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005(c)(3), if applicable.
(b) If the Associate Administrator finds that the system described in the PTCDP would satisfy the requirements for PTC systems under this subpart and that the applicant has made a reasonable showing that a system built to the stated requirements would achieve the level of safety mandated for such a system under § 236.1015, the Associate Administrator may grant a numbered Type Approval for the system.
(c) Each Type Approval shall be valid for a period of 5 years, subject to automatic and indefinite extension provided that at least one PTC System Certification using the subject PTC system has been issued within that period and not revoked.
(d) The Associate Administrator may prescribe special conditions, amendments, and restrictions to any Type Approval as necessary for safety.
(e) If submitted, an NPI must contain the following information:
(1) A description of the railroad operation or categories of operations on which the proposed PTC system is designed to be used, including train movement density (passenger, freight), operating speeds (including a thorough explanation of intended compliance with § 236.1007), track characteristics, and railroad operating rules;
(2) An operational concepts document, including a list with complete descriptions of all functions Start Printed Page 2708that the proposed PTC system will perform to enhance or preserve safety;
(3) A description of target safety levels (e.g., MTTHE for major subsystems as defined in subpart H of this part), including requirements for system availability and a description of all backup methods of operation and any critical assumptions associated with the target levels;
(4) A complete description of how the proposed PTC system will enforce authorities and signal indications; and
(5) A complete description of how the proposed PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005(c)(3), if applicable.
PTC Safety Plan content requirements and PTC System Certification.(a) Before placing a PTC system required under this part in service, the host railroad must submit to FRA a PTCSP and receive a PTC System Certification. If the Associate Administrator finds that the PTCSP and supporting documentation support a finding that the system complies with this part, the Associate Administrator approves the PTCSP and issues a PTC System Certification. Receipt of a PTC System Certification affirms that the PTC system has been reviewed and approved by FRA in accordance with, and meets the requirements of, this part.
(b) A PTCSP submitted under this subpart may reference and utilize in accordance with this subpart any Type Approval previously issued by the Associate Administrator to any railroad, provided that the railroad:
(1) Maintains a continually updated PTCPVL pursuant to § 236.1023;
(2) Shows that the supplier from which they are procuring the PTC system has established and can maintain a quality control system for PTC system design and manufacturing acceptable to the Associate Administrator. The quality control system must include the process for the product supplier or vendor to promptly and thoroughly report any safety-relevant failure and previously unidentified hazards to each railroad using the product; and
(3) Provides the applicable licensing information.
(c) A PTCSP submitted in accordance with this subpart shall:
(1) Include the FRA approved PTCDP or, if applicable, the FRA issued Type Approval;
(2)(i) Specifically and rigorously document each variance, including the significance of each variance between the PTC system and its applicable operating conditions as described in the applicable PTCDP from that as described in the PTCSP, and attest that there are no other such variances; or
(ii) Attest that there are no variances between the PTC system and its applicable operating conditions as described in the applicable PTCDP from that as described in the PTCSP; and
(3) Attest that the system was otherwise built in accordance with the applicable PTCDP and PTCSP and achieves the level of safety represented therein.
(d) A PTCSP shall include the same information required for a PTCDP under § 236.1013(a). If a PTCDP has been filed and approved prior to filing of the PTCSP, the PTCSP may incorporate the PTCDP by reference, with the exception that a final human factors analysis shall be provided. The PTCSP shall contain the following additional elements:
(1) A hazard log consisting of a comprehensive description of all safety-relevant hazards not previously addressed by the vendor or supplier to be addressed during the life-cycle of the PTC system, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);
(2) A description of the safety assurance concepts that are to be used for system development, including an explanation of the design principles and assumptions;
(3) A risk assessment of the as-built PTC system described;
(4) A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used;
(5) A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in Appendix C to this part directly, using other safety criteria, or not at all;
(6) A complete description of the railroad's training plan for railroad and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system;
(7) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and establish safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with or explain deviations from the equipment manufacturer's recommendations;
(8) A complete description of any additional warning to be placed in the Operations and Maintenance Manual in the same manner specified in § 236.919 and all warning labels to be placed on equipment as necessary to ensure safety;
(9) A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety-functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change;
(10) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;
(11) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed;
(12) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see § 236.1037);
(13) A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCDP and PTCSP shall describe how that risk will be mitigated;
(14) A more detailed description of any alternative arrangements as already provided under § 236.1005(a)(1)(i).
(15) A complete description of how the PTC system will enforce authorities and signal indications, unless already completely provided for in the PTCDP;
(16) A description of how the PTCSP complies with § 236.1019(f), if applicable;
(17) A description of any deviation in operational requirements for en route failures as specified under § 236.1029(c), if applicable and unless already completely provided for in the PTCDP;
(18) A complete description of how the PTC system will appropriately and Start Printed Page 2709timely enforce all integrated hazard detectors in accordance with § 236.1005;
(19) An emergency and planned maintenance temporary rerouting plan indicating how operations on the subject PTC system will take advantage of the benefits provided under § 236.1005(g) through (k); and
(20) The documents and information required under § 236.1007 and § 236.1033.
(e) The following additional requirements apply to:
(1) Non-vital overlay. A PTC system proposed as an overlay on the existing method of operation and not built in accordance with the safety assurance principles set forth in Appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in § 236.1005;
(ii) Obtain at least 80 percent reduction of the risk associated with accidents preventable by the functions set forth in § 236.1005, when all effects of the change associated with the PTC system are taken into account. The supporting risk assessment shall evaluate all intended changes in railroad operations coincident with the introduction of the new system; and
(iii) Maintain a level of safety for each subsequent system modification that is equal to or greater than the level of safety for the previous PTC systems.
(2) Vital overlay. A PTC system proposed on a newly constructed track or as an overlay on the existing method of operation and built in accordance with the safety assurance principles set forth in Appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:
(i) Reliably execute the functions set forth in § 236.1005; and
(ii) Have sufficient documentation to demonstrate that the PTC system, as built, fulfills the safety assurance principles set forth in Appendix C of this part. The supporting risk assessment may be abbreviated as that term is used in subpart H of this part.
(3) Stand-alone. A PTC system proposed on a newly constructed track, an existing track for which no signal system exists, as a replacement for an existing signal or train control system, or otherwise to replace or materially modify the existing method of operation, shall:
(i) Reliably execute the functions required by § 236.1005 and be demonstrated to do so to FRA's satisfaction; and
(ii) Have a PTCSP establishing, with a high degree of confidence, that the system will not introduce new hazards that have not been mitigated. The supporting risk assessment shall evaluate all intended changes in railroad operations in relation to the introduction of the new system and shall examine in detail the direct and indirect effects of all changes in the method of operations.
(4) Mixed systems. If a PTC system combining overlay, stand-alone, vital, or non-vital characteristics is proposed, the railroad shall confer with the Associate Administrator regarding appropriate structuring of the safety case and analysis.
(f) When determining whether the PTCSP fulfills the requirements under paragraph (d) of this section, the Associate Administrator may consider all available evidence concerning the reliability and availability of the proposed system and any and all safety consequences of the proposed changes. In any case where the PTCSP lacks adequate data regarding safety impacts of the proposed changes, the Associate Administrator may request the necessary data from the applicant. If the requested data is not provided, the Associate Administrator may find that potential hazards could or will arise.
(g) If a PTCSP applies to a system designed to replace an existing certified PTC system, the PTCSP will be approved provided that the PTCSP establishes with a high degree of confidence that the new system will provide a level of safety not less than the level of safety provided by the system to be replaced.
(h) When reviewing the issue of the potential data errors (for example, errors arising from data supplied from other business systems needed to execute the braking algorithm, survey data needed for location determination, or mandatory directives issued through the computer-aided dispatching system), the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as a case in which the residual risk after mitigation is substantial or the underlying method of operation will be significantly altered, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.
Independent third party Verification and Validation.(a) The PTCSP must be supported by an independent third-party assessment when the Associate Administrator concludes that it is necessary based upon the criteria set forth in § 236.913, with the exception that consideration of the methodology used in the risk assessment (§ 236.913(g)(2)(vii)) shall apply only to the extent that a comparative risk assessment was required. To the extent practicable, FRA makes this determination not later than review of the PTCIP and the accompanying PTCDP or PTCSP. If an independent assessment is required, the assessment may apply to the entire system or a designated portion of the system.
(b) If a PTC system is to undergo an independent assessment in accordance with this section, the host railroad may submit to the Associate Administrator a written request that FRA confirm whether a particular entity would be considered an independent third party pursuant to this section. The request should include supporting information identified in paragraph (c) of this section. FRA may request further information to make a determination or provide its determination in writing.
(c) As used in this section, “independent third party” means a technically competent entity responsible to and compensated by the railroad (or an association on behalf of one or more railroads) that is independent of the PTC system supplier and vendor. An entity that is owned or controlled by the supplier or vendor, that is under common ownership or control with the supplier or vendor, or that is otherwise involved in the development of the PTC system is not considered “independent” within the meaning of this section.
(d) The independent third-party assessment shall, at a minimum, consist of the activities and result in the production of documentation meeting the requirements of Appendix F to this part, unless excepted by this part or by FRA order or waiver.
(e) Information provided that has been certified under the auspices of a foreign railroad regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's discretion, be accepted as having been independently verified.
Main line track exceptions.(a) Scope and procedure. This section pertains exclusively to exceptions from the rule that trackage over which scheduled intercity and commuter passenger service is provided is considered main line track requiring installation of a PTC system. One or more intercity or commuter passenger railroads, or freight railroads conducting joint passenger and freight operation over the same segment of track may file a main line track exclusion addendum (“MTEA”) to its PTCIP requesting to designate track as not main line subject to the conditions set forth in paragraphs Start Printed Page 2710(b) or (c) of this section. No track shall be designated as yard or terminal unless it is identified in an MTEA that is part of an FRA approved PTCIP.
(b) Passenger terminal exception. FRA will consider an exception in the case of trackage used exclusively as yard or terminal tracks by or in support of regularly scheduled intercity or commuter passenger service where the MTEA describes in detail the physical boundaries of the trackage in question, its use and characteristics (including track and signal charts) and all of the following apply:
(1) The maximum authorized speed for all movements is not greater than 20 miles per hour, and that maximum is enforced by any available onboard PTC equipment within the confines of the yard or terminal;
(2) Interlocking rules are in effect prohibiting reverse movements other than on signal indications without dispatcher permission; and
(3) Either of the following conditions exists:
(i) No freight operations are permitted; or
(ii) Freight operations are permitted but no passengers will be aboard passenger trains within the defined limits.
