683 Part 236—Rules, Standards, And

Federal Railroad Administration, DOT Pt. 236

PART 236—RULES, STANDARDS, 236.56 Shunting sensitivity. 236.57 Shunt and fouling wires. AND INSTRUCTIONS GOVERNING 236.58 Turnout, fouling section. THE INSTALLATION, INSPECTION, 236.59 Insulated rail joints. MAINTENANCE, AND REPAIR OF 236.60 Switch shunting circuit; use re- SIGNAL AND TRAIN CONTROL stricted. SYSTEMS, DEVICES, AND APPLI- WIRES AND CABLES ANCES 236.71 Signal wires on pole line and aerial cable. Sec. 236.72 [Reserved] 236.0 Applicability, minimum requirements, 236.73 Open-wire transmission line; clear- and penalties. ance to other circuits. 236.74 Protection of insulated wire; splice in Subpart A—Rules and Instructions: All underground wire. Systems 236.75 [Reserved] 236.76 Tagging of wires and interference of GENERAL wires or tags with signal apparatus.

236.1 Plans, where kept. INSPECTIONS AND TESTS; ALL SYSTEMS 236.2 Grounds. 236.3 Locking of signal apparatus housings. 236.101 Purpose of inspection and tests; re- 236.4 Interference with normal functioning moval from service of relay or device of device. failing to meet test requirements. 236.5 Design of control circuits on closed 236.102 Semaphore or searchlight signal circuit principle. mechanism. 236.6 Hand-operated switch equipped with 236.103 Switch circuit controller or point switch circuit controller. detector. 236.7 Circuit controller operated by switch- 236.104 Shunt fouling circuit. and-lock movement. 236.105 Electric lock. 236.8 Operating characteristics of electro- 236.106 Relays. magnetic, electronic, or electrical appa- 236.107 Ground tests. ratus. 236.108 Insulation resistance tests, wires in 236.9 Selection of circuits through indi- trunking and cables. cating or annunciating instruments. 236.109 Time releases, timing relays and 236.10 Electric locks, force drop type; where timing devices. required. 236.110 Results of tests. 236.11 Adjustment, repair, or replacement of component. Subpart B—Automatic Block Signal 236.12 Spring switch signal protection; Systems where required. 236.13 Spring switch; selection of signal con- STANDARDS trol circuits through circuit controller. 236.201 Track-circuit control of signals. 236.14 Spring switch signal protection; re- 236.202 Signal governing movements over quirements. hand-operated switch. 236.15 Timetable instructions. 236.203 Hand operated crossover between 236.16 Electric lock, main track releasing main tracks; protection. circuit. 236.204 Track signaled for movements in 236.17 Pipe for operating connections, re- both directions, requirements. quirements. 236.205 Signal control circuits; require- 236.18 Software management control plan. ments. 236.206 Battery or power supply with respect OADWAY SIGNALS AND CAB SIGNALS R to relay; location. 236.21 Location of roadway signals. 236.207 Electric lock on hand-operated 236.22 Semaphore signal arm; clearance to switch; control. other objects. 236.23 Aspects and indications. Subpart C—Interlocking 236.24 Spacing of roadway signals. 236.25 [Reserved] STANDARDS 236.26 Buffing device, maintenance. 236.301 Where signals shall be provided. 236.302 Track circuits and route locking. TRACK CIRCUITS 236.303 Control circuits for signals, selec- 236.51 Track circuit requirements. tion through circuit controller operated 236.52 Relayed cut-section. by switch points or by switch locking 236.53 Track circuit feed at grade crossing. mechanism. 236.54 Minimum length of track circuit. 236.304 Mechanical locking or same protec- 236.55 Dead section; maximum length. tion effected by circuits.

683

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00693 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236 49 CFR Ch. II (10–1–11 Edition)

236.305 Approach or time locking. Subpart D—Traffic Control Systems 236.306 Facing point lock or switch-and-lock movement. STANDARDS 236.307 Indication locking. 236.401 Automatic block signal system and 236.308 Mechanical or electric locking or interlocking standards applicable to traf- electric circuits; requisites. fic control systems. 236.309 Loss of shunt protection; where re- 236.402 Signals controlled by track circuits quired. and control operator. 236.310 Signal governing approach to home 236.403 Signals at controlled point. signal. 236.404 Signals at adjacent control points. 236.311 Signal control circuits, selection 236.405 Track signaled for movements in through track relays or devices func- both directions, change of direction of tioning as track relays and through sig- traffic. nal mechanism contacts and time re- 236.406 [Reserved] leases at automatic interlocking. 236.407 Approach or time locking; where re- 236.312 Movable bridge, interlocking of sig- quired. nal appliances with bridge devices. 236.408 Route locking. 236.313 [Reserved] 236.409 [Reserved] 236.314 Electric lock for hand-operated 236.410 Locking, hand-operated switch; re- switch or derail. quirements.

RULES AND INSTRUCTIONS RULES AND INSTRUCTIONS 236.326 Mechanical locking removed or dis- 236.426 Interlocking rules and instructions arranged; requirement for permitting applicable to traffic control systems. train movements through interlocking. 236.327 Switch, movable-point frog or split- INSPECTION AND TESTS point derail. 236.476 Interlocking inspections and tests 236.328 Plunger of facing-point lock. applicable to traffic control systems. 236.329 Bolt lock. 236.330 Locking dog of switch-and-lock Subpart E—Automatic Train Stop, Train movement. 236.331–236.333 [Reserved] Control and Cab Signal Systems 236.334 Point detector. STANDARDS 236.335 Dogs, stops and trunnions of mechanical locking. 236.501 Forestalling device and speed con- 236.336 Locking bed. trol. 236.337 Locking faces of mechanical lock- 236.502 Automatic brake application, initi- ing; fit. ation by restrictive block conditions 236.338 Mechanical locking required in ac- stopping distance in advance. cordance with locking sheet and dog 236.503 Automatic brake application; initi- chart. ation when predetermined rate of speed 236.339 Mechanical locking; maintenance re- exceeded. quirements. 236.504 Operation interconnected with auto- 236.340 Electromechanical interlocking ma- matic block-signal system. chine; locking between electrical and 236.505 Proper operative relation between mechanical levers. parts along roadway and parts on loco- 236.341 Latch shoes, rocker links, and motive. quandrants. 236.506 Release of brakes after automatic 236.342 Switch circuit controller. application. 236.507 Brake application; full service. INSPECTION AND TESTS 236.508 Interference with application of brakes by means of brake valve. 236.376 Mechanical locking. 236.509 Two or more locomotives coupled. 236.377 Approach locking. 236.510 [Reserved] 236.378 Time locking. 236.511 Cab signals controlled in accordance 236.379 Route locking. with block conditions stopping distance 236.380 Indication locking. in advance. 236.381 Traffic locking. 236.512 Cab signal indication when loco- 236.382 Switch obstruction test. motive enters block where restrictive 236.383 Valve locks, valves, and valve conditions obtain. magnets. 236.513 Audible indicator. 236.384 Cross protection. 236.514 Interconnection of cab signal system 236.385 [Reserved] with roadway signal system. 236.386 Restoring feature on power switches. 236.515 Visibility of cab signals. 236.387 Movable bridge locking. 236.516 Power supply.

684

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00694 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236

RULES AND INSTRUCTIONS; ROADWAY 236.590 Pneumatic apparatus.

236.526 Roadway element not functioning Subpart F—Dragging Equipment and Slide properly. Detectors and Other Similar Protective 236.527 Roadway element insulation resist- Devices ance. 236.528 Restrictive condition resulting from STANDARDS open hand-operated switch; requirement. 236.601 Signals controlled by devices; loca- 236.529 Roadway element inductor; height tion. and distance from rail. 236.530 [Reserved] Subpart G—Definitions 236.531 Trip arm; height and distance from rail. 236.700 Definitions. 236.532 Strap iron inductor; use restricted. 236.701 Application, brake; full service. 236.702 Arm, semaphore. 236.533 [Reserved] 236.703 Aspect. 236.534 Entrance to equipped territory; re- 236.704 [Reserved] quirements. 236.705 Bar, locking. 236.706 Bed, locking. RULES AND INSTRUCTIONS; LOCOMOTIVES 236.707 Blade, semaphore. 236.551 Power supply voltage; requirement. 236.708 Block. 236.552 Insulation resistance; requirement. 236.709 Block, absolute. 236.553 Seal, where required. 236.710 Block, latch. 236.711 Bond, rail joint. 236.554 Rate of pressure reduction; equal- 236.712 Brake pipe. izing reservoir or brake pipe. 236.713 Bridge, movable. 236.555 Repaired or rewound receiver coil. 236.714 Cab. 236.556 Adjustment of relay. 236.715–236.716 [Reserved] 236.557 Receiver; location with respect to 236.717 Characteristics, operating. rail. 236.718 Chart, dog. 236.558–236.559 [Reserved] 236.719 Circuit, acknowledgment. 236.560 Contact element, mechanical trip 236.720 Circuit, common return. type; location with respect to rail. 236.721 Circuit, control. 236.561 [Reserved] 236.722 Circuit, cut-in. 236.723 Circuit, double wire; line. 236.562 Minimum rail current required. 236.724 Circuit, shunt fouling. 236.563 Delay time. 236.725 Circuit, switch shunting. 236.564 Acknowledging time. 236.726 Circuit, track. 236.565 Provision made for preventing oper- 236.727 Circuit, track; coded. ation of pneumatic break-applying appa- 236.728 Circuit, trap. ratus by double-heading cock; require- 236.729 Cock, double heading. ment. 236.730 Coil, receiver. 236.566 Locomotive of each train operating 236.731 Controller, circuit. in train stop, train control or cab signal 236.732 Controller, circuit; switch. territory; equipped. 236.733 Current, foreign. 236.567 Restrictions imposed when device 236.734 Current of traffic. 236.735 Current, leakage. fails and/or is cut out en route. 236.736 Cut-section. 236.568 Difference between speeds author- 236.737 Cut-section, relayed. ized by roadway signal and cab signal; 236.738 Detector, point. action required. 236.739 Device, acknowledging. 236.740 Device, reset. INSPECTION AND TESTS; ROADWAY 236.741 Distance, stopping. 236.576 Roadway element. 236.742 Dog, locking. 236.577 Test, acknowledgement, and cut-in 236.743 Dog, swing. circuits. 236.744 Element, roadway. 236.745 Face, locking. INSPECTION AND TESTS; LOCOMOTIVE 236.746 Feature, restoring. 236.747 Forestall. 236.586 Daily or after trip test. 236.748 [Reserved] 236.587 Departure test. 236.749 Indication. 236.588 Periodic test. 236.750 Interlocking, automatic. 236.589 Relays. 236.751 Interlocking, manual. 236.752 Joint, rail, insulated. 236.753 Limits, interlocking. 236.754 Line, open wire. 236.755 Link, rocker.

685

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00695 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236 49 CFR Ch. II (10–1–11 Edition)

236.756 Lock, bolt. 236.820 Switch, interlocked. 236.757 Lock, electric. 236.820a Switch, power-operated. 236.758 Lock, electric, forced drop. 236.821 Switch, sectionalizing. 236.759 Lock, facing point. 236.822 Switch, spring. 236.760 Locking, approach. 236.823 Switch, trailing point. 236.761 Locking, electric. 236.824 System, automatic block signal. 236.762 Locking, indication. 236.825 System, automatic train control. 236.763 Locking, latch operated. 236.826 System, automatic train stop. 236.764 Locking, lever operated. 236.827 System, block signal. 236.765 Locking, mechanical. 236.828 System, traffic control. 236.766 Locking, movable bridge. 236.829 Terminal, initial. 236.767 Locking, route. 236.830 Time, acknowledging. 236.768 Locking, time. 236.831 Time, delay. 236.769 Locking, traffic. 236.831a Track, main. 236.770 Locomotive. 236.832 Train. 236.771 Machine, control. 236.833 Train, opposing. 236.772 Machine, interlocking. 236.834 Trip. 236.773 Movements, conflicting. 236.835 Trunking. 236.774 Movement, facing. 236.836 Trunnion. 236.775 Movement, switch-and-lock. 236.837 Valve, electro-pneumatic. 236.776 Movement, trailing. 236.838 Wire, shunt. 236.777 Operator, control. 236.778 Piece, driving. Subpart H—Standards for Processor-Based 236.779 Plate, top. Signal and Train Control Systems 236.780 Plunger, facing point lock. 236.781 [Reserved] 236.901 Purpose and scope. 236.782 Point, controlled. 236.903 Definitions. 236.783 Point, stop-indication. 236.905 Railroad Safety Program Plan 236.784 Position, deenergized. (RSPP). 236.785 Position, false restrictive. 236.907 Product Safety Plan (PSP). 236.786 Principle, closed circuit. 236.909 Minimum performance standard. 236.787 Protection, cross. 236.911 Exclusions. 236.913 Filing and approval of PSPs. 236.787a Railroad. 236.915 Implementation and operation. 236.788 Receiver. 236.917 Retention of records. 236.789 Relay, timing. 236.919 Operations and Maintenance Man- 236.790 Release, time. ual. 236.791 Release, value. 236.921 Training and qualification program, 236.792 Reservoir, equalizing. general. 236.793 Rod, lock. 236.923 Task analysis and basic require- 236.794 Rod, up-and-down. ments. 236.795 Route. 236.925 Training specific to control office 236.796 Routes, conflicting. personnel. 236.797 Route, interlocked. 236.927 Training specific to locomotive engi- 236.798 Section, dead. neers and other operating personnel. 236.799 Section, fouling. 236.929 Training specific to roadway work- 236.800 Sheet, locking. ers. 236.801 Shoe, latch. 236.802 Shunt. Subpart I—Positive Train Control Systems 236.802a Siding. 236.803 Signal, approach. 236.1001 Purpose and scope. 236.804 Signal, block. 236.1003 Definitions. 236.805 Signal, cab. 236.1005 Requirements for Positive Train 236.806 Signal, home. Control systems. 236.807 Signal, interlocking. 236.1006 Equipping locomotives operating in 236.808 Signals, opposing. PTC territory. 236.809 Signal, slotted mechanical. 236.1007 Additional requirements for high- 236.810 Spectacle, semaphore arm. speed service. 236.811 Speed, medium. 236.1009 Procedural requirements. 236.812 Speed, restricted. 236.1011 PTC Implementation Plan content 236.813 Speed, slow. requirements. 236.813a State, most restrictive. 236.1013 PTC Development Plan and Notice 236.814 Station, control. of Product Intent content requirements 236.815 Stop. and Type Approval. 236.816 Superiority of trains. 236.1015 PTC Safety Plan content require- 236.817 Switch, electro-pneumatic. ments and PTC System Certification. 236.818 Switch, facing point. 236.1017 Independent third party 236.819 Switch, hand operated. Verification and Validation.

686

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00696 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.0

236.1019 Main line track exceptions. (c)(1) Prior to January 17, 2012, where 236.1020 Exclusion of track segments for im- a passenger train is operated at a speed plementation due to cessation of PIH of 60 or more miles per hour, or a materials service or rerouting. 236.1021 Discontinuances, material modi- freight train is operated at a speed of fications, and amendments. 50 or more miles per hour— 236.1023 Errors and malfunctions. (i) A block signal system complying 236.1025 [Reserved] with the provisions of this part shall be 236.1027 PTC system exclusions. installed; or 236.1029 PTC system use and en route fail- (ii) A manual block system shall be ures. placed permanently in effect that shall 236.1031 Previously approved PTC systems. 236.1033 Communications and security re- conform to the following conditions: quirements. (A) A passenger train shall not be ad- 236.1035 Field testing requirements. mitted to a block occupied by another 236.1037 Records retention. train except when absolutely necessary 236.1039 Operations and Maintenance Man- and then only by operating at re- ual. stricted speed; 236.1041 Training and qualification program, (B) No train shall be admitted to a general. 236.1043 Task analysis and basic require- block occupied by a passenger train ex- ments. cept when absolutely necessary and 236.1045 Training specific to office control then only by operating at restricted personnel. speed; 236.1047 Training specific to locomotive en- (C) No train shall be admitted to a gineers and other operating personnel. block occupied by an opposing train ex- 236.1049 Training specific to roadway work- cept when absolutely necessary and ers. then only while one train is stopped APPENDIX A TO PART 236—CIVIL PENALTIES and the other is operating at restricted APPENDIX B TO PART 236—APPENDIX B TO PART 236—RISK ASSESSMENT CRITERIA speed; and APPENDIX C TO PART 236—SAFETY ASSURANCE (D) A freight train, including a work CRITERIA AND PROCESSES train, may be authorized to follow a APPENDIX D TO PART 236—INDEPENDENT RE- freight train, including a work train, VIEW OF VERIFICATION AND VALIDATION into a block and then only when the APPENDIX E TO PART 236—HUMAN-MACHINE following train is operating at re- INTERFACE (HMI) DESIGN stricted speed. APPENDIX F TO PART 236—MINIMUM REQUIRE- MENTS OF FRA DIRECTED INDEPENDENT (2) On and after January 17, 2012, THIRD-PARTY ASSESSMENT OF PTC SYS- where a passenger train is permitted to TEM SAFETY VERIFICATION AND VALIDA- operate at a speed of 60 or more miles TION per hour, or a freight train is permitted AUTHORITY: 49 U.S.C. 20102–20103, 20107, to operate at a speed of 50 or more 20133, 20141, 20157, 20301–20303, 20306, 20501– miles per hour, a block signal system 20505, 20701–20703, 21301–21302, 21304; 28 U.S.C. complying with the provisions of this 2461, note; and 49 CFR 1.49. part shall be installed, unless an FRA SOURCE: 33 FR 19684, Dec. 25, 1968, unless approved PTC system meeting the re- otherwise noted. quirements of this part for the subject speed and other operating conditions is § 236.0 Applicability, minimum re- installed. quirements, and penalties. (d)(1) Prior to December 31, 2015, (a) Except as provided in paragraph where any train is permitted to operate (b) of this section, this part applies to at a speed of 80 or more miles per hour, all railroads and any person as defined an automatic cab signal, automatic in paragraph (f) of this section. train stop, or automatic train control (b) This part does not apply to— system complying with the provisions (1) A railroad that operates only on of this part shall be installed, unless an track inside an installation that is not FRA approved PTC system meeting the part of the general railroad system of requirements of this part for the sub- transportation; or ject speed and other operating condi- (2) Rapid transit operations in an tions, is installed. urban area that are not connected to (2) On and after December 31, 2015, the general railroad system of trans- where any train is permitted to operate portation. at a speed of 80 or more miles per hour,

687

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00697 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.0 49 CFR Ch. II (10–1–11 Edition)

a PTC system complying with the pro- part for a statement of agency civil visions of subpart I shall be installed penalty policy. and operational, unless FRA approval (g) A person may also be subject to to continue to operate with an auto- criminal penalties for knowingly and matic cab signal, automatic train stop, wilfully making a false entry in a or automatic train control system record or report required to be made complying with the provisions of this under this part, filing a false record or part has been justified to, and approved report, or violating any of the provi- by, the Associate Administrator. sions of 49 U.S.C. 21311. (3) Subpart H of this part sets forth (h) The requirements of subpart H of requirements for voluntary installa- this part apply to safety-critical proc- tion of PTC systems, and subpart I of this part sets forth requirements for essor-based signal and train control mandated installation of PTC systems, systems, including subsystems and each under conditions specified in their components thereof, developed under respective subpart. the terms and conditions of that sub- (e) Nothing in this section authorizes part. the discontinuance of a block signal (i) Preemptive effect. (1) Under 49 system, interlocking, traffic control U.S.C. 20106, issuance of these regula- system, automatic cab signal, auto- tions preempts any state law, regula- matic train stop or automatic train tion, or order covering the same sub- control system, or PTC system, with- ject matter, except an additional or out approval by the FRA under part 235 more stringent law, regulation, or of this title. However, a railroad may order that is necessary to eliminate or apply for approval of discontinuance or reduce an essentially local safety or se- material modification of a signal or curity hazard; is not incompatible with train control system in connection a law, regulation, or order of the with a request for approval of a Posi- United States Government; and that tive Train Control Development Plan does not impose an unreasonable bur- (PTCDP) or Positive Train Control den on interstate commerce. Safety Plan (PTCSP) as provided in (2) This part establishes federal subpart I of this part. standards of care for railroad signal (f) Any person (an entity of any type and train control systems. This part covered under 1 U.S.C. 1, including but not limited to the following: a railroad; does not preempt an action under state a manager, supervisor, official, or law seeking damages for personal in- other employee or agent of a railroad; jury, death, or property damage alleg- any owner, manufacturer, lessor, or ing that a party has failed to comply lessee of railroad equipment, track, or with the federal standard of care estab- facilities; any independent contractor lished by this part, including a plan or providing goods or services to a rail- program required by this part. Provi- road; and any employee of such owner, sions of a plan or program which ex- manufacturer, lessor, lessee, or inde- ceed the requirements of this part are pendent contractor) who violates any not included in the federal standard of requirement of this part or causes the care. violation of any such requirement is (3) Under 49 U.S.C. 20701–20703, subject to a civil penalty of at least issuance of these regulations preempts $650 and not more than $25,000 per vio- the field of locomotive safety, extend- lation, except that: Penalties may be ing to the design, the construction, and assessed against individuals only for the material of every part of the loco- willful violations, and, where a grossly motive and tender and all appur- negligent violation or a pattern of re- tenances thereof. peated violations has created an immi- nent hazard of death or injury to per- [49 FR 3382, Jan. 26, 1984, as amended at 53 sons, or has caused death or injury, a FR 52936, Dec. 29, 1988; 63 FR 11624, Mar. 10, penalty not to exceed $100,000 per viola- 1998; 69 FR 30595, May 28, 2004; 70 FR 11095, tion may be assessed. Each day a viola- Mar. 7, 2005; 72 FR 51198, Sept. 6, 2007; 73 FR tion continues shall constitute a sepa- 79704, Dec. 30, 2008; 75 FR 2698, Jan. 15, 2010] rate offense. See appendix A to this

688

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00698 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.10

Subpart A—Rules and Instructions: the point, or with facing-point lock and All Systems circuit controller, shall be so maintained that when point is open one- GENERAL fourth inch or more on facing-point switch and three-eights inch or more § 236.1 Plans, where kept. on trailing-point switch, track or con- As required for maintenance, plans trol circuits will be opened or shunted shall be kept at all interlockings, auto- or both, and if equipped with facing- matic signals and controlled points. point lock with circuit controller, Plans shall be legible and correct. switch cannot be locked. On such hand- [49 FR 3382, Jan. 26, 1984] operated switch, switch circuit controllers, facing-point locks, switch-and- § 236.2 Grounds. lock movements, and their connections Each circuit, the functioning of shall be securely fastened in place, and which affects the safety of train oper- contacts maintained with an opening ations, shall be kept free of any ground of not less than one-sixteenth inch or combination of grounds which will when open. permit a flow of current equal to or in excess of 75 percent of the release value § 236.7 Circuit controller operated by of any relay or other electromagnetic switch-and-lock movement. device in the circuit, except circuits Circuit controller operated by which include any track rail and ex- switch-and-lock movement shall be cept the common return wires of sin- maintained so that normally open con- gle-wire, single-break, signal control circuits using a grounded common, and tacts will remain closed and normally alternating current power distribution closed contacts will remain open until circuits which are grounded in the in- the switch is locked. terest of safety. § 236.8 Operating characteristics of § 236.3 Locking of signal apparatus electromagnetic, electronic, or elec- housings. trical apparatus. Signal apparatus housings shall be Signal apparatus, the functioning of secured against unauthorized entry. which affects the safety of train oper- [49 FR 3382, Jan. 26, 1984] ation, shall be maintained in accordance with the limits within which the § 236.4 Interference with normal func- device is designed to operate. tioning of device. [49 FR 3382, Jan. 26, 1984] The normal functioning of any device shall not be interfered with in testing § 236.9 Selection of circuits through in- or otherwise without first taking meas- dicating or annunciating instru- ures to provide for safety of train oper- ments. ation which depends on normal func- Signal control and electric locking tioning of such device. circuits shall not be selected through [49 FR 3382, Jan. 26, 1984] the contacts of instruments designed primarily for indicating or annun- § 236.5 Design of control circuits on closed circuit principle. ciating purposes in which an indicating element attached to the armature is All control circuits the functioning arranged so that it can in itself cause of which affects safety of train oper- improper operation of the armature. ation shall be designed on the closed circuit principle, except circuits for § 236.10 Electric locks, force drop type; roadway equipment of intermittent where required. automatic train stop system. Electric locks on new installations § 236.6 Hand-operated switch equipped and new electric locks applied to exist- with switch circuit controller. ing installations shall be of the forced Hand-operated switch equipped with drop type. switch circuit controller connected to

689

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00699 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.11 49 CFR Ch. II (10–1–11 Edition)

§ 236.11 Adjustment, repair, or replace- § 236.14 Spring switch signal protec- ment of component. tion; requirements. When any component of a signal sys- (a) The indication of signal governing tem, the proper functioning of which is movements from siding to main track essential to the safety of train oper- with the current of traffic on track sig- ation, fails to perform its intended signaled for movements in only one direc- naling function or is not in correspond- tion through a spring switch in auto- ence with known operating conditions, matic block signal territory shall be the cause shall be determined and the not less restrictive than ‘‘Proceed at faulty component adjusted, repaired or Restricted Speed’ when the block, into replaced without undue delay. which movements are governed by the signal, is occupied, and shall be ‘‘Stop’’ [49 FR 3382, Jan. 26, 1984] when the main track is occupied by a train approaching the switch within at § 236.12 Spring switch signal protection; where required. least 1,500 feet in approach of the approach signal located stopping distance Signal protection shall be provided from the main track signal governing for facing and trailing movements trailing movements over switch, except through spring switch within inter- that the indication may be caused to locking limits and through spring be less restrictive if approach or time switch installed in automatic block locking is used. signal, train stop, train control or cab (b) The indication of signal governing signal territory where train move- movements against the current of traf- ments over the switch are made at a fic from the reverse main of main speed exceeding 20 miles per hour, ex- tracks to a single track, or signal gov- cept that signal protection shall be re- erning movements from a siding to a quired only with the current of traffic main track signaled for movements in on track signaled for movement in only either direction, through a spring one direction. switch, in automatic block signal terri-

NOTE: Does not apply to spring switch in- tory, shall be not less restrictive than stalled prior to October 1, 1950 in automatic ‘‘Proceed at Restricted Speed’’ when block signal, automatic train stop, or auto- the block, into which movements are matic train control territory. governed by the signal, is occupied by a preceding train, and shall be ‘‘Stop’’ [49 FR 3383, Jan. 26, 1984] when the block on the single track into § 236.13 Spring switch; selection of sig- which the signal governs is occupied by nal control circuits through circuit an opposing train. controller. (c) The indication of signal governing The control circuits of signals gov- movements against the current of traffic from the reverse main of main erning facing movements over a main tracks to a single track or signal gov- track spring switch shall be selected erning movements from a siding to a through the contacts of a switch cir- main track signaled for movements in cuit controller, or through the con- either direction through a spring tacts of relay repeating the position of switch in automatic block signal terri- such circuit controller, which, when tory shall be ‘‘Stop’’ when the normal normally closed switch point is open direction main track of the double one-fourth inch or more, will cause track or the single track signaled for such signals to display their most re- movements in both directions is occu- strictive aspects, except that where a pied by a train approaching the switch separate aspect is displayed for facing within at least 1,500 feet in approach of movements over the switch in the re- the approach signal located stopping verse position the signal shall display distance from the main track signal its most restrictive aspect when the governing trailing movements over switch points are open one-fourth inch switch, except that indication may be or more from either the normal or re- caused to be less restrictive if approach verse position. or time locking is used.

690

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00700 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.23

§ 236.15 Timetable instructions. railroad commencing operations after Automatic block, traffic control, June 6, 2005, shall adopt a software train stop, train control and cab signal management control plan for its signal territory shall be designated in time- and train control systems prior to com- table instructions. mencing operations. (b) Within 30 months of the comple- § 236.16 Electric lock, main track re- tion of the software management con- leasing circuit. trol plan, each railroad shall have fully When an electric lock releasing cir- implemented such plan. cuit is provided on the main track to (c) For purposes of this section, permit a train or an engine to diverge ‘‘software management control plan’’ from the main track without time means a plan designed to ensure that delay, the circuit shall be of such the proper and intended software length to permit occupancy of the cir- version for each specific site and loca- cuit to be seen by a crew member station is documented (mapped) and main- tioned at the switch. When the releas- tained through the life-cycle of the sys- ing circuit extends into the fouling cir- tem. The plan must further describe cuit, a train or engine on the siding shall be prevented from occupying the how the proper software configuration releasing circuit by a derail either is to be identified and confirmed in the pipe-connected to switch point or event of replacement, modification, or equipped with an independently oper- disarrangement of any part of the sys- ated electric lock. tem. [49 FR 3383, Jan. 26, 1984] [70 FR 11095, Mar. 7, 2005]

§ 236.17 Pipe for operating connec- ROADWAY SIGNALS AND CAB SIGNALS tions, requirements. (a) Steel or wrought-iron pipe one § 236.21 Location of roadway signals. inch or larger, or members of equal Each roadway signal shall be posi- strength, shall be used for operating tioned and aligned so that its aspects connections for switches, derails, mov- can be clearly associated with the able-point frogs, facing-point locks, track it governs. rail-locking devices of movable bridge protected by interlocking, and me- [49 FR 3383, Jan. 26, 1984] chanically operated signals, except up- and-down rod which may be three- § 236.22 Semaphore signal arm; clear- fourths inch pipe or solid rod. Pipe ance to other objects. shall be fully screwed into coupling and At least one-half inch clearance shall both ends of each pipe shall be riveted be provided between semaphore signal to pipe plug with 2 rivets. arm, and any object that may interfere (b) Pipeline shall not be out of align- with its operation. ment sufficiently to interfere with proper operation, shall be properly § 236.23 Aspects and indications. compensated for temperature changes, (a) Aspects shall be shown by the po- and supported on carriers spaced not sition of semaphore blades, color of more than 8 feet apart on tangent and lights, position of lights, flashing of curve of less than 2° and not more than lights, or any combination thereof. 7 feet apart on curve of 2° or more. With lever in any position, couplings in They may be qualified by marker plate, pipe line shall not foul carriers. number plate, letter plate, marker light, shape and color of semaphore [49 FR 3383, Jan. 26, 1984] blades or any combination thereof, subject to the following conditions: § 236.18 Software management control plan. (1) Night aspects of roadway signals, except qualifying appurtenances, shall (a) Within 6 months of June 6, 2005, be shown by lights; day aspects by each railroad shall develop and adopt a software management control plan for lights or semaphore arms. A single its signal and train control systems. A white light shall not be used.

691

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00701 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.24 49 CFR Ch. II (10–1–11 Edition)

(2) Reflector lenses or buttons or playing a restrictive aspect can be other devices which depend for visi- complied with by means of a brake ap- bility upon reflected light from an ex- plication, other than an emergency ap- ternal source shall not be used here- plication, initiated at such signal, ei- after in night aspects, except quali- ther by stopping at the signal where a fying appurtenances. stop is required, or by a reduction in (b) The aspects of cab signals shall be speed to the rate prescribed by the next shown by lights or by illuminated let- signal in advance where reduced speed ters or numbers. is required. (c) Each aspect displayed by a signal shall be identified by a name and shall § 236.25 [Reserved] indicate action to be taken. Only one name and indication shall apply to § 236.26 Buffing device, maintenance. those aspects indicating the same ac- Buffing device shall be maintained so tion to be taken; the same aspect shall as not to cause the signal to display a not be used with any other name and less restrictive aspect than intended. indication. (d) The fundamental indications of TRACK CIRCUITS signal aspects shall conform to the following: § 236.51 Track circuit requirements. (1) A red light, a series of horizontal lights or a semaphore blade in a hori- Track relay controlling home signals zontal position shall be used to indi- shall be in deenergized position, or de- cate stop. vice that functions as a track relay (2) A yellow light, a lunar light, or a controlling home signals shall be in its series of lights or a semaphore blade in most restrictive state, and the track the upper or lower quadrant at an circuit of an automatic train stop, angle of approximately 45 degrees to train control, or cab signal system the vertical, shall be used to indicate shall be deenergized in the rear of the that speed is to be restricted and stop point where any of the following condi- may be required. tions exist: (3) A green light, a series of vertical (a) When a rail is broken or a rail or lights, or a semaphore blade in a switch-frog is removed except when a vertical position in the upper quadrant rail is broken or removed in the shunt or 60° or 90° in the lower quadrant shall fouling circuit of a turnout or cross- be used to indicate proceed at author- over, provided, however, that shunt ized speed. fouling circuit may not be used in a (e) The names, indications, and as- turnout through which permissible pects of roadway and cab signals shall speed is greater than 45 miles per hour. be defined in the carrier’s Operating It shall not be a violation of this re- Rule Book or Special Instructions. quirement if a track circuit is ener- Modifications shall be filed with the gized: FRA within thirty days after such (1) When a break occurs between the modifications become effective. end of rail and track circuit connector; (f) The absence of a qualifying appur- within the limits of rail-joint bond, ap- tenance, the failure of a lamp in a light pliance or other protective device, signal, or a false restrictive position of which provides a bypath for the elec- an arm of a semaphore signal shall not tric current, or cause the display of a less restrictive (2) As result of leakage current or aspect than intended. foreign current in the rear of a point [33 FR 19684, Dec. 25, 1968, as amended at 49 where a break occurs. FR 3383, Jan. 26, 1984] (b) When a train, locomotive, or car occupies any part of a track circuit, in- § 236.24 Spacing of roadway signals. cluding fouling section of turnout ex- Each roadway signal shall be located cept turnouts of hand-operated main with respect to the next signal or sig- track crossover. It shall not be a viola- nals in advance which govern train tion of this requirement where the movements in the same direction so presence of sand, rust, dirt, grease, or that the indication of a signal dis- other foreign matter prevents effective

692

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00702 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.60

shunting, except that where such con- § 236.56 Shunting sensitivity. ditions are known to exist adequate Each track circuit controlling home measures to safeguard train operation signal or approach locking shall be so must be taken. maintained that track relay is in deen- (c) Where switch shunting circuit is ergized position, or device that func- used: tions as a track relay shall be in its (1) Switch point is not closed in nor- most restrictive state if, when track mal position. circuit is dry, a shunt of 0.06 ohm re- (2) A switch is not locked where fac- sistance is connected across the track ing-point lock with circuit controller rails of the circuit, including fouling is used. (3) An independently operated foul- sections of turnouts. ing-point derail equipped with switch [49 FR 3383, Jan. 26, 1984] circuit controller is not in derailing position. § 236.57 Shunt and fouling wires. [33 FR 19684, Dec. 25, 1968, as amended at 49 (a) Except as provided in paragraph FR 3383, Jan. 26, 1984] (b) of this section, shunt wires and fouling wires hereafter installed or re- § 236.52 Relayed cut-section. placed shall consist of at least two dis- Where relayed cut-section is used in crete conductors, and each shall be of territory where noncoded direct-cur- sufficient conductivity and maintained rent track circuits are in use the en- in such condition that the track relay ergy circuit to the adjoining track will be in deenergized position, or de- shall be open and the track circuit vice that functions as a track relay shunted when the track relay at such will be in its most restrictive state, cut-section is in deenergized position. when the circuit is shunted. (b) This rule does not apply to shunt § 236.53 Track circuit feed at grade wires where track or control circuit is crossing. opened by the switch circuit controller. At grade crossing with an electric [49 FR 3383, Jan. 26, 1984] railroad where foreign current is present, the electric energy for § 236.58 Turnout, fouling section. noncoded direct current track circuit shall feed away from the crossing. Rail joints within the fouling section shall be bonded, and fouling section § 236.54 Minimum length of track cir- shall extend at least to a point where cuit. sufficient tract centers and allowance When a track circuit shorter than for maximum car overhang and width maximum inner wheelbase of any loco- will prevent interference with train, lo- motive or car operated over such track comotive, or car movement on the ad- circuit is used for control of signaling jacent track. facilities, other means shall be used to [49 FR 3383, Jan. 26, 1984] provide the equivalent of track circuit protection. § 236.59 Insulated rail joints. [49 FR 3383, Jan. 26, 1984] Insulated rail joints shall be maintained in condition to prevent suffi- § 236.55 Dead section; maximum cient track circuit current from flow- length. ing between the rails separated by the Where dead section exceeds 35 feet, a insulation to cause a failure of any special circuit shall be installed. Where track circuit involved. shortest outer wheelbase of a locomotive operating over such dead sec- § 236.60 Switch shunting circuit; use tion is less than 35 feet, the maximum restricted. length of the dead section shall not ex- Switch shunting circuit shall not be ceed the length of the outer wheelbase hereafter installed, except where tract of such locomotive unless special cir- or control circuit is opened by the circuit is used. cuit controller. [49 FR 3383, Jan. 26, 1984] [49 FR 3384, Jan. 26, 1984]

693

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00703 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.71 49 CFR Ch. II (10–1–11 Edition)

WIRES AND CABLES tended function. Electronic device, relay, or other electromagnetic device § 236.71 Signal wires on pole line and which fails to meet the requirements of aerial cable. specified tests shall be removed from Signal wire on pole line shall be se- service, and shall not be restored to curely tied in on insulator properly fas- service until its operating characteris- tened to crossarm or bracket supported tics are in accordance with the limits by pole or other support. Signal wire within which such device or relay is de- shall not interfere with, or be inter- signed to operate. fered by, other wires on the pole line. [49 FR 3384, Jan. 26, 1984] Aerial cable shall be supported by mes- senger. § 236.102 Semaphore or searchlight signal mechanism. [49 FR 3384, Jan. 26, 1984] (a) Semaphore signal mechanism § 236.72 [Reserved] shall be inspected at least once every six months, and tests of the operating § 236.73 Open-wire transmission line; characteristics of all parts shall be clearance to other circuits. made at least once every two years. Open-wire transmission line oper- (b) Searchlight signal mechanism ating at voltage of 750 volts or more shall be inspected, and the mechanical shall be placed not less than 4 feet movement shall be observed while op- above the nearest crossarm carrying erating the mechanism to all positions, signal or communication circuits. at least once every six months. Tests of the operating characteristics shall be § 236.74 Protection of insulated wire; made at least once every two years. splice in underground wire. [49 FR 3384, Jan. 26, 1984] Insulated wire shall be protected from mechanical injury. The insulation § 236.103 Switch circuit controller or shall not be punctured for test pur- point detector. poses. Splice in underground wire shall Switch circuit controller, circuit have insulation resistance at least controller, or point detector operated equal to the wire spliced. by hand-operated switch or by power- operated or mechanically-operated § 236.75 [Reserved] switch-and-lock movement shall be inspected and tested at least once every § 236.76 Tagging of wires and interference of wires or tags with signal three months. apparatus. [49 FR 3384, Jan. 26, 1984] Each wire shall be tagged or otherwise so marked that it can be identi- § 236.104 Shunt fouling circuit. fied at each terminal. Tags and other Shunt fouling circuit shall be in- marks of identification shall be made spected and tested at least once every of insulating material and so arranged three months. that tags and wires do not interfere with moving parts of apparatus. § 236.105 Electric lock. Electric lock, except forced-drop [49 FR 3384, Jan. 26, 1984] type, shall be tested at least once every INSPECTIONS AND TESTS; ALL SYSTEMS two years.