(c) Limited operations exception. FRA will consider an exception in the case of a track segment used for limited operations (at speeds not exceeding those permitted under § 236.0 of this part) under one of the following sets of conditions:
(1) The trackage is used for limited operations by at least one passenger railroad subject to at least one of the following conditions:
(i) All trains are limited to restricted speed;
(ii) Temporal separation of passenger and other trains is maintained as provided in paragraph (e) of this section; or
(iii) Passenger service is operated under a risk mitigation plan submitted by all railroads involved in the joint operation and approved by FRA. The risk mitigation plan must be supported by a risk assessment establishing that the proposed mitigations will achieve a level of safety not less than the level of safety that would obtain if the operations were conducted under paragraph (c)(1) or (c)(2) of this section.
(2) Passenger service is operated on a segment of track of a freight railroad that is not a Class I railroad on which less than 15 million gross tons of freight traffic is transported annually and on which one of the following conditions applies:
(i) If the segment is unsignaled and no more than four regularly scheduled passenger trains are operated during a calendar day, or
(ii) If the segment is signaled (e.g., equipped with a traffic control system, automatic block signal system, or cab signal system) and no more than 12 regularly scheduled passenger trains are operated during a calendar day.
(3) Not more than four passenger trains per day are operated on a segment of track of a Class I freight railroad on which less than 15 million gross tons of freight traffic is transported annually.
(d) A limited operations exception under paragraph (c) is subject to FRA review and approval. FRA may require a collision hazard analysis to identify hazards and may require that specific mitigations be undertaken. Operations under any such exception shall be conducted subject to the terms and conditions of the approval. Any main line track exclusion is subject to periodic review.
(e) Temporal separation. As used in this section, temporal separation means that limited passenger and freight operations do not operate on any segment of shared track during the same period and also refers to the processes or physical arrangements, or both, in place to ensure that temporal separation is established and maintained at all times. The use of exclusive authorities under mandatory directives is not, by itself, sufficient to establish that temporal separation is achieved. Procedures to ensure temporal separation shall include verification checks between passenger and freight operations and effective physical means to positively ensure segregation of passenger and freight operations in accordance with this paragraph.
(f) PTCSP requirement. No PTCSP—filed after the approval of a PTCIP with an MTEA—shall be approved by FRA unless it attests that no changes, except for those included in an FRA approved RFA, have been made to the information in the PTCIP and MTEA required by paragraph (b) or (c) of this section.
(g) Designation modifications. If subsequent to approval of its PTCIP or PTCSP the railroad seeks to modify which track or tracks should be designated as main line or not main line, it shall request modification of its PTCIP or PTCSP, as applicable, in accordance with § 236.1021.
Discontinuances, material modifications, and amendments.(a) No changes, as defined by this section, to a PTC system, PTCIP, PTCDP, or PTCSP, shall be made unless:
(1) The railroad files a request for amendment (“RFA”) to the applicable PTCIP, PTCDP, or PTCSP with the Associate Administrator; and
(2) The Associate Administrator approves the RFA.
(b) After approval of an RFA in accordance with paragraph (a) of this section, the railroad shall immediately adopt and comply with the amendment.
(c) In lieu of a separate filing under part 235 of this chapter, a railroad may request approval of a discontinuance or material modification of a signal or train control system by filing an RFA to its PTCIP, PTCDP, or PTCSP with the Associate Administrator.
(d) An RFA made in accordance with this section will not be approved by FRA unless the request includes:
(1) The information listed in § 235.10 of this chapter and the railroad provides FRA upon request any additional information necessary to evaluate the RFA (see § 235.12), including:
(2) The proposed modifications;
(3) The reasons for each modification;
(4) The changes to the PTCIP, PTCDP, or PTCSP, as applicable;
(5) Each modification's effect on PTC system safety;
(6) An approximate timetable for filing of the PTCDP, PTCSP, or both, if the amendment pertains to a PTCIP; and
(7) An explanation of whether each change to the PTCSP is planned or unplanned.
(i) Unplanned changes that affect the Type Approval's PTCDP require submission and approval in accordance with § 236.1013 of a new PTCDP, followed by submission and approval in accordance with § 236.1015 of a new PTCSP for the PTC system.
(ii) Unplanned changes that do not affect the Type Approval's PTCDP require submission and approval of a new PTCSP.
(iii) Unplanned changes are changes affecting system safety that have not been documented in the PTCSP. The impact of unplanned changes on PTC system safety has not yet been determined.
(iv) Planned changes may be implemented after they have undergone suitable regression testing to demonstrate, to the satisfaction of the Associate Administrator, they have been correctly implemented and their implementation does not degrade safety.
(v) Planned changes are changes affecting system safety in the PTCSP and have been included in all required analysis under § 236.1015. The impact of these changes on the PTC system's safety has been incorporated as an integral part of the approved PTCSP safety analysis.Start Printed Page 2711
(e) If the RFA includes a request for approval of a discontinuance or material modification of a signal or train control system, FRA will publish a notice in the Federal Register of the application and will invite public comment in accordance with part 211 of this chapter.
(f) When considering the RFA, FRA will review the issue of the discontinuance or material modification and determine whether granting the request is in the public interest and consistent with railroad safety, taking into consideration all changes in the method of operation and system functionalities, both within normal PTC system availability and in the case of a system failed state (unavailable), contemplated in conjunction with installation of the PTC system. The railroad submitting the RFA must, at FRA's request, perform field testing in accordance with § 236.1035 or engage in Verification and Validation in accordance with § 236.1017.
(g) FRA may issue at its discretion a new Type Approval number for a PTC system modified under this section.
(h) Changes requiring filing of an RFA. Except as provided by paragraph (i), an RFA shall be filed to request the following:
(1) Discontinuance of a PTC system, or other similar appliance or device;
(2) Decrease of the PTC system's limits (e.g., exclusion or removal of a PTC system on a track segment);
(3) Modification of a safety critical element of a PTC system; or
(4) Modification of a PTC system that affects the safety critical functionality of any other PTC system with which it interoperates.
(i) Discontinuances not requiring the filing of an RFA. It is not necessary to file an RFA for the following discontinuances:
(1) Removal of a PTC system from track approved for abandonment by formal proceeding;
(2) Removal of PTC devices used to provide protection against unusual contingencies such as landslide, burned bridge, high water, high and wide load, or tunnel protection when the unusual contingency no longer exists;
(3) Removal of the PTC devices that are used on a movable bridge that has been permanently closed by the formal approval of another government agency and is mechanically secured in the closed position for rail traffic; or
(4) Removal of the PTC system from service for a period not to exceed 6 months that is necessitated by catastrophic occurrence such as derailment, flood, fire, or hurricane, or earthquake.
(j) Changes not requiring the filing of an RFA. When the resultant change to the PTC system will comply with an approved PTCSP of this part, it is not necessary to file for approval to decrease the limits of a system when it involves the:
(1) Decrease of the limits of a PTC system when interlocked switches, derails, or movable-point frogs are not involved;
(2) Removal of an electric or mechanical lock, or signal used in lieu thereof, from hand-operated switch in a PTC system where train speed over such switch does not exceed 20 miles per hour, and use of those devices has not been part of the considerations for approval of a PTCSP; or
(3) Removal of an electric or mechanical lock, or signal used in lieu thereof, from a hand-operated switch in a PTC system where trains are not permitted to clear the main track at such switch and use of those devices has not been a part of the considerations for approval of a PTCSP.
(k) Modifications not requiring the filing of an RFA. When the resultant arrangement will comply with an approved PTCSP of this part, it is not necessary to file an application for approval of the following modifications:
(1) A modification that is required to comply with an order of the Federal Railroad Administration or any section of part 236 of this title;
(2) Installation of devices used to provide protection against unusual contingencies such as landslide, burned bridges, high water, high and wide loads, or dragging equipment;
(3) Elimination of existing track other than a second main track;
(4) Extension or shortening of a passing siding; or
(5) The temporary or permanent arrangement of existing systems necessitated by highway-rail grade separation construction. Temporary arrangements shall be removed within six months following completion of construction.
Errors and malfunctions.(a) Each railroad implementing a PTC system on its property shall establish and continually update a PTC Product Vendor List (PTCPVL) that includes all vendors and suppliers of each PTC system, subsystem, component, and associated product, and process in use system-wide. The PTCPVL shall be made available to FRA upon request.
(b)(1) The railroad shall specify within its PTCSP all contractual arrangements with hardware and software suppliers or vendors for immediate notification between the parties of any and all safety-critical software failures, upgrades, patches, or revisions, as well as any hardware repairs, replacements, or modifications for their PTC system, subsystems, or components.
(2) A vendor or supplier, on receipt of a report of any safety-critical failure to their product, shall promptly notify all other railroads that are using that product, whether or not the other railroads have experienced the reported failure of that safety-critical system, subsystem, or component.
(3) The notification from a supplier to any railroad shall include explanation from the supplier of the reasons for such notification, the circumstances associated with the failure, and any recommended mitigation actions to be taken pending determination of the root cause and final corrective actions.
(c) The railroad shall:
(1) Specify the railroad's process and procedures in its PTCSP for action upon their receipt of notification of safety-critical failure, as well as receipt of a safety-critical upgrade, patch, revision, repair, replacement, or modification.
(2) Identify configuration/revision control measures in its PTCSP that are designed to ensure the safety-functional requirements and the safety-critical hazard mitigation processes are not compromised as a result of any change and that such a change can be audited.
(d) The railroad shall provide to the applicable vendor or supplier the railroad's procedures for action upon notification of a safety-critical failure, upgrade, patch, or revision for the PTC system, subsystem, component, product, or process, and actions to be taken until the faulty system, subsystem, or component has been adjusted, repaired or replaced.
(e) After the product is placed in service, the railroad shall maintain a database of all safety-relevant hazards as set forth in the PTCSP and those that had not previously been identified in the PTCSP. If the frequency of the safety-relevant hazard exceeds the thresholds set forth in the PTCSP, or has not been previously identified in the appropriate risk analysis, the railroad shall:
(1) Notify the applicable vendor or supplier and FRA of the failure, malfunction, or defective condition that decreased or eliminated the safety functionality;
(2) Keep the applicable vendor or supplier and FRA apprised on a continual basis of the status of any and all subsequent failures; and
(3) Take prompt counter measures to reduce or eliminate the frequency of the Start Printed Page 2712safety-relevant hazards below the threshold identified in the PTCSP.
(f) Each notification to FRA required by this section shall:
(1) Be made within 15 days after the vendor, supplier, or railroad discovers the failure, malfunction, or defective condition. However, a report that is due on a Saturday or a Sunday may be delivered on the following Monday and one that is due on a holiday may be delivered on the next business day;
(2) Be transmitted in a manner and form acceptable to the Associate Administrator and by the most expeditious method available; and
(3) Include as much available and applicable information as possible, including:
(i) PTC system name and model;
(ii) Identification of the part, component, or system involved, including the part number as applicable;
(iii) Nature of the failure, malfunctions, or defective condition;
(iv) Mitigation taken to ensure the safety of train operation, railroad employees, and the public; and
(v) The estimated time to correct the failure.
(4) In the event that all information required by paragraph (f)(3) of this section is not immediately available, the non-available information shall be forwarded to the Associate Administrator as soon as practicable in supplemental reports.
(g) Whenever any investigation of an accident or service difficulty report shows that a PTC system or product is unsafe because of a manufacturing or design defect, the railroad and its vendor or supplier shall, upon request of the Associate Administrator, report to the Associate Administrator the results of its investigation and any action taken or proposed to correct that defect.
(h) PTC system and product suppliers and vendors shall:
(1) Promptly report any safety-relevant failures or defective conditions, previously unidentified hazards, and recommended mitigation actions in their PTC system, subsystem, or component to each railroad using the product; and
(2) Notify FRA of any safety-relevant failure, defective condition, or previously unidentified hazard discovered by the vendor or supplier and the identity of each affected and notified railroad.
(i) The requirements of this section do not apply to failures, malfunctions, or defective conditions that:
(1) Are caused by improper maintenance or improper usage; or
(2) Have been previously identified to the FRA, vendor or supplier, and applicable user railroads.
(j) When any safety-critical PTC system, subsystem, or component fails to perform its intended function, the cause shall be determined and the faulty product adjusted, repaired, or replaced without undue delay. Until corrective action is completed, a railroad shall take appropriate action to ensure safety and reliability as specified within its PTCSP.
(k) Any railroad experiencing a failure of a system resulting in a more favorable aspect than intended or other condition hazardous to the movement of a train shall comply with the reporting requirements, including the making of a telephonic report of an accident or incident involving such failure, under part 233 of this chapter. Filing of one or more reports under part 233 of this chapter does not exempt a railroad, vendor, or supplier from the reporting requirements contained in this section.
[Reserved]PTC system exclusions.(a) The requirements of this subpart apply to each office automation system that performs safety-critical functions within, or affects the safety performance of, the PTC system. For purposes of this section, “office automation system” means any centralized or distributed computer-based system that directly or indirectly controls the active movement of trains in a rail network.
(b) Changes or modifications to PTC systems otherwise excluded from the requirements of this subpart by this section do not exclude those PTC systems from the requirements of this subpart if the changes or modifications result in a degradation of safety or a material decrease in safety-critical functionality.
(c) Primary train control systems cannot be integrated with locomotive electronic systems unless the complete integrated systems:
(1) Have been shown to be designed on fail-safe principles;
(2) Have demonstrated to operate in a fail-safe mode;
(3) Have a manual fail-safe fallback and override to allow the locomotive to be brought to a safe stop in the event of any loss of electronic control; and
(4) Are included in the approved and applicable PTCDP and PTCSP.
(d) PTC systems excluded by this section from the requirements of this subpart remain subject to subparts A through H of this part as applicable.
PTC system use and en route failures.(a) When any safety-critical PTC system component fails to perform its intended function, the cause must be determined and the faulty component adjusted, repaired, or replaced without undue delay. Until repair of such essential components are completed, a railroad shall take appropriate action as specified in its PTCSP.
(b) Where a PTC onboard apparatus on a controlling locomotive that is operating in or is to be operated within a PTC system fails or is otherwise cut-out while en route (i.e, after the train has departed its initial terminal), the train may only continue in accordance with the following:
(1) The train may proceed at restricted speed, or if a block signal system is in operation according to signal indication at medium speed, to the next available point where communication of a report can be made to a designated railroad officer of the host railroad;
(2) Upon completion and communication of the report required in paragraph (b)(1) of this section, or where immediate electronic report of said condition is appropriately provided by the PTC system itself, a train may continue to a point where an absolute block can be established in advance of the train in accordance with the following:
(i) Where no block signal system is in use, the train may proceed at restricted speed, or
(ii) Where a block signal system is in operation according to signal indication, the train may proceed at a speed not to exceed medium speed.
(3) Upon reaching the location where an absolute block has been established in advance of the train, as referenced in paragraph (b)(2) of this section, the train may proceed in accordance with the following:
(i) Where no block signal system is in use, the train may proceed at medium speed; however, if the involved train is a passenger train or a train hauling any amount of PIH material, it may only proceed at a speed not to exceed 30 miles per hour.
(ii) Where a block signal system is in use, a passenger train may proceed at a speed not to exceed 59 miles per hour and a freight train may proceed at a speed not to exceed 49 miles per hour.
(iii) Except as provided in paragraph (c), where a cab signal system with an automatic train control system is in operation, the train may proceed at a speed not to exceed 79 miles per hour.
(c) In order for a train equipped with PTC traversing a track segment equipped with PTC to deviate from the operating limitations contained in paragraph (b) of this section, the deviation must be described and justified in the FRA approved PTCDP or PTCSP, or the Order of Particular Applicability, as applicable.Start Printed Page 2713
(d) Each railroad shall comply with all provisions in the applicable PTCDP and PTCSP for each PTC system it uses and shall operate within the scope of initial operational assumptions and predefined changes identified.
(e) The normal functioning of any safety-critical PTC system must not be interfered with in testing or otherwise without first taking measures to provide for the safe movement of trains, locomotives, roadway workers, and on-track equipment that depend on the normal functioning of the system.
(f) The PTC system's onboard apparatus shall be so arranged that each member of the crew assigned to perform duties in the locomotive can receive the same PTC information displayed in the same manner and execute any functions necessary to that crew member's duties. The locomotive engineer shall not be required to perform functions related to the PTC system while the train is moving that have the potential to distract the locomotive engineer from performance of other safety-critical duties.
Previously approved PTC systems.(a) Any PTC system fully implemented and operational prior to March 16, 2010, may receive PTC System Certification if the applicable PTC railroad, or one or more system suppliers and one or more PTC railroads, submits a Request for Expedited Certification (REC) letter to the Associate Administrator. The REC letter must do one of the following:
(1) Reference a product safety plan (PSP) approved by FRA under subpart H of this part and include a document fulfilling the requirements under §§ 236.1011 and 236.1013 not already included in the PSP;
(2) Attest that the PTC system has been approved by FRA and in operation for at least 5 years and has already received an assessment of Verification and Validation from an independent third party under part 236 or a waiver supporting such operation; or
(3) Attest that the PTC system is recognized under an Order issued prior to March 16, 2010.
(b) If an REC letter conforms to paragraph (a)(1) of this section, the Associate Administrator, at his or her sole discretion, may also issue a new Type Approval for the PTC system.
(c) In order to receive a Type Approval or PTC System Certification under paragraph (a) or (b) of this section, the PTC system must be shown to reliably execute the functionalities required by §§ 236.1005 and 236.1007 and otherwise conform to this subpart.
(d) Previous approval or recognition of a train control system, together with an established service history, may, at the request of the PTC railroad, and consistent with available safety data, be credited toward satisfaction of the safety case requirements set forth in this part for the PTCSP with respect to all functionalities and implementations contemplated by the approval or recognition.
(e) To the extent that the PTC system proposed for implementation under this subpart is different in significant detail from the system previously approved or recognized, the changes shall be fully analyzed in the PTCDP or PTCSP as would be the case absent prior approval or recognition.
(f) As used in this section—
(1) Approved refers to approval of a Product Safety Plan under subpart H of this part.
(2) Recognized refers to official action permitting a system to be implemented for control of train operations under an FRA order or waiver, after review of safety case documentation for the implementation.
(g) Upon receipt of an REC, FRA will consider all safety case information to the extent feasible and appropriate, given the specific facts before the agency. Nothing in this section limits re-use of any applicable safety case information by a party other than the party receiving:
(1) A prior approval or recognition referred to in this section; or
(2) A Type Approval or PTC System Certification under this subpart.
Communications and security requirements.(a) All wireless communications between the office, wayside, and onboard components in a PTC system shall provide cryptographic message integrity and authentication.
(b) Cryptographic keys required under paragraph (a) of this section shall:
(1) Use an algorithm approved by the National Institute of Standards (NIST) or a similarly recognized and FRA approved standards body;
(2) Be distributed using manual or automated methods, or a combination of both; and
(3) Be revoked:
(i) If compromised by unauthorized disclosure of the cleartext key; or
(ii) When the key algorithm reaches its lifespan as defined by the standards body responsible for approval of the algorithm.
(c) The cleartext form of the cryptographic keys shall be protected from unauthorized disclosure, modification, or substitution, except during key entry when the cleartext keys and key components may be temporarily displayed to allow visual verification. When encrypted keys or key components are entered, the cryptographically protected cleartext key or key components shall not be displayed.
(d) Access to cleartext keys shall be protected by a tamper resistant mechanism.
(e) Each railroad electing to also provide cryptographic message confidentiality shall:
(1) Comply with the same requirements for message integrity and authentication under this section; and
(2) Only use keys meeting or exceeding the security strength required to protect the data as defined in the railroad's PTCSP and required under § 236.1013(a)(7).
(f) Each railroad, or its vendor or supplier, shall have a prioritized service restoration and mitigation plan for scheduled and unscheduled interruptions of service. This plan shall be included in the PTCDP or PTCSP as required by §§ 236.1013 or 236.1015, as applicable, and made available to FRA upon request, without undue delay, for restoration of communication services that support PTC system services.
(g) Each railroad may elect to impose more restrictive requirements than those in this section, consistent with interoperability requirements specified in the PTCSP for the system.
Field testing requirements.(a) Before any field testing of an uncertified PTC system, or a product of an uncertified PTC system, or any regression testing of a certified PTC system is conducted on the general rail system, the railroad requesting the testing must provide:
(1) A complete description of the PTC system;
(2) An operational concepts document;
(3) A complete description of the specific test procedures, including the measures that will be taken to protect trains and on-track equipment;
(4) An analysis of the applicability of the requirements of subparts A through G of this part to the PTC system that will not apply during testing;
(5) The date the proposed testing shall begin;
(6) The test locations; and
(7) The effect on the current method of operation the PTC system will or may have under test.
(b) FRA may impose additional testing conditions that it believes may be necessary for the safety of train operations.Start Printed Page 2714
(c) Relief from regulations other than from subparts A through G of this part that the railroad believes are necessary to support the field testing, must be requested in accordance with part 211 of this title.
Records retention.(a) Each railroad with a PTC system required to be installed under this subpart shall maintain at a designated office on the railroad:
(1) A current copy of each FRA approved Type Approval, if any, PTCDP, and PTCSP that it holds;
(2) Adequate documentation to demonstrate that the PTCSP and PTCDP meet the safety requirements of this subpart, including the risk assessment;
(3) An Operations and Maintenance Manual, pursuant to § 236.1039; and
(4) Training and testing records pursuant to § 236.1043(b).
(b) Results of inspections and tests specified in the PTCSP and PTCDP must be recorded pursuant to § 236.110.
(c) Each contractor providing services relating to the testing, maintenance, or operation of a PTC system required to be installed under this subpart shall maintain at a designated office training records required under § 236.1039(b).