§ 236.101 Purpose of inspection and § 236.106 Relays. tests; removal from service of relay Each relay, the functioning of which or device failing to meet test re- affects the safety of train operations, quirements. shall be tested at least once every four The following inspections and tests years except: shall be made in accordance with speci- (a) Alternating current centrifugal fications of the carrier, subject to ap- type relay shall be tested at least once proval of the FRA, to determine if the every 12 months; apparatus and/or equipment is main- (b) Alternating current vane type tained in condition to perform its in- relay and direct current polar type

694

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00704 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.110

relay shall be tested at least once be maintained at not less than 90 per- every 2 years; and cent of the predetermined time inter- (c) Relay with soft iron magnetic val, which shall be shown on the plans structure shall be tested at least once or marked on the time release, timing every 2 years. relay, or timing device. [49 FR 3384, Jan. 26, 1984] [49 FR 3384, Jan. 26, 1984]

§ 236.107 Ground tests. § 236.110 Results of tests. (a) Except as provided in paragraph (a) Results of tests made in compli- (b) of this section, a test for grounds on ance with §§ 236.102 to 236.109, inclusive; each energy bus furnishing power to 236.376 to 236.387, inclusive; 236.576; circuits, the functioning of which af- 236.577; 236.586 to 236.589, inclusive; and fects the safety of train operation, 236.917(a) must be recorded on shall be made when such energy bus is preprinted forms provided by the rail- placed in service, and shall be made at road or by electronic means, subject to least once every three months there- approval by the FRA Associate Admin- after. istrator for Safety. These records must (b) The provisions of this rule shall show the name of the railroad, place not apply to track circuit wires, com- and date, equipment tested, results of mon return wires of grounded common tests, repairs, replacements, adjust- single-break circuits, or alternating ments made, and condition in which current power distribution circuits the apparatus was left. Each record grounded in the interest of safety. must be: (1) Signed by the employee making [49 FR 3384, Jan. 26, 1984] the test, or electronically coded or § 236.108 Insulation resistance tests, identified by number of the automated wires in trunking and cables. test equipment (where applicable); (2) Unless otherwise noted, filed in (a) Insulation resistance of wires and the office of a supervisory official hav- cables, except wires connected directly ing jurisdiction; and to track rails, shall be tested when (3) Available for inspection and rep- wires, cables, and insulation are dry. lication by FRA and FRA-certified Insulation resistance tests shall be State inspectors. made between all conductors and (b) Results of tests made in compli- ground, and between conductors in ance with § 236.587 must be retained for each multiple conductor cable, and be- 92 days. tween conductors in trunking, when (c) Results of tests made in compli- wires or cables are installed and at ance with § 236.917(a) must be retained least once every ten years thereafter. as follows: (b) Then insulation resistance of wire (1) Results of tests that pertain to in- or cable is found to be less than 500,000 stallation or modification must be re- ohms, prompt action shall be taken to tained for the life-cycle of the equip- repair or replace the defective wire or ment tested and may be kept in any of- cable and until such defective wire or fice designated by the railroad; and cable is replaced, insulation resistance (2) Results of periodic tests required test shall be made annually. for maintenance or repair of the equip- (c) In no case shall a circuit be per- ment tested must be retained until the mitted to function on a conductor hav- next record is filed but in no case less ing an insulation resistance to ground than one year. or between conductors of less than (d) Results of all other tests listed in 200,000 ohms during the period required this section must be retained until the for repair or replacement. next record is filed but in no case less [49 FR 3384, Jan. 26, 1984] than one year. (e) Electronic or automated tracking § 236.109 Time releases, timing relays systems used to meet the requirements and timing devices. contained in paragraph (a) of this sec- Time releases, timing relays and tim- tion must be capable of being reviewed ing devices shall be tested at least once and monitored by FRA at any time to every twelve months. The timing shall ensure the integrity of the system.

695

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00705 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.201 49 CFR Ch. II (10–1–11 Edition)

FRA’s Associate Administrator for (a) An arrangement of one or more Safety may prohibit or revoke a rail- track circuits and switch circuit con- road’s authority to utilize an elec- trollers, tronic or automated tracking system (b) Facing point locks on both in lieu of preprinted forms if FRA finds switches of the crossover, with both that the electronic or automated locks operated by a single lever, or tracking system is not properly se- (c) Electric locking of the switches of cured, is inaccessible to FRA, FRA-cer- the crossover. Signals governing move- tified State inspectors, or railroad em- ments over either switch shall display ployees requiring access to discharge their most restrictive aspect when any their assigned duties, or fails to ade- of the following conditions exist: quately track and monitor the equip- (1) Where protection is provided by ment. The Associate Administrator for one or more track circuits and switch Safety will provide the affected rail- circuit controllers, and either switch is road with a written statement of the open or the crossover is occupied by a basis for his or her decision prohibiting train, locomotive or car in such a man- or revoking the railroad from utilizing ner as to foul the main track. It shall an electronic or automated tracking not be a violation of this requirement system. where the presence of sand, rust, dirt, grease or other foreign matter on the [70 FR 11095, Mar. 7, 2005] rail prevents effective shunting; (2) Where facing point locks with a Subpart B—Automatic Block single lever are provided, and either Signal Systems switch is unlocked; (3) Where the switches are elec- STANDARDS trically locked, before the electric locking releases. § 236.201 Track-circuit control of signals. § 236.204 Track signaled for movements in both directions, require- The control circuits for home signal ments. aspects with indications more favorable than ‘‘proceed at restricted speed’’ On track signaled for movements in shall be controlled automatically by both directions, a train shall cause one track circuits extending through the or more opposing signals immediately ahead of it to display the most restric- entire block. tive aspect, the indication of which § 236.202 Signal governing movements shall be not more favorable than ‘‘pro- over hand-operated switch. ceed at restricted speed.’’ Signals shall be so arranged and controlled that if Signal governing movements over opposing trains can simultaneously hand-operated switch in the facing di- pass signals displaying proceed aspects rection shall display its most restric- and the next signal in advance of each tive aspect when the points are open such signal then displays an aspect re- one-fourth inch or more and, in the quiring a stop, or its most restrictive trailing direction, three-eighths inch aspect, the distance between opposing or more, except that where a separate signals displaying such aspects shall be aspect is displayed for facing move- not less than the aggregate of the stop- ments over the switch in the normal ping distances for movements in each and in the reverse position, the signal direction. Where such opposing signals shall display its most restrictive aspect are spaced stopping distance apart for when the switch points are open one- movements in one direction only, sig- fourth inch or more from either the nals arranged to display restrictive as- normal or reverse position. pects shall be provided in approach to at least one of the signals. Where such § 236.203 Hand operated crossover be- opposing signals are spaced less than tween main tracks; protection. stopping distance apart for movements At hand-operated crossover between in one direction, signals arranged to main tracks, protection shall be pro- display restrictive aspects shall be provided by one of the following: vided in approach to both such signals.

696

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00706 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.303

In absolute permissive block signaling, Subpart C—Interlocking when a train passes a head block signal, it shall cause the opposing head STANDARDS block signal to display an aspect with an indication not more favorable than § 236.301 Where signals shall be pro- ‘‘stop.’’ vided. Signals shall be provided to govern [33 FR 19684, Dec. 25, 1968, as amended at 49 FR 3384, Jan. 26, 1984] train movements into and through interlocking limits, except that a sig- § 236.205 Signal control circuits; re- nal shall not be required to govern quirements. movements over a hand-operated switch into interlocking limits if the The circuits shall be so installed that switch is provided with an electric lock each signal governing train movements and a derail at the clearance point, ei- into a block will display its most re- ther pipe-connected to the switch or strictive aspect when any of the fol- independently locked, electrically. lowing conditions obtain within the Electric locks installed under this rule block: must conform to the time and ap- (a) Occupancy by a train, locomotive, proach locking requirements of Rule or car, 314 (without reference to the 20-mile (b) When points of a switch are not exceptions), and those of either Rule closed in proper position, 760 or Rule 768, as may be appropriate. (c) When an independently operated fouling point derail equipped with § 236.302 Track circuits and route switch circuit controller is not in de- locking. railing position, Track circuits and route locking (d) When a track relay is in de-ener- shall be provided and shall be effective gized position or a device which func- when the first pair of wheels of a loco- tions as a track relay is in its most re- motive or a car passes a point not more strictive state; or when signal control than 13 feet in advance of the signal circuit is deenergized. governing its movement, measured from the center of the mast, or if there [33 FR 19684, Dec. 25, 1968, as amended at 49 is no mast, from the center of the sig- FR 3385, Jan. 26, 1984] nal. § 236.206 Battery or power supply with [49 FR 3385, Jan. 26, 1984] respect to relay; location. § 236.303 Control circuits for signals, The battery or power supply for each selection through circuit controller signal control relay circuit, where an operated by switch points or by open-wire circuit or a common return switch locking mechanism. circuit is used, shall be located at the The control circuit for each aspect end of the circuit farthest from the with indication more favorable than relay. ‘‘proceed at restricted speed’’ of power operated signal governing movements § 236.207 Electric lock on hand-oper- over switches, movable-point frogs and ated switch; control. derails shall be selected through cir- Electric lock on hand-operated cuit controller operated directly by switch shall be controlled so that it switch points or by switch locking cannot be unlocked until control cir- mechanism, or through relay con- cuits of signals governing movements trolled by such circuit controller, for over such switch have been opened. Ap- each switch, movable-point frog, and proach or time locking shall be pro- derail in the routes governed by such vided. signal. Circuits shall be arranged so that such signal can display an aspect [49 FR 3385, Jan. 26, 1984] more favorable than ‘‘proceed at restricted speed,’’ only when each switch, movable-point frog, and derail in the route is in proper position.

697

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00707 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.304 49 CFR Ch. II (10–1–11 Edition)

§ 236.304 Mechanical locking or same showing by an individual carrier to allow op- protection effected by circuits. posing signals on the same track simultaneously to display aspects to proceed Mechanical locking, or the same pro- through an interlocking which is unat- tection effected by means of circuits, tended, provided that train movements in shall be provided. opposite directions on the same track between stations on either site of the inter- § 236.305 Approach or time locking. locking are not permitted at the same time. Approach or time locking shall be provided in connection with signals § 236.309 Loss of shunt protection; displaying aspects with indications where required. more favorable than ‘‘proceed at re- (a) A loss of shunt of 5 seconds or less stricted speed.’’ shall not permit an established route to be changed at an automatic inter- § 236.306 Facing point lock or switch- locking. and-lock movement. (b) A loss of shunt of 5 seconds or less Facing point lock or switch-and-lock shall not permit the release of the movement shall be provided for me- route locking circuit of each power-op- chanically operated switch, movable- erated switch hereafter installed. point frog, or split-point derail. [49 FR 3385, Jan. 26, 1984] § 236.307 Indication locking. Indication locking shall be provided § 236.310 Signal governing approach to home signal. for operative approach signals of the semaphore type, power-operated home A signal shall be provided on main signals, power-operated switches, mov- track to govern the approach with the able-point frogs and derails, and for all current of traffic to any home signal approach signals except light signals, except where the home signal is the all aspects of which are controlled by first signal encountered when leaving polar or coded track circuits or line yards or stations and authorized speed circuits so arranged that a single fault approaching such signal is not higher will not permit a more favorable aspect than slow speed. When authorized than intented to be displayed. speed between home signals on route governed is 20 miles per hour or less, an [49 FR 3385, Jan. 26, 1984] inoperative signal displaying an aspect § 236.308 Mechanical or electric lock- indicating ‘‘approach next signal pre- ing or electric circuits; requisites. pared to stop’’ may be used to govern the approach to the home signal. Mechanical or electric locking or electric circuits shall be installed to § 236.311 Signal control circuits, selec- prevent signals from displaying aspects tion through track relays or devices which permit conflicting movements functioning as track relays and except that opposing signals may dis- through signal mechanism contacts play an aspect indicating proceed at re- and time releases at automatic stricted speed at the same time on a interlocking. track used for switching movements (a) The control circuits for aspects only, by one train at a time. Manual with indications more favorable than interlocking in service as of the date of ‘‘proceed at restricted speed’’ shall be this part at which opposing signals on selected through track relays, or the same track are permitted simulta- through devices that function as track neously to display aspects authorizing relays, for all track circuits in the conflicting movements when inter- route governed. locking is unattended, may be contin- (b) At automatic interlocking, signal ued, provided that simultaneous train control circuits shall be selected (1) movements in opposite directions on through track relays, or devices that the same track between stations on ei- function as track relays, for all track ther side of the interlocking are not circuits in the route governed and in permitted. all conflicting routes within the inter- NOTE: Relief from the requirement of this locking; (2) through signal mechanism section will be granted upon an adequate contacts or relay contacts closed when

698

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00708 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.334

signals for such conflicting routes dis- locking is provided by electric locking play ‘‘stop’’ aspects; and (3) through or electric circuits, train movements normal contacts of time releases, time through the interlocking shall not be element relays, or timing devices for permitted until each switch, movable- such conflicting routes, or contacts of point frog or derail in the route is relays repeating the normal position or spiked, clamped or blocked in proper normal state of such time releases, position so that it cannot be moved by time element relays, or timing devices. its controlling lever, and then train movements shall not exceed restricted [49 FR 3385, Jan. 26, 1984] speed until the interlocking is restored § 236.312 Movable bridge, interlocking to normal operation. It will not be nec- of signal appliances with bridge de- essary to comply with this requirement vices. at interlockings where protection is in service in accordance with section 303, When movable bridge is protected by provided that the signal controls are interlocking the signal appliances shall arranged so that the signals cannot be so interlocked with bridge devices display an aspect the indication of that before a signal governing move- which is less restrictive than ‘‘proceed ments over the bridge can display an at restricted speed.’’ aspect to proceed the bridge must be locked and the track alined, with the § 236.327 Switch, movable-point frog or bridge locking members within one split-point derail. inch of their proper positions and with Switch, movable-point frog, or split- the track rail on the movable span point derail equipped with lock rod within three-eighths inch of correct shall be maintained so that it can not surface and alinement with rail seating be locked when the point is open three- device on bridge abutment or fixed eighths inch or more. span. Emergency bypass switches and devices shall be locked or sealed. [49 FR 3385, Jan. 26, 1984] [33 FR 19684, Dec. 25, 1968, as amended at 49 § 236.328 Plunger of facing-point lock. FR 3385, Jan. 26, 1984] Plunger of lever operated facing- § 236.313 [Reserved] point lock shall have at least 8-inch stroke. When lock lever is in unlocked § 236.314 Electric lock for hand-oper- position the end of the plunger shall ated switch or derail. clear the lock rod not more than one Electric lock shall be provided for inch. each hand-operated switch or derail § 236.329 Bolt lock. within interlocking limits, except where train movements are made at Bolt lock shall be so maintained that not exceeding 20 miles per hour. At signal governing movements over manually operated interlocking it switch or derail and displaying an as- shall be controlled by operator of the pect indicating stop cannot be operated machine and shall be unlocked only to display a less restrictive aspect after signals governing movements while derail is in derailing position, or over such switch or derail display as- when switch point is open one-half inch pects indicating stop. Approach or time or more. locking shall be provided. § 236.330 Locking dog of switch-and- RULES AND INSTRUCTIONS lock movement. Locking dog of switch-and-lock § 236.326 Mechanical locking removed movement shall extend through lock or disarranged; requirement for rod one-half inch or more in either nor- permitting train movements mal or reverse position. through interlocking. When mechanical locking of inter- §§ 236.331–236.333 [Reserved] locking machine is being changed or is removed from the machine, or locking § 236.334 Point detector. becomes disarranged or broken, unless Point detector shall be maintained so protection equivalent to mechanical that when switch mechanism is locked

699

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00709 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.335 49 CFR Ch. II (10–1–11 Edition)

in normal or reverse position, contacts nine-sixteenths inch when in reverse cannot be opened by manually applying position. force at the closed switch point. Point (2) Lever moving in arc. Moving lever detector circuit controller shall be more than 5 degrees. maintained so that the contacts will (c) Power machine—(1) Latch-operated not assume the position corresponding locking. Raising lever latch block to to switch point closure if the switch that bottom thereof is within seven point is prevented by an obstruction, thirty-seconds inch of top of quadrant. from closing to within one-fourth inch (2) Lever moving in horizontal plane. where latch-out device is not used, and Moving lever more than five-sixteenths to within three-eighths inch where latch-out device is used. inch when in normal position or more than nine-sixteenths inch when in re- § 236.335 Dogs, stops and trunnions of verse position. mechanical locking. (3) Lever moving in arc. Moving lever Driving pieces, dogs, stops and more than 5 degrees. trunnions shall be rigidly secured to locking bars. Swing dogs shall have full § 236.340 Electromechanical inter- and free movement. Top plates shall be locking machine; locking between maintained securely in place. electrical and mechanical levers. In electro-mechanical interlocking § 236.336 Locking bed. machine, locking between electric and The various parts of the locking bed, mechanical levers shall be maintained locking bed supports, and tappet stop so that mechanical lever cannot be op- rail shall be rigidly secured in place erated except when released by electric and alined to permit free operation of lever. locking. § 236.341 Latch shoes, rocker links, § 236.337 Locking faces of mechanical and quadrants. locking; fit. Latch shoes, rocker links, and quad- Locking faces shall fit squarely rants of Saxby and farmer machines against each other with a minimum en- shall be maintained so that locking gagement when locked of at least one- will not release if a downward force not half the designed locking face. exceeding a man’s weight is exerted on § 236.338 Mechanical locking required the rocker while the lever is in the in accordance with locking sheet mid-stroke position. and dog chart. § 236.342 Switch circuit controller. Mechanical locking shall be in accordance with locking sheet and dog Switch circuit controller connected chart currently in effect. at the point to switch, derail, or movable-point frog, shall be maintained so § 236.339 Mechanical locking, mainte- that its contacts will not be in position nance requirements. corresponding to switch point closure Locking and connections shall be when switch point is open one-fourth maintained so that, when a lever or inch or more. latch is mechanically locked the following will be prevented: INSPECTION AND TESTS (a) Mechanical machine—(1) Latch-operated locking. Raising lever latch block § 236.376 Mechanical locking. so that bottom thereof is within three- Mechanical locking in interlocking eighths inch of top of quadrant. machine shall be tested when new lock- (2) Lever-operated locking. Moving ing is installed; and thereafter when lever latch block more than three- change in locking is made, or locking eighths inch on top of quadrant. becomes disarranged, or tested at least (b) Electromechanical machine—(1) once every two years, whichever shall Lever moving in horizontal plant. Moving occur first. lever more than five-sixteenths inch when in normal position or more than [49 FR 3385, Jan. 26, 1984]

700

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00710 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.403

§ 236.377 Approach locking. valve magnets shall be tested at least once every year. Approach locking shall be tested when placed in service and thereafter [49 FR 3385, Jan. 26, 1984] when modified, disarranged, or at least once every two years, whichever shall § 236.384 Cross protection. occur first. Cross protection shall be tested at [49 FR 3385, Jan. 26, 1984] least once every six months.

§ 236.378 Time locking. [49 FR 3385, Jan. 26, 1984] Time locking shall be tested when § 236.385 [Reserved] placed in service and thereafter when modified, disarranged, or at least once § 236.386 Restoring feature on power every two years, whichever shall occur switches. first. Restoring feature on power switches [49 FR 3385, Jan. 26, 1984] shall be tested at least once every three months. § 236.379 Route locking. Route locking or other type of switch § 236.387 Movable bridge locking. locking shall be tested when placed in Movable bridge locking shall be test- service and thereafter when modified, ed at least once a year. disarranged, or at least once every two years, whichever shall occur first. Subpart D—Traffic Control Systems [49 FR 3385, Jan. 26, 1984] STANDARDS § 236.380 Indication locking. § 236.401 Automatic block signal sys- Indication locking shall be tested tem and interlocking standards ap- when placed in service and thereafter plicable to traffic control systems. when modified, disarranged, or at least once every two years, whichever shall The standards prescribed in §§ 236.201, occur first. to 236.203, inclusive, §§ 236.205, 236.206, 236.303, 236.307 and 236.309 to 236.311, in- [49 FR 3385, Jan. 26, 1984] clusive, shall apply to traffic control systems. § 236.381 Traffic locking. Traffic locking shall be tested when [49 FR 3385, Jan. 26, 1984] placed in service and thereafter when § 236.402 Signals controlled by track modified, disarranged, or at least once circuits and control operator. every two years, whichever shall occur first. The control circuits for home signal aspects with indications more favor- [49 FR 3385, Jan. 26, 1984] able than ‘‘proceed at restricted speed’’ shall be controlled by track circuits § 236.382 Switch obstruction test. extending through entire block. Also in Switch obstruction test of lock rod of addition, at controlled point they may each power-operated switch and lock be controlled by control operator, and, rod of each hand-operated switch at manually operated interlocking, equipped with switch-and-lock-move- they shall be controlled manually in ment shall be made when lock rod is cooperation with control operator. placed in service or changed out, but not less than once each month. § 236.403 Signals at controlled point. [49 FR 3385, Jan. 26, 1984] Signals at controlled point shall be so interconnected that aspects to pro- § 236.383 Valve locks, valves, and valve ceed cannot be displayed simulta- magnets. neously for conflicting movements, ex- Valve locks on valves of the non-cut- cept that opposing signals may display off type shall be tested at least once an aspect indicating ‘‘proceed at re- every three months, and valves and stricted speed’’ at the same time on a

701

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00711 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.404 49 CFR Ch. II (10–1–11 Edition)

track used for switching movements § 236.409 [Reserved] only, by one train at a time. § 236.410 Locking, hand-operated [49 FR 3386, Jan. 26, 1984] switch; requirements. § 236.404 Signals at adjacent control (a) Each hand-operated switch in points. main track shall be locked either elec- Signals at adjacent controlled points trically or mechanically in normal po- shall be so interconnected that aspects sition, except: to proceed on tracks signaled for move- (1) Where train speeds over the ments at greater than restricted speed switch do not exceed 20 miles per hour; cannot be displayed simultaneously for (2) Where trains are not permitted to conflicting movements. clear the main track; (3) Where a signal is provided to gov- § 236.405 Track signaled for move- ern train movements from the auxil- ments in both directions, change of iary track to the signaled track; or direction of traffic. (4) On a signaled siding without in- On track signaled for movements in termediate signals where the max- both directions, occupancy of the track imum authorized speed on the siding between opposing signals at adjacent does not exceed 30 miles per hour. controlled points shall prevent chang- (b) Approach or time locking shall be ing the direction of traffic from that provided and locking may be released which obtained at the time the track either automatically, or by the control became occupied, except that when a operator, but only after the control cir- train having left one controlled point cuits of signals governing movement in reaches a section of track immediately either direction over the switch and adjacent to the next controlled point which display aspects with indications at which switching is to be performed, more favorable than ‘‘proceed at re- an aspect permitting movement at not stricted speed’’ have been opened di- exceeding restricted speed may be dis- rectly or by shunting of track circuit. played into the occupied block. (c) Where a signal is used in lieu of electric or mechanical lock to govern § 236.406 [Reserved] movements from auxiliary track to signaled track, the signal shall not dis- § 236.407 Approach or time locking; play an aspect to proceed until after where required. the control circuits of signals gov- Approach or time locking shall be erning movement on main track in ei- provided for all controlled signals ther direction over the switch have where route or direction of traffic can been opened, and either the approach be changed. locking circuits to the switch are unoc- [49 FR 3386, Jan. 26, 1984] cupied or a predetermined time interval has expired.

§ 236.408 Route locking. NOTE: Railroads shall bring all hand-oper- Route locking shall be provided ated switches that are not electrically or where switches are power-operated. mechanically locked and that do not con- Route locking shall be effective when form to the requirements of this section on the first pair of wheels of a locomotive the effective date of this part into con- formity with this section in accordance with or car passes a point not more than 13 the following schedule: feet in advance of the signal governing Not less than 33% during calendar year its movement, measured from the cen- 1984. ter of the signal mast or, if there is no Not less than 66% during calendar year mast, from the center of the signal. 1985. The remainder during calendar year 1986. [49 FR 3386, Jan. 26, 1984] [33 FR 19684, Dec. 25, 1968, as amended at 49 FR 3386, Jan. 26, 1984; 75 FR 2699, Jan. 15, 2010]

702

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00712 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.504

RULES AND INSTRUCTIONS individual carrier where automatic train control systems now in service enforce speed § 236.426 Interlocking rules and in- restrictions higher than those required by structions applicable to traffic con- definitions in §§ 236.700 to 236.838 inclusive. trol systems. (3) Maximum-speed restriction, ef- The rules and instructions prescribed fecting an automatic brake application in §§ 236.327 and 236.328, § 236.330 to whenever the predetermined maximum § 236.334, inclusive, and § 236.342 shall speed limit is exceeded. apply to traffic control systems.

INSPECTION AND TESTS § 236.502 Automatic brake application, initiation by restrictive block condi- § 236.476 Interlocking inspections and tions stopping distance in advance. tests applicable to traffic control An automatic train-stop or train- systems. control system shall operate to initiate The inspections and tests prescribed an automatic brake application at in §§ 236.377 to 236.380, inclusive, and least stopping distance from the en- §§ 236.382, 236.383, and 236.386 shall apply trance to a block, wherein any condi- to traffic control systems. tion described in § 236.205 obtains, and [49 FR 3386, Jan. 26, 1984] at each main track signal requiring a reduction in speed. Subpart E—Automatic Train Stop, § 236.503 Automatic brake application; Train Control and Cab Signal initiation when predetermined rate Systems of speed exceeded. STANDARDS An automatic train control system shall operate to initiate an automatic § 236.501 Forestalling device and brake application when the speed of speed control. the train exceeds the predetermined (a) An automatic train stop system rate as required by the setting of the may include a device by means of speed control mechanism. which the automatic application of the brakes can be forestalled. § 236.504 Operation interconnected (b) Automatic train control system with automatic block-signal system. shall include one or more of the fol- (a) A continuous inductive automatic lowing features: train stop or train control system shall (1) Low-speed restriction, requiring operate in connection with an auto- the train to proceed under slow speed matic block signal system and shall be after it has either been stopped by an automatic application of the brakes, or so interconnected with the signal sys- under control of the engineman, its tem as to perform its intended function speed has been reduced to slow speed, in event of failure of the engineer to until the apparatus is automatically acknowledge or obey a restrictive way- restored to normal because the condi- side signal or a more restrictive cab tion which caused the restriction no signal. longer affects the movement of the (b) An intermittent inductive auto- train. matic train stop system shall operate (2) Medium-speed restriction, requir- in connection with an automatic block ing the train to proceed under medium signal system and shall be so inter- speed after passing a signal displaying connected with the signal system that an approach aspect or when approach- the failure of the engineer to acknowl- ing a signal requiring a stop, or a stop edge a restrictive wayside signal will indication point, in order to prevent an cause the intermittent inductive auto- automatic application of the brakes. matic train stop system to perform its NOTE: Relief from the requirements of intended function. paragraphs (b) (1) and (2) of this section will be granted, insofar as speed limits fixed by [49 FR 3386, Jan. 26, 1984] definitions of Slow and Medium speeds are concerned, upon an adequate showing by an

703

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00713 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.505 49 CFR Ch. II (10–1–11 Edition)

§ 236.505 Proper operative relation be- § 236.510 [Reserved] tween parts along roadway and parts on locomotive. § 236.511 Cab signals controlled in ac- Proper operative relation between cordance with block conditions stopping distance in advance. the parts along the roadway and the parts on the locomotive shall obtain The automatic cab signal system under all conditions of speed, weather, shall be arranged so that cab signals wear, oscillation, and shock. will be continuously controlled in accordance with conditions described in § 236.506 Release of brakes after auto- § 236.205 that obtain at least stopping matic application. distance in advance. The automatic train stop or train control apparatus shall prevent release § 236.512 Cab signal indication when locomotive enters block where re- of the brakes after automatic applica- strictive conditions obtain. tion until a reset device has been operated, or the speed of the train has been The automatic cab signal system reduced to a predetermined rate, or the shall be arranged so that when a loco- condition that caused the brake appli- motive enters or is within a block, cation no longer affects the movement wherein any condition described in of the train. If reset device is used it § 236.205 obtains, the cab signals shall shall be arranged so that the brakes indicate ‘‘Proceed at Restricted cannot be released until the train has Speed.’’ been stopped, or it shall be located so § 236.513 Audible indicator. that it cannot be operated by engineman without leaving his accus- (a) The automatic cab signal system tomed position in the cab. shall be so arranged that when the cab signal changes to display a more re- § 236.507 Brake application; full serv- strictive aspect, an audible indicator ice. will sound continuously until silenced The automatic train stop or train by manual operation of an acknowl- control apparatus shall, when operated, edging device. cause a full service application of the (b) The audible cab indicator of auto- brakes. matic cab signal, automatic train stop, or automatic train control system § 236.508 Interference with application shall have a distinctive sound and be of brakes by means of brake valve. clearly audible throughout the cab The automatic train stop, train con- under all operating conditions. trol, or cab signal apparatus shall be so [49 FR 3386, Jan. 26, 1984] arranged as not to interfere with the application of the brakes by means of § 236.514 Interconnection of cab signal the brake valve and not to impair the system with roadway signal system. efficiency of the brake system. The automatic cab signal system [49 FR 3386, Jan. 26, 1984] shall be interconnected with the roadway-signal system so that the cab sig- § 236.509 Two or more locomotives nal indication will not authorize oper- coupled. ation of the train at a speed higher The automatic train stop, train con- than that authorized by the indication trol or cab signal apparatus shall be ar- of the roadway signal that governed ranged so that when two or more loco- the movement of a train into a block motives are coupled, or a pushing or except when conditions affecting move- helping locomotive is used, it can be ment of trains in the block change made operative only on the locomotive after the train passes the signal. from which the brakes are controlled.

704

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00714 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.551

§ 236.515 Visibility of cab signals. inductor pole faces at a height above The cab signals shall be plainly visi- the plane of the tops of the rails, and ble to member or members of the loco- with its inner edge at a hmrizontal dis- motive crew from their stations in the tance from the gage side of the nearest cab. running rail, in accordance with specifications of the carrier. [49 FR 3386, Jan. 26, 1984] [49 FR 3386, Jan. 26, 1984] § 236.516 Power supply. Automatic cab signal, train stop, or § 236.530 [Reserved] train control device hereafter installed shall operate from a separate or iso- § 236.531 Trip arm; height and dis- lated power supply. tance from rail. Trip arm of automatic train stop de- [49 FR 3386, Jan. 26, 1984] vice when in the stop position shall be RULES AND INSTRUCTIONS; ROADWAY maintained at a height above the plane of the tops of the rails, and at a hori- § 236.526 Roadway element not func- zontal distance from its center line to tioning properly. gage side of the nearest running rail, in When a roadway element except accordance with specifications of the track circuit of automatic train stop, carrier. train control or cab signal system is not functioning as intended, the signal [49 FR 3386, Jan. 26, 1984] associated with such roadway element shall be caused manually to display its § 236.532 Strap iron inductor; use re- most restrictive aspect until such ele- stricted. ment has been restored to normal oper- No railroad shall use strap iron in- ative condition. ductor or other roadway element with characteristics differing from its § 236.527 Roadway element insulation standard type on track where speed resistance. higher than restricted speed is per- Insulation resistance between road- mitted. way inductor and ground shall be maintained at not less than 10,000 [49 FR 3386, Jan. 26, 1984] ohms. § 236.533 [Reserved] [49 FR 3386, Jan. 26, 1984] § 236.534 Entrance to equipped terri- § 236.528 Restrictive condition result- tory; requirements. ing from open hand-operated switch; requirement. Where trains are not required to stop When a facing point hand-operated at the entrance to equipped territory, switch is open one-fourth inch or more, except when leaving yards and stations a trailing point hand-operated switch and speed until entering equipped terri- three-eighths inch or more, or hand-op- tory does not exceed restricted speed, erated switch is not locked where fac- the automatic train stop, train control, ing point lock with circuit controller is or cab signal device shall be operative used, the resultant restrictive condi- at least stopping distance from the en- tion of an automatic train stop or train trance to such territory except where control device of the continuous type the approach thereto is governed by or the resultant restrictive cab signal automatic approach signal. indication of an automatic cab signal device on an approaching locomotive RULES AND INSTRUCTIONS; LOCOMOTIVES shall be maintained to within 300 feet of the points of the switch. § 236.551 Power supply voltage; requirement. § 236.529 Roadway element inductor; The voltage of power supply shall be height and distance from rail. maintained within 10 percent of rated Inductor of the inert roadway ele- voltage. ment type shall be maintained with the

705

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00715 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.552 49 CFR Ch. II (10–1–11 Edition)

§ 236.552 Insulation resistance; re- § 236.557 Receiver; location with requirement. spect to rail. When periodic test prescribed in (a) Receiver of intermittent induc- § 236.588 is performed, insulation resist- tive automatic train stop device of the ance between wiring and ground of con- inert roadway element type shall be tinuous inductive automatic cab signal maintained with bottom of the receiver system, automatic train control sys- at a height above the plane of the tops tem, or automatic train stop system of the rails, and with its outer edge at shall be not less than one megohm, and a horizontal distance from the gage that of an intermittent inductive auto- side of the nearest rail, in accordance matic train stop system, not less than with specifications of the carrier. 250,000 ohms. Insulation resistance val- (b) Receiver of continuous inductive ues between periodic tests shall be not automatic cab signal, train stop, or less than 250,000 ohms for a continuous train control device of locomotive inductive automatic cab signal system, equipped with onboard test equipment, automatic train control system, or shall be maintained with the bottom of automatic train stop system, and 20,000 the receiver at a height above the ohms for an intermittent inductive plane of the tops of the rails, and with automatic train stop system. its outer edge at a horizontal distance from the gage side of the nearest rail, [49 FR 3387, Jan. 26, 1984] in accordance with specifications of the carrier. § 236.553 Seal, where required. Seal shall be maintained on any de- [49 FR 3387, Jan. 26, 1984] vice other than brake-pipe cut-out §§ 236.558–236.559 [Reserved] cock (double-heading cock), by means of which the operation of the pneu- § 236.560 Contact element, mechanical matic portion of automatic train-stop trip type; location with respect to or train-control apparatus can be cut rail. out. Contact element of automatic train § 236.554 Rate of pressure reduction; stop device of the mechanical trip type equalizing reservoir or brake pipe. shall be maintained at a height above the plane of the tops of the rails, and The equalizing-reservoir pressure or at a horizontal distance from the gage brake-pipe pressure reduction during side of the rail, in accordance with an automatic brake application shall specifications of the carrier. be at a rate not less than that which results from a manual service applica- [49 FR 3387, Jan. 26, 1984] tion. § 236.561 [Reserved] § 236.555 Repaired or rewound receiver coil. § 236.562 Minimum rail current required. Receiver coil which has been repaired or rewound shall have the same oper- The minimum rail current required ating characteristics which it pos- to restore the locomotive equipment of sessed originally or as currently speci- continuous inductive automatic train fied for new equipment. stop or train control device to normal condition or to obtain a proceed indica- § 236.556 Adjustment of relay. tion of automatic cab signal device (pick-up) shall be in accordance with Change in adjustment of relay shall specifications of the carrier. be made only in a shop equipped for that purpose except when receiver [49 FR 3387, Jan. 26, 1984] coils, electro-pneumatic valve, or other essential part of the equipment is re- § 236.563 Delay time. placed. Irregularities in power-supply Delay time of automatic train stop voltage or other variable factors in the or train control system shall not ex- circuit shall not be compensated for by ceed 8 seconds and the spacing of sig- adjustment of the relay. nals to meet the requirements of

706

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00716 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.586

§ 236.24 shall take into consideration device is inoperative train may proceed the delay time. at not to exceed 79 miles per hour.