(d) After the PTC system is placed in service, the railroad shall maintain a database of all safety-relevant hazards as set forth in the PTCSP and PTCDP and those that had not been previously identified in either document. If the frequency of the safety-relevant hazards exceeds the threshold set forth in either of these documents, then the railroad shall:
(1) Report the inconsistency in writing by mail, facsimile, e-mail, or hand delivery to the Director, Office of Safety Assurance and Compliance, FRA, 1200 New Jersey Ave, SE, Mail Stop 25, Washington, DC 20590, within 15 days of discovery. Documents that are hand delivered must not be enclosed in an envelope;
(2) Take prompt countermeasures to reduce the frequency of each safety-relevant hazard to below the threshold set forth in the PTCSP and PTCDP; and
(3) Provide a final report when the inconsistency is resolved to the FRA Director, Office of Safety Assurance and Compliance, on the results of the analysis and countermeasures taken to reduce the frequency of the safety-relevant hazard(s) below the threshold set forth in the PTCSP and PTCDP.
Operations and Maintenance Manual.(a) The railroad shall catalog and maintain all documents as specified in the PTCDP and PTCSP for the installation, maintenance, repair, modification, inspection, and testing of the PTC system and have them in one Operations and Maintenance Manual, readily available to persons required to perform such tasks and for inspection by FRA and FRA-certified state inspectors.
(b) Plans required for proper maintenance, repair, inspection, and testing of safety-critical PTC systems must be adequate in detail and must be made available for inspection by FRA and FRA-certified state inspectors where such PTC systems are deployed or maintained. They must identify all software versions, revisions, and revision dates. Plans must be legible and correct.
(c) Hardware, software, and firmware revisions must be documented in the Operations and Maintenance Manual according to the railroad's configuration management control plan and any additional configuration/revision control measures specified in the PTCDP and PTCSP.
(d) Safety-critical components, including spare equipment, must be positively identified, handled, replaced, and repaired in accordance with the procedures specified in the PTCDP and PTCSP.
(e) Each railroad shall designate in its Operations and Maintenance Manual an appropriate railroad officer responsible for issues relating to scheduled interruptions of service contemplated by § 236.1029.
Training and qualification program, general.(a) Training program for PTC personnel. Employers shall establish and implement training and qualification programs for PTC systems subject to this subpart. These programs must meet the minimum requirements set forth in the PTCDP and PTCSP in §§ 236.1039 through 236.1045, as appropriate, for the following personnel:
(1) Persons whose duties include installing, maintaining, repairing, modifying, inspecting, and testing safety-critical elements of the railroad's PTC systems, including central office, wayside, or onboard subsystems;
(2) Persons who dispatch train operations (issue or communicate any mandatory directive that is executed or enforced, or is intended to be executed or enforced, by a train control system subject to this subpart);
(3) Persons who operate trains or serve as a train or engine crew member subject to instruction and testing under part 217 of this chapter, on a train operating in territory where a train control system subject to this subpart is in use;
(4) Roadway workers whose duties require them to know and understand how a train control system affects their safety and how to avoid interfering with its proper functioning; and
(5) The direct supervisors of persons listed in paragraphs (a)(1) through (a)(4) of this section.
(b) Competencies. The employer's program must provide training for persons who perform the functions described in paragraph (a) of this section to ensure that they have the necessary knowledge and skills to effectively complete their duties related to operation and maintenance of the PTC system.
Task analysis and basic requirements.(a) Training structure and delivery. As part of the program required by § 236.1041, the employer shall, at a minimum:
(1) Identify the specific goals of the training program with regard to the target population (craft, experience level, scope of work, etc.), task(s), and desired success rate;
(2) Based on a formal task analysis, identify the installation, maintenance, repair, modification, inspection, testing, and operating tasks that must be performed on a railroad's PTC systems. This includes the development of failure scenarios and the actions expected under such scenarios;
(3) Develop written procedures for the performance of the tasks identified;
(4) Identify the additional knowledge, skills, and abilities above those required for basic job performance necessary to perform each task;
(5) Develop a training and evaluation curriculum that includes classroom, simulator, computer-based, hands-on, or other formally structured training designed to impart the knowledge, skills, and abilities identified as necessary to perform each task;
(6) Prior to assignment of related tasks, require all persons mentioned in § 236.1041(a) to successfully complete a training curriculum and pass an examination that covers the PTC system and appropriate rules and tasks for which they are responsible (however, such persons may perform such tasks under the direct onsite supervision of a qualified person prior to completing such training and passing the examination);
(7) Require periodic refresher training and evaluation at intervals specified in the PTCDP and PTCSP that includes classroom, simulator, computer-based, hands-on, or other formally structured Start Printed Page 2715training and testing, except with respect to basic skills for which proficiency is known to remain high as a result of frequent repetition of the task; and
(8) Conduct regular and periodic evaluations of the effectiveness of the training program specified in § 236.1041(a)(1) verifying the adequacy of the training material and its validity with respect to current railroads PTC systems and operations.
(b) Training records. Employers shall retain records which designate persons who are qualified under this section until new designations are recorded or for at least one year after such persons leave applicable service. These records shall be kept in a designated location and be available for inspection and replication by FRA and FRA-certified State inspectors
Training specific to office control personnel.(a) Any person responsible for issuing or communicating mandatory directives in territory where PTC systems are or will be in use shall be trained in the following areas, as applicable:
(1) Instructions concerning the interface between the computer-aided dispatching system and the train control system, with respect to the safe movement of trains and other on-track equipment;
(2) Railroad operating rules applicable to the train control system, including provision for movement and protection of roadway workers, unequipped trains, trains with failed or cut-out train control onboard systems, and other on-track equipment; and
(3) Instructions concerning control of trains and other on-track equipment in case the train control system fails, including periodic practical exercises or simulations, and operational testing under part 217 of this chapter to ensure the continued capability of the personnel to provide for safe operations under the alternative method of operation.
(b) [Reserved]
Training specific to locomotive engineers and other operating personnel.(a) Operating personnel. Training provided under this subpart for any locomotive engineer or other person who participates in the operation of a train in train control territory shall be defined in the PTCDP as well as the PTCSP. The following elements shall be addressed:
(1) Familiarization with train control equipment onboard the locomotive and the functioning of that equipment as part of the system and in relation to other onboard systems under that person's control;
(2) Any actions required of the onboard personnel to enable, or enter data to, the system, such as consist data, and the role of that function in the safe operation of the train;
(3) Sequencing of interventions by the system, including pre-enforcement notification, enforcement notification, penalty application initiation and post-penalty application procedures;
(4) Railroad operating rules and testing (part 217) applicable to the train control system, including provisions for movement and protection of any unequipped trains, or trains with failed or cut-out train control onboard systems and other on-track equipment;
(5) Means to detect deviations from proper functioning of onboard train control equipment and instructions regarding the actions to be taken with respect to control of the train and notification of designated railroad personnel; and
(6) Information needed to prevent unintentional interference with the proper functioning of onboard train control equipment.
(b) Locomotive engineer training. Training required under this subpart for a locomotive engineer, together with required records, shall be integrated into the program of training required by part 240 of this chapter.
(c) Full automatic operation. The following special requirements apply in the event a train control system is used to effect full automatic operation of the train:
(1) The PTCDP and PTCSP shall identify all safety hazards to be mitigated by the locomotive engineer.
(2) The PTCDP and PTCSP shall address and describe the training required with provisions for the maintenance of skills proficiency. As a minimum, the training program must:
(i) As described in § 236.1043(a)(2), develop failure scenarios which incorporate the safety hazards identified in the PTCDP and PTCSP including the return of train operations to a fully manual mode;
(ii) Provide training, consistent with § 236.1047(a), for safe train operations under all failure scenarios and identified safety hazards that affect train operations;
(iii) Provide training, consistent with § 236.1047(a), for safe train operations under manual control; and
(iv) Consistent with § 236.1047(a), ensure maintenance of manual train operating skills by requiring manual starting and stopping of the train for an appropriate number of trips and by one or more of the following methods:
(A) Manual operation of a train for a 4-hour work period;
(B) Simulated manual operation of a train for a minimum of 4 hours in a Type I simulator as required; or
(C) Other means as determined following consultation between the railroad and designated representatives of the affected employees and approved by FRA. The PTCDP and PTCSP shall designate the appropriate frequency when manual operation, starting, and stopping must be conducted, and the appropriate frequency of simulated manual operation.
(d) Conductor training. Training required under this subpart for a conductor, together with required records, shall be integrated into the program of training required under this chapter.
Training specific to roadway workers.(a) Roadway worker training. Training required under this subpart for a roadway worker shall be integrated into the program of instruction required under part 214, subpart C of this chapter (“Roadway Worker Protection”), consistent with task analysis requirements of § 236.1043. This training shall provide instruction for roadway workers who provide protection for themselves or roadway work groups.
(b) Training subject areas. (1) Instruction for roadway workers shall ensure an understanding of the role of processor-based signal and train control equipment in establishing protection for roadway workers and their equipment.
(2) Instruction for all roadway workers working in territories where PTC is required under this subpart shall ensure recognition of processor-based signal and train control equipment on the wayside and an understanding of how to avoid interference with its proper functioning.
(3) Instructions concerning the recognition of system failures and the provision of alternative methods of on-track safety in case the train control system fails, including periodic practical exercises or simulations and operational testing under part 217 of this chapter to ensure the continued capability of roadway workers to be free from the danger of being struck by a moving train or other on-track equipment.
12. Amend Appendix A to part 236 by adding entries for subpart I as follows:
End Amendment PartAppendix A to Part 236—Civil Penalties [1]
Start Printed Page 2716Start Amendment PartSection Violation Willful violation * * * * * * * Subpart I—Positive Train Control Systems 236.1005 Positive Train Control System Requirements: Failure to complete PTC system installation on track segment where PTC is required prior to 12/31/2015 16,000 25,000 Commencement of revenue service prior to obtaining PTC System Certification 16,000 25,000 Failure of the PTC system to perform a safety-critical function required by this section 5,000 7,500 Failure to provide notice, obtain approval, or follow a condition for temporary rerouting when required 5,000 7,500 Exceeding the allowed percentage of controlling locomotives operating out of an initial terminal after receiving a failed initialization 5,000 7,500 236.1006 Equipping locomotives operating in PTC territory: Operating in PTC territory a controlling locomotive without a required and operative PTC onboard apparatus 15,000 25,000 Failure to report as prescribed by this section 5,000 7,500 Non-compliant operation of unequipped trains in PTC territory 15,000 25,000 236.1007 Additional requirements for high-speed service: Operation of passenger trains at speed equal to or greater than 60 mph on non-PTC-equipped territory where required 15,000 25,000 Operation of freight trains at speed equal to or greater than 50 mph on non-PTC-equipped territory where required 15,000 25,000 Failure to fully implement incursion protection where required 5,000 7,500 236.1009 Procedural requirements: Failure to file PTCIP when required 5,000 7,500 Failure to amend PTCIP when required 5,000 7,500 Failure to obtain Type Approval when required 5,000 7,500 Failure to update NPI 5,000 7,500 Operation of PTC system prior to system certification 16,000 25,000 236.1011 PTCIP content requirements: Failure to install a PTC system in accordance with subpart I when so required 11,000 16,000 236.1013 PTCDP content requirements and Type Approval: Failure to maintain quality control system 5,000 7,500 Inappropriate use of Type Approval 5,000 7,500 236.1015 PTCSP content requirements and PTC System Certification: Failure to implement PTC system in accordance with the associated PTCSP and resultant system certification 16,000 25,000 Failure to maintain PTC system in accordance with the associated PTCSP and resultant system certification 16,000 25,000 Failure to maintain required supporting documentation 2,500 5,000 236.1017 Independent third party Verification and Validation: Failure to conduct independent third party Verification and Validation when ordered 11,000 16,000 236.1019 Main line track exceptions: Revenue operations conducted in non-compliance with the passenger terminal exception 16,000 25,000 Revenue operations conducted in non-compliance with the limited operations exception 16,000 25,000 Failure to request modification of the PTCIP or PTCSP when required 11,000 16,000 Revenue operations conducted in violation of (c)(2) 16,000 25,000 Revenue operations conducted in violation of (c)(3) 25,000 25,000 236.1021 Discontinuances, material modifications, and amendments: Failure to update PTCDP when required 5,000 7,500 Failure to update PTCSP when required 5,000 7,500 Failure to immediately adopt and comply with approved RFA 5,000 7,500 Discontinuance or modification of a PTC system without approval when required 11,000 16,000 236.1023 Errors and malfunctions: Railroad failure to provide proper notification of PTC system error or malfunction 5,000 7,500 Failure to maintain PTCPVL 2,500 5,000 Supplier failure to provide proper notification of previously identified PTC system error or malfunction 5,000 7,500 Failure to provide timely notification 5,000 7,500 Failure to provide appropriate protective measures in the event of PTC system failure 15,000 25,000 236.1027 Exclusions: Integration of primary train control system with locomotive electronic system without approval 5,000 7,500 236.1029 PTC system use and en route failures: Failure to determine cause of PTC system component failure without undue delay 5,000 7,500 Failure to adjust, repair, or replace faulty PTC system component without undue delay 5,000 7,500 Failure to take appropriate action pending adjustment, repair, or replacement of faulty PTC system component 15,000 25,000 Non-compliant train operation within PTC-equipped territory with inoperative PTC onboard apparatus 5,000 7,500 Interference with the normal functioning of safety-critical PTC system 15,000 25,000 Improper arrangement of the PTC system onboard apparatus 2,500 5,000 Start Printed Page 2717 236.1033 Communications and security requirements: Failure to provide cryptographic message integrity and authentication 5,000 7,500 Improper use of revoked cryptographic key 5,000 15,000 Failure to protect cryptographic keys from unauthorized disclosure, modification, or substitution 5,000 15,000 Failure to establish prioritized service restoration and mitigation plan for communication services 5,000 7,500 236.1035 Field testing requirements: Field testing without authorization or approval 10,000 20,000 236.1037 Records retention: Failure to maintain records and databases as required 7,500 15,000 Failure to report inconsistency 10,000 20,000 Failure to take prompt countermeasures 10,000 20,000 Failure to provide final report 2,500 5,000 236.1039 Operations and Maintenance Manual: Failure to implement and maintain Operations and Maintenance Manual as required 3,000 6,000 236.1043 Task analysis and basic requirements: Failure to develop and maintain an acceptable training program 10,000 20,000 Failure to train persons as required 2,500 5,000 Failure to conduct evaluation of training program as required 2,500 5,000 Failure to maintain records as required 1,500 3,000 236.1045 Training specific to office control personnel: Failure to conduct training unique to office control personnel 2,500 5,000 236.1047 Training specific to locomotive engineers and other operating personnel: Failure to conduct training unique to locomotive engineers and other operating personnel 2,500 5,000 236.1049 Training specific to roadway workers: Failure to conduct training unique to roadway workers 2,500 5,000 13. Revise Appendix B to part 236 to read as follows:
End Amendment PartAppendix B to Part 236—Risk Assessment Criteria
The safety-critical performance of each product for which risk assessment is required under this part must be assessed in accordance with the following minimum criteria or other criteria if demonstrated to the Associate Administrator for Safety to be equally suitable:
(a) How are risk metrics to be expressed? The risk metric for the proposed product must describe with a high degree of confidence the accumulated risk of a train control system that operates over the designated life-cycle of the product. Each risk metric for the proposed product must be expressed with an upper bound, as estimated with a sensitivity analysis, and the risk value selected must be demonstrated to have a high degree of confidence.
(b) How does the risk assessment handle interaction risks for interconnected subsystems/components? The risk assessment of each safety-critical system (product) must account not only for the risks associated with each subsystem or component, but also for the risks associated with interactions (interfaces) between such subsystems.
(c) What is the main principle in computing risk for the previous and current conditions? The risk for the previous condition must be computed using the same metrics as for the new system being proposed. A full risk assessment must consider the entire railroad environment where the product is being applied, and show all aspects of the previous condition that are affected by the installation of the product, considering all faults, operating errors, exposure scenarios, and consequences that are related as described in this part. For the full risk assessment, the total societal cost of the potential numbers of accidents assessed for both previous and new system conditions must be computed for comparison. An abbreviated risk assessment must, as a minimum, clearly compute the MTTHE for all of the hazardous events identified for both previous and current conditions. The comparison between MTTHE for both conditions is to determine whether the product implementation meets the safety criteria as required by subpart H or subpart I of this part as applicable.
(d) What major system characteristics must be included when relevant to risk assessment? Each risk calculation must consider the total signaling and train control system and method of operation, as subjected to a list of hazards to be mitigated by the signaling and train control system. The methodology requirements must include the following major characteristics, when they are relevant to the product being considered:
(1) Track plan infrastructure, switches, rail crossings at grade and highway-rail grade crossings as applicable;
(2) Train movement density for freight, work, and passenger trains where applicable and computed over a time span of not less than 12 months;
(3) Train movement operational rules, as enforced by the dispatcher, roadway worker/Employee in Charge, and train crew behaviors;
(4) Wayside subsystems and components;
(5) Onboard subsystems and components;
(6) Consist contents such as hazardous material, oversize loads; and
(7) Operating speeds if the provisions of part 236 cite additional requirements for certain type of train control systems to be used at such speeds for freight and passenger trains.
(e) What other relevant parameters must be determined for the subsystems and components? In order to derive the frequency of hazardous events (or MTTHE) applicable for a product, subsystem or component included in the risk assessment, the railroad may use various techniques, such as reliability and availability calculations for subsystems and components, Fault Tree Analysis (FTA) of the subsystems, and results of the application of safety design principles as noted in Appendix C to this part. The MTTHE is to be derived for both fail-safe and non-fail-safe subsystems or components. The lower bounds of the MTTF or MTBF determined from the system sensitivity analysis, which account for all necessary and well justified assumptions, may be used to represent the estimate of MTTHE for the associated non-fail-safe subsystem or component in the risk assessment.
(f) How are processor-based subsystems/components assessed? (1) An MTTHE value must be calculated for each processor-based subsystem or component, or both, indicating the safety-critical behavior of the integrated hardware/software subsystem or component, or both. The human factor impact must be included in the assessment, whenever applicable, to provide the integrated MTTHE value. The MTTHE calculation must consider the rates of failures caused by permanent, transient, and intermittent faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased-interval maintenance, and restoration of the detected failures.
(2) Software fault/failure analysis must be based on the assessment of the design and implementation of all safety-related software including the application code, its operating/executive program, COTS software, and associated device drivers, as well as historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The software assessment process must demonstrate through repeatable predictive results that all software defects have been identified and Start Printed Page 2718corrected by process with a high degree of confidence.
(g) How are non-processor-based subsystems/components assessed? (1) The safety-critical behavior of all non-processor-based components, which are part of a processor-based system or subsystem, must be quantified with an MTTHE metric. The MTTHE assessment methodology must consider failures caused by permanent, transient, and intermittent faults, phase-interval maintenance and restoration of operation after failures and the effect of fault coverage of each non-processor-based subsystem or component.
(2) MTTHE compliance verification and validation must be based on the assessment of the design for adequacy by a documented verification and validation process, historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The non-processor-based quantification compliance must be demonstrated to have a high degree of confidence.
(h) What assumptions must be documented for risk assessment? (1) The railroad shall document any assumptions regarding the derivation of risk metrics used. For example, for the full risk assessment, all assumptions made about each value of the parameters used in the calculation of total cost of accidents should be documented. For abbreviated risk assessment, all assumptions made for MTHHE derivation using existing reliability and availability data on the current system components should be documented. The railroad shall document these assumptions in such a form as to permit later comparisons with in-service experience.
(2) The railroad shall document any assumptions regarding human performance. The documentation shall be in such a form as to facilitate later comparisons with in-service experience.
(3) The railroad shall document any assumptions regarding software defects. These assumptions shall be in a form that permit the railroad to project the likelihood of detecting an in-service software defect. These assumptions shall be documented in such a form as to permit later comparisons with in-service experience.
(4) The railroad shall document all of the identified safety-critical fault paths to a mishap as predicted by the safety analysis methodology. The documentation shall be in such a form as to facilitate later comparisons with in-service faults.
Start Amendment Part14. Revise Appendix C to part 236 to read as follows:
End Amendment PartAppendix C to Part 236—Safety Assurance Criteria and Processes
(a) What is the purpose of this appendix? This appendix provides safety criteria and processes that the designer must use to develop and validate the product that meets safety requirements of this part. FRA uses the criteria and processes set forth in this appendix to evaluate the validity of safety targets and the results of system safety analyses provided in the RSPP, PSP, PTCIP, PTCDP, and PTCSP documents as appropriate. An analysis performed under this appendix must:
(1) Address each of the safety principles of paragraph (b) of this appendix, or explain why they are not relevant, and
(2) Employ a validation and verification process pursuant to paragraph (c) of this appendix.
(b) What safety principles must be followed during product development? The designer shall address each of the following safety considerations principles when designing and demonstrating the safety of products covered by subpart H or I of this part. In the event that any of these principles are not followed, the PSP or PTCDP or PTCSP shall state both the reason(s) for departure and the alternative(s) utilized to mitigate or eliminate the hazards associated with the design principle not followed.
(1) System safety under normal operating conditions. The system (all its elements including hardware and software) must be designed to assure safe operation with no hazardous events under normal anticipated operating conditions with proper inputs and within the expected range of environmental conditions. All safety-critical functions must be performed properly under these normal conditions. The system shall operate safely even in the absence of prescribed operator actions or procedures. The designer must identify and categorize all hazards that may lead to unsafe system operation. Hazards categorized as unacceptable, which are determined by hazard analysis, must be eliminated by design. Best effort shall also be made by the designer to eliminate by design the hazards categorized as undesirable. Those undesirable hazards that cannot be eliminated should be mitigated to the acceptable level as required by this part.