§ 236.564 Acknowledging time. § 236.568 Difference between speeds Acknowledging time of intermittent authorized by roadway signal and automatic train-stop device shall be cab signal; action required. not more than 30 seconds. If for any reason a cab signal authorizes a speed different from that author- § 236.565 Provision made for pre- ized by a roadway signal, when a train venting operation of pneumatic brake-applying apparatus by dou- enters the block governed by such ble-heading cock; requirement. roadway signal, the lower speed shall Where provision is made for pre- not be exceeded. venting the operation of the pneumatic INSPECTION AND TESTS; ROADWAY brake-applying appartus of an automatic train stop or train control device § 236.576 Roadway element. when the double-heading cock is placed in double-heading position, the auto- Roadway elements, except track cir- matic train stop or train control device cuits, including those for test purposes, shall not be cut out before communica- shall be gaged monthly for height and tion is closed between the engineman’s alinement, and shall be tested at least automatic brake valve and the brake every 6 months. pipe, when operating double-heading cock toward double-heading position. § 236.577 Test, acknowledgement, and cut-in circuits. § 236.566 Locomotive of each train operating in train stop, train control Test, acknowledgement, and cut-in or cab signal territory; equipped. circuits shall be tested at least once every twelve months. The locomotive from which brakes are controlled, of each train operating [49 FR 3387, Jan. 26, 1984] in automatic train stop, train control, or cab signal territory shall be INSPECTION AND TESTS; LOCOMOTIVE equipped with apparatus responsive to the roadway equipment installed on all § 236.586 Daily or after trip test. or any part of the route traversed, and (a) Except where tests prescribed by such apparatus shall be in operative § 236.588 are performed at intervals of condition. not more than 2 months, each loco- § 236.567 Restrictions imposed when motive equipped with an automatic cab device fails and/or is cut out en signal or train stop or train control de- route. vice operating in equipped territory Where an automatic train stop, train shall be inspected for damage to the control, or cab signal device fails and/ equipment and tested at least once or is cut out enroute, train may pro- each calendar day or within 24 hours ceed at restricted speed or if an auto- before departure upon each trip. matic block signal system is in oper- (b) Each equipped locomotive shall be ation according to signal indication tested to determine the locomotive but not to exceed medium speed, to the equipment is responsive to the wayside next available point of communication equipment and shall be cycled to deter- where report must be made to a des- mine the device functions as intended. ignated officer. Where no automatic (c) Each locomotive equipped with block signal system is in use train intermittent inductive automatic train shall be permitted to proceed at re- stop or non-coded continuous inductive stricted speed or where automatic automatic train stop or non-coded con- block signal system is in operation ac- tinuous inductive automatic train con- cording to signal indication but not to trol device shall be tested to determine exceed medium speed to a point where that the pickup of the device is within absolute block can be established. specified limits. Where an absolute block is established in advance of the train on which the [49 FR 3387, Jan. 26, 1984]

707

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00717 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.587 49 CFR Ch. II (10–1–11 Edition)

§ 236.587 Departure test. ified by the carrier, subject to approval by the FRA. (a) The automatic train stop, train control, or cab signal apparatus on [49 FR 3387, Jan. 26, 1984] each locomotive, except a locomotive or a multiple-unit car equipped with § 236.589 Relays. mechanical trip stop, shall be tested (a) Each relay shall be removed from using one of the following methods: service, subjected to thorough test, (1) Operation over track elements; necessary repairs and adjustments (2) Operation over test circuit; made, and shall not be replaced in serv- (3) Use of portable test equipment; or ice unless its operating characteristics (4) Use of onboard test device. are in accordance with the limits with- (b) The test shall be made on depar- in which such relay is designed to oper- ture of the locomotive from its initial ate, as follows: terminal unless that apparatus will be (1) Master or primary relays of cut out between the initial terminal torque type depending on spring ten- and the equipped territory. If the appa- sion to return contacts to deenergized ratus is cut out between the initial ter- position in noncoded continuous induc- minal and the equipped territory the tive automatic train stop or train con- test shall be made prior to entering trol system, at least once every two equipped territory. years; and (c) If a locomotive makes more than (2) All other relays, at least once one trip in any 24-hour period, only one every six years. departure test is required in such 24- (b) [Reserved] hour period. [49 FR 3387, Jan. 26, 1984] (d)(1) Whoever performs the test shall certify in writing that such test was § 236.590 Pneumatic apparatus. properly performed. The certification and the test results shall be posted in Automatic train stop, train control, the cab of the locomotive and a copy of or cab signal pneumatic apparatus the certification and test results left at shall be inspected, cleaned, and the re- the test location for filing in the office sults of such inspection recorded as of the supervisory official having juris- provided by § 229.29(a). When a loco- diction. motive with automatic train stop, (2) If it is impractical to leave a copy train control, or cab signal pneumatic of the certification and test results at apparatus receives out-of-use credit the location of the test, the test results pursuant to § 229.33, the automatic shall be transmitted to either (i) the train stop, train control, or cab signal dispatcher or (ii) one other designated apparatus shall be tested in accordance individual at each location, who shall with § 236.588 prior to the locomotive keep a written record of the test re- being placed in service. sults and the name of the person per- [61 FR 33873, July 1, 1996] forming the test. These records shall be retained for at least 92 days. Subpart F—Dragging Equipment [49 FR 3387, Jan. 26, 1984, as amended at 53 and Slide Detectors and Other FR 37313, Sept. 26, 1988] Similar Protective Devices EFFECTIVE DATE NOTE: At 49 FR 3387, Jan. 26, 1984, § 236.587 was revised. This section STANDARDS contains information collection and record- keeping requirements and will not become § 236.601 Signals controlled by devices; effective until approval has been given by location. the Office of Management and Budget. Signals controlled by devices used to provide protection against unusual § 236.588 Periodic test. contingencies, such as landslides, drag- Except as provided in § 236.586, peri- ging equipment, burned bridges or tres- odic test of the automatic train stop, tles and washouts shall be located so train control, or cab signal apparatus that stopping distance will be provided shall be made at least once every 92 between the signal and the point where days, and on multiple-unit cars as spec- it is necessary to stop the train.

708

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00718 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.719

Subpart G—Definitions § 236.709 Block, absolute. A block in which no train is per- § 236.700 Definitions. mitted to enter while it is occupied by For the purpose of these rules, stand- another train. ards, and instructions, the following definitions will apply. § 236.710 Block, latch. The lower extremity of a latch rod § 236.701 Application, brake; full serv- which engages with a square shoulder ice. of the segment or quadrant to hold the An application of the brakes result- lever in position. ing from a continuous or a split reduction in brake pipe pressure at a service § 236.711 Bond, rail joint. rate until maximum brake cylinder A metallic connection attached to pressure is developed. As applied to an adjoining rails to insure electrical con- automatic or electro-pneumatic brake ductivity. with speed governor control, an application other than emergency which de- § 236.712 Brake pipe. velops the maximum brake cylinder A pipe running from the engineman’s pressure, as determined by the design brake valve through the train, used for of the brake equipment for the speed at the transmission of air under pressure which the train is operating. to charge and actuate the automatic brake equipment and charge the res- § 236.702 Arm, semaphore. ervoirs of the electro-pneumatic brake The part of a semaphore signal dis- equipment on each vehicle of the train. playing an aspect. It consists of a blade fastened to a spectacle. § 236.713 Bridge, movable. That section of a structure bridging a § 236.703 Aspect. navigable waterway so designed that it The appearance of a roadway signal may be displaced to permit passage of conveying an indication as viewed from traffic on the waterway. the direction of an approaching train; the appearance of a cab signal con- § 236.714 Cab. veying an indication as viewed by an The compartment of a locomotive observer in the cab. from which the propelling power and power brakes of the train are manually § 236.704 [Reserved] controlled.

§ 236.705 Bar, locking. §§ 236.715–236.716 [Reserved] A bar in an interlocking machine to which the locking dogs are attached. § 236.717 Characteristics, operating. The measure of electrical values at § 236.706 Bed, locking. which electrical or electronic appa- That part of an interlocking machine ratus operate (e.g., drop-away, pick-up, that contains or holds the tappets, maximum and minimum current, and locking bars, crosslocking, dogs and working value). other apparatus used to interlock the [49 FR 3387, Jan. 26, 1984] levers. § 236.718 Chart, dog. § 236.707 Blade, semaphore. A diagrammatic representation of The extended part of a semaphore the mechanical locking of an inter- arm which shows the position of the locking machine, used as a working arm. plan in making up, assembling and fit- ting the locking. § 236.708 Block. A length of track of defined limits, § 236.719 Circuit, acknowledgment. the use of which by trains is governed A circuit consisting of wire or other by block signals, cab signals, or both. conducting material installed between

709

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00719 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.720 49 CFR Ch. II (10–1–11 Edition)

the track rails at each signal in terri- § 236.729 Cock, double heading. tory where an automatic train stop A manually operated valve by means system or cab signal system of the con- of which the control of brake operation tinuous inductive type with 2-indica- is transferred to the leading loco- tion cab signals is in service, to enforce motive. acknowledgement by the engineman at each signal displaying an aspect requir- § 236.730 Coil, receiver. ing a stop. Concentric layers of insulated wire wound around the core of a receiver of § 236.720 Circuit, common return. an automatic train stop, train control A term applied where one wire is or cab signal device on a locomotive. used for the return of more than one electric circuit. § 236.731 Controller, circuit. A device for opening and closing elec- § 236.721 Circuit, control. tric circuits. An electrical circuit between a source of electric energy and a device § 236.732 Controller, circuit; switch. which it operates. A device for opening and closing electric circuits, operated by a rod con- § 236.722 Circuit, cut-in. nected to a switch, derail or movable- point frog. A roadway circuit at the entrance to automatic train stop, train control or § 236.733 Current, foreign. cab signal territory by means of which locomotive equipment of the contin- A term applied to stray electric cur- rents which may affect a signaling sys- uous inductive type is actuated so as to tem, but which are not a part of the be in operative condition. system.

§ 236.723 Circuit, double wire; line. § 236.734 Current of traffic. An electric circuit not employing a The movement of trains on a speci- common return wire; a circuit formed fied track in a designated direction. by individual wires throughout. § 236.735 Current, leakage. § 236.724 Circuit, shunt fouling. A stray electric current of relatively The track circuit in the fouling sec- small value which flows through or tion of a turnout, connected in mul- across the surface of insulation when a tiple with the track circuit in the main voltage is impressed across the insula- track. tion.

§ 236.725 Circuit, switch shunting. § 236.736 Cut-section. A shunting circuit which is closed A location other than a signal loca- through contacts of a switch circuit tion where two adjoining track circuits controller. end within a block.

§ 236.726 Circuit, track. § 236.737 Cut-section, relayed. An electrical circuit of which the A cut-section where the energy for rails of the track form a part. one track circuit is supplied through front contacts or through front and § 236.727 Circuit, track; coded. polar contacts of the track relay for the adjoining track circuit. A track circuit in which the energy is varied or interrupted periodically. § 236.738 Detector, point. A circuit controller which is part of § 236.728 Circuit, trap. the switch operating mechanism and A term applied to a circuit used operated by a rod connected to a where it is desirable to provide a track switch, derail or movable point frog to circuit but where it is impracticable to indicate that the point is within a maintain a track circuit. specified distance of the stock rail.

710

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00720 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.753

§ 236.739 Device, acknowledging. § 236.746 Feature, restoring. A manually operated electric switch An arrangement on an electro-pneu- or pneumatic valve by means of which, matic switch by means of which power on a locomotive equipped with an auto- is applied to restore the switch move- matic train stop or train control de- ment to full normal or to full reverse vice, an automatic brake application position, before the driving bar creeps can be forestalled, or by means of sufficiently to unlock the switch, with which, on a locomotive equipped with control level in normal or reverse posi- an automatic cab signal device, the tion. sounding of the cab indicator can be si- [49 FR 3388, Jan. 26, 1984] lenced. § 236.747 Forestall. § 236.740 Device, reset. As applied to an automatic train stop A device whereby the brakes may be or train control device, to prevent an released after an automatic train con- automatic brake application by oper- trol brake application. ation of an acknowledging device or by manual control of the speed of the § 236.741 Distance, stopping. train. The maximum distance on any portion of any railroad which any train § 236.748 [Reserved] operating on such portion of railroad § 236.749 Indication. at its maximum authorized speed, will travel during a full service application The information conveyed by the as- of the brakes, between the point where pect of a signal. such application is initiated and the CROSS REFERENCE: Inductor, see § 236.744. point where the train comes to a stop. § 236.750 Interlocking, automatic. § 236.742 Dog, locking. An arrangement of signals, with or A steel block attached to a locking without other signal appliances, which bar or tappet of an interlocking ma- functions through the exercise of in- chine, by means of which locking be- herent powers as distinguished from tween levers is accomplished. those whose functions are controlled manually, and which are so inter- § 236.743 Dog, swing. connected by means of electric circuits A locking dog mounted in such a that their movements must succeed each other in proper sequence, train manner that it is free to rotate on a movements over all routes being gov- trunnion which is riveted to a locking erned by signal indication. bar.

CROSS REFERENCE: Element, contact. See § 236.751 Interlocking, manual. receiver, § 236.788. An arrangement of signals and signal appliances operated from an inter- § 236.744 Element, roadway. locking machine and so interconnected That portion of the roadway appa- by means of mechanical and/or electric ratus of automatic train stop, train locking that their movements must control, or cab signal system, such as succeed each other in proper sequence, electric circuit, inductor, or trip arm train movements over all routes being to which the locomotive apparatus of governed by signal indication. such system is directly responsive. § 236.752 Joint, rail, insulated. [49 FR 3387, Jan. 26, 1984] A joint in which electrical insulation § 236.745 Face, locking. is provided between adjoining rails. The locking surface of a locking dog, § 236.753 Limits, interlocking. tappet or cross locking of an inter- The tracks between the opposing locking machine. home signals of an interlocking.

711

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00721 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.754 49 CFR Ch. II (10–1–11 Edition)

§ 236.754 Line, open wire. § 236.761 Locking, electric. An overhead wire line consisting of The combination of one or more elec- single conductors as opposed to mul- tric locks and controlling circuits by tiple-conductor cables. means of which levers of an interlocking machine, or switches or other § 236.755 Link, rocker. units operated in connection with sig- That portion of an interlocking ma- naling and interlocking, are secured chine which transmits motion between against operation under certain condi- the latch and the universal link. tions.

§ 236.756 Lock, bolt. § 236.762 Locking, indication. A mechanical lock so arranged that Electric locking which prevents manipulation of levers that would result if a switch, derail or movable-point in an unsafe condition for a train frog is not in the proper position for a movement if a signal, switch, or other train movement, the signal governing operative unit fails to make a move- that movement cannot display an as- ment corresponding to that of its con- pect to proceed; and that will prevent a trolling lever, or which directly pre- movement of the switch, derail or mov- vents the operation of a signal, switch, able-point frog unless the signal dis- or other operative unit, in case another plays its most restrictive aspect. unit which should operate first fails to make the required movement. § 236.757 Lock, electric. A device to prevent or restrict the § 236.763 Locking, latch operated. movement of a lever, a switch or a The mechanical locking of an inter- movable bridge, unless the locking locking machine which is actuated by member is withdrawn by an electrical means of the lever latch. device, such as an electromagnet, sole- noid or motor. § 236.764 Locking, lever operated. § 236.758 Lock, electric, forced drop. The mechanical locking of an interlocking machine which is actuated by An electric lock in which the locking means of the lever. member is mechanically forced down to the locked position. § 236.765 Locking, mechanical. An arrangement of locking bars, § 236.759 Lock, facing point. dogs, tappets, cross locking and other A mechanical lock for a switch, de- apparatus by means of which inter- rail, or movable-point frog, comprising locking is effected between the levers a plunger stand and a plunger which of an interlocking machine and so engages a lock rod attached to the interconnected that their movements switch point to lock the operated unit. must succeed each other in a predetermined order. § 236.760 Locking, approach. Electric locking effective while a § 236.766 Locking, movable bridge. train is approaching, within a specified The rail locks, bridge locks, bolt distance, a signal displaying an aspect locks, circuit controllers, and electric to proceed, and which prevents, until locks used in providing interlocking after the expiration of a predetermined protection at a movable bridge. time interval after such signal has been caused to display its most restric- § 236.767 Locking, route. tive aspect, the movement of any Electric locking, effective when a interlocked or electrically locked train passes a signal displaying an as- switch, movable-point frog, or derail in pect for it to proceed, which prevents the route governed by the signal, and the movement of any switch, movable- which prevents an aspect to proceed point frog, or derail in advance of the from being displayed for any con- train within the route entered. It may flicting route. be so arranged that as a train clears a

712

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00722 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.786

track section of the route, the locking § 236.776 Movement, trailing. affecting that section is released. The movement of a train over the § 236.768 Locking, time. points of a switch which face in the direction in which the train is moving. A method of locking, either mechanical or electrical, which, after a signal § 236.777 Operator, control. has been caused to display an aspect to proceed, prevents, until after the expi- An employee assigned to operate the ration of a predetermined time interval control machine of a traffic control after such signal has been caused to system. display its most restrictive aspect, the operation of any interlocked or elec- § 236.778 Piece, driving. trically locked switch, movable-point A crank secured to a locking shaft by frog, or derail in the route governed by means of which horizontal movement that signal, and which prevents an as- is imparted to a longitudinal locking pect to proceed from being displayed bar. for any conflicting route. § 236.779 Plate, top. § 236.769 Locking, traffic. Electric locking which prevents the A metal plate secured to a locking manipulation of levers or other devices bracket to prevent the cross locking for changing the direction of traffic on from being forced out of the bracket. a section of track while that section is occupied or while a signal displays an § 236.780 Plunger, facing point lock. aspect for a movement to proceed into That part of a facing point lock that section. which secures the lock rod to the plunger stand when the switch is § 236.770 Locomotive. locked. A self-propelled unit of equipment which can be used in train service. § 236.781 [Reserved]

§ 236.771 Machine, control. § 236.782 Point, controlled. An assemblage of manually operated A location where signals and/or other devices for controlling the functions of functions of a traffic control system a traffic control system; it may include are controlled from the control ma- a track diagram with indication lights. chine.

§ 236.772 Machine, interlocking. § 236.783 Point, stop-indication. An assemblage of manually operated As applied to an automatic train stop levers or other devices for the control or train control system without the of signals, switches or other units. use of roadway signals, a point where a CROSS REFERENCE: Magnet, track, see signal displaying an aspect requiring a § 236.744. stop would be located.

§ 236.773 Movements, conflicting. § 236.784 Position, deenergized. Movements over conflicting routes. The position assumed by the moving § 236.774 Movement, facing. member of an electromagnetic device when the device is deprived of its oper- The movement of a train over the ating current. points of a switch which face in a direction opposite to that in which the train § 236.785 Position, false restrictive. is moving. A position of a semaphore arm that § 236.775 Movement, switch-and-lock. is more restrictive than it should be. A device, the complete operation of which performs the three functions of § 236.786 Principle, closed circuit. unlocking, operating and locking a The principle of circuit design where switch, movable-point frog or derail. a normally energized electric circuit

713

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00723 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.787 49 CFR Ch. II (10–1–11 Edition)

which, on being interrupted or deener- § 236.791 Release, value. gized, will cause the controlled func- The electrical value at which the tion to assume its most restrictive con- movable member of an electromagnetic dition. device will move to its deenergized por- § 236.787 Protection, cross. tion. An arrangement to prevent the im- § 236.792 Reservoir, equalizing. proper operation of a signal, switch, An air reservoir connected with and movable-point frog, or derail as the re- adding volume to the top portion of the sult of a cross in electrical circuits. equalizing piston chamber of the auto- CROSS REFERENCE: Ramp, see § 236.744. matic brake valve, to provide uniform service reductions in brake pipe pres- § 236.787a Railroad. sure regardless of the length of the Railroad means any form of non- train. highway ground transportation that runs on rails or electromagnetic guide- CROSS REFERENCE: Rocker, see § 236.755. ways and any entity providing such transportation, including— § 236.793 Rod, lock. (a) Commuter or other short-haul A rod, attached to the front rod or railroad passenger service in a metro- lug of a switch, movable-point frog or politan or suburban area and com- derail, through which a locking plung- muter railroad service that was oper- er may extend when the switch points ated by the Consolidated Rail Corpora- or derail are in the normal or reverse tion on January 1, 1979; and position. (b) High speed ground transportation systems that connect metropolitan § 236.794 Rod, up-and-down. areas, without regard to whether those A rod used for connecting the sema- systems use new technologies not asso- phore arm to the operating mechanism ciated with traditional railroads; but of a signal. does not include rapid transit operations in an urban area that are not § 236.795 Route. connected to the general railroad sys- The course or way which is, or is to tem of transportation. be, traveled. [70 FR 11095, Mar. 7, 2005] § 236.796 Routes, conflicting. § 236.788 Receiver. Two or more routes, opposing, con- A device on a locomotive, so placed verging or intersecting, over which that it is in position to be influenced movements cannot be made simulta- inductively or actuated by an auto- neously without possibility of colli- matic train stop, train control or cab sion. signal roadway element. § 236.797 Route, interlocked. § 236.789 Relay, timing. A route within interlocking limits. A relay which will not close its front contacts or open its back contacts, or § 236.798 Section, dead. both, until the expiration of a definite A section of track, either within a time intervals after the relay has been track circuit or between two track cir- energized. cuits, the rails of which are not part of a track circuit. § 236.790 Release, time. A device used to prevent the oper- § 236.799 Section, fouling. ation of an operative unit until after The section of track between the the expiration of a predetermined time switch points and the clearance point interval after the device has been actu- in a turnout. ated.

714

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00724 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.819

§ 236.800 Sheet, locking. means of controlling the signal electrically, as well as mechanically. A description in tabular form of the locking operations in an interlocking § 236.810 Spectacle, semaphore arm. machine. That part of a semaphore arm which § 236.801 Shoe, latch. holds the roundels and to which the The casting by means of which the blade is fastened. latch rod and the latch block are held to a lever of a mechanical interlocking § 236.811 Speed, medium. machine. A speed not exceeding 40 miles per hour. § 236.802 Shunt. A by-path in an electrical circuit. § 236.812 Speed, restricted. A speed that will permit stopping § 236.802a Siding. within one-half the range of vision, but An auxiliary track for meeting or not exceeding 20 miles per hour. passing trains. [49 FR 3388, Jan. 26, 1984] § 236.803 Signal, approach. § 236.813 Speed, slow. A roadway signal used to govern the A speed not exceeding 20 miles per approach to another signal and if oper- hour. ative so controlled that its indication furnishes advance information of the § 236.813a State, most restrictive. indication of the next signal. The mode of an electric or electronic § 236.804 Signal, block. device that is equivalent to a track A roadway signal operated either relay in its deenergized position. automatically or manually at the en- [49 FR 3388, Jan. 26, 1984] trance to a block. § 236.814 Station, control. § 236.805 Signal, cab. The place where the control machine A signal located in engineman’s com- of a traffic control system is located. partment or cab, indicating a condition affecting the movement of a train and § 236.815 Stop. used in conjunction with interlocking As applied to mechanical locking, a signals and in conjunction with or in device secured to a locking bar to limit lieu of block signals. its movement. § 236.806 Signal, home. § 236.816 Superiority of trains. A roadway signal at the entrance to a route or block to govern trains in en- The precedence conferred upon one tering and using that route or block. train over other trains by train order or by reason of its class or the direc- § 236.807 Signal, interlocking. tion of its movement. A roadway signal which governs § 236.817 Switch, electro-pneumatic. movements into or within interlocking limits. A switch operated by an electro- pneumatic switch-and-lock movement. § 236.808 Signals, opposing. § 236.818 Switch, facing point. Roadway signals which govern movements in opposite directions on the A switch, the points of which face same track. traffic approaching in the direction for which the track is signaled. § 236.809 Signal, slotted mechanical. A mechanically operated signal with § 236.819 Switch, hand operated. an electromagnetic device inserted in A non-interlocked switch which can its operating connection to provide a only be operated manually.

715

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00725 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.820 49 CFR Ch. II (10–1–11 Edition)

§ 236.820 Switch, interlocked. application of the brakes until the train has been brought to a stop. A switch within the interlocking limits the control of which is interlocked § 236.827 System, block signal. with other functions of the interlocking. A method of governing the movement of trains into or within one or more § 236.820a Switch, power-operated. blocks by block signals or cab signals. A switch operated by an electrically, § 236.828 System, traffic control. hydraulically, or pneumatically driven A block signal system under which switch-and-lock movement. train movements are authorized by [49 FR 3388, Jan. 26, 1984] block signals whose indications super- sede the superiority of trains for both § 236.821 Switch, sectionalizing. opposing and following movements on A switch for disconnecting a section the same track. of a power line from the source of energy. § 236.829 Terminal, initial. The starting point of a locomotive § 236.822 Switch, spring. for a trip. A switch equipped with a spring de- § 236.830 Time, acknowledging. vice which forces the points to their original position after being trailed As applied to an intermittent auto- through and holds them under spring matic train stop system, a predeter- compression. mined time within which an automatic brake application may be forestalled § 236.823 Switch, trailing point. by means of the acknowledging device. A switch, the points of which face § 236.831 Time, delay. away from traffic approaching in the direction for which the track is sig- As applied to an automatic train stop naled. or train control system, the time which elapses after the onboard appa- § 236.824 System, automatic block sig- ratus detects a more restrictive indica- nal. tion until the brakes start to apply. A block signal system wherein the [49 FR 3388, Jan. 26, 1984] use of each block is governed by an automatic block signal, cab signal, or § 236.831a Track, main. both. A track, other than auxiliary track, extending through yards and between § 236.825 System, automatic train con- stations, upon which trains are oper- trol. ated by timetable or train orders, or A system so arranged that its oper- both, or the use of which is governed ation will automatically result in the by block signals. following: (a) A full service application of the § 236.832 Train. brakes which will continue either until A locomotive or more than one loco- the train is brought to a stop, or, under motive coupled, with or without cars. control of the engineman, its speed is reduced to a predetermined rate. § 236.833 Train, opposing. (b) When operating under a speed re- A train, the movement of which is in striction, an application of the brakes a direction opposite to and toward an- when the speed of the train exceeds the other train on the same track. predetermined rate and which will continue until the speed is reduced to that § 236.834 Trip. rate. A movement of a locomotive over all or any portion of automatic train stop, § 236.826 System, automatic train stop. train control or cab signal territory be- A system so arranged that its oper- tween the terminals for that loco- ation will automatically result in the motive; a movement in one direction.

716

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00726 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.903

CROSS REFERENCE: Trip-arm, see § 236.744. plains to FRA Associate Administrator for Safety’s satisfaction the following: § 236.835 Trunking. (i) How the objectives of any such re- A casing used to protect electrical quirements are met by the product; conductors. (ii) Why the objectives of any such requirements are not relevant to the § 236.836 Trunnion. product; or (iii) How the requirement is satisfied A cylindrical projection supporting a using alternative means. (See revolving part. § 236.907(a)(14)). § 236.837 Valve, electro-pneumatic. (2) Products subject to this subpart are also subject to applicable require- A valve electrically operated which, ments of parts 233, 234 and 235 of this when operated, will permit or prevent chapter. See § 234.275 of this chapter passage of air. with respect to use of this subpart to qualify certain products for use within § 236.838 Wire, shunt. highway-rail grade crossing warning A wire forming part of a shunt cir- systems. cuit. (3) Information required to be submitted by this subpart that a sub- Subpart H—Standards for Proc- mitter deems to be trade secrets, or essor-Based Signal and Train commercial or financial information that is privileged or confidential under Control Systems Exemption 4 of the Freedom of Infor- mation Act, 5 U.S.C. 552(b)(4), shall be SOURCE: 70 FR 11095, Mar. 7, 2005, unless so labeled in accordance with the pro- otherwise noted. visions of § 209.11 of this chapter. FRA handles information so labeled in ac- § 236.901 Purpose and scope. cordance with the provisions of § 209.11 (a) What is the purpose of this subpart? of this chapter. The purpose of this subpart is to promote the safe operation of processor- § 236.903 Definitions. based signal and train control systems, As used in this subpart— subsystems, and components that are Associate Administrator for Safety safety-critical products, as defined in means the Associate Administrator for § 236.903, and to facilitate the develop- Safety, FRA, or that person’s delegate ment of those products. as designated in writing. (b) What topics does it cover? This sub- Component means an element, device, part prescribes minimum, perform- or appliance (including those whose na- ance-based safety standards for safety- ture is electrical, mechanical, hard- critical products, including require- ware, or software) that is part of a sys- ments to ensure that the development, tem or subsystem. installation, implementation, inspec- Configuration management control plan tion, testing, operation, maintenance, means a plan designed to ensure that repair, and modification of those prod- the proper and intended product con- ucts will achieve and maintain an ac- figuration, including the hardware ceptable level of safety. This subpart components and software version, is also prescribes standards to ensure documented and maintained through that personnel working with safety- the life-cycle of the products in use. critical products receive appropriate Employer means a railroad, or con- training. Each railroad may prescribe tractor to a railroad, that directly en- additional or more stringent rules, and gages or compensates individuals to other special instructions, that are not perform the duties specified in § 236.921 inconsistent with this subpart. (a). (c) What other rules apply? (1) This Executive software means software subpart does not exempt a railroad common to all installations of a given from compliance with the require- product. It generally is used to sched- ments of subparts A through G of this ule the execution of the site-specific part, except to the extent a PSP ex- application programs, run timers, read

717

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00727 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.903 49 CFR Ch. II (10–1–11 Edition)

inputs, drive outputs, perform self- on a railroad as described in its PSP. diagnostics, access and check memory, The petition for approval is to contain and monitor the execution of the appli- information that is relevant to deter- cation software to detect unsolicited mining the safety of the resulting sys- changes in outputs. tem; relevant to determining compli- FRA means the Federal Railroad Ad- ance with this part; and relevant to de- ministration. termining the safety of the product, in- Full automatic operation means that cluding a complete copy of the prod- mode of an automatic train control uct’s PSP and supporting safety anal- system capable of operating without ysis. external human influence, in which the Predefined change means any post-im- locomotive engineer/operator may act plementation modification to the use as a passive system monitor, in addi- of a product that is provided for in the tion to an active system controller. PSP (see § 236.907(b)). Hazard means an existing or poten- Previous Condition refers to the esti- tial condition that can result in an ac- mated risk inherent in the portion of cident. the existing method of operation that High degree of confidence, as applied is relevant to the change under anal- to the highest level of aggregation, ysis (including the elements of any ex- means there exists credible safety isting signal or train control system analysis supporting the conclusion relevant to the review of the product). that the likelihood of the proposed con- Processor-based, as used in this sub- dition associated with the new product part, means dependent on a digital being less safe than the previous condi- processor for its proper functioning. tion is very small. Product means a processor-based sig- Human factors refers to a body of nal or train control system, subsystem, knowledge about human limitations, or component. human abilities, and other human Product Safety Plan (or PSP) refers to characteristics, such as behavior and a formal document which describes in motivation, that must be considered in detail all of the safety aspects of the product design. product, including but not limited to Human-machine interface (HMI) means procedures for its development, instal- the interrelated set of controls and dis- lation, implementation, operation, plays that allows humans to interact maintenance, repair, inspection, test- with the machine. ing and modification, as well as anal- Initialization refers to the startup yses supporting its safety claims, as process when it is determined that a described in § 236.907. product has all required data input and Railroad Safety Program Plan (or the product is prepared to function as RSPP) refers to a formal document intended. which describes a railroad’s strategy Mandatory directive has the meaning for addressing safety hazards associ- set forth in § 220.5 of this chapter. ated with operation of products under Materials handling refers to explicit this subpart and its program for execu- instructions for handling safety-crit- tion of such strategy though the use of ical components established to comply PSP requirements, as described in with procedures specified in the PSP. § 236.905. Mean Time to Hazardous Event Revision control means a chain of cus- (MTTHE) means the average or ex- tody regimen designed to positively pected time that a subsystem or com- identify safety-critical components and ponent will operate prior to the occur- spare equipment availability, including rence of an unsafe failure. repair/replacement tracking in accord- New or next-generation train control ance with procedures outlined in the system means a train control system PSP. using technologies not in use in rev- Risk means the expected probability enue service at the time of PSP sub- of occurrence for an individual acci- mission or without established his- dent event (probability) multiplied by tories of safe practice. the severity of the expected con- Petition for approval means a petition sequences associated with the accident to FRA for approval to use a product (severity).

718

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00728 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.905

Risk assessment means the process of dress, at a minimum, the following determining, either quantitatively or subject areas: qualitatively, the measure of risk asso- (1) Requirements and concepts. The ciated with use of the product under all RSPP must require a description of the intended operating conditions or the preliminary safety analysis, including: previous condition. (i) A complete description of methods Safety-critical, as applied to a func- used to evaluate a system’s behavioral tion, a system, or any portion thereof, characteristics; means the correct performance of (ii) A complete description of risk as- which is essential to safety of per- sessment procedures; sonnel or equipment, or both; or the in- (iii) The system safety precedence correct performance of which could followed; and cause a hazardous condition, or allow a (iv) The identification of the safety hazardous condition which was in- assessment process. tended to be prevented by the function (2) Design for verification and valida- or system to exist. tion. The RSPP must require the iden- Subsystem means a defined portion of tification of verification and validation a system. methods for the preliminary safety System refers to a signal or train con- analysis, initial development process, trol system and includes all sub- and future incremental changes, in- systems and components thereof, as cluding standards to be used in the the context requires. verification and validation process, System Safety Precedence means the consistent with appendix C to this order of precedence in which methods part. The RSPP must require that ref- used to eliminate or control identified erences to any non-published standards hazards within a system are imple- be included in the PSP. mented. (3) Design for human factors. The Validation means the process of deter- RSPP must require a description of the mining whether a product’s design re- process used during product develop- quirements fulfill its intended design ment to identify human factors issues objectives during its development and and develop design requirements which life-cycle. The goal of the validation address those issues. process is to determine ‘‘whether the (4) Configuration management control correct product was built.’’ plan. The RSPP must specify require- Verification means the process of de- ments for configuration management termining whether the results of a for all products to which this subpart given phase of the development cycle applies. fulfill the validated requirements es- (c) How are RSPP’s approved? (1) Each tablished at the start of that phase. railroad shall submit a petition for ap- The goal of the verification process is proval of an RSPP to the Associate Ad- to determine ‘‘whether the product was ministrator for Safety, FRA, 1200 New built correctly.’’ Jersey Avenue, SE., Mail Stop 25, Washington, DC 20590. The petition § 236.905 Railroad Safety Program must contain a copy of the proposed Plan (RSPP). RSPP, and the name, title, address, (a) What is the purpose of an RSPP? A and telephone number of the railroad’s railroad subject to this subpart shall primary contact person for review of develop an RSPP, subject to FRA ap- the petition. proval, that serves as its principal safe- (2) Normally within 180 days of re- ty document for all safety-critical ceipt of a petition for approval of an products. The RSPP must establish the RSPP, FRA: minimum PSP requirements that will (i) Grants the petition, if FRA finds govern the development and implemen- that the petition complies with appli- tation of all products subject to this cable requirements of this subpart, at- subpart, consistent with the provisions taching any special conditions to the contained in § 236.907. approval of the petition as necessary to (b) What subject areas must the RSPP carry out the requirements of this sub- address? The railroad’s RSPP must ad- part;

719

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00729 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.907 49 CFR Ch. II (10–1–11 Edition)

(ii) Denies the petition, setting forth the life cycle of the product, including reasons for denial; or maximum threshold limits for each (iii) Requests additional information. hazard (for unidentified hazards, the (3) If no action is taken on the peti- threshold shall be exceeded at one oc- tion within 180 days, the petition re- currence); mains pending for decision. The peti- (7) A risk assessment, as prescribed tioner is encouraged to contact FRA in § 236.909 and appendix B to this part; for information concerning its status. (8) A hazard mitigation analysis, in- (4) FRA may reopen consideration of cluding a complete and comprehensive any previously-approved petition for description of all hazards to be ad- cause, providing reasons for such ac- dressed in the system design and devel- tion. opment, mitigation techniques used, (d) How are RSPP’s modified? (1) Rail- and system safety precedence followed, roads shall obtain FRA approval for as prescribed by the applicable RSPP; any modification to their RSPP which affects a safety-critical requirement of (9) A complete description of the a PSP. Other modifications do not re- safety assessment and verification and quire FRA approval. validation processes applied to the (2) Petitions for FRA approval of product and the results of these proc- RSPP modifications are subject to the esses, describing how subject areas cov- same procedures as petitions for initial ered in appendix C to this part are ei- RSPP approval, as specified in para- ther: addressed directly, addressed graph (c) of this section. In addition, using other safety criteria, or not ap- such petitions must identify the pro- plicable; posed modification(s) to be made, the (10) A complete description of the reason for the modification(s), and the safety assurance concepts used in the effect of the modification(s) on safety. product design, including an explanation of the design principles and as- [70 FR 11095, Mar. 7, 2005, as amended at 74 sumptions; FR 25174, May 27, 2009] (11) A human factors analysis, includ- § 236.907 Product Safety Plan (PSP). ing a complete description of all (a) What must a PSP contain? The PSP human-machine interfaces, a complete must include the following: description of all functions performed (1) A complete description of the by humans in connection with the product, including a list of all product product to enhance or preserve safety, components and their physical rela- and an analysis in accordance with ap- tionship in the subsystem or system; pendix E to this part or in accordance (2) A description of the railroad oper- with other criteria if demonstrated to ation or categories of operations on the satisfaction of the Associate Ad- which the product is designed to be ministrator for Safety to be equally used, including train movement den- suitable; sity, gross tonnage, passenger train (12) A complete description of the movement density, hazardous mate- specific training of railroad and con- rials volume, railroad operating rules, tractor employees and supervisors nec- and operating speeds; essary to ensure the safe and proper in- (3) An operational concepts docu- stallation, implementation, operation, ment, including a complete description maintenance, repair, inspection, test- of the product functionality and infor- ing, and modification of the product; mation flows; (13) A complete description of the (4) A safety requirements document, specific procedures and test equipment including a list with complete descrip- necessary to ensure the safe and proper tions of all functions which the product installation, implementation, oper- performs to enhance or preserve safety; ation, maintenance, repair, inspection, (5) A document describing the man- testing, and modification of the prod- ner in which product architecture sat- uct. These procedures, including cali- isfies safety requirements; bration requirements, shall be con- (6) A hazard log consisting of a com- sistent with or explain deviations from prehensive description of all safety-rel- the equipment manufacturer’s rec- evant hazards to be addressed during ommendations;

720

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00730 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.907