(2) System safety under failures.
(i) It must be shown how the product is designed to eliminate or mitigate unsafe systematic failures—those conditions which can be attributed to human error that could occur at various stages throughout product development. This includes unsafe errors in the software due to human error in the software specification, design, or coding phases; human errors that could impact hardware design; unsafe conditions that could occur because of an improperly designed human-machine interface; installation and maintenance errors; and errors associated with making modifications.
(ii) The product must be shown to operate safely under conditions of random hardware failures. This includes single hardware failures as well as multiple hardware failures that may occur at different times but remain undetected (latent) and react in combination with a subsequent failure at a later time to cause an unsafe operating situation. In instances involving a latent failure, a subsequent failure is similar to there being a single failure. In the event of a transient failure, and if so designed, the system should restart itself if it is safe to do so. Frequency of attempted restarts must be considered in the hazard analysis required by § 236.907(a)(8).
(iii) There shall be no single point failures in the product that can result in hazards categorized as unacceptable or undesirable. Occurrence of credible single point failures that can result in hazards must be detected and the product must achieve a known safe state that eliminates the possibility of false activation of any physical appliance.
(iv) If one non-self-revealing failure combined with a second failure can cause a hazard that is categorized as unacceptable or undesirable, then the second failure must be detected and the product must achieve a known safe state that eliminates the possibility of false activation of any physical appliance.
(v) Another concern of multiple failures involves common mode failures in which two or more subsystems or components intended to compensate one another to perform the same function all fail by the same mode and result in unsafe conditions. This is of particular concern in instances in which two or more elements (hardware or software, or both) are used in combination to ensure safety. If a common mode failure exists, then any analysis performed under this appendix cannot rely on the assumption that failures are independent. Examples include: The use of redundancy in which two or more elements perform a given function in parallel and when one (hardware or software) element checks/monitors another element (of hardware or software) to help ensure its safe operation. Common mode failure relates to independence, which must be ensured in these instances. When dealing with the effects of hardware failure, the designer shall address the effects of the failure not only on other hardware, but also on the execution of the software, since hardware failures can greatly affect how the software operates.
(3) Closed loop principle. System design adhering to the closed loop principle requires that all conditions necessary for the existence of any permissive state or action be verified to be present before the permissive state or action can be initiated. Likewise the requisite conditions shall be verified to be continuously present for the permissive state or action to be maintained. This is in contrast to allowing a permissive state or action to be initiated or maintained in the absence of detected failures. In addition, closed loop design requires that failure to perform a logical operation, or absence of a logical input, output or decision shall not cause an unsafe condition, i.e. system safety does not depend upon the occurrence of an action or logical decision.
(4) Safety assurance concepts. The product design must include one or more of the following Safety Assurance Concepts as described in IEEE-1483 standard to ensure that failures are detected and the product is placed in a safe state. One or more different principles may be applied to each individual subsystem or component, depending on the safety design objectives of that part of the product.
(i) Design diversity and self-checking concept. This concept requires that all critical functions be performed in diverse ways, using diverse software operations and/or diverse hardware channels, and that critical hardware be tested with Self-Checking routines. Permissive outputs are allowed only if the results of the diverse operations correspond, and the Self-Checking Start Printed Page 2719process reveals no failures in either execution of software or in any monitored input or output hardware. If the diverse operations do not agree or if the checking reveals critical failures, safety-critical functions and outputs must default to a known safe state.
(ii) Checked redundancy concept. The Checked Redundancy concept requires implementation of two or more identical, independent hardware units, each executing identical software and performing identical functions. A means is to be provided to periodically compare vital parameters and results of the independent redundant units, requiring agreement of all compared parameters to assert or maintain a permissive output. If the units do not agree, safety-critical functions and outputs must default to a known safe state.
(iii) N-version programming concept. This concept requires a processor-based product to use at least two software programs performing identical functions and executing concurrently in a cycle. The software programs must be written by independent teams, using different tools. The multiple independently written software programs comprise a redundant system, and may be executed either on separate hardware units (which may or may not be identical) or within one hardware unit. A means is to be provided to compare the results and output states of the multiple redundant software systems. If the system results do not agree, then the safety-critical functions and outputs must default to a known safe state.
(iv) Numerical assurance concept. This concept requires that the state of each vital parameter of the product or system be uniquely represented by a large encoded numerical value, such that permissive results are calculated by pseudo-randomly combining the representative numerical values of each of the critical constituent parameters of a permissive decision. Vital algorithms must be entirely represented by data structures containing numerical values with verified characteristics, and no vital decisions are to be made in the executing software, only by the numerical representations themselves. In the event of critical failures, the safety-critical functions and outputs must default to a known safe state.
(v) Intrinsic fail-safe design concept. Intrinsically fail-safe hardware circuits or systems are those that employ discrete mechanical and/or electrical components. The fail-safe operation for a product or subsystem designed using this principle concept requires a verification that the effect of every relevant failure mode of each component, and relevant combinations of component failure modes, be considered, analyzed, and documented. This is typically performed by a comprehensive failure modes and effects analysis (FMEA) which must show no residual unmitigated failures. In the event of critical failures, the safety-critical functions and outputs must default to a known safe state.
(5) Human factor engineering principle. The product design must sufficiently incorporate human factors engineering that is appropriate to the complexity of the product; the educational, mental, and physical capabilities of the intended operators and maintainers; the degree of required human interaction with the component; and the environment in which the product will be used.
(6) System safety under external influences. The product must be shown to operate safely when subjected to different external influences, including:
(i) Electrical influences such as power supply anomalies/transients, abnormal/improper input conditions (e.g., outside of normal range inputs relative to amplitude and frequency, unusual combinations of inputs) including those related to a human operator, and others such as electromagnetic interference or electrostatic discharges, or both;
(ii) Mechanical influences such as vibration and shock; and
(iii) Climatic conditions such as temperature and humidity.
(7) System safety after modifications. Safety must be ensured following modifications to the hardware or software, or both. All or some of the concerns identified in this paragraph may be applicable depending upon the nature and extent of the modifications. Such modifications must follow all of the concept, design, implementation and test processes and principles as documented in the PSP for the original product. Regression testing must be comprehensive and documented to include all scenarios which are affected by the change made, and the operating modes of the changed product during normal and failure state (fallback) operation.
(c) What standards are acceptable for Verification and Validation? (1) The standards employed for Verification or Validation, or both, of products subject to this subpart must be sufficient to support achievement of the applicable requirements of subpart H and subpart I of this part.
(2) U.S. Department of Defense Military Standard (MIL-STD) 882C, “System Safety Program Requirements” (January 19, 1993), is recognized as providing appropriate risk analysis processes for incorporation into verification and validation standards.
(3) The following standards designed for application to processor-based signal and train control systems are recognized as acceptable with respect to applicable elements of safety analysis required by subpart H and subpart I of this part. The latest versions of the standards listed below should be used unless otherwise provided.
(i) IEEE standards as follows:
(A) IEEE 1483-2000, Standard for the Verification of Vital Functions in Processor-Based Systems Used in Rail Transit Control.
(B) IEEE 1474.2-2003, Standard for user interface requirements in communications based train control (CBTC) systems.
(C) IEEE 1474.1-2004, Standard for Communications-Based Train Control (CBTC) Performance and Functional Requirements.
(ii) CENELEC Standards as follows:
(A) EN50129: 2003, Railway Applications: Communications, Signaling, and Processing Systems-Safety Related Electronic Systems for Signaling; and
(B) EN50155:2001/A1:2002, Railway Applications: Electronic Equipment Used in Rolling Stock.
(iii) ATCS Specification 200 Communications Systems Architecture.
(iv) ATCS Specification 250 Message Formats.
(v) AREMA 2009 Communications and Signal Manual of Recommended Practices, Part 16, Part 17, 21, and 23.
(vi) Safety of High-Speed Ground Transportation Systems. Analytical Methodology for Safety Validation of Computer Controlled Subsystems. Volume II: Development of a Safety Validation Methodology. Final Report September 1995. Author: Jonathan F. Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
(vii) IEC 61508 (International Electrotechnical Commission), Functional Safety of Electrical/Electronic/Programmable/Electronic Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
(A) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 61508-1 Corr. (1999-05) Corrigendum 1—Part 1: General Requirements.
(B) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems.
(C) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 61508-3 Corr. 1 (1999-04) Corrigendum 1—Part 3: Software requirements.
(D) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations and IEC 61508-4 Corr. 1 (1999-04) Corrigendum 1—Part 4: Definitions and abbreviations.
(E) IEC 61508-5 (1998-12) Part 5: Examples of methods for the determination of safety integrity levels and IEC 61508-5 Corr. 1 (1999-04) Corrigendum 1—Part 5: Examples of methods for determination of safety integrity levels.
(F) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications of IEC 61508-2 and -3.
(G) IEC 61508-7 (2000-03) Part 7: Overview of techniques and measures.
(H) IEC 62278: 2002, Railway Applications: Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS);
(I) IEC 62279: 2002 Railway Applications: Software for Railway Control and Protection Systems;
(4) Use of unpublished standards, including proprietary standards, is authorized to the extent that such standards are shown to achieve the requirements of this part. However, any such standards shall be available for inspection and replication by FRA and for public examination in any public proceeding before the FRA to which they are relevant.
(5) The various standards provided in this paragraph are for illustrative purposes only. Copies of these standards can be obtained in accordance with the following:
(i) U.S. government standards and technical publications may be obtained by contacting the federal National Technical Information Service, 5301 Shawnee Rd, Alexandria, VA 22312.
(ii) U.S. National Standards may be obtained by contacting the American Start Printed Page 2720National Standards Institute, 25 West 43rd Street, 4 Floor, New York, NY 10036.
(iii) IEC Standards may be obtained by contacting the International Electrotechnical Commission, 3, rue de Varembé, P.O. Box 131 CH—1211, GENEVA, 20, Switzerland.
(iv) CENLEC Standards may be obtained by contacting any of one the national standards bodies that make up the European Committee for Electrotechnical Standardization.
(v) IEEE standards may be obtained by contacting the IEEE Publications Office, 10662 Los Vaqueros Circle, P.O. Box 3014, Los Alamitos, CA 90720-1264.
(vi) AREMA standards may be obtained from the American Railway Engineering and Maintenance-of-Way Association, 10003 Derekwood Lane, Suite 210, Lanham, MD 20706.
Start Amendment Part15. Revise Appendix D to part 236 to read as follows:
End Amendment PartAppendix D to Part 236—Independent Review of Verification and Validation
(a) This appendix provides minimum requirements for independent third-party assessment of product safety verification and validation pursuant to subpart H or subpart I of this part. The goal of this assessment is to provide an independent evaluation of the product manufacturer's utilization of safety design practices during the product's development and testing phases, as required by any mutually agreed upon controlling documents and standards and the applicable railroad's:
(1) Railroad Safety Program Plan (RSPP) and Product Safety Plan (PSP) for processor based systems developed under subpart H or,
(2) PTC Product Development Plan (PTCDP) and PTC Safety Plan (PTCSP) for PTC systems developed under subpart I.