(14) An analysis of the applicability with § 236.915. However, the risk assess- of the requirements of subparts A ment for the product must dem- through G of this part to the product onstrate that operation of the product, that may no longer apply or are satis- as modified by any predefined change, fied by the product using an alter- satisfies the minimum performance native method, and a complete expla- standard. nation of the manner in which those (2) The PSP must identify configura- requirements are otherwise fulfilled tion/revision control measures designed (see § 234.275 of this chapter and to ensure that safety-functional re- § 236.901(c)); quirements and safety-critical hazard (15) A complete description of the mitigation processes are not com- necessary security measures for the promised as a result of any such product over its life-cycle; change. (Software changes involving (16) A complete description of each safety functional requirements or safe- warning to be placed in the Operations ty critical hazard mitigation processes and Maintenance Manual identified in for components in use are also ad- § 236.919, and of all warning labels re- dressed in paragraph (c) of this sec- quired to be placed on equipment as tion.) necessary to ensure safety; (c) What requirements apply to other (17) A complete description of all ini- product changes? (1) Incremental tial implementation testing procedures changes are planned product version necessary to establish that safety-func- changes described in the initial PSP tional requirements are met and safe- where slightly different specifications ty-critical hazards are appropriately are used to allow the gradual enhance- mitigated; ment of the product’s capabilities. In- (18) A complete description of: cremental changes shall require (i) All post-implementation testing verification and validation to the ex- (validation) and monitoring proce- tent the changes involve safety-critical dures, including the intervals nec- functions. essary to establish that safety-func- (2) Changes classified as maintenance tional requirements, safety-critical require validation. hazard mitigation processes, and safe- (d) What are the responsibilities of the ty-critical tolerances are not com- railroad and product supplier regarding promised over time, through use, or communication of hazards? (1) The PSP after maintenance (repair, replace- shall specify all contractual arrangement, adjustment) is performed; and ments with hardware and software sup- (ii) Each record necessary to ensure pliers for immediate notification of the safety of the system that is associ- any and all safety critical software up- ated with periodic maintenance, in- grades, patches, or revisions for their spections, tests, repairs, replacements, processor-based system, sub-system, or adjustments, and the system’s result- component, and the reasons for such ing conditions, including records of changes from the suppliers, whether or component failures resulting in safety- not the railroad has experienced a fail- relevant hazards (see § 236.917(e)(3)); ure of that safety-critical system, sub- (19) A complete description of any system, or component. safety-critical assumptions regarding (2) The PSP shall specify the rail- availability of the product, and a com- road’s procedures for action upon noti- plete description of all backup methods fication of a safety-critical upgrade, of operation; and patch, or revision for this processor- (20) A complete description of all in- based system, sub-system, or compo- cremental and predefined changes (see nent, and until the upgrade, patch, or paragraphs (b) and (c) of this section). revision has been installed; and such (b) What requirements apply to action shall be consistent with the cri- predefined changes? (1) Predefined terion set forth in § 236.915(d) as if the changes are not considered design failure had occurred on that railroad. modifications requiring an entirely (3) The PSP must identify configura- new safety verification process, a re- tion/revision control measures designed vised PSP, and an informational filing to ensure that safety-functional re- or petition for approval in accordance quirements and safety-critical hazard

721

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00731 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.909 49 CFR Ch. II (10–1–11 Edition)

mitigation processes are not com- (d) What is an abbreviated risk assess- promised as a result of any such ment, and when may it be used? (1) An change, and that any such change can abbreviated risk assessment may be be audited. used in lieu of a full risk assessment to (4) Product suppliers entering into show compliance with the performance contractual arrangements for product standard if: support described in a PSP must (i) No new hazards are introduced as promptly report any safety-relevant a result of the change; failures and previously unidentified (ii) Severity of each hazard associ- hazards to each railroad using the ated with the previous condition does product. not increase from the previous condition; and § 236.909 Minimum performance stand- (iii) Exposure to such hazards does ard. not change from the previous condi- (a) What is the minimum performance tion. standard for products covered by this sub- (2) An abbreviated risk assessment part? The safety analysis included in supports the finding required by para- the railroad’s PSP must establish with graph (a) of this section if it estab- a high degree of confidence that intro- lishes that the resulting MTTHE for duction of the product will not result the proposed product is greater than or in risk that exceeds the previous condi- equal to the MTTHE for the system, component or method performing the tion. The railroad shall determine, same function in the previous condi- prior to filing its petition for approval tion. This determination must be sup- or informational filing, that this stand- ported by credible safety analysis suffi- ard has been met and shall make avail- cient to persuade the Associate Admin- able the necessary analyses and docu- istrator for Safety that the likelihood mentation as provided in this subpart. of the new product’s MTTHE being less (b) How does FRA determine whether than the MTTHE for the system, com- the PSP requirements for products covered ponent, or method performing the same by subpart H have been met? With re- function in the previous condition is spect to any FRA review of a PSP, the very small. Associate Administrator for Safety (3) Alternatively, an abbreviated risk independently determines whether the assessment supports the finding re- railroad’s safety case establishes with quired by paragraph (a) of this section a high degree of confidence that intro- if: duction of the product will not result (i) The probability of failure for each in risk that exceeds the previous condi- hazard of the product is equal to or less tion. In evaluating the sufficiency of the corresponding recommended Spe- the railroad’s case for the product, the cific Quantitative Hazard Probability Associate Administrator for Safety Ratings classified as more favorable considers, as applicable, the factors than ‘‘undesirable’’ by AREMA Manual pertinent to evaluation of risk assess- Part 17.3.5 (Recommended Procedure ments, listed in § 236.913(g)(2). for Hazard Identification and Manage- (c) What is the scope of a full risk as- ment of Vital Electronic/Software- sessment required by this section? A full Based Equipment Used in Signal and risk assessment performed under this Train Control Applications), or—in the subpart must address the safety risks case of a hazard classified as undesir- affected by the introduction, modifica- able—the Associate Administrator for tion, replacement, or enhancement of a Safety concurs that mitigation of the product. This includes risks associated hazard within the framework of the with the previous condition which are electronic system is not practical and no longer present as a result of the the railroad proposes reasonable steps change, new risks not present in the to undertake other mitigation. The Di- previous condition, and risks neither rector of the Federal Register approves newly created nor eliminated whose the incorporation by reference of the nature (probability of occurrence or se- entire AREMA Communications and verity) is nonetheless affected by the Signal Manual, Volume 4, Section 17— change. Quality Principles (2005) in this section

722

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00732 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.909

in accordance with 5 U.S.C. 552(a) and 1 the PSP. The total risk assessment CFR part 51. You may obtain a copy of must have a supporting sensitivity the incorporated standard from Amer- analysis. The analysis must confirm ican Railway Engineering and Mainte- that the risk metrics of the system are nance of Way Association, 8201 Cor- not negatively affected by sensitivity poration Drive, Suite 1125, Landover, analysis input parameters including, MD 20785–2230. You may inspect a copy for example, component failure rates, of the incorporated standard at the human factor error rates, and vari- Federal Railroad Administration, ations in train traffic affecting expo- Docket Clerk, 1200 New Jersey Avenue, sure. In this context, ‘‘negatively af- SE., or at the National Archives and fected’’ means that the final residual Records Administration (NARA). For risk metric does not exceed that of the information on the availability of this base case or that which has been other- material at NARA, call 202–741–6030, or go to http://www.archives.gov/ wise established through MTTHE tar- federallregister/ get. The sensitivity analysis must doc- codeloflfederallregulations/ ument the sensitivity to worst case ibrllocations.html; failure scenarios. Appendix B to this (ii) The product is developed in ac- part provides criteria for acceptable cordance with: risk assessment methods. Other meth- (A) AREMA Manual Part 17.3.1 (Com- ods may be acceptable if demonstrated munications and Signal Manual of Rec- to the satisfaction of the Associate Ad- ommended Practices, Recommended ministrator for Safety to be equally Safety Assurance Program for Elec- suitable. tronic/Software Based Products Used in (2) For the previous condition and for Vital Signal Applications); the life-cycle of the product, risk levels (B) AREMA Manual Part 17.3.3 (Com- must be expressed in units of con- munications and Signal Manual of Rec- sequences per unit of exposure. ommended Practices, Recommended (i) In all cases exposure must be ex- Practice for Hardware Analysis for pressed as total train miles traveled Vital Electronic/Software-Based Equip- per year over the relevant railroad in- ment Used in Signal and Train Control frastructure. Consequences must iden- Applications); tify the total cost, including fatalities, (C) AREMA Manual Part 17.3.5 (Com- injuries, property damage, and other munications and Signal Manual of Rec- incidental costs, such as potential con- ommended Practices, Recommended Practice for Hazard Identification and sequences of hazardous materials in- Management of Vital Electronic/Soft- volvement, resulting from preventable ware-Based Equipment Used in Signal accidents associated with the func- and Train Control Applications); tion(s) performed by the system. (D) Appendix C of this subpart; and (ii) In those cases where there is pas- (iii) Analysis supporting the PSP senger traffic, a second risk metric suggests no credible reason for believ- must be calculated, using passenger- ing that the product will be less safe miles traveled per year as the expo- than the previous condition. sure, and total societal costs of pas- (e) How are safety and risk measured senger injuries and fatalities, resulting for the full risk assessment? Risk assess- from preventable accidents associated ment techniques, including both quali- with the function(s) performed by the tative and quantitative methods, are system, as the consequences. recognized as providing credible and (3) If the description of railroad oper- useful results for purposes of this sec- ations for the product required by tion if they apply the following prin- § 236.907(a)(2) involves changes to the ciples: physical or operating conditions on the (1) Safety levels must be measured railroad prior to or within the expected using competent risk assessment meth- life cycle of the product subject to re- ods and must be expressed as the total view under this subpart, the previous residual risk in the system over its expected life-cycle after implementation condition shall be adjusted to reflect of all mitigating measures described in the lower risk associated with systems

723

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00733 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.911 49 CFR Ch. II (10–1–11 Edition)

needed to maintain safety and perform- sociate Administrator for Safety, that ance at higher speeds or traffic vol- the current method of operation is ade- umes. In particular, the previous condi- quate for a specified volume of traffic tion must be adjusted for assumed im- in excess of 12 trains per day, but not plementation of systems necessary to more than 20 trains per day, without support higher train speeds as specified material delay in the movement of in § 236.0, as well as other changes re- trains over the territory and without quired to support projected increases in unreasonable expenditures to expedite train operations. The following specific those movements when compared with requirements apply: the expense of installing and maintain- (i) If the current method of operation ing a traffic control system. would not be adequate under § 236.0 for (4) In the case review of a PSP that the proposed operations, then the ad- has been consolidated with a pro- justed previous condition must include ceeding pursuant to part 235 of this a system as required under § 236.0, ap- subchapter (see § 236.911(b)), the base plied as follows: case shall be determined as follows: (A) The minimum system where a (i) If FRA determines that dis- passenger train is operated at a speed continuance or modification of the sys- of 60 or more miles per hour, or a tem should be granted without regard freight train is operated at a speed of to whether the product is installed on 50 or more miles per hour, shall be a the territory, then the base case shall traffic control system; be the conditions that would obtain on (B) The minimum system where a the territory following the discontinu- train is operated at a speed of 80 or ance or modification. NOTE: This is an more miles per hour, but not more instance in which the base case is pos- than 110 miles per hour, shall be an ited as greater risk than the actual automatic cab signal system with (unadjusted) previous condition be- automatic train control; and cause the railroad would have obtained (C) The minimum system where a relief from the requirement to main- train is operated at a speed of more tain the existing signal or train control than 110 miles per hour shall be a sys- system even if no new product had been tem determined by the Associate Ad- proffered. ministrator for Safety to provide an (ii) If FRA determines that dis- equivalent level of safety to systems continuance or modification of the sys- required or authorized by FRA for com- tem should be denied without regard to parable operations. whether the product is installed on the (ii) If the current method of oper- territory, then the base case shall re- ation would be adequate under § 236.0 main the previous condition for the proposed operations, but the (unadjusted). current system is not at least as safe (iii) If, after consideration of the ap- as a traffic control system, then the plication and review of the PSP, FRA adjusted previous condition must in- determines that neither paragraph clude a traffic control system in the (e)(4)(i) nor paragraph (e)(4)(ii) of this event of any change that results in: section should apply, FRA will estab- (A) An annual average daily train lish a base case that is consistent with density of more than twelve trains per safety and in the public interest. day; or (B) An increase in the annual average [70 FR 11095, Mar. 7, 2005, as amended at 74 daily density of passenger trains of FR 25174, May 27, 2009; 75 FR 2699, Jan. 15, more than four trains per day. 2010] (iii) Paragraph (e)(3)(ii)(A) of this section shall apply in all situations § 236.911 Exclusions. where train volume will exceed more (a) Does this subpart apply to existing than 20 trains per day but shall not systems? The requirements of this sub- apply to situations where train volume part do not apply to products in service will exceed 12 trains per day but not as of June 6, 2005. Railroads may con- exceed 20 trains per day, if in its PSP tinue to implement and use these prod- the railroad makes a showing sufficient ucts and components from these exist- to establish, in the judgment of the As- ing products.

724

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00734 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.913

(b) How will transition cases be han- (b) Under what circumstances must a dled? Products designed in accordance railroad submit a petition for approval for with subparts A through G of this part a PSP or PSP amendment, and when may which are not in service but are devel- a railroad submit an informational filing? oped or are in the developmental stage Depending on the nature of the pro- prior to March 7, 2005, may be excluded posed product or change, the railroad upon notification to FRA by June 6, shall submit either an informational 2005, if placed in service by March 7, filing or a petition for approval. Sub- 2008. Railroads may continue to imple- mission of a petition for approval is re- ment and use these products and com- quired for PSPs or PSP amendments ponents from these existing products. concerning installation of new or next- A railroad may at any time elect to generation train control systems. All have products that are excluded made other actions that result in the cre- subject to this subpart by submitting a ation of a PSP or PSP amendment re- PSP as prescribed in § 236.913 and other- quire an informational filing and are wise complying with this subpart. handled according to the procedures (c) How are office systems handled? The outlined in paragraph (c) of this sec- requirements of this subpart do not tion. Applications for discontinuance apply to existing office systems and fu- and material modification of signal ture deployments of existing office sys- and train control systems remain gov- tem technology. However, a subsystem erned by parts 235 and 211 of this chap- or component of an office system must ter; and petitions subject to this sec- comply with the requirements of this tion may be consolidated with any rel- subpart if it performs safety-critical evant application for administrative functions within, or affects the safety handling. performance of, a new or next-genera- (c) What are the procedures for infor- tion train control system. For purposes mational filings? The following proce- of this section, ‘‘office system’’ means dures apply to PSPs and PSP amend- a centralized computer-aided train-dis- ments which do not require submission patching system or centralized traffic of a petition for approval, but rather control board. require an informational filing: (d) How are modifications to excluded (1) Not less than 180 days prior to products handled? Changes or modifica- planned use of the product in revenue tions to products otherwise excluded service as described in the PSP or PSP from the requirements of this subpart amendment, the railroad shall submit by this section are not excluded from an informational filing to the Asso- the requirements of this subpart if ciate Administrator for Safety, FRA, they result in a degradation of safety 1200 New Jersey Avenue, SE., Mail Stop or a material increase in safety-critical 25, Washington, DC 20590. The informa- functionality. tional filing must provide a summary (e) What other rules apply to excluded description of the PSP or PSP amend- products? Products excluded by this ment, including the intended use of the section from the requirements of this product, and specify the location where subpart remain subject to subparts A the documentation as described in through G of this part as applicable. § 236.917(a)(1) is maintained. (2) Within 60 days of receipt of the in- § 236.913 Filing and approval of PSPs. formational filing, FRA: (a) Under what circumstances must a (i) Acknowledges receipt of the filing; PSP be prepared? A PSP must be pre- (ii) Acknowledges receipt of the in- pared for each product covered by this formational filing and requests further subpart. A joint PSP must be prepared information; or when: (iii) Acknowledges receipt of the fil- (1) The territory on which a product ing and notifies the railroad, for good covered by this subpart is normally cause, that the filing will be considered subject to joint operations, or is oper- as a petition for approval as set forth ated upon by more than one railroad; in paragraph (d) of this section, and re- and quests such further information as may (2) The PSP involves a change in be required to initiate action on the pe- method of operation. tition for approval. Examples of good

725

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00735 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.913 49 CFR Ch. II (10–1–11 Edition)

cause, any one of which is sufficient, provides a letter of preliminary review include: the PSP describes a product with detailed findings, including with unique architectural concepts; the whether the design concepts of the pro- PSP describes a product that uses de- posed product comply with the require- sign or safety assurance concepts con- ments of this subpart, whether design sidered outside existing accepted prac- modifications are necessary to meet tices (see appendix C); and the PSP de- the requirements of this subpart, and scribes a locomotive-borne product the extent and nature of the safety that commingles safety-critical train analysis necessary to comply with this control processing functions with loco- subpart. motive operational functions. In addi- (v) Not less than 60 days prior to use tion, good cause includes any instance of the product in revenue service, the where the PSP or PSP amendment railroad shall file with the Associate does not appear to support its safety Administrator for Safety a petition for claim of satisfaction of the perform- final approval. ance standard, after FRA has requested (vi) Within 30 days of receipt of the further information as provided in petition for final approval, the Asso- paragraph (c)(2)(ii) of this section. ciate Administrator for Safety either (d) What procedures apply to petitions acknowledges receipt or acknowledges for approval? The following procedures receipt and requests more information. apply to PSPs and PSP amendments Whenever possible, FRA acts on the pe- which require submission of a petition tition for final approval within 60 days for approval: of its filing by either granting it or de- (1) Petitions for approval involving nying it. If FRA neither grants nor de- prior FRA consultation. (i) The railroad nies the petition for approval within 60 may file a Notice of Product Develop- days, FRA advises the petitioner of the ment with the Associate Administrator projected time for decision and con- for Safety not less than 30 days prior to ducts any further consultations or in- the end of the system design review quiries necessary to decide the matter. phase of product development and 180 (2) Other petitions for approval. The days prior to planned implementation, following procedures apply to petitions inviting FRA to participate in the de- for approval of PSPs which do not in- sign review process and receive peri- volve prior FRA consultation as de- odic briefings and updates as needed to scribed in paragraph (d)(1) of this sec- follow the course of product develop- tion. ment. At a minimum, the Notice of (i) Not less than 180 days prior to use Product Development must contain a of a product in revenue service, the summary description of the product to railroad shall file with the Associate be developed and a brief description of Administrator for Safety a petition for goals for improved safety. approval. (ii) Within 15 days of receipt of the (ii) Within 60 days of receipt of the Notice of Product Development, the petition for approval, FRA either ac- Associate Administrator for Safety ei- knowledges receipt, or acknowledges ther acknowledges receipt or acknowl- receipt and requests more information. edges receipt and requests more infor- (iii) Whenever possible, considering mation. the scope, complexity, and novelty of (iii) If FRA concludes that the Notice the product or change, FRA acts on the of Product Development contains suffi- petition for approval within 180 days of cient information, the Associate Ad- its filing by either granting it or deny- ministrator for Safety determines the ing it. If FRA neither grants nor denies extent and nature of the assessment the petition for approval within 180 and review necessary for final product days, it remains pending, and FRA pro- approval. FRA may convene a tech- vides the petitioner with a statement nical consultation as necessary to dis- of reasons why the petition has not yet cuss issues related to the design and been approved. planned development of the product. (e) What role do product users play in (iv) Within 60 days of receiving the the process of safety review? (1) FRA will Notice of Product Development, the publish in the FEDERAL REGISTER peri- Associate Administrator for Safety odically a topic list including docket

726

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00736 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.913

numbers for informational filings and a associated with previously established petition summary including docket histories of safe operation; numbers for petitions for approval. (iv) The degree of rigor and precision (2) Interested parties may submit to associated with the safety analyses, in- FRA information and views pertinent cluding the comprehensiveness of the to FRA’s consideration of an informa- qualitative analyses, and the extent to tional filing or petition for approval. which any quantitative results realisti- FRA considers comments to the extent cally reflect appropriate sensitivity practicable within the periods set forth cases; in this section. In a proceeding consoli- (v) The extent to which validation of dated with a proceeding under part 235 the product has included experiments of this chapter, FRA considers all com- and tests to identify uncovered faults ments received. in the operation of the product; (f) Is it necessary to complete field test- (vi) The extent to which identified ing prior to filing the petition for ap- faults are effectively addressed; proval? A railroad may file a petition (vii) Whether the risk assessment for for approval prior to completion of the previous condition was conducted field testing of the product. The peti- using the same methodology as that tion for approval should additionally for operation under the proposed condi- include information sufficient for FRA tion; and to arrange monitoring of the tests. The (viii) If an independent third-party Associate Administrator for Safety assessment is required or is performed may approve a petition for approval at the election of the supplier or rail- contingent upon successful completion road, the extent to which the results of of the test program contained in the the assessment are favorable. PSP or hold the petition for approval (3) The Associate Administrator for pending completion of the tests. Safety also considers when assessing (g) How are PSPs approved? (1) The PSPs the safety requirements for the Associate Administrator for Safety product within the context of the pro- grants approval of a PSP when: posed method of operations, including: (i) The petition for approval has been (i) The degree to which the product is properly filed and contains the infor- relied upon as the primary safety sys- mation required in § 236.907; tem for train operations; and (ii) FRA has determined that the (ii) The degree to which the product PSP complies with the railroad’s ap- is overlaid upon and its operation is proved RSPP and applicable require- demonstrated to be independent of ments of this subpart; and safety-relevant rules, practices and (iii) The risk assessment supporting systems that will remain in place fol- the PSP demonstrates that the pro- lowing the change under review. posed product satisfies the minimum (4) As necessary to ensure compliance performance standard stated in with this subpart and with the RSPP, § 236.909. FRA may attach special conditions to (2) The Associate Administrator for the approval of the petition. Safety considers the following applica- (5) Following the approval of a peti- ble factors when evaluating the risk as- tion, FRA may reopen consideration of sessment: the petition for cause. Cause for re- (i) The extent to which recognized opening a petition includes such cir- standards have been utilized in product cumstances as a credible allegation of design and in the relevant safety anal- error or fraud, assumptions determined ysis; to be invalid as a result of in-service (ii) The availability of quantitative experience, or one or more unsafe data, including calculations of statis- events calling into question the safety tical confidence levels using accepted analysis underlying the approval. methods, associated with risk esti- (h) Under what circumstances may a mates; third-party assessment be required, and (iii) The complexity of the product by whom may it be conducted? (1) The and the extent to which it will incor- PSP must be supported by an inde- porate or deviate from design practices pendent third party assessment of the

727

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00737 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.915 49 CFR Ch. II (10–1–11 Edition)

product when FRA concludes it is nec- the approval of a PSP by the submis- essary based upon consideration of the sion of an informational filing by a following factors: railroad. The FRA will arrange to mon- (i) Those factors listed in paragraphs itor the tests based on the information (g)(2)(i) through (g)(2)(vii) of this sec- provided in the filing, which must in- tion; clude: (ii) The sufficiency of the assessment (i) A complete description of the or audit previously conducted at the product; election of a supplier or railroad; and (ii) An operational concepts docu- (iii) Whether applicable requirements ment; of subparts A through G of this part (iii) A complete description of the are satisfied. specific test procedures, including the (2) As used in this section, ‘‘inde- measures that will be taken to protect pendent third party’’ means a tech- trains and on-track equipment; nically competent entity responsible to (iv) An analysis of the applicability and compensated by the railroad (or an of the requirements of subparts A association on behalf of one or more through G of this part to the product railroads) that is independent of the that will not apply during testing; supplier of the product. An entity that (v) The date testing will begin; is owned or controlled by the supplier, (vi) The location of the testing; and that is under common ownership or (vii) A description of any effect the control with the supplier, or that is testing will have on the current meth- otherwise involved in the development od of operation. of the product is not considered ‘‘inde- (2) FRA may impose such additional pendent’’ within the meaning of this conditions on this testing as may be section. FRA may maintain a roster of necessary for the safety of train oper- recognized technically competent enti- ations. Exemptions from regulations ties as a service to railroads selecting other than those contained in this part reviewers under this section; however, must be requested through waiver pro- a railroad is not limited to entities cedures in part 211 of this chapter. currently listed on any such roster. (3) The third-party assessment must, [70 FR 11095, Mar. 7, 2005, as amended at 70 at a minimum, consist of the activities FR 72385, Dec. 5, 2005; 74 FR 25174, May 27, and result in production of documenta- 2009] tion meeting the requirements of Ap- pendix D to this part. However, when § 236.915 Implementation and operation. requiring an assessment pursuant to this section, FRA specifies any require- (a) When may a product be placed or re- ments in Appendix D to this part which tained in service? (1) Except as stated in the agency has determined are not rel- paragraphs (a)(2) and (a)(3) of this sec- evant to its concerns and, therefore, tion, a railroad may operate in revenue need not be included in the assessment. service any product 180 days after fil- The railroad shall make the final as- ing with FRA the informational filing sessment report available to FRA upon for that product. The FRA filing date request. can be found in FRA’s acknowledgment (i) How may a PSP be amended? A rail- letter referred to in § 236.913(c)(2). road may submit an amendment to a (2) Except as stated in paragraph PSP at any time in the same manner (a)(3) of this section, if FRA approval is as the initial PSP. Notwithstanding required for a product, the railroad the otherwise applicable requirements shall not operate the product in rev- found in this section and § 236.915, enue service until after the Associate changes affecting the safety-critical Administrator for Safety has approved functionality of a product may be made the petition for approval for that prod- prior to the submission and approval of uct pursuant to § 236.913. the PSP amendment as necessary in (3) If after product implementation order to mitigate risk. FRA elects, for cause, to treat the in- (j) How may field testing be conducted formational filing for the product as a prior to PSP approval? (1) Field testing petition for approval, the product may of a product may be conducted prior to remain in use if otherwise consistent

728

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00738 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.919

with the applicable law and regula- (3) Contractors of the railroad shall tions. FRA may impose special condi- maintain at a designated office train- tions for use of the product during the ing records pursuant to § 236.923(b). period of review for cause. (b) What actions must the railroad take (b) How does the PSP relate to oper- in the event of occurrence of a safety-relation of the product? Each railroad shall evant hazard? After the product is comply with all provisions in the PSP placed in service, the railroad shall for each product it uses and shall oper- maintain a database of all safety-relate within the scope of initial oper- evant hazards as set forth in the PSP ational assumptions and predefined and those that had not been previously changes identified by the PSP. Rail- identified in the PSP. If the frequency roads may at any time submit an of the safety-relevant hazards exceeds amended PSP according to the proce- the threshold set forth in the PSP (see dures outlined in § 236.913. § 236.907(a)(6)), then the railroad shall: (c) What precautions must be taken (1) Report the inconsistency in writ- prior to interference with the normal ing (by mail, facsimile, e-mail, or hand functioning of a product? The normal delivery to the Director, Office of Safe- functioning of any safety-critical prod- ty Assurance and Compliance, FRA, uct must not be interfered with in test- 1200 New Jersey Avenue, SE., Mail Stop 25, Washington, DC 20590, within 15 ing or otherwise without first taking days of discovery. Documents that are measures to provide for safe movement hand delivered must not be enclosed in of trains, locomotives, roadway work- an envelope; ers and on-track equipment that de- (2) Take prompt countermeasures to pend on normal functioning of such reduce the frequency of the safety-rel- product. evant hazard(s) below the threshold set (d) What actions must be taken imme- forth in the PSP; and diately upon failure of a safety-critical (3) Provide a final report to the FRA component? When any safety-critical Director, Office of Safety Assurance product component fails to perform its and Compliance, on the results of the intended function, the cause must be analysis and countermeasures taken to determined and the faulty component reduce the frequency of the safety-rel- adjusted, repaired, or replaced without evant hazard(s) below the threshold set undue delay. Until repair of such essen- forth in the PSP when the problem is tial components are completed, a rail- resolved. road shall take appropriate action as specified in the PSP. See also [70 FR 11095, Mar. 7, 2005, as amended at 74 §§ 236.907(d), 236.917(b). FR 25174, May 27, 2009]

§ 236.917 Retention of records. § 236.919 Operations and Maintenance Manual. (a) What life-cycle and maintenance (a) The railroad shall catalog and records must be maintained? (1) The rail- maintain all documents as specified in road shall maintain at a designated of- the PSP for the installation, mainte- fice on the railroad: nance, repair, modification, inspection, (i) For the life-cycle of the product, and testing of the product and have adequate documentation to dem- them in one Operations and Mainte- onstrate that the PSP meets the safety nance Manual, readily available to per- requirements of the railroad’s RSPP sons required to perform such tasks and applicable standards in this sub- and for inspection by FRA and FRA- part, including the risk assessment; certified State inspectors. and (b) Plans required for proper mainte- (ii) An Operations and Maintenance nance, repair, inspection, and testing Manual, pursuant to § 236.919; and of safety-critical products must be ade- (iii) Training records pursuant to quate in detail and must be made avail- § 236.923(b). able for inspection by FRA and FRA- (2) Results of inspections and tests certified State inspectors where such specified in the PSP must be recorded products are deployed or maintained. as prescribed in § 236.110. They must identify all software

729

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00739 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.921 49 CFR Ch. II (10–1–11 Edition)

versions, revisions, and revision dates. effectively complete their duties re- Plans must be legible and correct. lated to processor-based signal and (c) Hardware, software, and firmware train control equipment. revisions must be documented in the Operations and Maintenance Manual § 236.923 Task analysis and basic re- according to the railroad’s configura- quirements. tion management control plan and any (a) How must training be structured additional configuration/revision con- and delivered? As part of the program trol measures specified in the PSP. required by § 236.921, the employer (d) Safety-critical components, in- shall, at a minimum: cluding spare equipment, must be posi- (1) Identify the specific goals of the tively identified, handled, replaced, training program with regard to the and repaired in accordance with the target population (craft, experience procedures specified in the PSP. level, scope of work, etc.), task(s), and desired success rate; § 236.921 Training and qualification (2) Based on a formal task analysis, program, general. identify the installation, maintenance, (a) When is training necessary and who repair, modification, inspection, test- must be trained? Employers shall estab- ing, and operating tasks that must be lish and implement training and quali- performed on a railroad’s products. fication programs for products subject This includes the development of fail- to this subpart. These programs must ure scenarios and the actions expected meet the minimum requirements set under such scenarios; forth in the PSP and in §§ 236.923 (3) Develop written procedures for through 236.929 as appropriate, for the the performance of the tasks identi- following personnel: fied; (1) Persons whose duties include in- (4) Identify the additional knowledge, stalling, maintaining, repairing, modi- skills, and abilities above those re- fying, inspecting, and testing safety- quired for basic job performance nec- critical elements of the railroad’s prod- essary to perform each task; ucts, including central office, wayside, (5) Develop a training curriculum or onboard subsystems; that includes classroom, simulator, (2) Persons who dispatch train oper- computer-based, hands-on, or other for- ations (issue or communicate any man- mally structured training designed to datory directive that is executed or en- impart the knowledge, skills, and abili- forced, or is intended to be executed or ties identified as necessary to perform enforced, by a train control system each task; subject to this subpart); (6) Prior to assignment of related (3) Persons who operate trains or tasks, require all persons mentioned in serve as a train or engine crew member § 236.921(a) to successfully complete a subject to instruction and testing training curriculum and pass an exam- under part 217 of this chapter, on a ination that covers the product and ap- train operating in territory where a propriate rules and tasks for which train control system subject to this they are responsible (however, such subpart is in use; persons may perform such tasks under (4) Roadway workers whose duties re- the direct onsite supervision of a quali- quire them to know and understand fied person prior to completing such how a train control system affects training and passing the examination); their safety and how to avoid inter- (7) Require periodic refresher train- fering with its proper functioning; and ing at intervals specified in the PSP (5) The direct supervisors of persons that includes classroom, simulator, listed in paragraphs (a)(1) through computer-based, hands-on, or other for- (a)(4) of this section. mally structured training and testing, (b) What competencies are required? except with respect to basic skills for The employer’s program must provide which proficiency is known to remain training for persons who perform the high as a result of frequent repetition functions described in paragraph (a) of of the task; and this section to ensure that they have (8) Conduct regular and periodic eval- the necessary knowledge and skills to uations of the effectiveness of the

730

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00740 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.927

training program specified in (1) Familiarization with train control § 236.923(a)(1) verifying the adequacy of equipment onboard the locomotive and the training material and its validity the functioning of that equipment as with respect to current railroads prod- part of the system and in relation to ucts and operations. other onboard systems under that per- (b) What training records are required? son’s control; Employers shall retain records which (2) Any actions required of the on- designate persons who are qualified board personnel to enable, or enter under this section until new designa- data to, the system, such as consist tions are recorded or for at least one data, and the role of that function in year after such persons leave applica- the safe operation of the train; ble service. These records shall be kept (3) Sequencing of interventions by in a designated location and be avail- the system, including pre-enforcement able for inspection and replication by notification, enforcement notification, FRA and FRA-certified State inspec- penalty application initiation and tors. post-penalty application procedures; (4) Railroad operating rules applica- § 236.925 Training specific to control ble to the train control system, includ- office personnel. ing provisions for movement and pro- Any person responsible for issuing or tection of any unequipped trains, or communicating mandatory directives trains with failed or cut-out train con- in territory where products are or will trol onboard systems and other on- be in use must be trained in the fol- track equipment; lowing areas, as applicable: (5) Means to detect deviations from (a) Instructions concerning the inter- proper functioning of onboard train face between the computer-aided dis- control equipment and instructions re- patching system and the train control garding the actions to be taken with system, with respect to the safe move- respect to control of the train and noti- ment of trains and other on-track fication of designated railroad per- equipment; sonnel; and (b) Railroad operating rules applica- (6) Information needed to prevent un- ble to the train control system, includ- intentional interference with the prop- ing provision for movement and protec- er functioning of onboard train control tion of roadway workers, unequipped equipment. trains, trains with failed or cut-out (b) How must locomotive engineer train- train control onboard systems, and ing be conducted? Training required other on-track equipment; and under this subpart for a locomotive en- (c) Instructions concerning control of gineer, together with required records, trains and other on-track equipment in must be integrated into the program of case the train control system fails, in- training required by part 240 of this cluding periodic practical exercises or chapter. simulations, and operational testing (c) What requirements apply to full under part 217 of this chapter to ensure automatic operation? The following spe- the continued capability of the per- cial requirements apply in the event a sonnel to provide for safe operations train control system is used to effect under the alternative method of oper- full automatic operation of the train: ation. (1) The PSP must identify all safety hazards to be mitigated by the loco- § 236.927 Training specific to locomotive engineer. motive engineers and other oper- (2) The PSP must address and de- ating personnel. scribe the training required with provi- (a) What elements apply to operating sions for the maintenance of skills pro- personnel? Training provided under this ficiency. As a minimum, the training subpart for any locomotive engineer or program must: other person who participates in the (i) As described in § 236.923(a)(2), de- operation of a train in train control velop failure scenarios which incor- territory must be defined in the PSP porate the safety hazards identified in and the following elements must be ad- the PSP, including the return of train dressed: operations to a fully manual mode;

731

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00741 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.929 49 CFR Ch. II (10–1–11 Edition)

(ii) Provide training, consistent with vision of alternative methods of on- § 236.923(a), for safe train operations track safety in case the train control under all failure scenarios and identi- system fails, including periodic prac- fied safety hazards that affect train op- tical exercises or simulations and oper- erations; ational testing under part 217 of this (iii) Provide training, consistent with chapter to ensure the continued capa- § 236.923(a), for safe train operations bility of roadway workers to be free under manual control; and from the danger of being struck by a (iv) Consistent with § 236.923(a), en- moving train or other on-track equip- sure maintenance of manual train opment. erating skills by requiring manual starting and stopping of the train for Subpart I—Positive Train Control an appropriate number of trips and by Systems one or more of the following methods: (A) Manual operation of a train for a SOURCE: 75 FR 2699, Jan. 15, 2010, unless 4-hour work period; otherwise noted. (B) Simulated manual operation of a train for a minimum of 4 hours in a § 236.1001 Purpose and scope. Type I simulator as required; or (a) This subpart prescribes minimum, (C) Other means as determined fol- performance-based safety standards for lowing consultation between the rail- PTC systems required by 49 U.S.C. road and designated representatives of 20157, this subpart, or an FRA order, in- the affected employees and approved cluding requirements to ensure that by the FRA. The PSP must designate the development, functionality, archi- the appropriate frequency when man- tecture, installation, implementation, ual operation, starting, and stopping inspection, testing, operation, mainte- must be conducted, and the appropriate nance, repair, and modification of frequency of simulated manual oper- those PTC systems will achieve and ation. maintain an acceptable level of safety. This subpart also prescribes standards § 236.929 Training specific to roadway to ensure that personnel working with, workers. and affected by, safety-critical PTC (a) How is training for roadway workers system related products receive appro- to be coordinated with part 214? Training priate training and testing. required under this subpart for a road- (b) Each railroad may prescribe addi- way worker must be integrated into tional or more stringent rules, and the program of instruction required other special instructions, that are not under part 214, subpart C of this chap- inconsistent with this subpart. ter (‘‘Roadway Worker Protection’’), (c) This subpart does not exempt a consistent with task analysis require- railroad from compliance with any re- ments of § 236.923. This training must quirement of subparts A through H of provide instruction for roadway work- this part or parts 233, 234, and 235 of ers who provide protection for them- this chapter, unless: selves or roadway work groups. (1) It is otherwise explicitly excepted (b) What subject areas must roadway by this subpart; or worker training include? (1) Instruction (2) The applicable PTCSP, as defined for roadway workers must ensure an under § 236.1003 and approved by FRA understanding of the role of processor- under § 236.1015, provides for such an ex- based signal and train control equip- ception per § 236.1013. ment in establishing protection for roadway workers and their equipment. § 236.1003 Definitions. (2) Instruction for roadway workers (a) Definitions contained in subparts must ensure recognition of processor- G and H of this part apply equally to based signal and train control equip- this subpart. ment on the wayside and an under- (b) The following definitions apply to standing of how to avoid interference terms used only in this subpart unless with its proper functioning. otherwise stated: (3) Instructions concerning the rec- After-arrival mandatory directive ognition of system failures and the pro- means an authority to occupy a track

732

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00742 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1003

which is issued to a train that is not ef- Main line track exclusion addendum fective and not to be acted upon until (‘‘MTEA’’) means the document sub- after the arrival and passing of a train, mitted under §§ 236.1011 and 236.1019 re- or trains, specifically identified in the questing to designate track as other authority. than main line. Associate Administrator means the Medium speed means, Speed, medium, FRA Associate Administrator for Rail- as defined in subpart G of this part. road Safety/Chief Safety Officer. NPI means a Notice of Product Intent Class I railroad means a railroad (‘‘NPI’’) as further described in which in the last year for which reve- § 236.1013. nues were reported exceeded the PTC means positive train control as threshold established under regulations further described in § 236.1005. of the Surface Transportation Board PTCDP means a PTC Development (49 CFR part 1201.1–1 (2008)). Plan as further described in § 236.1013. Cleartext means the un-encrypted PTCIP means a PTC Implementation text in its original, human readable, Plan as required under 49 U.S.C. 20157 form. It is the input of an encryption and further described in § 236.1011. or encipher process, and the output of PTCPVL means a PTC Product Ven- an decryption or decipher process. dor List as further described in Controlling locomotive means Loco- § 236.1023. motive, controlling, as defined in § 232.5 PTCSP means a PTC Safety Plan as of this chapter. further described in § 236.1015. Host railroad means a railroad that PTC railroad means each Class I rail- has effective operating control over a road and each entity providing regu- segment of track. larly scheduled intercity or commuter Interoperability means the ability of a rail passenger transportation required controlling locomotive to commu- to implement or operate a PTC system. nicate with and respond to the PTC PTC System Certification means cer- railroad’s positive train control sys- tification as required under 49 U.S.C. tem, including uninterrupted move- 20157 and further described in §§ 236.1009 ments over property boundaries. and 236.1015. Limited operations means operations Request for Amendment (‘‘RFA’’) on main line track that have limited or means a request for an amendment of a no freight operations and are approved plan or system made by a PTC railroad to be excluded from this subpart’s PTC in accordance with § 236.1021. system implementation and operation Request for Expedited Certification requirements in accordance with (‘‘REC’’) means, as further described in § 236.1019(c); § 236.1031, a request by a railroad to re- Main line means, except as provided ceive expedited consideration for PTC in § 236.1019 or where all trains are lim- System Certification. ited to restricted speed within a yard Restricted speed means, Speed, re- or terminal area or on auxiliary or in- stricted, as defined in subpart G of this dustry tracks, a segment or route of part. railroad tracks: Safe State means a system state that, (1) Of a Class I railroad, as docu- when the system fails, cannot cause mented in current timetables filed by death, injury, occupational illness, or the Class I railroad with the FRA damage to or loss of equipment or under § 217.7 of this title, over which property, or damage to the environ- 5,000,000 or more gross tons of railroad ment. traffic is transported annually; or Segment of track means any part of (2) Used for regularly scheduled the railroad where a train operates. intercity or commuter rail passenger Temporal separation means that pas- service, as defined in 49 U.S.C. 24102, or senger and freight operations do not both. Tourist, scenic, historic, or ex- operate on any segment of shared track cursion operations as defined in part during the same period and as further 238 of this chapter are not considered defined under § 236.1019 and the process intercity or commuter passenger serv- or processes in place to assure that re- ice for purposes of this part. sult.