(b) The supplier may request advice and assistance of the reviewer concerning the actions identified in paragraphs (c) through (g) of this appendix. However, the reviewer shall not engage in any design efforts associated with the product, the products subsystems, or the products components, in order to preserve the reviewer's independence and maintain the supplier's proprietary right to the product.
(c) The supplier shall provide the reviewer access to any and all documentation that the reviewer requests and attendance at any design review or walkthrough that the reviewer determines as necessary to complete and accomplish the third party assessment. The reviewer may be accompanied by representatives of FRA as necessary, in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate the product with respect to safety and comment on the adequacy of the processes which the supplier applies to the design and development of the product. At a minimum, the reviewer shall compare the supplier processes with acceptable validation and verification methodology and employ any other such tests or comparisons if they have been agreed to previously with FRA. Based on these analyses, the reviewer shall identify and document any significant safety vulnerabilities which are not adequately mitigated by the supplier's (or user's) processes. Finally, the reviewer shall evaluate and document the adequacy of the railroad's
(1) RSPP, the PSP, and any other documents pertinent to a product being developed under subpart H of this part; or
(2) PTCDP and PTCSP for systems being developed under subpart I of this part.
(e) The reviewer shall analyze the Hazard Log and/or any other hazard analysis documents for comprehensiveness and compliance with applicable railroad, vendor, supplier, industry, national, and international standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA), and other hazard analyses for completeness, correctness, and compliance with applicable railroad, vendor, supplier, industry, national and international standards.
(g) The reviewer shall randomly select various safety-critical software, and hardware modules, if directed by FRA, for audit to verify whether the requirements of the applicable railroad, vendor, supplier, industry, national, and international standards were followed. The number of modules audited must be determined as a representative number sufficient to provide confidence that all unaudited modules were developed in compliance with the applicable railroad, vendor, supplier, industry, national, and international standards.
(h) The reviewer shall evaluate and comment on the plan for installation and test procedures of the product for revenue service.
(i) The reviewer shall prepare a final report of the assessment. The report shall be submitted to the railroad prior to the commencement of installation testing and contain at least the following information:
(1) Reviewer's evaluation of the adequacy of the PSP in the case of products developed under subpart H, or PTCSP for products developed under subpart I of this part, including the supplier's MTTHE and risk estimates for the product, and the supplier's confidence interval in these estimates;
(2) Product vulnerabilities, potentially hazardous failure modes, or potentially hazardous operating circumstances which the reviewer felt were not adequately identified, tracked, mitigated, and corrected by either the vendor or supplier or the railroad;
(3) A clear statement of position for all parties involved for each product vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, supplier, industry, national, or international standard, procedure or process which was not properly followed;
(6) Identification of the software verification and validation procedures, as well as the hardware verification validation procedures if deemed appropriate by FRA, for the product's safety-critical applications, and the reviewer's evaluation of the adequacy of these procedures;
(7) Methods employed by the product manufacturer to develop safety-critical software;
(8) If deemed applicable by FRA, the methods employed by the product manufacturer to develop safety-critical hardware by generally acceptable techniques;
(9) Method by which the supplier or railroad addresses comprehensiveness of the product design which considers the safety elements listed in paragraph (b) of appendix C to this part.
Start Amendment Part16. Revise Appendix E to part 236 to read as follows:
End Amendment PartAppendix E to Part 236—Human-Machine Interface (HMI) Design
(a) This appendix provides human factors design criteria applicable to both subpart H and subpart I of this part. HMI design criteria will minimize negative safety effects by causing designers to consider human factors in the development of HMIs. The product design should sufficiently incorporate human factors engineering that is appropriate to the complexity of the product; the gender, educational, mental, and physical capabilities of the intended operators and maintainers; the degree of required human interaction with the component; and the environment in which the product will be used.
(b) As used in this section, “designer” means anyone who specifies requirements for—or designs a system or subsystem, or both, for—a product subject to subpart H or subpart I of this part, and “operator” means any human who is intended to receive information from, provide information to, or perform repairs or maintenance on a safety-critical product subject to subpart H or I of this part.
(c) Human factors issues the designers must consider with regard to the general function of a system include:
(1) Reduced situational awareness and over-reliance. HMI design must give an operator active functions to perform, feedback on the results of the operator's actions, and information on the automatic functions of the system as well as its performance. The operator must be “in-the-loop.” Designers must consider at a minimum the following methods of maintaining an active role for human operators:
(i) The system must require an operator to initiate action to operate the train and require an operator to remain “in-the-loop” for at least 30 minutes at a time;
(ii) The system must provide timely feedback to an operator regarding the system's automated actions, the reasons for such actions, and the effects of the operator's manual actions on the system;
(iii) The system must warn operators in advance when it requires an operator to take action;
(iv) HMI design must equalize an operator's workload; and
(v) HMI design must not distract from the operator's safety related duties.
(2) Expectation of predictability and consistency in product behavior and communications. HMI design must accommodate an operator's expectation of logical and consistent relationships between actions and results. Similar objects must behave consistently when an operator performs the same action upon them.Start Printed Page 2721
(3) End user limited ability to process information. HMI design must therefore minimize an operator's information processing load. To minimize information processing load, the designer must:
(i) Present integrated information that directly supports the variety and types of decisions that an operator makes;
(ii) Provide information in a format or representation that minimizes the time required to understand and act; and
(iii) Conduct utility tests of decision aids to establish clear benefits such as processing time saved or improved quality of decisions.
(4) End user limited memory. HMI design must therefore minimize an operator's information processing load.
(i) To minimize short-term memory load, the designer shall integrate data or information from multiple sources into a single format or representation (“chunking”) and design so that three or fewer “chunks” of information need to be remembered at any one time.
(ii) To minimize long-term memory load, the designer shall design to support recognition memory, design memory aids to minimize the amount of information that must be recalled from unaided memory when making critical decisions, and promote active processing of the information.
(d) Design systems that anticipate possible user errors and include capabilities to catch errors before they propagate through the system;
(1) Conduct cognitive task analyses prior to designing the system to better understand the information processing requirements of operators when making critical decisions; and
(2) Present information that accurately represents or predicts system states.
(e) When creating displays and controls, the designer must consider user ergonomics and shall:
(1) Locate displays as close as possible to the controls that affect them;
(2) Locate displays and controls based on an operator's position;
(3) Arrange controls to minimize the need for the operator to change position;
(4) Arrange controls according to their expected order of use;
(5) Group similar controls together;
(6) Design for high stimulus-response compatibility (geometric and conceptual);
(7) Design safety-critical controls to require more than one positive action to activate (e.g., auto stick shift requires two movements to go into reverse);
(8) Design controls to allow easy recovery from error; and
(9) Design display and controls to reflect specific gender and physical limitations of the intended operators.
(f) The designer shall also address information management. To that end, HMI design shall:
(1) Display information in a manner which emphasizes its relative importance;
(2) Comply with the ANSI/HFS 100-1988 standard;
(3) Utilize a display luminance that has a difference of at least 35cd/m2 between the foreground and background (the displays should be capable of a minimum contrast 3:1 with 7:1 preferred, and controls should be provided to adjust the brightness level and contrast level);
(4) Display only the information necessary to the user;
(5) Where text is needed, use short, simple sentences or phrases with wording that an operator will understand and appropriate to the educational and cognitive capabilities of the intended operator;
(6) Use complete words where possible; where abbreviations are necessary, choose a commonly accepted abbreviation or consistent method and select commonly used terms and words that the operator will understand;
(7) Adopt a consistent format for all display screens by placing each design element in a consistent and specified location;
(8) Display critical information in the center of the operator's field of view by placing items that need to be found quickly in the upper left hand corner and items which are not time-critical in the lower right hand corner of the field of view;
(9) Group items that belong together;
(10) Design all visual displays to meet human performance criteria under monochrome conditions and add color only if it will help the user in performing a task, and use color coding as a redundant coding technique;
(11) Limit the number of colors over a group of displays to no more than seven;
(12) Design warnings to match the level of risk or danger with the alerting nature of the signal; and
(13) With respect to information entry, avoid full QWERTY keyboards for data entry.
(g) With respect to problem management, the HMI designer shall ensure that the:
(1) HMI design must enhance an operator's situation awareness;
(2) HMI design must support response selection and scheduling; and
(3) HMI design must support contingency planning.
(h) Ensure that electronics equipment radio frequency emissions are compliant with appropriate Federal Communications Commission regulations. The FCC rules and regulations are codified in Title 47 of the Code of Federal Regulations (CFR).
(1) Electronics equipment must have appropriate FCC Equipment Authorizations. The following documentation is applicable to obtaining FCC Equipment Authorization:
(i) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987 issue) FCC Equipment Authorization Program for Radio Frequency Devices. This document provides an overview of the equipment authorization program to control radio interference from radio transmitters and certain other electronic products and an overview of how to obtain an equipment authorization.
(ii) OET Bulletin 63: (October 1993) Understanding The FCC Part 15 Regulations for Low Power, Non-Licensed Transmitters. This document provides a basic understanding of the FCC regulations for low power, unlicensed transmitters, and includes answers to some commonly-asked questions. This edition of the bulletin does not contain information concerning personal communication services (PCS) transmitters operating under Part 15, Subpart D of the rules.
(iii) 47 Code of Federal Regulations Parts 0 to 19. The FCC rules and regulations governing PCS transmitters may be found in 47 CFR, Parts 0 to 19.
(iv) OET Bulletin 62 (December 1993) Understanding The FCC Regulations for Computers and other Digital Devices. This document has been prepared to provide a basic understanding of the FCC regulations for digital (computing) devices, and includes answers to some commonly-asked questions.
(2) Designers must comply with FCC requirements for Maximum Permissible Exposure limits for field strength and power density for the transmitters operating at frequencies of 300 kHz to 100 GHz and specific absorption rate (SAR) limits for devices operating within close proximity to the body. The Commission's requirements are detailed in parts 1 and 2 of the FCC's Rules and Regulations (47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093). The following documentation is applicable to demonstrating whether proposed or existing transmitting facilities, operations or devices comply with limits for human exposure to radiofrequency RF fields adopted by the FCC:
(i) OET Bulletin No. 65 (Edition 97-01, August 1997), “Evaluating Compliance With FCC Guidelines For Human Exposure To Radiofrequency Electromagnetic Fields”,
(ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997) and
(iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 2001).
(3) The bulletin and supplements offer guidelines and suggestions for evaluating compliance. However, they are not intended to establish mandatory procedures. Other methods and procedures may be acceptable if based on sound engineering practice.