733

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00743 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1005 49 CFR Ch. II (10–1–11 Edition)

Tenant railroad means a railroad, § 236.1005 Requirements for Positive other than a host railroad, operating Train Control systems. on track upon which a PTC system is (a) PTC system requirements. Each required. PTC system required to be installed Track segment means segment of under this subpart shall: track. (1) Reliably and functionally prevent: Type Approval means a number as- (i) Train-to-train collisions—includ- signed to a particular PTC system indi- ing collisions between trains operating cating FRA agreement that the PTC over rail-to-rail at-grade crossings in system could fulfill the requirements accordance with the following risk- of this subpart. based table or alternative arrange- Train means one or more loco- ments providing an equivalent level of motives, coupled with or without cars. safety as specified in an FRA approved PTCSP:

Crossing type Max speed * Protection required

(A) Interlocking—one or more ≤ 40 miles per hour ...... Interlocking signal arrangement in accordance with the re- PTC routes intersecting with quirements of subparts A–G of this part and PTC enforced one or more non-PTC routes. stop on PTC routes. (B) Interlocking—one or more > 40 miles per hour ...... Interlocking signal arrangement in accordance with the re- PTC routes intersecting with quirements of subparts A–G of this part, PTC enforced one or more non-PTC routes. stop on all PTC routes, and either the use of other than full PTC technology that provides positive stop enforcement or a split-point derail incorporated into the signal system accompanied by 20 miles per hour maximum allowable speed on the approach of any intersecting non-PTC route. (C) Interlocking—all PTC Any speed ...... Interlocking signal arrangements in accordance with the re- routes intersecting. quirements of subparts A–G of this part, and PTC enforced stop on all routes.

(ii) Overspeed derailments, including (4) Provide an appropriate warning or derailments related to railroad civil enforcement when: engineering speed restrictions, slow or- (i) A derail or switch protecting ac- ders, and excessive speeds over switch- cess to the main line required by es and through turnouts; § 236.1007, or otherwise provided for in (iii) Incursions into established work the applicable PTCSP, is not in its de- zone limits without first receiving ap- railing or protecting position, respec- propriate authority and verification tively; from the dispatcher or roadway worker (ii) A mandatory directive is issued in charge, as applicable and in accord- associated with a highway-rail grade ance with part 214 of this chapter; and crossing warning system malfunction (iv) The movement of a train through as required by §§ 234.105, 234.106, or 234.107; a main line switch in the improper po- (iii) An after-arrival mandatory di- sition as further described in paragraph rective has been issued and the train or (e) of this section. trains to be waited on has not yet (2) Include safety-critical integration passed the location of the receiving of all authorities and indications of a train; wayside or cab signal system, or other (iv) Any movable bridge within the similar appliance, method, device, or route ahead is not in a position to system of equivalent safety, in a man- allow permissive indication for a train ner by which the PTC system shall pro- movement pursuant to § 236.312; and vide associated warning and enforce- (v) A hazard detector integrated into ment to the extent, and except as, de- the PTC system that is required by scribed and justified in the FRA ap- paragraph (c) of this section, or other- proved PTCDP or PTCSP, as applica- wise provided for in the applicable ble; PTCSP, detects an unsafe condition or (3) As applicable, perform the addi- transmits an alarm; and tional functions specified in this sub- (5) Limit the speed of passenger and part; freight trains to 59 miles per hour and

734

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00744 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1005

49 miles per hour, respectively, in areas (3) Addition of track segments. To the without broken rail detection or equiv- extent increases in freight rail traffic alent safeguards. occur subsequent to calendar year 2008 (b) PTC system installation. (1) Lines that might affect the requirement to required to be equipped. Except as other- install a PTC system on any line not wise provided in this subpart, each yet equipped, the railroad shall seek to Class I railroad and each railroad pro- amend its PTCIP by promptly filing an viding or hosting intercity or com- RFA in accordance with § 236.1021. The muter passenger service shall progres- following criteria apply: sively equip its lines as provided in its (i) If rail traffic exceeds 5 million approved PTCIP such that, on and gross tons in any year after 2008, the after December 31, 2015, a PTC system tonnage shall be calculated for the pre- certified under § 236.1015 is installed ceding two calendar years and if the and operated by the host railroad on total tonnage for those two calendar each: years exceeds 10 million gross tons, a (i) Main line over which is trans- PTCIP or its amendment is required. ported any quantity of material poi- (ii) If PIH traffic is carried on a track sonous by inhalation (PIH), including segment as a result of a request for rail anhydrous ammonia, as defined in service or rerouting warranted under §§ 171.8, 173.115 and 173.132 of this title; part 172 of this title, and if the line car- (ii) Main line used for regularly pro- ries in excess of 5 million gross tons of vided intercity or commuter passenger rail traffic as determined under this service, except as provided in § 236.1019; paragraph, a PTCIP or its amendment and is required. This does not apply when (iii) Additional line of railroad as re- temporary rerouting is authorized in quired by the applicable FRA approved accordance with paragraph (g) of this PTCIP, this subpart, or an FRA order section. requiring installation of a PTC system (iii) Once a railroad is notified by by that date. FRA that its RFA filed in accordance (2) Initial baseline identification of with this paragraph has been approved, lines. For the purposes of paragraph the railroad shall equip the line with (b)(1)(i) of this section, the baseline in- the applicable PTC system by Decem- formation necessary to determine ber 31, 2015, or within 24 months, whether a Class I railroad’s track seg- whichever is later. ment shall be equipped with a PTC sys- (4) Exclusion or removal of track seg- tem shall be determined and reported ments from PTC baseline—(i) Routing as follows: changes. In a PTCIP or an RFA, a rail- (i) The traffic density threshold of 5 road may request review of the require- million gross tons shall be based upon ment to install PTC on a track seg- calendar year 2008 gross tonnage, ex- ment where a PTC system is otherwise cept to the extent that traffic may fall required by this section, but has not below 5 million gross tons for two con- yet been installed, based upon changes secutive calendar years and a PTCIP or in rail traffic such as reductions in an RFA reflecting this change is filed total traffic volume or cessation of and approved under paragraph (b)(4) of passenger or PIH service. Any such re- this section and, if applicable, quest shall be accompanied by esti- § 236.1021. mated traffic projections for the next 5 (ii) The presence or absence of any years (e.g., as a result of planned re- quantity of PIH hazardous materials routing, coordinations, or location of shall be determined by whether one or new business on the line). Where the more cars containing such product(s) request involves prior or planned re- was transported over the track seg- routing of PIH traffic, the railroad ment in calendar year 2008 or prior to must provide a supporting analysis the filing of the PTCIP, except to the that takes into consideration the re- extent that the PTCIP or RFA justi- quirements of subpart I, part 172 of this fies, under paragraph (b)(4) of this sec- title, assuming the subject route and tion, removal of the subject track seg- each practicable alternative route to ment from the PTCIP listing of lines to be PTC-equipped, and including any be equipped. interline routing impacts.

735

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00745 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1005 49 CFR Ch. II (10–1–11 Edition)

(A) FRA will approve the exclusion (4) On which any train transporting a if, based upon data in the docket of the car containing PIH materials (includ- proceeding, FRA finds that it would be ing a residue car) is operated under consistent with safety as further pro- conditions of temporal separation from vided in this paragraph. other trains using the line segment as (1) In the case of a requested exclu- documented by a temporal separation sion based on cessation of passenger plan accompanying the request. As service or a decline in gross tonnage used in this paragraph, ‘‘temporal sepa- below 5 million gross tons as computed ration’’ has the same meaning given by over a 2-year period, the removal will § 236.1019(e), except that the separation be approved absent special cir- addressed is the separation of a train cumstances as set forth in writing carrying any number of cars con- (e.g., because of anticipated traffic taining PIH materials from other growth in the near future). freight trains. (2) In the case of current or planned (C) FRA will also consider, and may cessation of PIH materials traffic over approve, requests for relief under this a track segment, FRA will approve an paragraph for additional line segments exclusion of a line from the PTCIP if where each such segment carries less the railroad satisfies the requirements than 15 million gross tons annually and of § 236.1020. where it is established to the satisfac- (B) [Reserved] tion of the Associate Administrator (ii) Lines with de minimis PIH risk. (A) that risk mitigations will be applied In a PTCIP or RFA, a railroad may re- that will ensure that risk of a release quest review of the requirement to in- of PIH materials is negligible. stall PTC on a low density track seg- (D) Failure to submit sufficient in- ment where a PTC system is otherwise formation will result in the denial of required by this section, but has not any request under this paragraph yet been installed, based upon the pres- (b)(4)(ii). If the request is granted, on ence of a minimal quantity of PIH haz- and after the date the line would have ardous materials (less than 100 cars per otherwise been required to be equipped year, loaded and residue). Any such re- under the schedule contained in the quest shall be accompanied by esti- PTCIP and approved by FRA, oper- mated traffic projections for the next 5 ations on the line shall be conducted in years (e.g., as a result of planned re- accordance with any conditions at- routing, coordinations, or location of tached to the grant, including imple- new business on the line). Where the mentation of proposed mitigations as request involves prior or planned re- applicable. routing of PIH traffic, the railroad (5) Line sales. FRA does not approve must provide the information and anal- removal of a line from the PTCIP ex- ysis identified in paragraph (b)(4)(i) of clusively based upon a representation this section. The submission shall also that a track segment will be abandoned include a full description of potential or sold to another railroad. In the safety hazards on the segment of track event a track segment is approved for and fully describe train operations over abandonment or transfer by the Sur- the line. This provision is not applica- face Transportation Board, FRA will ble to lines segments used by intercity review at the request of the transfer- or commuter passenger service. ring and acquiring railroads whether (B) Absent special circumstances re- the requirement to install PTC on the lated to specific hazards presented by line should be removed given all of the operations on the line segment, FRA circumstances, including expected traf- will approve a request for relief under fic and hazardous materials levels, res- this paragraph for a rail line segment: ervation of trackage or haulage rights (1) Consisting exclusively of Class 1 by the transferring railroad, routing or 2 track as described in part 213 of analysis under part 172 of this chapter, this title; commercial and real property arrange- (2) That carries less than 15 million ments affecting the transferring and gross tons annually; acquiring railroads post-transfer, and (3) Has a ruling grade of less than 1 such other factors as may be relevant percent; and to continue safe operations on the line.

736

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00746 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1005

If FRA denies the request, the acquir- enforcements, and the state of the PTC ing railroad shall install the PTC sys- system (e.g., cut in, cut out, active, or tem on the schedule provided in the failed); and transferring railroad’s PTCIP, without (iii) Include examples of how the cap- regard to whether it is a Class I rail- tured data will be displayed during road. playback along with the format, con- (6) New rail passenger service. No new tent, and data retention duration re- intercity or commuter rail passenger quirements specified in the PTCSP service shall commence after December submitted and approved pursuant to 31, 2015, until a PTC system certified this paragraph. If such train control under this subpart has been installed data can be calibrated against other and made operative. data required by this part, it may, at (c) Hazard detectors. (1) All hazard de- the election of the railroad, be retained tectors integrated into a signal or in a separate memory module. train control system on or after Octo- (2) Each lead locomotive, as defined ber 16, 2008, shall be integrated into in part 229, manufactured and in serv- PTC systems required by this subpart; ice after October 1, 2009, that is and their warnings shall be appro- equipped and operating with a PTC sys- priately and timely enforced as de- tem required by this subpart, shall be scribed in the applicable PTCSP. equipped with an event recorder mem- (2) The applicable PTCSP must pro- ory module meeting the crash hard- vide for receipt and presentation to the ening requirements of § 229.135 of this locomotive engineer and other train chapter. crew members of warnings from any (3) Nothing in this subpart excepts additional hazard detectors using the compliance with any of the event re- PTC data network, onboard displays, corder requirements contained in and audible alerts. If the PTCSP so § 229.135 of this chapter. provides, the action to be taken by the system and by the crew members shall (e) Switch position. The following re- be specified. quirements apply with respect to deter- (3) The PTCDP (as applicable) and mining proper switch position under PTCSP for any new service described in this section. When a main line switch § 236.1007 to be conducted above 90 miles position is unknown or improperly per hour shall include a hazard anal- aligned for a train’s route in advance of ysis describing the hazards relevant to the train’s movement, the PTC system the specific route(s) in question (e.g., will provide warning of the condition potential for track obstruction due to associated with the following enforce- events such as falling rock or under- ment: mining of the track structure due to (1) A PTC system shall enforce re- high water or displacement of a bridge stricted speed over any switch: over navigable waters), the basis for (i) Where train movements are made decisions concerning hazard detectors with the benefit of the indications of a provided, and the manner in which wayside or cab signal system or other such additional hazard detectors will similar appliance, method, device, or be interfaced with the PTC system. system of equivalent safety proposed to (d) Event recorders. (1) Each lead loco- FRA and approved by the Associate motive, as defined in part 229, of a Administrator in accordance with this train equipped and operating with a part; and PTC system required by this subpart (ii) Where wayside or cab signal sys- must be equipped with an operative tem or other similar appliance, meth- event recorder, which shall: od, device, or system of equivalent (i) Record safety-critical train con- safety, requires the train to be oper- trol data routed to the locomotive en- ated at restricted speed. gineer’s display that the engineer is re- (2) A PTC system shall enforce a quired to comply with; positive stop short of any main line (ii) Specifically include text mes- switch, and any switch on a siding sages conveying mandatory directives, where the allowable speed is in excess maximum authorized speeds, PTC sys- of 20 miles per hour, if movement of tem brake warnings, PTC system brake the train over the switch:

737

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00747 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1005 49 CFR Ch. II (10–1–11 Edition)

(i) Is made without the benefit of the stricted speed rule (15 or 20 miles per indications of a wayside or cab signal hour). This application applies to: system or other similar appliance, (1) Operating conditions under which method, device, or system of equiva- trains are required by signal indication lent safety proposed to FRA and ap- or operating rule to: proved by the Associate Administrator (i) Stop before continuing; or in accordance with this part; or (ii) Reduce speed to restricted speed (ii) Would create an unacceptable and continue at restricted speed until risk. Unacceptable risk includes condi- encountering a more favorable indications when traversing the switch, even tion or as provided by operating rule. at low speeds, could result in direct (2) Operation of trains within the conflict with the movement of another limits of a joint mandatory directive. train (including a hand-operated cross- (g) Temporary rerouting. A train over between main tracks, a hand-oper- equipped with a PTC system as re- ated crossover between a main track quired by this subpart may be tempo- and an adjoining siding or auxiliary rarily rerouted onto a track not track, or a hand-operated switch pro- equipped with a PTC system and a viding access to another subdivision or train not equipped with a PTC system branch line, etc.). may be temporarily rerouted onto a (3) A PTC system required by this track equipped with a PTC system as subpart shall be designed, installed, required by this subpart in the fol- and maintained to perform the switch lowing circumstances: position detection and enforcement de- (1) Emergencies. In the event of an scribed in paragraphs (e)(1) and (e)(2) of emergency—including conditions such this section, except as provided for and as derailment, flood, fire, tornado, hur- justified in the applicable, FRA ap- ricane, earthquake, or other similar proved PTCDP or PTCSP. circumstance outside of the railroad’s (4) The control circuit or electronic control—that would prevent usage of equivalent for all movement authori- the regularly used track if: ties over any switches, movable-point (i) The rerouting is applicable only frogs, or derails shall be selected until the emergency condition ceases through circuit controller or function- to exist and for no more than 14 con- ally equivalent device operated di- secutive calendar days, unless other- rectly by the switch points, derail, or wise extended by approval of the Asso- by switch locking mechanism, or ciate Administrator; through relay or electronic device con- (ii) The railroad provides written or trolled by such circuit controller or telephonic notification to the applica- functionally equivalent device, for ble Regional Administrator of the in- each switch, movable-point frog, or de- formation listed in paragraph (i) of this rail in the route governed. Circuits or section within one business day of the electronic equivalent shall be arranged beginning of the rerouting made in ac- so that any movement authorities less cordance with this paragraph; and restrictive than those prescribed in (iii) The conditions contained in paragraphs (e)(1) and (e)(2) of this sec- paragraph (j) of this section are fol- tion can only be provided when each lowed. switch, movable-point frog, or derail in (2) Planned maintenance. In the event the route governed is in proper posi- of planned maintenance that would tion, and shall be in accordance with prevent usage of the regularly used subparts A through G of this part, un- track if: less it is otherwise provided in a (i) The maintenance period does not PTCSP approved under this subpart. exceed 30 days; (f) Train-to-train collision. A PTC sys- (ii) A request is filed with the appli- tem shall be considered to be config- cable Regional Administrator in ac- ured to prevent train-to-train colli- cordance with paragraph (i) of this sec- sions within the meaning of paragraph tion no less than 10 business days prior (a) of this section if trains are required to the planned rerouting; and to be operated at restricted speed and (iii) The conditions contained in if the onboard PTC equipment enforces paragraph (j) of this section are fol- the upper limits of the railroad’s re- lowed.

738

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00748 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1006

(h) Rerouting requests. (1) For the pur- plicable to the line on which the train poses of paragraph (g)(2) of this sec- is rerouted. tion, the rerouting request shall be (k) Rerouting cessation. The applicable self-executing unless the applicable Re- Regional Administrator may order a gional Administrator responds with a railroad to cease any rerouting pro- notice disapproving of the rerouting or vided under paragraph (g) or (h) of this providing instructions to allow rerout- section. ing. Such instructions may include providing additional information to [75 FR 2699, Jan. 15, 2010, as amended at 75 the Regional Administrator or Asso- FR 59117, Sept. 27, 2010] ciate Administrator prior to the com- § 236.1006 Equipping locomotives oper- mencement of rerouting. Once the Re- ating in PTC territory. gional Administrator responds with a notice under this paragraph, no rerout- (a) Except as provided in paragraph ing may occur until the Regional Ad- (b) of this section, each train operating ministrator or Associate Adminis- on any track segment equipped with a trator provides his or her approval. PTC system shall be controlled by a lo- (2) In the event the temporary re- comotive equipped with an onboard routing described in paragraph (g)(2) of PTC apparatus that is fully operative this section is to exceed 30 consecutive and functioning in accordance with the calendar days: applicable PTCSP approved under this (i) The railroad shall provide a re- subpart. quest in accordance with paragraphs (i) (b) Exceptions. (1) Prior to December and (j) of this section with the Asso- 31, 2015, each railroad required to in- ciate Administrator no less than 10 stall PTC shall include in its PTCIP business days prior to the planned re- specific goals for progressive imple- routing; and mentation of onboard systems and de- (ii) The rerouting shall not com- ployment of PTC-equipped locomotives mence until receipt of approval from such that the safety benefits of PTC the Associate Administrator. are achieved through incremental (i) Content of rerouting request. Each growth in the percentage of controlling notice or request referenced in para- locomotives operating on PTC lines graph (g) and (h) of this section must that are equipped with operative PTC indicate: onboard equipment. The PTCIP shall (1) The dates that such temporary re- include a brief but sufficient expla- routing will occur; nation of how those goals will be (2) The number and types of trains achieved, including assignment of re- that will be rerouted; sponsibilities within the organization. (3) The location of the affected The goals shall be expressed as the per- tracks; and centage of trains operating on PTC- (4) A description of the necessity for equipped lines that are equipped with the temporary rerouting. operative onboard PTC apparatus re- (j) Rerouting conditions. Rerouting of sponsive to the wayside, expressed as operations under paragraph (g) of this an annualized (calendar year) percent- section may occur under the following age for the railroad as a whole. conditions: (2) Each railroad shall adhere to its (1) Where a train not equipped with a PTCIP and shall report, on April 16, of PTC system is rerouted onto a track 2011, 2012, 2013, and 2014, its progress to- equipped with a PTC system, or a train ward achieving the goals set under not equipped with a PTC system that is paragraph (b)(1) of this section. In the compatible and functionally responsive event any annual goal is not achieved, to the PTC system utilized on the line the railroad shall further report the ac- to which the train is being rerouted, tions it is taking to ensure achieve- the train shall be operated in accord- ment of subsequent annual goals. ance with § 236.1029; or (3) On and after December 31, 2015, a (2) Where any train is rerouted onto train controlled by a locomotive with a track not equipped with a PTC sys- an onboard PTC apparatus that has tem, the train shall be operated in ac- failed en route is permitted to operate cordance with the operating rules ap- in accordance with § 236.1029.

739

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00749 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1007 49 CFR Ch. II (10–1–11 Edition)

(4) A train operated by a Class II or technology that includes all of the Class III railroad, including a tourist safety-critical functional attributes of or excursion railroad, and controlled a block signal system meeting the re- by a locomotive not equipped with an quirements of this part, including ap- onboard PTC apparatus is permitted to propriate fouling circuits and broken operate on a PTC-operated track seg- rail detection (or equivalent safe- ment: guards). (i) That either: (b) In addition to the requirements of (A) Has no regularly scheduled inter- paragraph (a) of this section, a host city or commuter passenger rail traf- railroad that conducts a freight or pas- fic; or senger operation at more than 90 miles (B) Has regularly scheduled intercity per hour shall: or commuter passenger rail traffic and (1) Have an approved PTCSP estab- the applicable PTCIP permits the oper- lishing that the system was designed ation of a train operated by a Class II and will be operated to meet the fail- or III railroad and controlled by a loco- safe operation criteria described in Ap- motive not equipped with an onboard pendix C to this part; and PTC apparatus; (2) Prevent unauthorized or unin- (ii) Where operations are restricted tended entry onto the main line from to four or less such unequipped trains any track not equipped with a PTC sys- per day, whereas a train conducting a tem compliant with this subpart by ‘‘turn’’ operation (e.g., moving to a placement of split-point derails or point of interchange to drop off or pick equivalent means integrated into the up cars and returning to the track PTC system; and owned by a Class II or III railroad) is (3) Comply with § 236.1029(c). considered two trains for this purpose; (c) In addition to the requirements of and paragraphs (a) and (b) of this section, a (iii) Where each movement shall ei- host railroad that conducts a freight or ther: passenger operation at more than 125 (A) Not exceed 20 miles in length; or miles per hour shall have an approved (B) To the extent any movement ex- PTCSP accompanied by a document ceeds 20 miles in length, such move- (‘‘HSR–125’’) establishing that the sys- ment is not permitted without the con- tem: trolling locomotive being equipped (1) Will be operated at a level of safe- with an onboard PTC system after De- ty comparable to that achieved over cember 31, 2020, and each applicable the 5 year period prior to the submis- Class II or III railroad shall report to sion of the PTCSP by other train con- FRA its progress in equipping each trol systems that perform PTC func- necessary locomotive with an onboard tions required by this subpart, and PTC apparatus to facilitate continu- which have been utilized on high-speed ation of the movement. The progress rail systems with similar technical and reports shall be filed not later than De- operational characteristics in the cember 31, 2017 and, if all necessary lo- United States or in foreign service, comotives are not yet equipped, on De- provided that the use of foreign service cember 31, 2019. data must be approved by the Asso- (c) When a train movement is con- ciate Administrator before submittal ducted under the exceptions described of the PTCSP; and in paragraph (b)(4) of this section, that (2) Has been designed to detect incur- movement shall be made in accordance sions into the right-of-way, including with § 236.1029. incidents involving motor vehicles di- verting from adjacent roads and § 236.1007 Additional requirements for bridges, where conditions warrant. high-speed service. (d) In addition to the requirements of (a) A PTC railroad that conducts a paragraphs (a) through (c) of this sec- passenger operation at or greater than tion, a host railroad that conducts a 60 miles per hour or a freight operation freight or passenger operation at more at or greater than 50 miles per hour than 150 miles per hour, which is gov- shall have installed a PTC system in- erned by a Rule of Particular Applica- cluding or working in concert with bility, shall have an approved PTCSP

740

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00750 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1009

accompanied by a HSR–125 developed (i) Separately file a PTCIP in accord- as part of an overall system safety plan ance with paragraph (a)(1); approved by the Associate Adminis- (ii) Notify the Associate Adminis- trator. trator that the subject railroads were (e) A railroad providing existing unable to agree on a PTCIP to be joint- high-speed passenger service may rely filed; quest in its PTCSP that the Associate (iii) Provide the Associate Adminis- Administrator excuse compliance with trator with a comprehensive list of all one or more requirements of this sec- issues not in agreement between the tion upon a showing that the subject railroads that would prevent the sub- service has been conducted with a high ject railroads from jointly filing the level of safety. PTCIP; and (iv) Confer with the Associate Ad- § 236.1009 Procedural requirements. ministrator to develop and submit a (a) PTC Implementation Plan (PTCIP). PTCIP mutually acceptable to all sub- (1) By April 16, 2010, each host railroad ject railroads. that is required to implement and oper- (b) Type Approval. Each host railroad, ate a PTC system in accordance with individually or jointly with others such § 236.1005(b) shall develop and submit in as a tenant railroad or system supplier, accordance with § 236.1011(a) a PTCIP shall file prior to or simultaneously for implementing a PTC system re- with the filing made in accordance quired under § 236.1005. Filing of the with paragraph (a) of this section: PTCIP shall not exempt the required (1) An unmodified Type Approval pre- filings of an NPI, PTCSP, PTCDP, or viously issued by the Associate Admin- Type Approval. istrator in accordance with § 236.1013 or (2) After April 16, 2010, a host railroad § 236.1031(b) with its associated docket shall file: number; (2) A PTCDP requesting a Type Ap- (i) A PTCIP if it becomes a host rail- proval for: road of a main line track segment for (i) A PTC system that does not have which it is required to implement and a Type Approval; or operate a PTC system in accordance (ii) A PTC system with a previously with § 236.1005(b); or issued Type Approval that requires one (ii) A request for amendment or more variances; (‘‘RFA’’) of its current and approved (3) A PTCSP subject to the condi- PTCIP in accordance with § 236.1021 if it tions set forth in paragraph (c) of this intends to: section, with or without a Type Ap- (A) Initiate a new category of service proval; or (i.e., passenger or freight); or (4) A document attesting that a Type (B) Add, subtract, or otherwise mate- Approval is not necessary since the rially modify one or more lines of rail- host railroad has no territory for which road for which installation of a PTC a PTC system is required under this system is required. subpart. (3) The host and tenant railroad(s) (c) Notice of Product Intent (NPI). A shall jointly file a PTCIP that address- railroad may, in lieu of submitting a es shared track: PTCDP, or referencing an already (i) If the host railroad is required to issued Type Approval, submit an NPI install and operate a PTC system on a describing the functions of the pro- segment of its track; and posed PTC system. If a railroad elects (ii) If the tenant railroad that shares to file an NPI in lieu of a PTCDP or the same track segment would have referencing an existing Type Approval been required to install a PTC system with the PTCIP, and the PTCIP is oth- if the host railroad had not otherwise erwise acceptable to the Associate Ad- been required to do so. ministrator, the Associate Adminis- (4) If railroads required to file a joint trator may grant provisional approval PTCIP are unable to jointly file a of the PTCIP. PTCIP in accordance with paragraphs (1) A provisional approval of a (a)(1) and (a)(3) of this section, then PTCIP, unless otherwise extended by each railroad shall: the Associate Administrator, is valid

741

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00751 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1009 49 CFR Ch. II (10–1–11 Edition)

for a period of 270 days from the date of road shall receive PTC System Certifi- approval by the Associate Adminis- cation for the subject PTC system and trator. shall implement the PTC system ac- (2) The railroad must submit an up- cording to the PTCSP. dated PTCIP with either a complete (4) A required PTC system shall not: PTCDP as defined in § 236.1013(a), an (i) Be used in service until it receives updated PTCIP referencing an already from FRA a PTC System Certification; approved Type Approval, or a full and PTCSP within 270 days after the ‘‘Pro- (ii) Receive a PTC System Certifi- visional Approval.’’ cation unless FRA receives and ap- (i) Within 90 days of receipt of an up- proves an applicable: dated PTCIP that was submitted with (A) PTCSP; or an NPI, the Associate Administrator (B) Request for Expedited Certifi- will approve or disapprove of the up- cation (REC) as defined by § 236.1031(a). dated PTCIP and notify in writing the (e) Plan contents. (1) No PTCIP shall affected railroad. If the updated PTCIP receive approval unless it complies is not approved, the notification will with § 236.1011. No railroad shall receive include the plan’s deficiencies. Within a Type Approval or PTC System Cer- 30 days of receipt of that notification, tification unless the applicable PTCDP the railroad or other entity that sub- or PTCSP, respectively, comply with mitted the plan shall correct all defi- §§ 236.1013 and 236.1015, respectively. ciencies and resubmit the plan in ac- (2) All materials filed in accordance cordance with this section and with this subpart must be in the § 236.1011, as applicable. English language, or have been trans- (ii) If an update to a ‘‘Provisionally lated into English and attested as true Approved’’ PTCIP is not received by and correct. the Associate Administrator by the end (3) Each filing referenced in this sec- of the period indicated in this para- tion may include a request for full or graph, the ‘‘Provisional Approval’’ partial confidentiality in accordance given to the PTCIP is automatically with § 209.11 of this chapter. If confiden- revoked. The revocation is retroactive tiality is requested as to a portion of to the date the original PTCIP and NPI any applicable document, then in addi- were first submitted to the Associate tion to the filing requirements under Administrator. § 209.11 of this chapter, the person filing (d) PTCSP and PTC System Certifi- the document shall also file a copy of cation. The following apply to each the original unredacted document, PTCSP and PTC System Certification. marked to indicate which portions are (1) A PTC System Certification for a redacted in the document’s confiden- PTC system may be obtained by sub- tial version without obscuring the mitting an acceptable PTCSP. If the original document’s contents. PTC system is the subject of a Type (f) Supporting documentation and infor- Approval, the safety case elements con- mation. (1) Issuance of a Type Approval tained in the PTCDP may be incor- or PTC System Certification is contin- porated by reference into the PTCSP, gent upon FRA’s confidence in the im- subject to finalization of the human plementation and operation of the sub- factors analysis contained in the ject PTC system. This confidence may PTCDP. be based on FRA-monitored field test- (2) Each PTCSP requirement under ing or an independent assessment per- § 236.1015 shall be supported by informa- formed in accordance with § 236.1035 or tion and analysis sufficient to establish § 236.1017, respectively. that the requirements of this subpart (2) Upon request by FRA, the railroad have been satisfied. requesting a Type Approval or PTC (3) If the Associate Administrator System Certification must engage in finds that the PTCSP and supporting field testing or independent assessment documentation support a finding that performed in accordance with § 236.1035 the system complies with this part, the or § 236.1017, respectively, to support Associate Administrator may approve the assertions made in any of the plans the PTCSP. If the Associate Adminis- submitted under this subpart. These trator approves the PTCSP, the rail- assertions include any of the plans’

742

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00752 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1011

content requirements under this sub- Certification has been requested or pro- part. vided; or (g) FRA conditions, reconsiderations, (2) To determine whether a railroad and modifications. (1) As necessary to has been in compliance with this sub- ensure safety, FRA may attach special part. conditions to approving a PTCIP or (i) Foreign regulatory entity issuing a Type Approval or PTC Sys- verification. Information that has been tem Certification. certified under the auspices of a for- (2) After granting a Type Approval or eign regulatory entity recognized by PTC System Certification, FRA may the Associate Administrator may, at reconsider the Type Approval or PTC the Associate Administrator’s sole dis- System Certification upon revelation cretion, be accepted as independently of any of the following factors con- Verified and Validated and used to sup- cerning the contents of the PTCDP or port each railroad’s development of the PTCSP: PTCSP. (i) Potential error or fraud; (j) Processing times for PTCDP and (ii) Potentially invalidated assump- PTCSP. tions determined as a result of in-serv- (1) Within 30 days of receipt of a ice experience or one or more unsafe PTCDP or PTCSP, the Associate Ad- events calling into question the safety ministrator will either acknowledge re- analysis supporting the approval. ceipt or acknowledge receipt and re- (3) During FRA’s reconsideration in quest more information. accordance with this paragraph, the (2) To the extent practicable, consid- PTC system may remain in use if oth- ering the scope, complexity, and nov- erwise consistent with the applicable elty of the product or change: law and regulations and FRA may im- (i) FRA will approve, approve with pose special conditions for use of the conditions, or deny the PTCDP within PTC system. 60 days of the date on which the (4) After FRA’s reconsideration in ac- PTCDP was filed; cordance with this paragraph, FRA (ii) FRA will approve, approve with may: conditions, or deny the PTCSP within (i) Dismiss its reconsideration and 180 days of the date on which the continue to recognize the existing FRA PTCSP was filed; approved Type Approval or PTC Sys- (iii) If FRA has not approved, ap- tem Certification; proved with conditions, or denied the (ii) Allow continued operations under PTCDP or PTCSP within the 60-day or such conditions the Associate Adminis- 180-day window, as applicable, FRA trator deems necessary to ensure safe- will provide the submitting party with ty; or a statement of reasons as to why the (iii) Revoke the Type Approval or submission has not yet been acted upon PTC System Certification and direct and a projected deadline by which an the railroad to cease operations where approval or denial will be issued and PTC systems are required under this any further consultations or inquiries subpart. will be resolved. (h) FRA access. The Associate Admin- istrator, or that person’s designated § 236.1011 PTC Implementation Plan content requirements. representatives, shall be afforded reasonable access to monitor, test, and in- (a) Contents. A PTCIP filed pursuant spect processes, procedures, facilities, to this subpart shall, at a minimum, documents, records, design and testing describe: materials, artifacts, training materials (1) The functional requirements that and programs, and any other informa- the proposed system must meet; tion used in the design, development, (2) How the PTC railroad intends to manufacture, test, implementation, comply with §§ 236.1009(c) and (d); and operation of the system, as well as (3) How the PTC system will provide interview any personnel: for interoperability of the system be- (1) Associated with a PTC system for tween the host and all tenant railroads which a Type Approval or PTC System on the track segments required to be

743

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00753 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1011 49 CFR Ch. II (10–1–11 Edition)

equipped with PTC systems under this (B) Include each tenant railroad’s re- subpart and: sponse to the host railroad’s written (i) Include relevant provisions of request made in accordance with para- agreements, executed by all applicable graph (a)(6)(iv)(A) of this section; railroads, in place to achieve interoper- (7) The number of wayside devices re- ability; quired for each track segment and the (ii) List all methods used to obtain installation schedule to complete way- interoperability; and side equipment installation by Decem- (iii) Identify any railroads with re- ber 31, 2015; spect to which interoperability agree- (8) Identification of each track segments have not been achieved as of the ment on the railroad as mainline or time the plan is filed, the practical ob- non-mainline track. If the PTCIP in- stacles that were encountered that pre- cludes an MTEA, as defined by vented resolution, and the further § 236.1019, the PTCIP should identify steps planned to overcome those obsta- the tracks included in the MTEA as cles; main line track with a reference to the (4) How, to the extent practical, the MTEA; PTC system will be implemented to ad- (9) To the extent the railroad deter- dress areas of greater risk to the public mines that risk-based prioritization re- and railroad employees before areas of quired by paragraph (a)(4) of this sec- lesser risk; tion is not practical, the basis for this (5) The sequence and schedule in determination; and which track segments will be equipped (10) The dates the associated PTCDP and the basis for those decisions, and and PTCSP, as applicable, will be sub- shall at a minimum address the fol- mitted to FRA in accordance with lowing risk factors by track segment: § 236.1009. (b) Additional Class I railroad PTCIP (i) Segment traffic characteristics requirements. Each Class I railroad shall such as typical annual passenger and include: freight train volume and volume of (1) In its PTCIP a strategy for full de- poison- or toxic-by-inhalation (PIH or ployment of its PTC system, describing TIH) shipments (loads, residue); the criteria that it will apply in identi- (ii) Segment operational characteris- fying additional rail lines on its own tics such as current method of oper- network, and rail lines of entities that ation (including presence or absence of it controls or engages in joint oper- a block signal system), number of ations with, for which full or partial tracks, and maximum allowable train deployment of PTC technologies is ap- speeds, including planned modifica- propriate, beyond those required to be tions; and equipped under this subpart. Such cri- (iii) Route attributes bearing on risk, teria shall include consideration of the including ruling grades and extreme policies established by 49 U.S.C. 20156 curvature; (railroad safety risk reduction pro- (6) The following information relat- gram), and regulations issued there- ing to rolling stock: under, as well as non-safety business (i) What rolling stock will be benefits that may accrue. equipped with PTC technology; (2) In the Technology Implementa- (ii) The schedule to equip that rolling tion Plan of its Risk Reduction Pro- stock by December 31, 2015; gram, when first required to be filed in (iii) All documents and information accordance with 49 U.S.C. 20156 and any required by § 236.1006; and regulation promulgated thereunder, a (iv) Unless the tenant railroad is fil- specification of rail lines selected for ing its own PTCIP, the host railroad’s full or partial deployment of PTC PTCIP shall: under the criteria identified in its (A) Attest that the host railroad has PTCIP. made a formal written request to each (3) Nothing in this paragraph shall be tenant railroad requesting identifica- construed to create an expectation or tion of each item of rolling stock to be requirement that additional rail lines PTC system equipped and the date each beyond those required to be equipped will be equipped; and by this subpart must be equipped or

744

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00754 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1013

that such lines will be equipped during (2) A description of the railroad oper- the period of primary implementation ation or categories of operations on ending December 31, 2015. which the PTC system is designed to be (4) As used in this paragraph, ‘‘par- used, including train movement den- tial implementation’’ of a PTC system sity (passenger, freight), operating refers to use, pursuant to subpart H of speeds (including a thorough expla- this part, of technology embedded in nation of intended compliance with PTC systems that does not employ all § 236.1007), track characteristics, and of the functionalities required by this railroad operating rules; subpart. (3) An operational concepts docu- (c) FRA review. Within 90 days of re- ment, including a list with complete ceipt of a PTCIP, the Associate Admin- descriptions of all functions which the istrator will approve or disapprove of PTC system will perform to enhance or the plan and notify in writing the af- preserve safety; fected railroad or other entity. If the (4) A document describing the man- PTCIP is not approved, the notification ner in which the PTC system architec- will include the plan’s deficiencies. ture satisfies safety requirements; Within 30 days of receipt of that notifi- (5) A preliminary human factors cation, the railroad or other entity analysis, including a complete descrip- that submitted the plan shall correct tion of all human-machine interfaces all deficiencies and resubmit the plan and the impact of interoperability re- in accordance with § 236.1009 and para- quirements on the same; graph (a) of this section, as applicable. (6) An analysis of the applicability to (d) Subpart H. A railroad that elects the PTC system of the requirements of to install a PTC system when not re- subparts A through G of this part that quired to do so may elect to proceed may no longer apply or are satisfied by under this subpart or under subpart H the PTC system using an alternative of this part. method, and a complete explanation of (e) Upon receipt of a PTCIP, NPI, the manner in which those require- PTCDP, or PTCSP, FRA posts on its ments are otherwise fulfilled; public web site notice of receipt and (7) A prioritized service restoration reference to the public docket in which and mitigation plan and a description a copy of the filing has been placed. of the necessary security measures for FRA may consider any public comment the system; on each document to the extent prac- (8) A description of target safety lev- ticable within the time allowed by law els (e.g., MTTHE for major subsystems and without delaying implementation as defined in subpart H of this part), in- of PTC systems. cluding requirements for system availability and a description of all backup (f) The PTCIP shall be maintained to methods of operation and any critical reflect the railroad’s most recent PTC assumptions associated with the target deployment plans until all PTC system levels; deployments required under this sub- (9) A complete description of how the part are complete. PTC system will enforce authorities [75 FR 2699, Jan. 15, 2010, as amended at 75 and signal indications; FR 59117, Sept. 27, 2010] (10) A description of the deviation which may be proposed under § 236.1013 PTC Development Plan and § 236.1029(c), if applicable; and Notice of Product Intent content re- (11) A complete description of how quirements and Type Approval. the PTC system will appropriately and (a) For a PTC system to obtain a timely enforce all integrated hazard Type Approval from FRA, the PTCDP detectors in accordance with shall be filed in accordance with § 236.1005(c)(3), if applicable. § 236.1009 and shall include: (b) If the Associate Administrator (1) A complete description of the PTC finds that the system described in the system, including a list of all PTC sys- PTCDP would satisfy the requirements tem components and their physical re- for PTC systems under this subpart and lationships in the subsystem or sys- that the applicant has made a reason- tem; able showing that a system built to the

745

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00755 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1015 49 CFR Ch. II (10–1–11 Edition)

stated requirements would achieve the ing that the system complies with this level of safety mandated for such a sys- part, the Associate Administrator ap- tem under § 236.1015, the Associate Ad- proves the PTCSP and issues a PTC ministrator may grant a numbered System Certification. Receipt of a PTC Type Approval for the system. System Certification affirms that the (c) Each Type Approval shall be valid PTC system has been reviewed and ap- for a period of 5 years, subject to auto- proved by FRA in accordance with, and matic and indefinite extension pro- meets the requirements of, this part. vided that at least one PTC System (b) A PTCSP submitted under this Certification using the subject PTC subpart may reference and utilize in system has been issued within that pe- accordance with this subpart any Type riod and not revoked. Approval previously issued by the As- (d) The Associate Administrator may sociate Administrator to any railroad, prescribe special conditions, amend- provided that the railroad: ments, and restrictions to any Type (1) Maintains a continually updated Approval as necessary for safety. PTCPVL pursuant to § 236.1023; (e) If submitted, an NPI must contain (2) Shows that the supplier from the following information: which they are procuring the PTC sys- (1) A description of the railroad oper- tem has established and can maintain a ation or categories of operations on quality control system for PTC system which the proposed PTC system is de- design and manufacturing acceptable signed to be used, including train to the Associate Administrator. The movement density (passenger, freight), quality control system must include operating speeds (including a thorough the process for the product supplier or explanation of intended compliance vendor to promptly and thoroughly re- with § 236.1007), track characteristics, port any safety-relevant failure and and railroad operating rules; previously unidentified hazards to each (2) An operational concepts docu- railroad using the product; and ment, including a list with complete (3) Provides the applicable licensing descriptions of all functions that the information. proposed PTC system will perform to (c) A PTCSP submitted in accordance enhance or preserve safety; with this subpart shall: (3) A description of target safety levels (e.g., MTTHE for major subsystems (1) Include the FRA approved PTCDP as defined in subpart H of this part), in- or, if applicable, the FRA issued Type cluding requirements for system avail- Approval; ability and a description of all backup (2)(i) Specifically and rigorously doc- methods of operation and any critical ument each variance, including the sig- assumptions associated with the target nificance of each variance between the levels; PTC system and its applicable oper- (4) A complete description of how the ating conditions as described in the ap- proposed PTC system will enforce au- plicable PTCDP from that as described thorities and signal indications; and in the PTCSP, and attest that there (5) A complete description of how the are no other such variances; or proposed PTC system will appro- (ii) Attest that there are no priately and timely enforce all inte- variances between the PTC system and grated hazard detectors in accordance its applicable operating conditions as with § 236.1005(c)(3), if applicable. described in the applicable PTCDP from that as described in the PTCSP; § 236.1015 PTC Safety Plan content re- and quirements and PTC System Certifi- (3) Attest that the system was other- cation. wise built in accordance with the appli- (a) Before placing a PTC system re- cable PTCDP and PTCSP and achieves quired under this part in service, the the level of safety represented therein. host railroad must submit to FRA a (d) A PTCSP shall include the same PTCSP and receive a PTC System Cer- information required for a PTCDP tification. If the Associate Adminis- under § 236.1013(a). If a PTCDP has been trator finds that the PTCSP and sup- filed and approved prior to filing of the porting documentation support a find- PTCSP, the PTCSP may incorporate

746

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00756 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1015

the PTCDP by reference, with the ex- equipment as necessary to ensure safe- ception that a final human factors ty; analysis shall be provided. The PTCSP (9) A complete description of the con- shall contain the following additional figuration or revision control measures elements: designed to ensure that the railroad or (1) A hazard log consisting of a com- its contractor does not adversely affect prehensive description of all safety-rel- the safety-functional requirements and evant hazards not previously addressed that safety-critical hazard mitigation by the vendor or supplier to be ad- processes are not compromised as a re- dressed during the life-cycle of the PTC sult of any such change; system, including maximum threshold (10) A complete description of all ini- limits for each hazard (for unidentified tial implementation testing procedures hazards, the threshold shall be exceed- necessary to establish that safety-func- ed at one occurrence); tional requirements are met and safe- (2) A description of the safety assur- ty-critical hazards are appropriately ance concepts that are to be used for mitigated; system development, including an ex- (11) A complete description of all planation of the design principles and post-implementation testing (valida- assumptions; tion) and monitoring procedures, in- (3) A risk assessment of the as-built cluding the intervals necessary to es- PTC system described; tablish that safety-functional require- (4) A hazard mitigation analysis, in- ments, safety-critical hazard mitiga- cluding a complete and comprehensive tion processes, and safety-critical tol- description of each hazard and the erances are not compromised over mitigation techniques used; time, through use, or after mainte- (5) A complete description of the nance (adjustment, repair, or replace- safety assessment and Verification and ment) is performed; Validation processes applied to the (12) A complete description of each PTC system, their results, and whether record necessary to ensure the safety these processes address the safety prin- of the system that is associated with ciples described in Appendix C to this periodic maintenance, inspections, part directly, using other safety cri- tests, adjustments, repairs, or replace- teria, or not at all; ments, and the system’s resulting con- (6) A complete description of the rail- ditions, including records of component road’s training plan for railroad and failures resulting in safety-relevant contractor employees and supervisors hazards (see § 236.1037); necessary to ensure safe and proper in- (13) A safety analysis to determine stallation, implementation, operation, whether, when the system is in oper- maintenance, repair, inspection, test- ation, any risk remains of an unin- ing, and modification of the PTC sys- tended incursion into a roadway work tem; zone due to human error. If the anal- (7) A complete description of the spe- ysis reveals any such risk, the PTCDP cific procedures and test equipment and PTCSP shall describe how that necessary to ensure the safe and proper risk will be mitigated; installation, implementation, oper- (14) A more detailed description of ation, maintenance, repair, inspection, any alternative arrangements as al- testing, and modification of the PTC ready provided under § 236.1005(a)(1)(i). system on the railroad and establish (15) A complete description of how safety-critical hazards are appro- the PTC system will enforce authori- priately mitigated. These procedures, ties and signal indications, unless al- including calibration requirements, ready completely provided for in the shall be consistent with or explain de- PTCDP; viations from the equipment manufac- (16) A description of how the PTCSP turer’s recommendations; complies with § 236.1019(f), if applicable; (8) A complete description of any ad- (17) A description of any deviation in ditional warning to be placed in the operational requirements for en route Operations and Maintenance Manual in failures as specified under § 236.1029(c), the same manner specified in § 236.919 if applicable and unless already com- and all warning labels to be placed on pletely provided for in the PTCDP;

747

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00757 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1015 49 CFR Ch. II (10–1–11 Edition)

(18) A complete description of how tem exists, as a replacement for an ex- the PTC system will appropriately and isting signal or train control system, timely enforce all integrated hazard or otherwise to replace or materially detectors in accordance with § 236.1005; modify the existing method of oper- (19) An emergency and planned main- ation, shall: tenance temporary rerouting plan indi- (i) Reliably execute the functions re- cating how operations on the subject quired by § 236.1005 and be dem- PTC system will take advantage of the onstrated to do so to FRA’s satisfac- benefits provided under § 236.1005(g) tion; and through (k); and (ii) Have a PTCSP establishing, with (20) The documents and information a high degree of confidence, that the required under §§ 236.1007 and 236.1033. system will not introduce new hazards (e) The following additional require- that have not been mitigated. The sup- ments apply to: porting risk assessment shall evaluate (1) Non-vital overlay. A PTC system all intended changes in railroad oper- proposed as an overlay on the existing ations in relation to the introduction method of operation and not built in of the new system and shall examine in accordance with the safety assurance detail the direct and indirect effects of principles set forth in appendix C of all changes in the method of oper- this part must, to the satisfaction of ations. the Associate Administrator, be shown (4) Mixed systems. If a PTC system to: combining overlay, stand-alone, vital, (i) Reliably execute the functions set or non-vital characteristics is pro- forth in § 236.1005; posed, the railroad shall confer with (ii) Obtain at least 80 percent reduc- the Associate Administrator regarding tion of the risk associated with acci- appropriate structuring of the safety dents preventable by the functions set case and analysis. forth in § 236.1005, when all effects of (f) When determining whether the the change associated with the PTC PTCSP fulfills the requirements under system are taken into account. The paragraph (d) of this section, the Asso- supporting risk assessment shall evalu- ciate Administrator may consider all ate all intended changes in railroad op- available evidence concerning the reli- erations coincident with the introduc- ability and availability of the proposed tion of the new system; and system and any and all safety con- (iii) Maintain a level of safety for sequences of the proposed changes. In each subsequent system modification any case where the PTCSP lacks ade- that is equal to or greater than the quate data regarding safety impacts of level of safety for the previous PTC the proposed changes, the Associate systems. Administrator may request the nec- (2) Vital overlay. A PTC system pro- essary data from the applicant. If the posed on a newly constructed track or requested data is not provided, the As- as an overlay on the existing method of sociate Administrator may find that operation and built in accordance with potential hazards could or will arise. the safety assurance principles set (g) If a PTCSP applies to a system forth in appendix C of this part must, designed to replace an existing cer- to the satisfaction of the Associate Ad- tified PTC system, the PTCSP will be ministrator, be shown to: approved provided that the PTCSP es- (i) Reliably execute the functions set tablishes with a high degree of con- forth in § 236.1005; and fidence that the new system will pro- (ii) Have sufficient documentation to vide a level of safety not less than the demonstrate that the PTC system, as level of safety provided by the system built, fulfills the safety assurance prin- to be replaced. ciples set forth in Appendix C of this (h) When reviewing the issue of the part. The supporting risk assessment potential data errors (for example, er- may be abbreviated as that term is rors arising from data supplied from used in subpart H of this part. other business systems needed to exe- (3) Stand-alone. A PTC system pro- cute the braking algorithm, survey posed on a newly constructed track, an data needed for location determina- existing track for which no signal sys- tion, or mandatory directives issued

748

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00758 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1019

through the computer-aided dis- pendent’’ within the meaning of this patching system), the PTCSP must in- section. clude a careful identification of each of (d) The independent third-party as- the risks and a discussion of each ap- sessment shall, at a minimum, consist plicable mitigation. In an appropriate of the activities and result in the pro- case, such as a case in which the resid- duction of documentation meeting the ual risk after mitigation is substantial requirements of Appendix F to this or the underlying method of operation part, unless excepted by this part or by will be significantly altered, the Asso- FRA order or waiver. ciate Administrator may require sub- (e) Information provided that has mission of a quantitative risk assess- been certified under the auspices of a ment addressing these potential errors. foreign railroad regulatory entity recognized by the Associate Adminis- § 236.1017 Independent third party trator may, at the Associate Adminis- Verification and Validation. trator’s discretion, be accepted as hav- (a) The PTCSP must be supported by ing been independently verified. an independent third-party assessment § 236.1019 Main line track exceptions. when the Associate Administrator concludes that it is necessary based upon (a) Scope and procedure. This section the criteria set forth in § 236.913, with pertains exclusively to exceptions from the exception that consideration of the the rule that trackage over which methodology used in the risk assess- scheduled intercity and commuter pas- ment (§ 236.913(g)(2)(vii)) shall apply senger service is provided is considered only to the extent that a comparative main line track requiring installation risk assessment was required. To the of a PTC system. One or more intercity or commuter passenger railroads, or extent practicable, FRA makes this de- freight railroads conducting joint pas- termination not later than review of senger and freight operation over the the PTCIP and the accompanying same segment of track may file a main PTCDP or PTCSP. If an independent line track exclusion addendum assessment is required, the assessment (‘‘MTEA’’) to its PTCIP requesting to may apply to the entire system or a designate track as not main line sub- designated portion of the system. ject to the conditions set forth in para- (b) If a PTC system is to undergo an graphs (b) or (c) of this section. No independent assessment in accordance track shall be designated as yard or with this section, the host railroad terminal unless it is identified in an may submit to the Associate Adminis- MTEA that is part of an FRA approved trator a written request that FRA con- PTCIP. firm whether a particular entity would (b) Passenger terminal exception. FRA be considered an independent third will consider an exception in the case party pursuant to this section. The re- of trackage used exclusively as yard or quest should include supporting infor- terminal tracks by or in support of reg- mation identified in paragraph (c) of ularly scheduled intercity or commuter this section. FRA may request further passenger service where the MTEA de- information to make a determination scribes in detail the physical bound- or provide its determination in writing. aries of the trackage in question, its (c) As used in this section, ‘‘inde- use and characteristics (including pendent third party’’ means a tech- track and signal charts) and all of the nically competent entity responsible to following apply: and compensated by the railroad (or an (1) The maximum authorized speed association on behalf of one or more for all movements is not greater than railroads) that is independent of the 20 miles per hour, and that maximum PTC system supplier and vendor. An is enforced by any available onboard entity that is owned or controlled by PTC equipment within the confines of the supplier or vendor, that is under the yard or terminal; common ownership or control with the (2) Interlocking rules are in effect supplier or vendor, or that is otherwise prohibiting reverse movements other involved in the development of the than on signal indications without dis- PTC system is not considered ‘‘inde- patcher permission; and

749

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00759 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1020 49 CFR Ch. II (10–1–11 Edition)

(3) Either of the following conditions review and approval. FRA may require exists: a collision hazard analysis to identify (i) No freight operations are per- hazards and may require that specific mitted; or mitigations be undertaken. Operations (ii) Freight operations are permitted under any such exception shall be con- but no passengers will be aboard pas- ducted subject to the terms and condi- senger trains within the defined limits. tions of the approval. Any main line (c) Limited operations exception. FRA track exclusion is subject to periodic will consider an exception in the case review. of a track segment used for limited op- (e) Temporal separation. As used in erations (operating in accordance with this section, temporal separation § 236.0 of this part) under one of the fol- means that limited passenger and lowing sets of conditions: freight operations do not operate on (1) The trackage is used for limited any segment of shared track during the operations by at least one passenger same period and also refers to the proc- railroad subject to at least one of the esses or physical arrangements, or following conditions: both, in place to ensure that temporal (i) All trains are limited to restricted separation is established and main- speed; tained at all times. The use of exclu- (ii) Temporal separation of passenger sive authorities under mandatory di- and other trains is maintained as pro- rectives is not, by itself, sufficient to vided in paragraph (e) of this section; establish that temporal separation is or achieved. Procedures to ensure tem- (iii) Passenger service is operated poral separation shall include under a risk mitigation plan submitted verification checks between passenger by all railroads involved in the joint and freight operations and effective operation and approved by FRA. The physical means to positively ensure risk mitigation plan must be supported segregation of passenger and freight by a risk assessment establishing that operations in accordance with this the proposed mitigations will achieve a paragraph. level of safety not less than the level of (f) PTCSP requirement. No PTCSP— safety that would obtain if the oper- filed after the approval of a PTCIP ations were conducted under paragraph with an MTEA—shall be approved by (c)(1) or (c)(2) of this section. FRA unless it attests that no changes, (2) Passenger service is operated on a except for those included in an FRA ap- segment of track of a freight railroad proved RFA, have been made to the in- that is not a Class I railroad on which formation in the PTCIP and MTEA re- less than 15 million gross tons of quired by paragraph (b) or (c) of this freight traffic is transported annually section. and on which one of the following con- (g) Designation modifications. If subse- ditions applies: quent to approval of its PTCIP or (i) If the segment is unsignaled and PTCSP the railroad seeks to modify no more than four regularly scheduled which track or tracks should be des- passenger trains are operated during a ignated as main line or not main line, calendar day, or it shall request modification of its (ii) If the segment is signaled (e.g., PTCIP or PTCSP, as applicable, in ac- equipped with a traffic control system, cordance with § 236.1021. automatic block signal system, or cab [75 FR 2699, Jan. 15, 2010, as amended at 75 signal system) and no more than 12 FR 59117, Sept. 27, 2010] regularly scheduled passenger trains are operated during a calendar day. § 236.1020 Exclusion of track segments (3) Not more than four passenger for implementation due to cessation trains per day are operated on a seg- of PIH materials service or rerout- ment of track of a Class I freight railing. road on which less than 15 million (a) Purpose and scope. This section gross tons of freight traffic is trans- sets forth the conditions under which ported annually. track segments identified in the 2008 (d) A limited operations exception baseline described in § 236.1005(b)(2) under paragraph (c) is subject to FRA may be removed from the PTCIP. A

750

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00760 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1020

track segment qualified for removal lated conditions for analysis. In deter- under this section may be removed mining whether risk is substantially after FRA approves a request con- the same, FRA will consider the vol- tained in the PTCIP or an RFA filed ume of traffic diverted, and such other prior to the required and scheduled factors as safety may require. PTC installation date for the subject (3) Residual risk. In the case of a track segment. track segment for which cessation of (b) Cessation of PIH materials service. local service is established under para- Except as provided in paragraph (c) of graph (b)(1) of this section and for this section, the following three condi- which analysis shows any overhead tions must all be satisfied in order to PIH materials traffic could properly be justify removal of a track segment rerouted under paragraph (b)(2) of this from the PTCIP: section, the railroad shall also estab- (1) Local service. The railroad must af- lish that the remaining risk arising firm that there is no remaining local from rail operations on the track seg- PIH materials traffic expected on the ment—pertaining to events that can be track segment, or that service is ex- prevented or mitigated in severity by a pected to cease as of a date certain PTC system—is less than the average prior to December 31, 2015. In the case equivalent risk per route mile on track of future cessation of local service, the segments required to be equipped with expectation may be documented by PTC because of annual gross tonnage statements from all current PIH mate- and the presence of PIH materials traf- rials shippers and/or consignees. The fic (excluding track segments also car- railroad is not required to anticipate rying passenger traffic). Such average future requests for service not in keep- equivalent risk shall be determined as ing with prior service patterns.(See of a time prior to installation of PTC § 236.1005(b)(3)). on the line segments. This provision of (2) Overhead traffic. (i) To the extent the rule requires a future rulemaking that the track segment carried PIH to finalize and implement a risk eval- materials traffic other than local traf- uation methodology. Lines identified fic in 2008, the railroad must establish for removal subject to this provision that current or prospective rerouting will not be required to be equipped to one or more alternate track seg- with PTC prior to the issuance of a ments is justified. In making this final rule detailing the methodology. showing, the railroad must assume, for (i) FRA will develop a risk evaluation purposes of analysis only, that both methodology for the purpose of con- the subject track segment and the al- ducting the analysis required pursuant ternative route(s) will be equipped and to paragraph (b)(3) of this section. The operated with PTC. Rerouting will be risk evaluation methodology will be fi- justified if the analysis is conducted in nalized through a separate rulemaking accordance with the same procedures proceeding that will permit all inter- and using the same methodology as re- ested parties to provide input on the quired for safety and security route specific methodology and, whether that analysis under 49 CFR 172.820, with ap- methodology should be employed. If in propriate quantitative weight given to the rulemaking proceeding FRA deter- risk reduction effected by installation mines that a risk methodology should of a PTC system. If the track segment not be employed, then FRA will amend in question is not clearly the route pos- this final rule to eliminate the residual ing the least overall safety and secu- risk provisions. rity risks, then removal of the line (ii) Any track segment qualifying for from the PTCIP may be granted. consideration under paragraph (b)(3) of (ii) However, unlike analysis under this section and identified by the rail- part 172, FRA will consider the case for road for requested removal from the rerouting and removal of the line from PTCIP shall be considered to be ‘‘pend- the PTCIP to be made if the alter- ing for decision’’ until such time as native(s) to the track segment sought FRA has published the risk evaluation to be removed has substantially the methodology identified in paragraph same overall safety and security risks (b)(3)(i) of this section. If a final risk as the subject routes under the stipu- evaluation methodology is employed,

751

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00761 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1021 49 CFR Ch. II (10–1–11 Edition)

the railroad may be requested to pro- (2) The proposed modifications; vide supplemental information related (3) The reasons for each modification; to its request for removal of specific (4) The changes to the PTCIP, lines. The railroad is not required to PTCDP, or PTCSP, as applicable; commence installation of PTC on any (5) Each modification’s effect on PTC track segment ‘‘pending for decision’’ system safety; under this paragraph, until a final FRA (6) An approximate timetable for fil- determination is made. ing of the PTCDP, PTCSP, or both, if (c) If a track segment qualifies for re- the amendment pertains to a PTCIP; moval from the PTCIP under para- and graphs (b)(1) and (b)(2) of this section but does not meet the test of paragraph (7) An explanation of whether each (b)(3) of this section, the railroad may change to the PTCSP is planned or un- nevertheless request that the PTCIP be planned. amended to remove the track segment (i) Unplanned changes that affect the based upon compensating reductions in Type Approval’s PTCDP require sub- the risk related to PTC-preventable ac- mission and approval in accordance cidents based on installation of PTC with § 236.1013 of a new PTCDP, fol- technology on one or more track seg- lowed by submission and approval in ments not otherwise required to be accordance with § 236.1015 of a new equipped. Upon a proper showing that PTCSP for the PTC system. the increment of risk reduction is at (ii) Unplanned changes that do not least as great on the substitute line as affect the Type Approval’s PTCDP re- it would be on the line sought to be ex- quire submission and approval of a new cluded from the PTCIP, FRA may ap- PTCSP. prove the substitution. (iii) Unplanned changes are changes affecting system safety that have not [75 FR 59117, Sept. 27, 2010] been documented in the PTCSP. The § 236.1021 Discontinuances, material impact of unplanned changes on PTC modifications, and amendments. system safety has not yet been deter- (a) No changes, as defined by this sec- mined. tion, to a PTC system, PTCIP, PTCDP, (iv) Planned changes may be imple- or PTCSP, shall be made unless: mented after they have undergone suit- (1) The railroad files a request for able regression testing to demonstrate, amendment (‘‘RFA’’) to the applicable to the satisfaction of the Associate Ad- PTCIP, PTCDP, or PTCSP with the As- ministrator, they have been correctly sociate Administrator; and implemented and their implementation (2) The Associate Administrator ap- does not degrade safety. proves the RFA. (v) Planned changes are changes af- (b) After approval of an RFA in ac- fecting system safety in the PTCSP cordance with paragraph (a) of this sec- and have been included in all required tion, the railroad shall immediately analysis under § 236.1015. The impact of adopt and comply with the amend- these changes on the PTC system’s ment. safety has been incorporated as an in- (c) In lieu of a separate filing under tegral part of the approved PTCSP part 235 of this chapter, a railroad may safety analysis. request approval of a discontinuance or (e) If the RFA includes a request for material modification of a signal or approval of a discontinuance or mate- train control system by filing an RFA rial modification of a signal or train to its PTCIP, PTCDP, or PTCSP with control system, FRA will publish a no- the Associate Administrator. tice in the FEDERAL REGISTER of the (d) An RFA made in accordance with application and will invite public com- this section will not be approved by ment in accordance with part 211 of FRA unless the request includes: this chapter. (1) The information listed in § 235.10 (f) When considering the RFA, FRA of this chapter and the railroad pro- will review the issue of the discontinu- vides FRA upon request any additional ance or material modification and de- information necessary to evaluate the termine whether granting the request RFA (see § 235.12), including: is in the public interest and consistent

752

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00762 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1023

with railroad safety, taking into con- approved PTCSP of this part, it is not sideration all changes in the method of necessary to file for approval to de- operation and system functionalities, crease the limits of a system when it both within normal PTC system avail- involves the: ability and in the case of a system (1) Decrease of the limits of a PTC failed state (unavailable), con- system when interlocked switches, de- templated in conjunction with installa- rails, or movable-point frogs are not in- tion of the PTC system. The railroad volved; submitting the RFA must, at FRA’s re- (2) Removal of an electric or mechan- quest, perform field testing in accord- ical lock, or signal used in lieu thereof, ance with § 236.1035 or engage in from hand-operated switch in a PTC Verification and Validation in accord- system where train speed over such ance with § 236.1017. switch does not exceed 20 miles per (g) FRA may issue at its discretion a hour, and use of those devices has not new Type Approval number for a PTC been part of the considerations for ap- system modified under this section. proval of a PTCSP; or (h) Changes requiring filing of an RFA. (3) Removal of an electric or mechan- Except as provided by paragraph (i), an RFA shall be filed to request the fol- ical lock, or signal used in lieu thereof, lowing: from a hand-operated switch in a PTC (1) Discontinuance of a PTC system, system where trains are not permitted or other similar appliance or device; to clear the main track at such switch (2) Decrease of the PTC system’s lim- and use of those devices has not been a its (e.g., exclusion or removal of a PTC part of the considerations for approval system on a track segment); of a PTCSP. (3) Modification of a safety critical (k) Modifications not requiring the fil- element of a PTC system; or ing of an RFA. When the resultant ar- (4) Modification of a PTC system that rangement will comply with an ap- affects the safety critical functionality proved PTCSP of this part, it is not of any other PTC system with which it necessary to file an application for ap- interoperates. proval of the following modifications: (i) Discontinuances not requiring the (1) A modification that is required to filing of an RFA. It is not necessary to comply with an order of the Federal file an RFA for the following Railroad Administration or any section discontinuances: of part 236 of this title; (1) Removal of a PTC system from (2) Installation of devices used to pro- track approved for abandonment by vide protection against unusual contin- formal proceeding; gencies such as landslide, burned (2) Removal of PTC devices used to bridges, high water, high and wide provide protection against unusual loads, or dragging equipment; contingencies such as landslide, burned (3) Elimination of existing track bridge, high water, high and wide load, other than a second main track; or tunnel protection when the unusual (4) Extension or shortening of a pass- contingency no longer exists; ing siding; or (3) Removal of the PTC devices that (5) The temporary or permanent ar- are used on a movable bridge that has been permanently closed by the formal rangement of existing systems neces- approval of another government agen- sitated by highway-rail grade separa- cy and is mechanically secured in the tion construction. Temporary arrange- closed position for rail traffic; or ments shall be removed within six (4) Removal of the PTC system from months following completion of con- service for a period not to exceed 6 struction. months that is necessitated by cata- strophic occurrence such as derail- § 236.1023 Errors and malfunctions. ment, flood, fire, or hurricane, or (a) Each railroad implementing a earthquake. PTC system on its property shall es- (j) Changes not requiring the filing of tablish and continually update a PTC an RFA. When the resultant change to Product Vendor List (PTCPVL) that the PTC system will comply with an includes all vendors and suppliers of

753

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00763 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1023 49 CFR Ch. II (10–1–11 Edition)

each PTC system, subsystem, compo- (e) After the product is placed in nent, and associated product, and proc- service, the railroad shall maintain a ess in use system-wide. The PTCPVL database of all safety-relevant hazards shall be made available to FRA upon as set forth in the PTCSP and those request. that had not previously been identified (b)(1) The railroad shall specify within the PTCSP. If the frequency of the in its PTCSP all contractual arrange- safety-relevant hazard exceeds the ments with hardware and software sup- thresholds set forth in the PTCSP, or pliers or vendors for immediate notifi- has not been previously identified in cation between the parties of any and the appropriate risk analysis, the rail- all safety-critical software failures, up- road shall: grades, patches, or revisions, as well as (1) Notify the applicable vendor or any hardware repairs, replacements, or supplier and FRA of the failure, mal- modifications for their PTC system, function, or defective condition that subsystems, or components. decreased or eliminated the safety (2) A vendor or supplier, on receipt of functionality; a report of any safety-critical failure (2) Keep the applicable vendor or sup- to their product, shall promptly notify plier and FRA apprised on a continual all other railroads that are using that basis of the status of any and all subse- product, whether or not the other rail- quent failures; and roads have experienced the reported (3) Take prompt counter measures to failure of that safety-critical system, reduce or eliminate the frequency of subsystem, or component. the safety-relevant hazards below the threshold identified in the PTCSP. (3) The notification from a supplier (f) Each notification to FRA required to any railroad shall include expla- by this section shall: nation from the supplier of the reasons (1) Be made within 15 days after the for such notification, the cir- vendor, supplier, or railroad discovers cumstances associated with the failure, the failure, malfunction, or defective and any recommended mitigation ac- condition. However, a report that is tions to be taken pending determina- due on a Saturday or a Sunday may be tion of the root cause and final correc- delivered on the following Monday and tive actions. one that is due on a holiday may be de- (c) The railroad shall: livered on the next business day; (1) Specify the railroad’s process and (2) Be transmitted in a manner and procedures in its PTCSP for action form acceptable to the Associate Ad- upon their receipt of notification of ministrator and by the most expedi- safety-critical failure, as well as re- tious method available; and ceipt of a safety-critical upgrade, (3) Include as much available and ap- patch, revision, repair, replacement, or plicable information as possible, in- modification. cluding: (2) Identify configuration/revision (i) PTC system name and model; control measures in its PTCSP that are (ii) Identification of the part, compo- designed to ensure the safety-func- nent, or system involved, including the tional requirements and the safety- part number as applicable; critical hazard mitigation processes (iii) Nature of the failure, malfunc- are not compromised as a result of any tions, or defective condition; change and that such a change can be (iv) Mitigation taken to ensure the audited. safety of train operation, railroad em- (d) The railroad shall provide to the ployees, and the public; and applicable vendor or supplier the rail- (v) The estimated time to correct the road’s procedures for action upon noti- failure. fication of a safety-critical failure, up- (4) In the event that all information grade, patch, or revision for the PTC required by paragraph (f)(3) of this sec- system, subsystem, component, prod- tion is not immediately available, the uct, or process, and actions to be taken non-available information shall be for- until the faulty system, subsystem, or warded to the Associate Administrator component has been adjusted, repaired as soon as practicable in supplemental or replaced. reports.

754

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00764 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1029

(g) Whenever any investigation of an § 236.1025 [Reserved] accident or service difficulty report shows that a PTC system or product is § 236.1027 PTC system exclusions. unsafe because of a manufacturing or (a) The requirements of this subpart design defect, the railroad and its ven- apply to each office automation system dor or supplier shall, upon request of that performs safety-critical functions the Associate Administrator, report to within, or affects the safety perform- the Associate Administrator the re- ance of, the PTC system. For purposes sults of its investigation and any ac- of this section, ‘‘office automation sys- tion taken or proposed to correct that tem’’ means any centralized or distrib- defect. uted computer-based system that di- (h) PTC system and product suppliers rectly or indirectly controls the active and vendors shall: movement of trains in a rail network. (1) Promptly report any safety-rel- (b) Changes or modifications to PTC evant failures or defective conditions, systems otherwise excluded from the previously unidentified hazards, and requirements of this subpart by this recommended mitigation actions in section do not exclude those PTC sys- their PTC system, subsystem, or com- tems from the requirements of this ponent to each railroad using the prod- subpart if the changes or modifications uct; and result in a degradation of safety or a (2) Notify FRA of any safety-relevant material decrease in safety-critical failure, defective condition, or pre- functionality. viously unidentified hazard discovered (c) Primary train control systems by the vendor or supplier and the iden- cannot be integrated with locomotive tity of each affected and notified rail- electronic systems unless the complete road. integrated systems: (i) The requirements of this section (1) Have been shown to be designed do not apply to failures, malfunctions, on fail-safe principles; or defective conditions that: (2) Have demonstrated to operate in a (1) Are caused by improper mainte- fail-safe mode; nance or improper usage; or (3) Have a manual fail-safe fallback (2) Have been previously identified to and override to allow the locomotive to the FRA, vendor or supplier, and appli- be brought to a safe stop in the event cable user railroads. of any loss of electronic control; and (j) When any safety-critical PTC sys- (4) Are included in the approved and tem, subsystem, or component fails to applicable PTCDP and PTCSP. perform its intended function, the (d) PTC systems excluded by this sec- cause shall be determined and the tion from the requirements of this sub- faulty product adjusted, repaired, or part remain subject to subparts A replaced without undue delay. Until through H of this part as applicable. corrective action is completed, a railroad shall take appropriate action to § 236.1029 PTC system use and en ensure safety and reliability as speci- route failures. fied within its PTCSP. (a) When any safety-critical PTC sys- (k) Any railroad experiencing a fail- tem component fails to perform its in- ure of a system resulting in a more fa- tended function, the cause must be de- vorable aspect than intended or other termined and the faulty component ad- condition hazardous to the movement justed, repaired, or replaced without of a train shall comply with the report- undue delay. Until repair of such essen- ing requirements, including the mak- tial components are completed, a railing of a telephonic report of an acci- road shall take appropriate action as dent or incident involving such failure, specified in its PTCSP. under part 233 of this chapter. Filing of (b) Where a PTC onboard apparatus one or more reports under part 233 of on a controlling locomotive that is op- this chapter does not exempt a rail- erating in or is to be operated within a road, vendor, or supplier from the re- PTC system fails or is otherwise cut- porting requirements contained in this out while en route (i.e, after the train section. has departed its initial terminal), the

755

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00765 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1031 49 CFR Ch. II (10–1–11 Edition)

train may only continue in accordance (d) Each railroad shall comply with with the following: all provisions in the applicable PTCDP (1) The train may proceed at re- and PTCSP for each PTC system it stricted speed, or if a block signal sys- uses and shall operate within the scope tem is in operation according to signal of initial operational assumptions and indication at medium speed, to the predefined changes identified. next available point where communica- (e) The normal functioning of any tion of a report can be made to a des- safety-critical PTC system must not be ignated railroad officer of the host rail- interfered with in testing or otherwise road; without first taking measures to pro- (2) Upon completion and communica- vide for the safe movement of trains, tion of the report required in para- locomotives, roadway workers, and on- graph (b)(1) of this section, or where track equipment that depend on the immediate electronic report of said normal functioning of the system. condition is appropriately provided by the PTC system itself, a train may con- (f) The PTC system’s onboard appa- tinue to a point where an absolute ratus shall be so arranged that each block can be established in advance of member of the crew assigned to per- the train in accordance with the fol- form duties in the locomotive can re- lowing: ceive the same PTC information dis- (i) Where no block signal system is in played in the same manner and execute use, the train may proceed at re- any functions necessary to that crew stricted speed, or member’s duties. The locomotive engi- (ii) Where a block signal system is in neer shall not be required to perform operation according to signal indica- functions related to the PTC system tion, the train may proceed at a speed while the train is moving that have the not to exceed medium speed. potential to distract the locomotive (3) Upon reaching the location where engineer from performance of other an absolute block has been established safety-critical duties. in advance of the train, as referenced in paragraph (b)(2) of this section, the § 236.1031 Previously approved PTC train may proceed in accordance with systems. the following: (a) Any PTC system fully imple- (i) Where no block signal system is in mented and operational prior to March use, the train may proceed at medium 16, 2010, may receive PTC System Cer- speed; however, if the involved train is tification if the applicable PTC rail- a passenger train or a train hauling road, or one or more system suppliers any amount of PIH material, it may and one or more PTC railroads, sub- only proceed at a speed not to exceed 30 mits a Request for Expedited Certifi- miles per hour. cation (REC) letter to the Associate (ii) Where a block signal system is in Administrator. The REC letter must do use, a passenger train may proceed at a one of the following: speed not to exceed 59 miles per hour (1) Reference a product safety plan and a freight train may proceed at a speed not to exceed 49 miles per hour. (PSP) approved by FRA under subpart (iii) Except as provided in paragraph H of this part and include a document (c), where a cab signal system with an fulfilling the requirements under automatic train control system is in §§ 236.1011 and 236.1013 not already in- operation, the train may proceed at a cluded in the PSP; speed not to exceed 79 miles per hour. (2) Attest that the PTC system has (c) In order for a train equipped with been approved by FRA and in operation PTC traversing a track segment for at least 5 years and has already re- equipped with PTC to deviate from the ceived an assessment of Verification operating limitations contained in and Validation from an independent paragraph (b) of this section, the devi- third party under part 236 or a waiver ation must be described and justified in supporting such operation; or the FRA approved PTCDP or PTCSP, (3) Attest that the PTC system is rec- or the Order of Particular Applica- ognized under an Order issued prior to bility, as applicable. March 16, 2010.