Start Amendment Part17. Add an Appendix F to part 236 to read as follows:
End Amendment Part Start AppendixAppendix F to Part 236—Minimum Requirements of FRA Directed Independent Third-Party Assessment of PTC System Safety Verification and Validation
(a) This appendix provides minimum requirements for mandatory independent third-party assessment of PTC system safety verification and validation pursuant to subpart H or I of this part. The goal of this assessment is to provide an independent evaluation of the PTC system manufacturer's utilization of safety design practices during the PTC system's development and testing phases, as required by the applicable PSP, PTCDP, and PTCSP, the applicable requirements of subpart H or I of this part, and any other previously agreed-upon controlling documents or standards.
(b) The supplier may request advice and assistance of the independent third-party reviewer concerning the actions identified in paragraphs (c) through (g) of this appendix. However, the reviewer should not engage in design efforts in order to preserve the reviewer's independence and maintain the Start Printed Page 2722supplier's proprietary right to the PTC system.
(c) The supplier shall provide the reviewer access to any and all documentation that the reviewer requests and attendance at any design review or walkthrough that the reviewer determines as necessary to complete and accomplish the third party assessment. The reviewer may be accompanied by representatives of FRA as necessary, in FRA's judgment, for FRA to monitor the assessment.
(d) The reviewer shall evaluate with respect to safety and comment on the adequacy of the processes which the supplier applies to the design and development of the PTC system. At a minimum, the reviewer shall evaluate the supplier design and development process regarding the use of an appropriate design methodology. The reviewer may use the comparison processes and test procedures that have been previously agreed to with FRA. Based on these analyses, the reviewer shall identify and document any significant safety vulnerabilities which are not adequately mitigated by the supplier's (or user's) processes. Finally, the reviewer shall evaluate the adequacy of the railroad's applicable PSP or PTCSP, and any other documents pertinent to the PTC system being assessed.
(e) The reviewer shall analyze the Hazard Log and/or any other hazard analysis documents for comprehensiveness and compliance with railroad, vendor, supplier, industry, national, or international standards.
(f) The reviewer shall analyze all Fault Tree Analyses (FTA), Failure Mode and Effects Criticality Analysis (FMECA), and other hazard analyses for completeness, correctness, and compliance with railroad, vendor, supplier, industry, national, or international standards.
(g) The reviewer shall randomly select various safety-critical software modules, as well as safety-critical hardware components if required by FRA for audit to verify whether the railroad, vendor, supplier, industry, national, or international standards were followed. The number of modules audited must be determined as a representative number sufficient to provide confidence that all unaudited modules were developed in compliance with railroad, vendor, supplier, industry, national, or international standards
(h) The reviewer shall evaluate and comment on the plan for installation and test procedures of the PTC system for revenue service.
(i) The reviewer shall prepare a final report of the assessment. The report shall be submitted to the railroad prior to the commencement of installation testing and contain at least the following information:
(1) Reviewer's evaluation of the adequacy of the PSP or PTCSP including the supplier's MTTHE and risk estimates for the PTC system, and the supplier's confidence interval in these estimates;
(2) PTC system vulnerabilities, potentially hazardous failure modes, or potentially hazardous operating circumstances which the reviewer felt were not adequately identified, tracked or mitigated;
(3) A clear statement of position for all parties involved for each PTC system vulnerability cited by the reviewer;
(4) Identification of any documentation or information sought by the reviewer that was denied, incomplete, or inadequate;
(5) A listing of each applicable vendor, supplier, industry, national or international standard, process, or procedure which was not properly followed;
(6) Identification of the hardware and software verification and validation procedures for the PTC system's safety-critical applications, and the reviewer's evaluation of the adequacy of these procedures;
(7) Methods employed by PTC system manufacturer to develop safety-critical software; and
(8) If directed by FRA, methods employed by PTC system manufacturer to develop safety-critical hardware.
End Appendix Start SignatureIssued in Washington, DC, on December 30, 2009.
Joseph C. Szabo,
Administrator.
Footnotes
1. Here we recognize the interest of railroads that will be making very costly investments to meet the requirements of the statute and this rule. The “Signal Inspection Act,” as codified, makes it explicit that the presence of a signal or train control system on one line may not be considered in a civil action with respect to an accident on another line. This law is also explicit that, once installed, such a system may not be removed without approval. 49 U.S.C. 20501-20505. It should have been cited in the NPRM.
Back to Citation2. Unique among these events, the Texarkana collision may not have been prevented by PTC technology now being perfected. However, the consequences which ensued, including the fatality, destruction of two residences and a highway bridge, and a significant evacuation are illustrative of the consequences that can result from release of flammable compressed gases in train accidents. There are approximately 100,000 carloads of PIH commodities shipped each year. There are approximately 228,000 carloads of flammable compressed gases (other than those classified as PIH) shipped each year.
Back to Citation3. At least one Class I railroad consolidated some of its PIH traffic on signalized lines prior to adoption of the Rail Route Analysis Rule. This reflects a recognition that method of operations matters, but that is not the same thing as having completed a fully mature routing analysis against the 27 factors—something that will occur only over time in the face of great complexity.
Back to Citation4. This is not to say that there are independent justifications for each of these decisions. Yard operations involve a mix of switching movements and train movements and have never been within public expectations for PTC because of issues of impracticability and inapplicability, as well as greatly reduced safety concerns. Movement of trains with inoperative PTC equipment has historically been allowed for and governed within Interstate Commerce Commission and FRA regulations, and proceeding otherwise would be a virtual impossibility. FRA does not understand RSIA08 to specify whether all trains operating on PTC lines must be PTC equipped, and accordingly FRA believes that it is required to make discretionary decisions in that regard. That said, the de minimis concept clearly offers an alternative justification for each of these decisions.
Back to Citation5. See Engineering Studies on Structural Integrity of Railroad Tank Cars Under Accident Conditions (DOT/FRA/ORD-9/18; October 2009); see also 78 FR 17,818, 17,821 (Apr. 1, 2008) (discussion of proposed limitation on PIH train speeds in non-signaled territory prior to introduction of fully crashworthy tank cars, which was later withdrawn for other reasons).
Back to Citation6. Friends of the Earth also made detailed comments regarding administration of the Rail Route Analysis Rule that are beyond the scope of this proceeding.
Back to Citation7. An example of an existing mitigation, which is provided to support service quality but also supports safety, is the practice of one Class III Amtrak host and its connecting freight partner to hold out fleeted empty coal trains off the Class III property during the period that Amtrak is running. While not constituting strict “temporal separation,” it does significantly reduce collision risk over the route.
Back to Citation8. Freight tonnage on Amtrak lines varies from zero on two segments to over 150 million gross tons. On a per-mile basis, 15 million gross tons falls into the twenty-first percentile of Amtrak track miles. The candidate lines on the Class I system comprise about 6% of Amtrak's route structure.
Back to Citation9. Enforcement of a speed restriction associated with a particular car is not a mandated PTC function, but is an important function that will be provided within the Interoperable Train Control architecture for the general freight system.
Back to Citation10. ITCS displays in freight locomotives have not been mounted so as to be clearly visible to freight crews. The subject line is principally used for passenger service, and the number of freight locomotives involved has been very small. ITCS has been permitted to operate under waiver, and FRA freely concedes that the issue of freight crew display visibility had not been clearly joined to this point.
Back to Citation11. In vital applications, reliance on these displays will be authorized and required. Although initially in-block signal upgrades may not be permitted to be acted upon, except in cab signal territory, FRA has no doubt that the ability to upgrade between wayside signals will be requested as the technology is proven reliable. According to the major railroads involved in the Interoperable Train Control effort, most Class I locomotives will need to be configured to operate essentially in any territory on the system.
Back to Citation12. Prior to enactment of the RSIA08, FRA had taken significant steps to encourage voluntary PTC deployment, including offering the inducement of exceptions from traditional train control requirements. Had BNSF submitted a detailed justification for the single display visible only to the locomotive engineer, it is entirely possible that it would have been approved, since the performance standard under subpart H presents a very low bar for a reasonably competent train control system when applied in non-signaled or traffic control territory and since under the ETMS PSP the conductor would either continue to receive mandatory directives in writing or would copy mandatory directives transmitted verbally by the dispatcher via radio. 49 CFR 236.909(a). The point here is that, if the railroad had indeed conducted adequate human factors analysis, it had not been submitted to FRA; and no implications should be drawn with respect to this very different context, wherein interline operation of locomotives is at stake and several major railroads clearly wish to abandon traditional means of delivering authorities.
Back to Citation13. The response to this kind of concern is typically that the PTC system will enforce, which was its purpose to start with. However, even vital electronics sometimes fail in other than a safe mode, and in that case the crew performance is relied upon to backstop the system (rather than the opposite)—assuming that the crew has information that it needs to do so. Further, if the engineer is distracted even for relatively few seconds the danger exists that the engineer will not take other necessary actions (sounding the horn at a crossing, monitoring the condition of the brake pipe and setting the train up for an upcoming slow order to avoid excessive in-train forces, etc.).
Back to Citation14. An example of an existing mitigation, which is provided to support service quality but also supports safety, is the practice of one Class III Amtrak host and its connecting freight partner to hold out fleeted empty coal trains off the Class III property during the period that Amtrak is running. While not constituting strict “temporal separation,” it does significantly reduce collision risk over the route.
Back to Citation15. Freight tonnage on Amtrak lines varies from zero on two segments to over 150 million gross tons. On a per-mile basis, 15 million gross tons falls into the twenty first percentile of Amtrak track miles. The candidate lines on the Class I system comprise about 6.8% of Amtrak's route structure.
Back to Citation1. The Administrator reserves the right to assess a civil penalty of up to $100,000 per day for any violation where circumstances warrant. See 459 CFR part 209, Appendix A.
Back to Citation[FR Doc. E9-31362 Filed 1-12-10; 11:15 am]
BILLING CODE 4910-06-P
Document Information
- Comments Received:
- 0 Comments
- Effective Date:
- 3/16/2010
- Published:
- 01/15/2010
- Department:
- Federal Railroad Administration
- Entry Type:
- Rule
- Action:
- Final rule; request for comment on specific issues.
- Document Number:
- E9-31362
- Dates:
- This final rule is effective March 16, 2010. Petitions for reconsideration must be received on or before March 16, 2010. Comments must be received on or before February 16, 2010.
- Pages:
- 2597-2722 (126 pages)
- Docket Numbers:
- Docket No. FRA-2008-0132, Notice No. 3
- RINs:
- 2130-AC03: Positive Train Control
- RIN Links:
- https://www.federalregister.gov/regulations/2130-AC03/positive-train-control
- Topics:
- Administrative practice and procedure, Highway safety, Penalties, Railroad safety, Reporting and recordkeeping requirements
- PDF File:
- e9-31362.pdf
- CFR: (32)
- 49 CFR 229.135
- 49 CFR 234.275
- 49 CFR 235.7
- 49 CFR 236.0
- 49 CFR 236.410
- More ...