756

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00766 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1033

(b) If an REC letter conforms to para- vide cryptographic message integrity graph (a)(1) of this section, the Asso- and authentication. ciate Administrator, at his or her sole (b) Cryptographic keys required discretion, may also issue a new Type under paragraph (a) of this section Approval for the PTC system. shall: (c) In order to receive a Type Ap- (1) Use an algorithm approved by the proval or PTC System Certification National Institute of Standards (NIST) under paragraph (a) or (b) of this sec- or a similarly recognized and FRA ap- tion, the PTC system must be shown to proved standards body; reliably execute the functionalities re- (2) Be distributed using manual or quired by §§ 236.1005 and 236.1007 and automated methods, or a combination otherwise conform to this subpart. of both; and (d) Previous approval or recognition (3) Be revoked: of a train control system, together (i) If compromised by unauthorized with an established service history, disclosure of the cleartext key; or may, at the request of the PTC rail- (ii) When the key algorithm reaches road, and consistent with available its lifespan as defined by the standards safety data, be credited toward satis- body responsible for approval of the al- faction of the safety case requirements gorithm. set forth in this part for the PTCSP (c) The cleartext form of the cryp- with respect to all functionalities and tographic keys shall be protected from implementations contemplated by the unauthorized disclosure, modification, approval or recognition. or substitution, except during key (e) To the extent that the PTC sys- entry when the cleartext keys and key tem proposed for implementation components may be temporarily dis- under this subpart is different in sig- played to allow visual verification. nificant detail from the system pre- When encrypted keys or key compo- viously approved or recognized, the nents are entered, the cryptographi- changes shall be fully analyzed in the cally protected cleartext key or key PTCDP or PTCSP as would be the case components shall not be displayed. absent prior approval or recognition. (f) As used in this section— (d) Access to cleartext keys shall be (1) Approved refers to approval of a protected by a tamper resistant mecha- Product Safety Plan under subpart H nism. of this part. (e) Each railroad electing to also pro- (2) Recognized refers to official action vide cryptographic message confiden- permitting a system to be implemented tiality shall: for control of train operations under an (1) Comply with the same require- FRA order or waiver, after review of ments for message integrity and au- safety case documentation for the im- thentication under this section; and plementation. (2) Only use keys meeting or exceed- (g) Upon receipt of an REC, FRA will ing the security strength required to consider all safety case information to protect the data as defined in the rail- the extent feasible and appropriate, road’s PTCSP and required under given the specific facts before the agen- § 236.1013(a)(7). cy. Nothing in this section limits re- (f) Each railroad, or its vendor or use of any applicable safety case infor- supplier, shall have a prioritized serv- mation by a party other than the party ice restoration and mitigation plan for receiving: scheduled and unscheduled interrup- (1) A prior approval or recognition re- tions of service. This plan shall be in- ferred to in this section; or cluded in the PTCDP or PTCSP as re- (2) A Type Approval or PTC System quired by §§ 236.1013 or 236.1015, as appli- Certification under this subpart. cable, and made available to FRA upon request, without undue delay, for res- § 236.1033 Communications and secu- toration of communication services rity requirements. that support PTC system services. (a) All wireless communications be- (g) Each railroad may elect to impose tween the office, wayside, and onboard more restrictive requirements than components in a PTC system shall pro- those in this section, consistent with

757

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00767 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1035 49 CFR Ch. II (10–1–11 Edition)

interoperability requirements specified (c) Each contractor providing serv- in the PTCSP for the system. ices relating to the testing, maintenance, or operation of a PTC system § 236.1035 Field testing requirements. required to be installed under this sub- (a) Before any field testing of an part shall maintain at a designated of- uncertified PTC system, or a product of fice training records required under an uncertified PTC system, or any re- § 236.1039(b). gression testing of a certified PTC sys- (d) After the PTC system is placed in tem is conducted on the general rail service, the railroad shall maintain a system, the railroad requesting the database of all safety-relevant hazards testing must provide: as set forth in the PTCSP and PTCDP (1) A complete description of the PTC and those that had not been previously system; identified in either document. If the (2) An operational concepts docu- frequency of the safety-relevant haz- ment; ards exceeds the threshold set forth in (3) A complete description of the spe- either of these documents, then the cific test procedures, including the railroad shall: measures that will be taken to protect (1) Report the inconsistency in writ- trains and on-track equipment; ing by mail, facsimile, e-mail, or hand (4) An analysis of the applicability of delivery to the Director, Office of Safe- the requirements of subparts A ty Assurance and Compliance, FRA, through G of this part to the PTC sys- 1200 New Jersey Ave, SE, Mail Stop 25, tem that will not apply during testing; Washington, DC 20590, within 15 days of (5) The date the proposed testing discovery. Documents that are hand shall begin; delivered must not be enclosed in an (6) The test locations; and envelope; (7) The effect on the current method (2) Take prompt countermeasures to of operation the PTC system will or reduce the frequency of each safety-rel- may have under test. evant hazard to below the threshold set (b) FRA may impose additional test- forth in the PTCSP and PTCDP; and ing conditions that it believes may be (3) Provide a final report when the in- necessary for the safety of train oper- consistency is resolved to the FRA Di- ations. rector, Office of Safety Assurance and (c) Relief from regulations other than Compliance, on the results of the anal- from subparts A through G of this part ysis and countermeasures taken to re- that the railroad believes are necessary duce the frequency of the safety-rel- to support the field testing, must be re- evant hazard(s) below the threshold set quested in accordance with part 211 of forth in the PTCSP and PTCDP. this title. § 236.1039 Operations and Mainte- § 236.1037 Records retention. nance Manual. (a) Each railroad with a PTC system (a) The railroad shall catalog and required to be installed under this sub- maintain all documents as specified in part shall maintain at a designated of- the PTCDP and PTCSP for the instal- fice on the railroad: lation, maintenance, repair, modifica- (1) A current copy of each FRA ap- tion, inspection, and testing of the PTC proved Type Approval, if any, PTCDP, system and have them in one Oper- and PTCSP that it holds; ations and Maintenance Manual, read- (2) Adequate documentation to dem- ily available to persons required to per- onstrate that the PTCSP and PTCDP form such tasks and for inspection by meet the safety requirements of this FRA and FRA-certified state inspec- subpart, including the risk assessment; tors. (3) An Operations and Maintenance (b) Plans required for proper mainte- Manual, pursuant to § 236.1039; and nance, repair, inspection, and testing (4) Training and testing records pur- of safety-critical PTC systems must be suant to § 236.1043(b). adequate in detail and must be made (b) Results of inspections and tests available for inspection by FRA and specified in the PTCSP and PTCDP FRA-certified state inspectors where must be recorded pursuant to § 236.110. such PTC systems are deployed or

758

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00768 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT § 236.1043

maintained. They must identify all their safety and how to avoid inter- software versions, revisions, and revi- fering with its proper functioning; and sion dates. Plans must be legible and (5) The direct supervisors of persons correct. listed in paragraphs (a)(1) through (c) Hardware, software, and firmware (a)(4) of this section. revisions must be documented in the (b) Competencies. The employer’s pro- Operations and Maintenance Manual gram must provide training for persons according to the railroad’s configura- who perform the functions described in tion management control plan and any paragraph (a) of this section to ensure additional configuration/revision con- that they have the necessary knowl- trol measures specified in the PTCDP edge and skills to effectively complete and PTCSP. their duties related to operation and (d) Safety-critical components, in- maintenance of the PTC system. cluding spare equipment, must be posi- § 236.1043 Task analysis and basic re- tively identified, handled, replaced, quirements. and repaired in accordance with the procedures specified in the PTCDP and (a) Training structure and delivery. As PTCSP. part of the program required by (e) Each railroad shall designate in § 236.1041, the employer shall, at a min- its Operations and Maintenance Man- imum: (1) Identify the specific goals of the ual an appropriate railroad officer re- training program with regard to the sponsible for issues relating to sched- target population (craft, experience uled interruptions of service con- level, scope of work, etc.), task(s), and templated by § 236.1029. desired success rate; § 236.1041 Training and qualification (2) Based on a formal task analysis, program, general. identify the installation, maintenance, repair, modification, inspection, test- (a) Training program for PTC per- ing, and operating tasks that must be sonnel. Employers shall establish and performed on a railroad’s PTC systems. implement training and qualification This includes the development of fail- programs for PTC systems subject to ure scenarios and the actions expected this subpart. These programs must under such scenarios; meet the minimum requirements set (3) Develop written procedures for forth in the PTCDP and PTCSP in the performance of the tasks identi- §§ 236.1039 through 236.1045, as appro- fied; priate, for the following personnel: (4) Identify the additional knowledge, (1) Persons whose duties include in- skills, and abilities above those re- stalling, maintaining, repairing, modi- quired for basic job performance nec- fying, inspecting, and testing safety- essary to perform each task; critical elements of the railroad’s PTC (5) Develop a training and evaluation systems, including central office, way- curriculum that includes classroom, side, or onboard subsystems; simulator, computer-based, hands-on, (2) Persons who dispatch train oper- or other formally structured training ations (issue or communicate any man- designed to impart the knowledge, datory directive that is executed or en- skills, and abilities identified as nec- forced, or is intended to be executed or essary to perform each task; enforced, by a train control system (6) Prior to assignment of related subject to this subpart); tasks, require all persons mentioned in (3) Persons who operate trains or § 236.1041(a) to successfully complete a serve as a train or engine crew member training curriculum and pass an exam- subject to instruction and testing ination that covers the PTC system under part 217 of this chapter, on a and appropriate rules and tasks for train operating in territory where a which they are responsible (however, train control system subject to this such persons may perform such tasks subpart is in use; under the direct onsite supervision of a (4) Roadway workers whose duties re- qualified person prior to completing quire them to know and understand such training and passing the examina- how a train control system affects tion);

759

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00769 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 § 236.1045 49 CFR Ch. II (10–1–11 Edition)

(7) Require periodic refresher train- § 236.1047 Training specific to loco- ing and evaluation at intervals speci- motive engineers and other oper- fied in the PTCDP and PTCSP that in- ating personnel. cludes classroom, simulator, computer- (a) Operating personnel. Training pro- based, hands-on, or other formally vided under this subpart for any loco- structured training and testing, except motive engineer or other person who with respect to basic skills for which participates in the operation of a train proficiency is known to remain high as in train control territory shall be de- a result of frequent repetition of the fined in the PTCDP as well as the task; and PTCSP. The following elements shall (8) Conduct regular and periodic eval- be addressed: uations of the effectiveness of the (1) Familiarization with train control training program specified in equipment onboard the locomotive and § 236.1041(a)(1) verifying the adequacy of the functioning of that equipment as the training material and its validity part of the system and in relation to with respect to current railroads PTC other onboard systems under that per- systems and operations. son’s control; (b) Training records. Employers shall (2) Any actions required of the on- retain records which designate persons board personnel to enable, or enter who are qualified under this section data to, the system, such as consist until new designations are recorded or data, and the role of that function in for at least one year after such persons the safe operation of the train; leave applicable service. These records (3) Sequencing of interventions by shall be kept in a designated location the system, including pre-enforcement and be available for inspection and rep- notification, enforcement notification, lication by FRA and FRA-certified penalty application initiation and State inspectors post-penalty application procedures; (4) Railroad operating rules and test- § 236.1045 Training specific to office ing (part 217) applicable to the train control personnel. control system, including provisions (a) Any person responsible for issuing for movement and protection of any or communicating mandatory direc- unequipped trains, or trains with failed tives in territory where PTC systems or cut-out train control onboard sys- are or will be in use shall be trained in tems and other on-track equipment; the following areas, as applicable: (5) Means to detect deviations from (1) Instructions concerning the inter- proper functioning of onboard train face between the computer-aided dis- control equipment and instructions re- patching system and the train control garding the actions to be taken with system, with respect to the safe move- respect to control of the train and noti- ment of trains and other on-track fication of designated railroad per- equipment; sonnel; and (2) Railroad operating rules applica- (6) Information needed to prevent un- ble to the train control system, includ- intentional interference with the prop- ing provision for movement and protec- er functioning of onboard train control tion of roadway workers, unequipped equipment. trains, trains with failed or cut-out (b) Locomotive engineer training. train control onboard systems, and Training required under this subpart other on-track equipment; and for a locomotive engineer, together (3) Instructions concerning control of with required records, shall be inte- trains and other on-track equipment in grated into the program of training re- case the train control system fails, in- quired by part 240 of this chapter. cluding periodic practical exercises or (c) Full automatic operation. The fol- simulations, and operational testing lowing special requirements apply in under part 217 of this chapter to ensure the event a train control system is the continued capability of the per- used to effect full automatic operation sonnel to provide for safe operations of the train: under the alternative method of oper- (1) The PTCDP and PTCSP shall ation. identify all safety hazards to be miti- (b) [Reserved] gated by the locomotive engineer.

760

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00770 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. A

(2) The PTCDP and PTCSP shall ad- shall be integrated into the program of dress and describe the training re- training required under this chapter. quired with provisions for the maintenance of skills proficiency. As a min- § 236.1049 Training specific to road- imum, the training program must: way workers. (i) As described in § 236.1043(a)(2), de- (a) Roadway worker training. Training velop failure scenarios which incor- required under this subpart for a road- porate the safety hazards identified in way worker shall be integrated into the PTCDP and PTCSP including the the program of instruction required return of train operations to a fully under part 214, subpart C of this chap- manual mode; ter (‘‘Roadway Worker Protection’’), (ii) Provide training, consistent with consistent with task analysis require- § 236.1047(a), for safe train operations ments of § 236.1043. This training shall under all failure scenarios and identi- provide instruction for roadway work- fied safety hazards that affect train op- ers who provide protection for them- erations; selves or roadway work groups. (iii) Provide training, consistent with (b) Training subject areas. (1) Instruc- § 236.1047(a), for safe train operations tion for roadway workers shall ensure under manual control; and an understanding of the role of proc- (iv) Consistent with § 236.1047(a), en- essor-based signal and train control sure maintenance of manual train op- equipment in establishing protection erating skills by requiring manual for roadway workers and their equip- starting and stopping of the train for ment. an appropriate number of trips and by (2) Instruction for all roadway work- one or more of the following methods: ers working in territories where PTC is (A) Manual operation of a train for a required under this subpart shall en- 4-hour work period; sure recognition of processor-based sig- (B) Simulated manual operation of a nal and train control equipment on the train for a minimum of 4 hours in a wayside and an understanding of how Type I simulator as required; or to avoid interference with its proper (C) Other means as determined fol- functioning. lowing consultation between the rail- (3) Instructions concerning the rec- road and designated representatives of ognition of system failures and the pro- the affected employees and approved vision of alternative methods of on- by FRA. The PTCDP and PTCSP shall track safety in case the train control designate the appropriate frequency system fails, including periodic prac- when manual operation, starting, and tical exercises or simulations and oper- stopping must be conducted, and the ational testing under part 217 of this appropriate frequency of simulated chapter to ensure the continued capa- manual operation. bility of roadway workers to be free (d) Conductor training. Training re- from the danger of being struck by a quired under this subpart for a con- moving train or other on-track equip- ductor, together with required records, ment.

APPENDIX A TO PART 236—CIVIL PENALTIES 1

Willful viola- Section Violation tion

Subpart A—Rules and Instructions—All Systems

General: 236.0 Applicability, minimum requirements ...... $2,500 $5,000 236.1 Plans, where kept ...... 1,000 2,000 236.2 Grounds ...... 1,000 2,000 236.3 Locking of signal apparatus housings: (a) Power interlocking machine cabinet not secured against unauthorized entry ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.4 Interference with normal functioning of device ...... 5,000 7,500 236.5 Design of control circuits on closed circuit principle ...... 1,000 2,000 236.6 Hand-operated switch equipped with switch circuit controller ...... 1,000 2,000 236.7 Circuit controller operated by switch-and-lock movement ...... 1,000 2,000

761

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00771 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. A 49 CFR Ch. II (10–1–11 Edition)

Willful viola- Section Violation tion

236.8 Operating characteristics of electro-magnetic, electronic, or electrical apparatus ...... 1,000 2,000 236.9 Selection of circuits through indicating or annunciating instruments ...... 1,000 2,000 236.10 Electric locks, force drop type; where required ...... 1,000 2,000 236.11 Adjustment, repair, or replacement of component ...... 2,500 5,000 236.12 Spring switch signal protection; where required ...... 1,000 2,000 236.13 Spring switch; selection of signal control circuits through circuit controller ...... 1,000 2,000 236.14 Spring switch signal protection; requirements ...... 1,000 2,000 236.15 Timetable instructions ...... 1,000 2,000 236.16 Electric lock, main track releasing circuit:. (a) Electric lock releasing circuit on main track extends into fouling circuit where turnout not equipped with derail at clearance point either pipe-connected to switch or independently locked, electrically ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.17 Pipe for operating connections, requirements 1,000 2,000 236.18 Software management control plan:. Failure to develop and adopt a plan ...... $5,000 $10,000 Failure to fully implement plan ...... 5,000 10,000 Inadequate plan ...... 2,500 10,000 Roadway Signals and Cab Signals— 236.21 Location of roadway signals ...... 1,000 2,000 236.22 Semaphore signal arm; clearance to other objects ...... 1,000 2,000 236.23 Aspects and indications ...... 1,000 2,000 236.24 Spacing of roadway signals ...... 2,500 5,000 236.26 Buffing device, maintenance ...... 1,000 2,000 Track Circuits— 236.51 Track circuit requirements: (a) Shunt fouling circuit used where permissible speed through turnout greater than 45 m.p.h ...... 2,500 5,000 (b) Track relay not in de-energized position or device that functions as track relay not in its most restrictive state when train, locomotive, or car occupies any part of track circuit, except fouling section of turnout of hand-operated main-track crossover ...... 2,500 5,000 (c) other violations ...... 1,000 2,000 236.52 Relayed cut-section ...... 1,000 2,000 236.53 Track circuit feed at grade crossing ...... 1,000 2,000 236.54 Minimum length of track circuit ...... 1,000 2,000 236.55 Dead section; maximum length ...... 1,000 2,000 236.56 Shunting sensitivity ...... 2,500 5,000 236.57 Shunt and fouling wires: (a) Shunt or fouling wires do not consist of at least two discrete conductors ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.58 Turnout, fouling section: (a) Rail joint in shunt fouling section not bonded ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.59 Insulated rail joints ...... 1,000 2,000 236.60 Switch shunting circuit; use restricted ...... 2,500 5,000 Wires and Cables— 236.71 Signal wires on pole line and aerial cable ...... 1,000 2,000 236.73 Open-wire transmission line; clearance to other circuits ...... 1,000 2,000 236.74 Protection of insulated wire; splice in underground wire ...... 1,000 2,000 236.76 Tagging of wires and interference of wires or tags with signal apparatus ...... 1,000 2,000 Inspections and Tests; All Systems— 236.101 Purpose of inspection and tests; removal from service or relay or device failing to meet test requirements ...... 2,500 5,000 236.102 Semaphore or search-light signal mechanism ...... 1,000 2,000 236.103 Switch circuit controller or point detector ...... 1,000 2,000 236.104 Shunt fouling circuit ...... 1,000 2,000 236.105 Electric lock ...... 1,000 2,000 236.106 Relays ...... 1,000 2,000 236.107 Ground tests ...... 1,000 2,000 236.108 Insulation resistance tests, wires in trunking and cables: (a) Circuit permitted to function on a conductor having insulation resistance value less than 200,000 ohms ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.109 Time releases, timing relays and timing devices ...... 1,000 2,000 236.110 Results of tests ...... 1,000 2,000

Subpart B—Automatic Block Signal Systems

236.201 Track circuit control of signals ...... 1,000 2,000 236.202 Signal governing movements over hand-operated switch ...... 1,000 2,000 236.203 Hand-operated crossover between main tracks; protection ...... 1,000 2,000

762

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00772 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. A

Willful viola- Section Violation tion

236.204 Track signaled for movements in both directions, requirements ...... 1,000 2,000 236.205 Signal control circuits; requirements ...... 1,000 2,000 236.206 Battery or power supply with respect to relay; location ...... 1,000 2,000

Subpart C—Interlocking

236.207 Electric lock on hand-operated switch; control: (a) Approach or time locking of electric lock on hand-operated switch can be defeated by unauthorized use of emergency device which is not kept sealed in the non-release position ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.301 Where signals shall be provided ...... 1,000 2,000 236.302 Track circuits and route locking ...... 1,000 2,000 236.303 Control circuits for signals, selection through circuit controller operated by switch points or by switch locking mechanism ...... 1,000 2,000 236.304 Mechanical locking or same protection effected by circuits ...... 1,000 2,000 236.305 Approach or time locking ...... 1,000 2,000 236.306 Facing point lock or switch-and-lock movement ...... 1,000 2,000 236.307 Indication locking: 236.308 Mechanical or electric locking or electric circuits; requisites ...... 1,000 2,000 236.309 Loss of shunt protection; where required: (a) Loss of shunt of five seconds or less permits release of route locking of power-operated switch, movable point frog, or derail ...... 2,500 5,000 (b) Other violations ...... 1,000 2,000 236.310 Signal governing approach to home signal ...... 1,000 2,000 236.311 Signal control circuits, selection through track relays or devices functioning as track relays and through signal mechanism contacts and time releases at automatic interlocking ...... 1,000 2,000 236.312 Movable bridge, interlocking of signal appliances with bridge devices: (a) Emergency bypass switch or device not locked or sealed ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 236.314 Electric lock for hand-operated switch or derail: (a) Approach or time locking of electric lock at hand-operated switch or derail can be defeated by unauthorized use of emergency device which is not kept sealed in non-release position ...... 2,500 5,000 (b) other violations ...... 1,000 2,000 Rules and Instructions— 236.326 Mechanical locking removed or disarranged; requirement for permitting train movements through interlocking ...... 1,000 2,000 236.327 Switch, movable-point frog or split-point derail ...... 1,000 2,000 236.328 Plunger of facing-point ...... 1,000 2,000 236.329 Bolt lock ...... 1,000 2,000 236.330 Locking dog of switch and lock movement ...... 1,000 2,000 236.334 Point detector ...... 1,000 2,000 236.335 Dogs, stops and trunnions of mechanical locking ...... 1,000 2,000 236.336 Locking bed ...... 1,000 2,000 236.337 Locking faces of mechanical locking; fit ...... 1,000 2,000 236.338 Mechanical locking required in accordance with locking sheet and dog chart ...... 1,000 2,000 236.339 Mechanical locking; maintenance requirements ...... 1,000 2,000 236.340 Electromechanical interlocking machine; locking between electrical and mechanical levers ...... 1,000 2,000 236.341 Latch shoes, rocker links, and quadrants ...... 1,000 2,000 236.342 Switch circuit controller ...... 1,000 2,000 Inspection and Tests— 236.376 Mechanical locking ...... 1,000 2,000 236.377 Approach locking ...... 1,000 2,000 236.378 Time locking ...... 1,000 2,000 236.379 Route locking ...... 1,000 2,000 236.380 Indication locking ...... 1,000 2,000 236.381 Traffic locking ...... 1,000 2,000 236.382 Switch obstruction test ...... 1,000 2,000 236.383 Valve locks, valves, and valve magnets ...... 1,000 2,000 236.384 Cross protection 236.386 Restoring feature on power switches 236.387 Movable bridge locking ...... 1,000 2,000

Subpart D—Traffic Control Systems Standards

236.401 Automatic block signal system and interlocking standards applicable to traffic control systems: 236.402 Signals controlled by track circuits and control operator ...... 1,000 2,000 236.403 Signals at controlled point ...... 1,000 2,000 236.404 Signals at adjacent control points ...... 1,000 2,000

763

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00773 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. A 49 CFR Ch. II (10–1–11 Edition)

Willful viola- Section Violation tion

236.405 Track signaled for movements in both directions, change of direction of traffic ...... 1,000 2,000 236.407 Approach or time locking; where required ...... 1,000 2,000 236.408 Route locking ...... 1,000 2,000 236.410 Locking, hand-operated switch; requirements: (a) Hand-operated switch on main track not electrically or mechanically locked in normal position where signal not provided to govern movement to main track, movements made at speeds in excess of 20 m.p.h., and train or engine movements may clear main track ...... 2,500 5,000 (b) Hand-operated switch on signaled siding not electrically or mechanically locked in normal position where signal not provided to govern movements to signaled siding, train movements made at speeds in excess of 30 m.p.h., and train or engine movements may clear signaled siding ...... 2,500 5,000 (c) Approach or time locking of electric lock at hand-operated switch can be defeated by use of emergency release device of electric lock which is not kept sealed in non-release position ...... 2,500 5,000 (d) other violations ...... 1,000 2,000 Rules and Instructions— 236.426 Interlocking rules and instructions applicable to traffic control systems ...... 1,000 2,000 236.476 Interlocking inspections and tests applicable to traffic control systems ...... 1,000 2,000

Subpart E—Automatic Train Stop, Train Control and Cab Signal Systems Standards

236.501 Forestalling device and speed control ...... 1,000 2,000 236.502 Automatic brake application, initiation by restrictive block conditions stopping distance in advance ...... 1,000 2,000 236.503 Automatic brake application; initiation when predetermined rate of speed exceeded ...... 1,000 2,000 236.504 Operations interconnected with automatic block-signal system ...... 1,000 2,000 236.505 Proper operative relation between parts along roadway and parts on locomotive ...... 1,000 2,000 236.506 Release of brakes after automatic application ...... 1,000 2,000 236.507 Brake application; full service ...... 1,000 2,000 236.508 Interference with application of brakes by means of brake valve ...... 1,000 2,000 236.509 Two or more locomotives coupled ...... 1,000 2,000 236.511 Cab signals controlled in accordance with block conditions stopping distance in advance 1,000 2,000 236.512 Cab signal indication when locomotive enters blocks ...... 1,000 2,000 236.513 Audible indicator ...... 1,000 2,000 236.514 Interconnection of cab signal system with roadway signal system ...... 1,000 2,000 236.515 Visibility of cab signals ...... 1,000 2,000 236.516 Power supply ...... 1,000 2,000 Rules and Instructions; Roadway— 236.526 Roadway element not functioning properly ...... 2,500 5,000 236.527 Roadway element insulation resistance ...... 1,000 2,000 236.528 Restrictive condition resulting from open hand-operated switch; requirement ...... 1,000 2,000 236.529 Roadway element inductor; height and distance from rail ...... 1,000 2,000 236.531 Trip arm; height and distance from rail ...... 1,000 2,000 236.532 Strap iron inductor; use restricted ...... 1,000 2,000 236.534 Rate of pressure reduction; equalizing reservoir or brake pipe ...... 1,000 2,000 236.551 Power supply voltage ...... 1,000 2,000 236.552 Insulation resistance ...... 1,000 2,000 236.553 Seal, where required ...... 2,500 5,000 236.554 Rate of pressure reduction; equalizing reservoir or brake pipe ...... 1,000 2,000 236.555 Repaired or rewound receiver coil ...... 1,000 2,000 236.556 Adjustment of relay ...... 1,000 2,000 236.557 Receiver; location with respect to rail ...... 1,000 2,000 236.560 Contact element, mechanical trip type; location with respect to rail ...... 1,000 2,000 236.562 Minimum rail current required ...... 1,000 2,000 236.563 Delay time ...... 1,000 2,000 236.564 Acknowledging time ...... 1,000 2,000 236.565 Provision made for preventing operation of pneumatic brake-applying apparatus by double-heading clock; requirement ...... 1,000 2,000 236.566 Locomotive of each train operating in train stop, train control or cab signal territory; equipped ...... 5,000 7,500 236.567 Restrictions imposed when device fails and/or is cut out en route: (a) Report not made to designated officer at next available point of communication after automatic train stop, train control, or cab signal device fails and/or is cut en route ...... 5,000 7,500 (b) Train permitted to proceed at speed exceeding 79 m.p.h. where automatic train stop, train control, or cab signal device fails and/or is cut out en route when absolute block established in advance of train on which device is inoperative ...... 5,000 7,500 (c) other violations ...... 1,000 2,000 236.568 Difference between speeds authorized by roadway signal and cab signal; action ...... 1,000 2,000 Inspection and Tests; Roadway— 236.576 Roadway element ...... 1,000 2,000

764

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00774 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. A

Willful viola- Section Violation tion

236.577 Test, acknowledgement, and cut-in circuits ...... 1,000 2,000 Inspection and Tests; Locomotive— 236.586 Daily or after trip test ...... 2,500 5,000 236.587 Departure test: (a) Test of automatic train stop, train control, or cab signal apparatus on locomotive not made on departure of locomotive from initial terminal if equipment on locomotive not cut out between initial terminal and equipped territory ...... 5,000 7,500 (b) Test of automatic train stop, train control, or cab signal apparatus on locomotive not made immediately on entering equipped territory, if equipment on locomotive cut out between initial terminal and equipped territory ...... 5,000 7,500 (c) Automatic train stop, train control, or cab signal apparatus on locomotive making more than one trip within 24-hour period not given departure test within corresponding 24- hour period ...... 5,000 7,500 (d) other violations ...... 2,500 5,000 236.588 Periodic test ...... 2,500 5,000 236.589 Relays ...... 2,500 5,000 236.590 Pneumatic apparatus: (a) Automatic train stop, train control, or cab signal apparatus not inspected and cleaned at least once every 736 days ...... 2,500 5,000 (b) other violations ...... 1,000 2,000

Subpart F—Dragging Equipment and Slide Detectors and Other Similar Protective Devices; Standards

236.601 Signals controlled by devices; location ...... 1,000 2,000 Subpart H—Standards for Processor-Based Signal and Train Control Systems

236.905 Railroad Safety Program Plan (RSPP): Failure to develop and submit RSPP when required ...... 5,000 7,500 Failure to obtain FRA approval for a modification to RSPP ...... 5,000 7,500 236.907 Product Safety Plan (PSP): Failure to develop a PSP ...... 5,000 7,500 Failure to submit a PSP when required ...... 5,000 7,500 236.909 Minimum Performance Standard: Failure to make analyses or documentation available ...... 2,500 5,000 Failure to determine that the standard has been met ...... 5,000 7,500 236.913 Notification to FRA of PSPs: 2,500 5,000 Failure to prepare a PSP or PSP amendment as required ...... 5,000 7,500 Failure to submit a PSP or PSP amendment as required ...... 5,000 7,500 Field testing without authorization or approval ...... 10,000 20,000 236.915 Implementation and operation: (a) Operation of product without authorization or approval ...... 10,000 20,000 (b) Failure to comply with PSP ...... 2,500 5,000 (c) Interference with normal functioning safety-critical product ...... 7,500 15,000 (d) Failure to determine cause and adjust, repair or replace without undue delay or take appropriate action pending repair ...... 5,000 7,500 236.917 Retention of records: Failure to maintain records as required ...... 7,500 15,000 Failure to report inconsistency ...... 10,000 20,000 Failure to take prompt countermeasures ...... 10,000 20,000 Failure to provide final report ...... 2,500 5,000 236.919 Operations and Maintenance Manual ...... 3,000 6,000 236.921 Training and qualification program, general ...... 3,000 6,000 236.923 Task analysis and basic requirements: Failure to develop an acceptable training program ...... 2,500 5,000 Failure to train persons as required ...... 2,500 5,000 Failure to conduct evaluation of training program as required ...... 2,500 5,000 Failure to maintain records as required ...... 1,500 3,000 236.925 Training specific to control office personnel ...... 2,500 5,000 236.927 Training specific to locomotive engineers and other operating personnel ...... 2,500 5,000 236.929 Training specific to roadway workers ...... 2,500 5,000 Subpart I—Positive Train Control Systems

236.1005 Positive Train Control System Requirements: Failure to complete PTC system installation on track segment where PTC is required prior to 12/31/2015 ...... 16,000 25,000 Commencement of revenue service prior to obtaining PTC System Certification ...... 16,000 25,000 Failure of the PTC system to perform a safety-critical function required by this section ...... 5,000 7,500 Failure to provide notice, obtain approval, or follow a condition for temporary rerouting when required ...... 5,000 7,500 Exceeding the allowed percentage of controlling locomotives operating out of an initial terminal after receiving a failed initialization ...... 5,000 7,500 236.1006 Equipping locomotives operating in PTC territory:

765

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00775 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. A 49 CFR Ch. II (10–1–11 Edition)

Willful viola- Section Violation tion

Operating in PTC territory a controlling locomotive without a required and operative PTC onboard apparatus ...... 15,000 25,000 Failure to report as prescribed by this section ...... 5,000 7,500 Non-compliant operation of unequipped trains in PTC territory ...... 15,000 25,000 236.1007 Additional requirements for high-speed service: Operation of passenger trains at speed equal to or greater than 60 mph on non-PTC- equipped territory where required ...... 15,000 25,000 Operation of freight trains at speed equal to or greater than 50 mph on non-PTC-equipped territory where required ...... 15,000 25,000 Failure to fully implement incursion protection where required ...... 5,000 7,500 236.1009 Procedural requirements: Failure to file PTCIP when required ...... 5,000 7,500 Failure to amend PTCIP when required ...... 5,000 7,500 Failure to obtain Type Approval when required ...... 5,000 7,500 Failure to update NPI ...... 5,000 7,500 Operation of PTC system prior to system certification ...... 16,000 25,000 236.1011 PTCIP content requirements: Failure to install a PTC system in accordance with subpart I when so required ...... 11,000 16,000 236.1013 PTCDP content requirements and Type Approval: Failure to maintain quality control system ...... 5,000 7,500 Inappropriate use of Type Approval ...... 5,000 7,500 236.1015 PTCSP content requirements and PTC System Certification: Failure to implement PTC system in accordance with the associated PTCSP and resultant system certification ...... 16,000 25,000 Failure to maintain PTC system in accordance with the associated PTCSP and resultant system certification ...... 16,000 25,000 Failure to maintain required supporting documentation ...... 2,500 5,000 236.1017 Independent third party Verification and Validation: Failure to conduct independent third party Verification and Validation when ordered ...... 11,000 16,000 236.1019 Main line track exceptions: Revenue operations conducted in non-compliance with the passenger terminal exception 16,000 25,000 Revenue operations conducted in non-compliance with the limited operations exception ... 16,000 25,000 Failure to request modification of the PTCIP or PTCSP when required ...... 11,000 16,000 Revenue operations conducted in violation of (c)(2) ...... 16,000 25,000 Revenue operations conducted in violation of (c)(3) ...... 25,000 25,000 236.1021 Discontinuances, material modifications, and amendments: Failure to update PTCDP when required ...... 5,000 7,500 Failure to update PTCSP when required ...... 5,000 7,500 Failure to immediately adopt and comply with approved RFA ...... 5,000 7,500 Discontinuance or modification of a PTC system without approval when required ...... 11,000 16,000 236.1023 Errors and malfunctions: Railroad failure to provide proper notification of PTC system error or malfunction ...... 5,000 7,500 Failure to maintain PTCPVL ...... 2,500 5,000 Supplier failure to provide proper notification of previously identified PTC system error or malfunction ...... 5,000 7,500 Failure to provide timely notification ...... 5,000 7,500 Failure to provide appropriate protective measures in the event of PTC system failure ...... 15,000 25,000 236.1027 Exclusions: Integration of primary train control system with locomotive electronic system without approval ...... 5,000 7,500 236.1029 PTC system use and en route failures: Failure to determine cause of PTC system component failure without undue delay ...... 5,000 7,500 Failure to adjust, repair, or replace faulty PTC system component without undue delay ..... 5,000 7,500 Failure to take appropriate action pending adjustment, repair, or replacement of faulty PTC system component ...... 15,000 25,000 Non-compliant train operation within PTC-equipped territory with inoperative PTC onboard apparatus ...... 5,000 7,500 Interference with the normal functioning of safety-critical PTC system ...... 15,000 25,000 Improper arrangement of the PTC system onboard apparatus ...... 2,500 5,000 236.1033 Communications and security requirements: Failure to provide cryptographic message integrity and authentication ...... 5,000 7,500 Improper use of revoked cryptographic key ...... 5,000 15,000 Failure to protect cryptographic keys from unauthorized disclosure, modification, or substitution ...... 5,000 15,000 Failure to establish prioritized service restoration and mitigation plan for communication services ...... 5,000 7,500 236.1035 Field testing requirements: Field testing without authorization or approval ...... 10,000 20,000 236.1037 Records retention: Failure to maintain records and databases as required ...... 7,500 15,000 Failure to report inconsistency ...... 10,000 20,000 Failure to take prompt countermeasures ...... 10,000 20,000 Failure to provide final report ...... 2,500 5,000

766

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00776 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. B

Willful viola- Section Violation tion

236.1039 Operations and Maintenance Manual: Failure to implement and maintain Operations and Maintenance Manual as required ...... 3,000 6,000 236.1043 Task analysis and basic requirements: Failure to develop and maintain an acceptable training program ...... 10,000 20,000 Failure to train persons as required ...... 2,500 5,000 Failure to conduct evaluation of training program as required ...... 2,500 5,000 Failure to maintain records as required ...... 1,500 3,000 236.1045 Training specific to office control personnel: Failure to conduct training unique to office control personnel ...... 2,500 5,000 236.1047 Training specific to locomotive engineers and other operating personnel: Failure to conduct training unique to locomotive engineers and other operating personnel 2,500 5,000 236.1049 Training specific to roadway workers: Failure to conduct training unique to roadway workers ...... 2,500 5,000 1 A penalty may be assessed against an individual only for a willful violation. The Administrator reserves the right to assess a penalty of up to $100,000 for any violation where circumstances warrant. See 49 CFR part 209, appendix A.

[53 FR 52936, Dec. 29, 1988, as amended at 63 FR 11624, Mar. 10, 1998; 69 FR 30595, May 28, 2004; 70 FR 11104, Mar. 7, 2005; 73 FR 79704, Dec. 30, 2008; 75 FR 2715, Jan. 15, 2010]

APPENDIX B TO PART 236—RISK comparison. An abbreviated risk assessment ASSESSMENT CRITERIA must, as a minimum, clearly compute the MTTHE for all of the hazardous events iden- The safety-critical performance of each tified for both previous and current condi- product for which risk assessment is re- tions. The comparison between MTTHE for quired under this part must be assessed in both conditions is to determine whether the accordance with the following minimum cri- product implementation meets the safety teria or other criteria if demonstrated to the criteria as required by subpart H or subpart Associate Administrator for Safety to be I of this part as applicable. equally suitable: (d) What major system characteristics must be (a) How are risk metrics to be expressed? The included when relevant to risk assessment? risk metric for the proposed product must Each risk calculation must consider the describe with a high degree of confidence the total signaling and train control system and accumulated risk of a train control system method of operation, as subjected to a list of that operates over the designated life-cycle hazards to be mitigated by the signaling and of the product. Each risk metric for the pro- train control system. The methodology re- posed product must be expressed with an quirements must include the following major upper bound, as estimated with a sensitivity characteristics, when they are relevant to analysis, and the risk value selected must be the product being considered: demonstrated to have a high degree of con- (1) Track plan infrastructure, switches, fidence. rail crossings at grade and highway-rail (b) How does the risk assessment handle inter- grade crossings as applicable; action risks for interconnected subsystems/com- (2) Train movement density for freight, ponents? The risk assessment of each safety- work, and passenger trains where applicable critical system (product) must account not and computed over a time span of not less only for the risks associated with each sub- than 12 months; system or component, but also for the risks (3) Train movement operational rules, as associated with interactions (interfaces) be- enforced by the dispatcher, roadway worker/ tween such subsystems. Employee in Charge, and train crew behav- (c) What is the main principle in computing iors; risk for the previous and current conditions? (4) Wayside subsystems and components; The risk for the previous condition must be (5) Onboard subsystems and components; computed using the same metrics as for the (6) Consist contents such as hazardous ma- new system being proposed. A full risk as- terial, oversize loads; and sessment must consider the entire railroad (7) Operating speeds if the provisions of environment where the product is being ap- part 236 cite additional requirements for cer- plied, and show all aspects of the previous tain type of train control systems to be used condition that are affected by the installa- at such speeds for freight and passenger tion of the product, considering all faults, trains. operating errors, exposure scenarios, and (e) What other relevant parameters must be consequences that are related as described in determined for the subsystems and components? this part. For the full risk assessment, the In order to derive the frequency of hazardous total societal cost of the potential numbers events (or MTTHE) applicable for a product, of accidents assessed for both previous and subsystem or component included in the risk new system conditions must be computed for assessment, the railroad may use various

767

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00777 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. C 49 CFR Ch. II (10–1–11 Edition)

techniques, such as reliability and avail- (h) What assumptions must be documented for ability calculations for subsystems and com- risk assessment? (1) The railroad shall docu- ponents, Fault Tree Analysis (FTA) of the ment any assumptions regarding the deriva- subsystems, and results of the application of tion of risk metrics used. For example, for safety design principles as noted in Appendix the full risk assessment, all assumptions C to this part. The MTTHE is to be derived made about each value of the parameters for both fail-safe and non-fail-safe sub- used in the calculation of total cost of acci- systems or components. The lower bounds of dents should be documented. For abbreviated the MTTF or MTBF determined from the risk assessment, all assumptions made for system sensitivity analysis, which account MTHHE derivation using existing reliability for all necessary and well justified assump- and availability data on the current system tions, may be used to represent the estimate components should be documented. The rail- of MTTHE for the associated non-fail-safe road shall document these assumptions in subsystem or component in the risk assess- such a form as to permit later comparisons ment. with in-service experience. (f) How are processor-based subsystems/com- (2) The railroad shall document any as- ponents assessed? (1) An MTTHE value must sumptions regarding human performance. be calculated for each processor-based sub- The documentation shall be in such a form system or component, or both, indicating the as to facilitate later comparisons with in- safety-critical behavior of the integrated service experience. hardware/software subsystem or component, or both. The human factor impact must be (3) The railroad shall document any as- included in the assessment, whenever appli- sumptions regarding software defects. These cable, to provide the integrated MTTHE assumptions shall be in a form that permit value. The MTTHE calculation must con- the railroad to project the likelihood of de- sider the rates of failures caused by perma- tecting an in-service software defect. These nent, transient, and intermittent faults ac- assumptions shall be documented in such a counting for the fault coverage of the inte- form as to permit later comparisons with in- grated hardware/software subsystem or com- service experience. ponent, phased-interval maintenance, and (4) The railroad shall document all of the restoration of the detected failures. identified safety-critical fault paths to a (2) Software fault/failure analysis must be mishap as predicted by the safety analysis based on the assessment of the design and methodology. The documentation shall be in implementation of all safety-related soft- such a form as to facilitate later compari- ware including the application code, its oper- sons with in-service faults. ating/executive program, COTS software, and [75 FR 2717, Jan. 15, 2010 associated device drivers, as well as histor- ical performance data, analytical methods and experimental safety-critical perform- APPENDIX C TO PART 236—SAFETY ance testing performed on the subsystem or ASSURANCE CRITERIA AND PROCESSES component. The software assessment process must demonstrate through repeatable pre- (a) What is the purpose of this appendix? dictive results that all software defects have This appendix provides safety criteria and been identified and corrected by process with processes that the designer must use to de- a high degree of confidence. velop and validate the product that meets (g) How are non-processor-based subsystems/ safety requirements of this part. FRA uses components assessed? (1) The safety-critical the criteria and processes set forth in this behavior of all non-processor-based compo- appendix to evaluate the validity of safety nents, which are part of a processor-based targets and the results of system safety system or subsystem, must be quantified analyses provided in the RSPP, PSP, PTCIP, with an MTTHE metric. The MTTHE assess- PTCDP, and PTCSP documents as appro- ment methodology must consider failures priate. An analysis performed under this ap- caused by permanent, transient, and inter- pendix must: mittent faults, phase-interval maintenance (1) Address each of the safety principles of and restoration of operation after failures paragraph (b) of this appendix, or explain and the effect of fault coverage of each non- why they are not relevant, and processor-based subsystem or component. (2) Employ a validation and verification (2) MTTHE compliance verification and process pursuant to paragraph (c) of this ap- validation must be based on the assessment pendix. of the design for adequacy by a documented (b) What safety principles must be followed verification and validation process, histor- during product development? The designer ical performance data, analytical methods shall address each of the following safety and experimental safety-critical perform- considerations principles when designing and ance testing performed on the subsystem or demonstrating the safety of products covered component. The non-processor-based quan- by subpart H or I of this part. In the event tification compliance must be demonstrated that any of these principles are not followed, to have a high degree of confidence. the PSP or PTCDP or PTCSP shall state

768

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00778 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. C

both the reason(s) for departure and the al- undesirable, then the second failure must be ternative(s) utilized to mitigate or eliminate detected and the product must achieve a the hazards associated with the design prin- known safe state that eliminates the possi- ciple not followed. bility of false activation of any physical ap- (1) System safety under normal operating con- pliance. ditions. The system (all its elements includ- (v) Another concern of multiple failures in- ing hardware and software) must be designed volves common mode failures in which two to assure safe operation with no hazardous or more subsystems or components intended events under normal anticipated operating to compensate one another to perform the conditions with proper inputs and within the same function all fail by the same mode and expected range of environmental conditions. result in unsafe conditions. This is of par- All safety-critical functions must be per- ticular concern in instances in which two or formed properly under these normal condi- more elements (hardware or software, or tions. The system shall operate safely even both) are used in combination to ensure safe- in the absence of prescribed operator actions ty. If a common mode failure exists, then or procedures. The designer must identify any analysis performed under this appendix and categorize all hazards that may lead to cannot rely on the assumption that failures unsafe system operation. Hazards cat- are independent. Examples include: The use egorized as unacceptable, which are deter- of redundancy in which two or more ele- mined by hazard analysis, must be elimi- ments perform a given function in parallel nated by design. Best effort shall also be and when one (hardware or software) ele- made by the designer to eliminate by design ment checks/monitors another element (of the hazards categorized as undesirable. hardware or software) to help ensure its safe Those undesirable hazards that cannot be operation. Common mode failure relates to eliminated should be mitigated to the ac- independence, which must be ensured in ceptable level as required by this part. these instances. When dealing with the ef- (2) System safety under failures. fects of hardware failure, the designer shall (i) It must be shown how the product is de- address the effects of the failure not only on signed to eliminate or mitigate unsafe sys- other hardware, but also on the execution of tematic failures—those conditions which can the software, since hardware failures can be attributed to human error that could greatly affect how the software operates. occur at various stages throughout product (3) Closed loop principle. System design ad- development. This includes unsafe errors in hering to the closed loop principle requires the software due to human error in the soft- that all conditions necessary for the exist- ware specification, design, or coding phases; ence of any permissive state or action be human errors that could impact hardware verified to be present before the permissive design; unsafe conditions that could occur state or action can be initiated. Likewise the because of an improperly designed human- requisite conditions shall be verified to be machine interface; installation and mainte- continuously present for the permissive nance errors; and errors associated with state or action to be maintained. This is in making modifications. contrast to allowing a permissive state or (ii) The product must be shown to operate action to be initiated or maintained in the safely under conditions of random hardware absence of detected failures. In addition, failures. This includes single hardware fail- closed loop design requires that failure to ures as well as multiple hardware failures perform a logical operation, or absence of a that may occur at different times but remain logical input, output or decision shall not undetected (latent) and react in combination cause an unsafe condition, i.e. system safety with a subsequent failure at a later time to does not depend upon the occurrence of an cause an unsafe operating situation. In in- action or logical decision. stances involving a latent failure, a subse- (4) Safety assurance concepts. The product quent failure is similar to there being a sin- design must include one or more of the fol- gle failure. In the event of a transient fail- lowing Safety Assurance Concepts as de- ure, and if so designed, the system should re- scribed in IEEE–1483 standard to ensure that start itself if it is safe to do so. Frequency of failures are detected and the product is attempted restarts must be considered in the placed in a safe state. One or more different hazard analysis required by § 236.907(a)(8). principles may be applied to each individual (iii) There shall be no single point failures subsystem or component, depending on the in the product that can result in hazards cat- safety design objectives of that part of the egorized as unacceptable or undesirable. Oc- product. currence of credible single point failures (i) Design diversity and self-checking concept. that can result in hazards must be detected This concept requires that all critical func- and the product must achieve a known safe tions be performed in diverse ways, using di- state that eliminates the possibility of false verse software operations and/or diverse activation of any physical appliance. hardware channels, and that critical hard- (iv) If one non-self-revealing failure com- ware be tested with Self-Checking routines. bined with a second failure can cause a haz- Permissive outputs are allowed only if the ard that is categorized as unacceptable or results of the diverse operations correspond,

769

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00779 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. C 49 CFR Ch. II (10–1–11 Edition)

and the Self-Checking process reveals no ual unmitigated failures. In the event of crit- failures in either execution of software or in ical failures, the safety-critical functions any monitored input or output hardware. If and outputs must default to a known safe the diverse operations do not agree or if the state. checking reveals critical failures, safety- (5) Human factor engineering principle. The critical functions and outputs must default product design must sufficiently incorporate to a known safe state. human factors engineering that is appro- (ii) Checked redundancy concept. The priate to the complexity of the product; the Checked Redundancy concept requires imple- educational, mental, and physical capabili- mentation of two or more identical, inde- ties of the intended operators and maintain- pendent hardware units, each executing iden- ers; the degree of required human inter- tical software and performing identical func- action with the component; and the environ- tions. A means is to be provided to periodi- ment in which the product will be used. cally compare vital parameters and results (6) System safety under external influences. of the independent redundant units, requir- The product must be shown to operate safely ing agreement of all compared parameters to when subjected to different external influ- assert or maintain a permissive output. If ences, including: the units do not agree, safety-critical func- (i) Electrical influences such as power sup- tions and outputs must default to a known ply anomalies/transients, abnormal/improper safe state. input conditions (e.g., outside of normal (iii) N-version programming concept. This range inputs relative to amplitude and fre- concept requires a processor-based product quency, unusual combinations of inputs) in- to use at least two software programs per- cluding those related to a human operator, forming identical functions and executing and others such as electromagnetic inter- concurrently in a cycle. The software pro- ference or electrostatic discharges, or both; grams must be written by independent (ii) Mechanical influences such as vibra- teams, using different tools. The multiple tion and shock; and independently written software programs comprise a redundant system, and may be (iii) Climatic conditions such as tempera- executed either on separate hardware units ture and humidity. (which may or may not be identical) or with- (7) System safety after modifications. Safety in one hardware unit. A means is to be pro- must be ensured following modifications to vided to compare the results and output the hardware or software, or both. All or states of the multiple redundant software some of the concerns identified in this para- systems. If the system results do not agree, graph may be applicable depending upon the then the safety-critical functions and out- nature and extent of the modifications. Such puts must default to a known safe state. modifications must follow all of the concept, (iv) Numerical assurance concept. This con- design, implementation and test processes cept requires that the state of each vital pa- and principles as documented in the PSP for rameter of the product or system be unique- the original product. Regression testing ly represented by a large encoded numerical must be comprehensive and documented to value, such that permissive results are cal- include all scenarios which are affected by culated by pseudo-randomly combining the the change made, and the operating modes of representative numerical values of each of the changed product during normal and fail- the critical constituent parameters of a per- ure state (fallback) operation. missive decision. Vital algorithms must be (c) What standards are acceptable for entirely represented by data structures con- Verification and Validation? (1) The standards taining numerical values with verified char- employed for Verification or Validation, or acteristics, and no vital decisions are to be both, of products subject to this subpart made in the executing software, only by the must be sufficient to support achievement of numerical representations themselves. In the applicable requirements of subpart H and the event of critical failures, the safety-crit- subpart I of this part. ical functions and outputs must default to a (2) U.S. Department of Defense Military known safe state. Standard (MIL–STD) 882C, ‘‘System Safety (v) Intrinsic fail-safe design concept. Intrinsi- Program Requirements’’ (January 19, 1993), cally fail-safe hardware circuits or systems is recognized as providing appropriate risk are those that employ discrete mechanical analysis processes for incorporation into and/or electrical components. The fail-safe verification and validation standards. operation for a product or subsystem de- (3) The following standards designed for ap- signed using this principle concept requires a plication to processor-based signal and train verification that the effect of every relevant control systems are recognized as acceptable failure mode of each component, and rel- with respect to applicable elements of safety evant combinations of component failure analysis required by subpart H and subpart I modes, be considered, analyzed, and docu- of this part. The latest versions of the stand- mented. This is typically performed by a ards listed below should be used unless oth- comprehensive failure modes and effects erwise provided. analysis (FMEA) which must show no resid- (i) IEEE standards as follows:

770

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00780 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. D

(A) IEEE 1483–2000, Standard for the (4) Use of unpublished standards, including Verification of Vital Functions in Processor- proprietary standards, is authorized to the Based Systems Used in Rail Transit Control. extent that such standards are shown to (B) IEEE 1474.2–2003, Standard for user achieve the requirements of this part. How- interface requirements in communications ever, any such standards shall be available based train control (CBTC) systems. for inspection and replication by FRA and (C) IEEE 1474.1–2004, Standard for Commu- for public examination in any public pro- nications-Based Train Control (CBTC) Per- ceeding before the FRA to which they are formance and Functional Requirements. relevant. (ii) CENELEC Standards as follows: (5) The various standards provided in this (A) EN50129: 2003, Railway Applications: paragraph are for illustrative purposes only. Communications, Signaling, and Processing Copies of these standards can be obtained in Systems-Safety Related Electronic Systems accordance with the following: for Signaling; and (B) EN50155:2001/A1:2002, Railway Applica- (i) U.S. government standards and tech- tions: Electronic Equipment Used in Rolling nical publications may be obtained by con- Stock. tacting the federal National Technical Infor- (iii) ATCS Specification 200 Communica- mation Service, 5301 Shawnee Rd, Alexan- tions Systems Architecture. dria, VA 22312. (iv) ATCS Specification 250 Message For- (ii) U.S. National Standards may be ob- mats. tained by contacting the American National (v) AREMA 2009 Communications and Sig- Standards Institute, 25 West 43rd Street, 4 nal Manual of Recommended Practices, Part Floor, New York, NY 10036. 16, Part 17, 21, and 23. (iii) IEC Standards may be obtained by (vi) Safety of High-Speed Ground Transpor- contacting the International Electro- tation Systems. Analytical Methodology for technical Commission, 3, rue de Varembe´, Safety Validation of Computer Controlled P.O. Box 131 CH—1211, GENEVA, 20, Switzer- Subsystems. Volume II: Development of a land. Safety Validation Methodology. Final Re- (iv) CENLEC Standards may be obtained port September 1995. Author: Jonathan F. by contacting any of one the national stand- Luedeke, Battelle. DOT/FRA/ORD–95/10.2. ards bodies that make up the European Com- (vii) IEC 61508 (International Electro- mittee for Electrotechnical Standardization. technical Commission), Functional Safety of (v) IEEE standards may be obtained by Electrical/Electronic/Programmable/Elec- contacting the IEEE Publications Office, tronic Safety (E/E/P/ES) Related Systems, 10662 Los Vaqueros Circle, P.O. Box 3014, Los Parts 1–7 as follows: Alamitos, CA 90720–1264. (A) IEC 61508–1 (1998–12) Part 1: General re- (vi) AREMA standards may be obtained quirements and IEC 61508–1 Corr. (1999–05) from the American Railway Engineering and Corrigendum 1—Part 1: General Require- Maintenance-of-Way Association, 10003 ments. (B) IEC 61508–2 (2000–05) Part 2: Require- Derekwood Lane, Suite 210, Lanham, MD ments for electrical/electronic/program- 20706. mable electronic safety-related systems. [75 FR 2718, Jan. 15, 2010] (C) IEC 61508–3 (1998–12) Part 3: Software requirements and IEC 61508–3 Corr. 1 (1999–04) APPENDIX D TO PART 236—INDEPENDENT Corrigendum 1—Part 3: Software require- REVIEW OF VERIFICATION AND VALI- ments. (D) IEC 61508–4 (1998–12) Part 4: Definitions DATION and abbreviations and IEC 61508–4 Corr. 1 (a) This appendix provides minimum re- (1999–04) Corrigendum 1—Part 4: Definitions quirements for independent third-party as- and abbreviations. sessment of product safety verification and (E) IEC 61508–5 (1998–12) Part 5: Examples of validation pursuant to subpart H or subpart methods for the determination of safety in- I of this part. The goal of this assessment is tegrity levels and IEC 61508–5 Corr. 1 (1999–04) Corrigendum 1—Part 5: Examples of methods to provide an independent evaluation of the for determination of safety integrity levels. product manufacturer’s utilization of safety (F) IEC 61508–6 (2000–04) Part 6: Guidelines design practices during the product’s devel- on the applications of IEC 61508–2 and –3. opment and testing phases, as required by (G) IEC 61508–7 (2000–03) Part 7: Overview of any mutually agreed upon controlling docu- techniques and measures. ments and standards and the applicable rail- (H) IEC 62278: 2002, Railway Applications: road’s: Specification and Demonstration of Reli- (1) Railroad Safety Program Plan (RSPP) ability, Availability, Maintainability and and Product Safety Plan (PSP) for processor Safety (RAMS); based systems developed under subpart H or, (I) IEC 62279: 2002 Railway Applications: (2) PTC Product Development Plan Software for Railway Control and Protection (PTCDP) and PTC Safety Plan (PTCSP) for Systems; PTC systems developed under subpart I.

771

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00781 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. E 49 CFR Ch. II (10–1–11 Edition)

(b) The supplier may request advice and as- (h) The reviewer shall evaluate and com- sistance of the reviewer concerning the ac- ment on the plan for installation and test tions identified in paragraphs (c) through (g) procedures of the product for revenue serv- of this appendix. However, the reviewer shall ice. not engage in any design efforts associated (i) The reviewer shall prepare a final report with the product, the products subsystems, of the assessment. The report shall be sub- or the products components, in order to pre- mitted to the railroad prior to the com- serve the reviewer’s independence and main- mencement of installation testing and contain the supplier’s proprietary right to the tain at least the following information: product. (1) Reviewer’s evaluation of the adequacy (c) The supplier shall provide the reviewer of the PSP in the case of products developed access to any and all documentation that the under subpart H, or PTCSP for products de- reviewer requests and attendance at any developed under subpart I of this part, includ- sign review or walkthrough that the re- ing the supplier’s MTTHE and risk estimates viewer determines as necessary to complete for the product, and the supplier’s confidence and accomplish the third party assessment. interval in these estimates; The reviewer may be accompanied by rep- (2) Product vulnerabilities, potentially resentatives of FRA as necessary, in FRA’s hazardous failure modes, or potentially haz- judgment, for FRA to monitor the assess- ardous operating circumstances which the ment. reviewer felt were not adequately identified, (d) The reviewer shall evaluate the product tracked, mitigated, and corrected by either with respect to safety and comment on the the vendor or supplier or the railroad; adequacy of the processes which the supplier (3) A clear statement of position for all applies to the design and development of the parties involved for each product vulner- product. At a minimum, the reviewer shall ability cited by the reviewer; compare the supplier processes with accept- (4) Identification of any documentation or able validation and verification methodology information sought by the reviewer that was and employ any other such tests or compari- denied, incomplete, or inadequate; sons if they have been agreed to previously (5) A listing of each applicable vendor, sup- with FRA. Based on these analyses, the re- plier, industry, national, or international viewer shall identify and document any sig- standard, procedure or process which was not nificant safety vulnerabilities which are not properly followed; adequately mitigated by the supplier’s (or (6) Identification of the software user’s) processes. Finally, the reviewer shall verification and validation procedures, as evaluate and document the adequacy of the well as the hardware verification validation railroad’s procedures if deemed appropriate by FRA, (1) RSPP, the PSP, and any other docu- for the product’s safety-critical applications, ments pertinent to a product being developed and the reviewer’s evaluation of the ade- under subpart H of this part; or quacy of these procedures; (2) PTCDP and PTCSP for systems being (7) Methods employed by the product man- developed under subpart I of this part. (e) The reviewer shall analyze the Hazard ufacturer to develop safety-critical software; Log and/or any other hazard analysis docu- (8) If deemed applicable by FRA, the meth- ments for comprehensiveness and compli- ods employed by the product manufacturer ance with applicable railroad, vendor, sup- to develop safety-critical hardware by gen- plier, industry, national, and international erally acceptable techniques; standards. (9) Method by which the supplier or rail- (f) The reviewer shall analyze all Fault road addresses comprehensiveness of the Tree Analyses (FTA), Failure Mode and Ef- product design which considers the safety fects Criticality Analysis (FMECA), and elements listed in paragraph (b) of appendix other hazard analyses for completeness, cor- C to this part. rectness, and compliance with applicable [75 FR 2720, Jan. 15, 2010] railroad, vendor, supplier, industry, national and international standards. APPENDIX E TO PART 236—HUMAN- (g) The reviewer shall randomly select var- MACHINE INTERFACE (HMI) DESIGN ious safety-critical software, and hardware modules, if directed by FRA, for audit to (a) This appendix provides human factors verify whether the requirements of the appli- design criteria applicable to both subpart H cable railroad, vendor, supplier, industry, na- and subpart I of this part. HMI design cri- tional, and international standards were fol- teria will minimize negative safety effects lowed. The number of modules audited must by causing designers to consider human fac- be determined as a representative number tors in the development of HMIs. The prod- sufficient to provide confidence that all uct design should sufficiently incorporate unaudited modules were developed in compli- human factors engineering that is appro- ance with the applicable railroad, vendor, priate to the complexity of the product; the supplier, industry, national, and inter- gender, educational, mental, and physical national standards. capabilities of the intended operators and

772

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00782 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 236, App. E

maintainers; the degree of required human (i) To minimize short-term memory load, interaction with the component; and the en- the designer shall integrate data or informa- vironment in which the product will be used. tion from multiple sources into a single for- (b) As used in this section, ‘‘designer’’ mat or representation (‘‘chunking’’) and de- means anyone who specifies requirements sign so that three or fewer ‘‘chunks’’ of infor—or designs a system or subsystem, or formation need to be remembered at any one both, for—a product subject to subpart H or time. subpart I of this part, and ‘‘operator’’ means (ii) To minimize long-term memory load, any human who is intended to receive infor- the designer shall design to support recogni- mation from, provide information to, or per- tion memory, design memory aids to mini- form repairs or maintenance on a safety- mize the amount of information that must critical product subject to subpart H or I of be recalled from unaided memory when mak- this part. ing critical decisions, and promote active (c) Human factors issues the designers processing of the information. must consider with regard to the general (d) Design systems that anticipate possible function of a system include: user errors and include capabilities to catch (1) Reduced situational awareness and over- errors before they propagate through the reliance. HMI design must give an operator system; active functions to perform, feedback on the (1) Conduct cognitive task analyses prior results of the operator’s actions, and infor- to designing the system to better understand mation on the automatic functions of the the information processing requirements of system as well as its performance. The oper- operators when making critical decisions; ator must be ‘‘in-the-loop.’’ Designers must and consider at a minimum the following meth- (2) Present information that accurately ods of maintaining an active role for human represents or predicts system states. operators: (e) When creating displays and controls, (i) The system must require an operator to the designer must consider user ergonomics initiate action to operate the train and re- and shall: quire an operator to remain ‘‘in-the-loop’’ (1) Locate displays as close as possible to for at least 30 minutes at a time; the controls that affect them; (ii) The system must provide timely feed- (2) Locate displays and controls based on back to an operator regarding the system’s an operator’s position; automated actions, the reasons for such ac- (3) Arrange controls to minimize the need tions, and the effects of the operator’s man- for the operator to change position; ual actions on the system; (4) Arrange controls according to their ex- (iii) The system must warn operators in pected order of use; advance when it requires an operator to take (5) Group similar controls together; action; (6) Design for high stimulus-response com- (iv) HMI design must equalize an opera- patibility (geometric and conceptual); tor’s workload; and (7) Design safety-critical controls to re- (v) HMI design must not distract from the quire more than one positive action to acti- operator’s safety related duties. vate (e.g., auto stick shift requires two (2) Expectation of predictability and consist- movements to go into reverse); ency in product behavior and communications. (8) Design controls to allow easy recovery HMI design must accommodate an operator’s from error; and expectation of logical and consistent rela- (9) Design display and controls to reflect tionships between actions and results. Simi- specific gender and physical limitations of lar objects must behave consistently when the intended operators. an operator performs the same action upon (f) The designer shall also address informa- them. tion management. To that end, HMI design (3) End user limited ability to process informa- shall: tion. HMI design must therefore minimize an (1) Display information in a manner which operator’s information processing load. To emphasizes its relative importance; minimize information processing load, the (2) Comply with the ANSI/HFS 100–1988 designer must: standard; (i) Present integrated information that di- (3) Utilize a display luminance that has a rectly supports the variety and types of deci- difference of at least 35cd/m2 between the sions that an operator makes; foreground and background (the displays (ii) Provide information in a format or rep- should be capable of a minimum contrast 3:1 resentation that minimizes the time re- with 7:1 preferred, and controls should be quired to understand and act; and provided to adjust the brightness level and (iii) Conduct utility tests of decision aids contrast level); to establish clear benefits such as processing (4) Display only the information necessary time saved or improved quality of decisions. to the user; (4) End user limited memory. HMI design (5) Where text is needed, use short, simple must therefore minimize an operator’s infor- sentences or phrases with wording that an mation processing load. operator will understand and appropriate to

773

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00783 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Pt. 236, App. F 49 CFR Ch. II (10–1–11 Edition)

the educational and cognitive capabilities of information concerning personal commu- the intended operator; nication services (PCS) transmitters oper- (6) Use complete words where possible; ating under Part 15, Subpart D of the rules. where abbreviations are necessary, choose a (iii) 47 Code of Federal Regulations Parts 0 commonly accepted abbreviation or con- to 19. The FCC rules and regulations gov- sistent method and select commonly used erning PCS transmitters may be found in 47 terms and words that the operator will un- CFR, Parts 0 to 19. derstand; (iv) OET Bulletin 62 (December 1993) Un- (7) Adopt a consistent format for all dis- derstanding The FCC Regulations for Com- play screens by placing each design element puters and other Digital Devices. This docu- in a consistent and specified location; ment has been prepared to provide a basic (8) Display critical information in the cen- understanding of the FCC regulations for ter of the operator’s field of view by placing digital (computing) devices, and includes an- items that need to be found quickly in the swers to some commonly-asked questions. upper left hand corner and items which are (2) Designers must comply with FCC re- not time-critical in the lower right hand cor- quirements for Maximum Permissible Expo- ner of the field of view; sure limits for field strength and power den- (9) Group items that belong together; sity for the transmitters operating at fre- (10) Design all visual displays to meet quencies of 300 kHz to 100 GHz and specific human performance criteria under mono- absorption rate (SAR) limits for devices op- chrome conditions and add color only if it erating within close proximity to the body. will help the user in performing a task, and The Commission’s requirements are detailed use color coding as a redundant coding tech- in parts 1 and 2 of the FCC’s Rules and Regu- nique; lations (47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093). (11) Limit the number of colors over a The following documentation is applicable to group of displays to no more than seven; demonstrating whether proposed or existing (12) Design warnings to match the level of transmitting facilities, operations or devices risk or danger with the alerting nature of comply with limits for human exposure to the signal; and radiofrequency RF fields adopted by the (13) With respect to information entry, FCC: avoid full QWERTY keyboards for data (i) OET Bulletin No. 65 (Edition 97–01, Au- entry. gust 1997), ‘‘Evaluating Compliance With (g) With respect to problem management, FCC Guidelines For Human Exposure To Ra- the HMI designer shall ensure that the: diofrequency Electromagnetic Fields’’, (1) HMI design must enhance an operator’s (ii) OET Bulletin No 65 Supplement A, situation awareness; (Edition 97–01, August 1997), OET Bulletin No (2) HMI design must support response se- 65 Supplement B (Edition 97–01, August 1997) lection and scheduling; and and (3) HMI design must support contingency (iii) OET Bulletin No 65 Supplement C planning. (Edition 01–01, June 2001). (h) Ensure that electronics equipment (3) The bulletin and supplements offer radio frequency emissions are compliant guidelines and suggestions for evaluating with appropriate Federal Communications compliance. However, they are not intended Commission regulations. The FCC rules and to establish mandatory procedures. Other regulations are codified in Title 47 of the methods and procedures may be acceptable if Code of Federal Regulations (CFR). based on sound engineering practice. (1) Electronics equipment must have appropriate FCC Equipment Authorizations. [75 FR 2720, Feb. 15, 2010] The following documentation is applicable to obtaining FCC Equipment Authorization: APPENDIX F TO PART 236—MINIMUM RE- (i) OET Bulletin Number 61 (October, 1992 QUIREMENTS OF FRA DIRECTED Supersedes May, 1987 issue) FCC Equipment INDEPENDENT THIRD-PARTY ASSESS- Authorization Program for Radio Frequency MENT OF PTC SYSTEM SAFETY Devices. This document provides an overview VERIFICATION AND VALIDATION of the equipment authorization program to control radio interference from radio trans- (a) This appendix provides minimum re- mitters and certain other electronic prod- quirements for mandatory independent ucts and an overview of how to obtain an third-party assessment of PTC system safety equipment authorization. verification and validation pursuant to sub- (ii) OET Bulletin 63: (October 1993) Under- part H or I of this part. The goal of this as- standing The FCC Part 15 Regulations for sessment is to provide an independent eval- Low Power, Non-Licensed Transmitters. uation of the PTC system manufacturer’s This document provides a basic under- utilization of safety design practices during standing of the FCC regulations for low the PTC system’s development and testing power, unlicensed transmitters, and includes phases, as required by the applicable PSP, answers to some commonly-asked questions. PTCDP, and PTCSP, the applicable require- This edition of the bulletin does not contain ments of subpart H or I of this part, and any

774

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00784 Fmt 8010 Sfmt 8002 Q:\49\49V4.TXT ofr150 PsN: PC150 Federal Railroad Administration, DOT Pt. 237

other previously agreed-upon controlling (i) The reviewer shall prepare a final report documents or standards. of the assessment. The report shall be sub- (b) The supplier may request advice and as- mitted to the railroad prior to the com- sistance of the independent third-party re- mencement of installation testing and con- viewer concerning the actions identified in tain at least the following information: paragraphs (c) through (g) of this appendix. (1) Reviewer’s evaluation of the adequacy However, the reviewer should not engage in of the PSP or PTCSP including the sup- design efforts in order to preserve the re- plier’s MTTHE and risk estimates for the viewer’s independence and maintain the sup- PTC system, and the supplier’s confidence plier’s proprietary right to the PTC system. interval in these estimates; (c) The supplier shall provide the reviewer (2) PTC system vulnerabilities, potentially access to any and all documentation that the hazardous failure modes, or potentially haz- reviewer requests and attendance at any de- ardous operating circumstances which the sign review or walkthrough that the re- reviewer felt were not adequately identified, viewer determines as necessary to complete tracked or mitigated; and accomplish the third party assessment. (3) A clear statement of position for all The reviewer may be accompanied by rep- parties involved for each PTC system vulner- resentatives of FRA as necessary, in FRA’s ability cited by the reviewer; judgment, for FRA to monitor the assess- (4) Identification of any documentation or ment. information sought by the reviewer that was (d) The reviewer shall evaluate with re- denied, incomplete, or inadequate; spect to safety and comment on the ade- (5) A listing of each applicable vendor, sup- quacy of the processes which the supplier ap- plier, industry, national or international plies to the design and development of the standard, process, or procedure which was PTC system. At a minimum, the reviewer not properly followed; shall evaluate the supplier design and devel- (6) Identification of the hardware and soft- opment process regarding the use of an ap- ware verification and validation procedures propriate design methodology. The reviewer for the PTC system’s safety-critical applica- may use the comparison processes and test tions, and the reviewer’s evaluation of the procedures that have been previously agreed adequacy of these procedures; to with FRA. Based on these analyses, the reviewer shall identify and document any (7) Methods employed by PTC system man- significant safety vulnerabilities which are ufacturer to develop safety-critical software; not adequately mitigated by the supplier’s and (or user’s) processes. Finally, the reviewer (8) If directed by FRA, methods employed shall evaluate the adequacy of the railroad’s by PTC system manufacturer to develop applicable PSP or PTCSP, and any other safety-critical hardware. documents pertinent to the PTC system [75 FR 2721, Jan. 15, 2010] being assessed. (e) The reviewer shall analyze the Hazard Log and/or any other hazard analysis docu- PART 237—BRIDGE SAFETY ments for comprehensiveness and compli- STANDARDS ance with railroad, vendor, supplier, industry, national, or international standards. Subpart A—General (f) The reviewer shall analyze all Fault Tree Analyses (FTA), Failure Mode and Ef- Sec. fects Criticality Analysis (FMECA), and 237.1 Application. other hazard analyses for completeness, cor- 237.3 Responsibility for compliance. rectness, and compliance with railroad, ven- 237.5 Definitions. dor, supplier, industry, national, or inter- 237.7 Penalties. national standards. 237.9 Waivers. (g) The reviewer shall randomly select various safety-critical software modules, as well Subpart B—Railroad Bridge Safety as safety-critical hardware components if re- Assurance quired by FRA for audit to verify whether the railroad, vendor, supplier, industry, na- 237.31 Adoption of bridge management pro- tional, or international standards were fol- grams. lowed. The number of modules audited must 237.33 Content of bridge management pro- be determined as a representative number grams. sufficient to provide confidence that all unaudited modules were developed in compli- Subpart C—Qualifications and ance with railroad, vendor, supplier, indus- Designations of Responsible Persons try, national, or international standards (h) The reviewer shall evaluate and com- 237.51 Railroad bridge engineers. ment on the plan for installation and test 237.53 Railroad bridge inspectors. procedures of the PTC system for revenue 237.55 Railroad bridge supervisors. service. 237.57 Designation of individuals.

775

VerDate Mar<15>2010 14:14 Nov 15, 2011 Jkt 223217 PO 00000 Frm 00785 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT ofr150 PsN: PC150