Title 49

SECTION 236.1015

236.1015 PTC Safety Plan content requirements and PTC System Certification.

§ 236.1015 PTC Safety Plan content requirements and PTC System Certification.

(a) Before placing a PTC system required under this part in service, the host railroad must submit to FRA a PTCSP and receive a PTC System Certification. If the Associate Administrator finds that the PTCSP and supporting documentation support a finding that the system complies with this part, the Associate Administrator approves the PTCSP and issues a PTC System Certification. Receipt of a PTC System Certification affirms that the PTC system has been reviewed and approved by FRA in accordance with, and meets the requirements of, this part.

(b) A PTCSP submitted under this subpart may reference and utilize in accordance with this subpart any Type Approval previously issued by the Associate Administrator to any railroad, provided that the railroad:

(1) Maintains a continually updated PTCPVL pursuant to § 236.1023;

(2) Shows that the supplier from which they are procuring the PTC system has established and can maintain a quality control system for PTC system design and manufacturing acceptable to the Associate Administrator. The quality control system must include the process for the product supplier or vendor to promptly and thoroughly report any safety-relevant failure and previously unidentified hazards to each railroad using the product; and

(3) Provides the applicable licensing information.

(c) A PTCSP submitted in accordance with this subpart shall:

(1) Include the FRA approved PTCDP or, if applicable, the FRA issued Type Approval;

(2)(i) Specifically and rigorously document each variance, including the significance of each variance between the PTC system and its applicable operating conditions as described in the applicable PTCDP from that as described in the PTCSP, and attest that there are no other such variances; or

(ii) Attest that there are no variances between the PTC system and its applicable operating conditions as described in the applicable PTCDP from that as described in the PTCSP; and

(3) Attest that the system was otherwise built in accordance with the applicable PTCDP and PTCSP and achieves the level of safety represented therein.

(d) A PTCSP shall include the same information required for a PTCDP under § 236.1013(a). If a PTCDP has been filed and approved prior to filing of the PTCSP, the PTCSP may incorporate the PTCDP by reference, with the exception that a final human factors analysis shall be provided. The PTCSP shall contain the following additional elements:

(1) A hazard log consisting of a comprehensive description of all safety-relevant hazards not previously addressed by the vendor or supplier to be addressed during the life-cycle of the PTC system, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);

(2) A description of the safety assurance concepts that are to be used for system development, including an explanation of the design principles and assumptions;

(3) A risk assessment of the as-built PTC system described;

(4) A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used;

(5) A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in Appendix C to this part directly, using other safety criteria, or not at all;

(6) A complete description of the railroad's training plan for railroad and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system;

(7) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and establish safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with or explain deviations from the equipment manufacturer's recommendations;

(8) A complete description of any additional warning to be placed in the Operations and Maintenance Manual in the same manner specified in § 236.919 and all warning labels to be placed on equipment as necessary to ensure safety;

(9) A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety-functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change;

(10) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;

(11) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed;

(12) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see § 236.1037);

(13) A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCDP and PTCSP shall describe how that risk will be mitigated;

(14) A more detailed description of any alternative arrangements as already provided under § 236.1005(a)(1)(i).

(15) A complete description of how the PTC system will enforce authorities and signal indications, unless already completely provided for in the PTCDP;

(16) A description of how the PTCSP complies with § 236.1019(f), if applicable;

(17) A description of any deviation in operational requirements for en route failures as specified under § 236.1029(c), if applicable and unless already completely provided for in the PTCDP;

(18) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005;

(19) An emergency and planned maintenance temporary rerouting plan indicating how operations on the subject PTC system will take advantage of the benefits provided under § 236.1005(g) through (k); and

(20) The documents and information required under §§ 236.1007 and 236.1033.

(21) A list of each location where a locomotive with a failed onboard PTC apparatus will be regularly be exchanged or repaired pursuant to § 236.1029(b)(6) and a list of each movement that could take place pursuant to § 236.1029(b)(6) if the movement potentially could exceed 500 miles.

(e) The following additional requirements apply to:

(1) Non-vital overlay. A PTC system proposed as an overlay on the existing method of operation and not built in accordance with the safety assurance principles set forth in appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:

(i) Reliably execute the functions set forth in § 236.1005;

(ii) Obtain at least 80 percent reduction of the risk associated with accidents preventable by the functions set forth in § 236.1005, when all effects of the change associated with the PTC system are taken into account. The supporting risk assessment shall evaluate all intended changes in railroad operations coincident with the introduction of the new system; and

(iii) Maintain a level of safety for each subsequent system modification that is equal to or greater than the level of safety for the previous PTC systems.

(2) Vital overlay. A PTC system proposed on a newly constructed track or as an overlay on the existing method of operation and built in accordance with the safety assurance principles set forth in appendix C of this part must, to the satisfaction of the Associate Administrator, be shown to:

(i) Reliably execute the functions set forth in § 236.1005; and

(ii) Have sufficient documentation to demonstrate that the PTC system, as built, fulfills the safety assurance principles set forth in appendix C of this part. The supporting risk assessment may be abbreviated as that term is used in subpart H of this part.

(3) Stand-alone. A PTC system proposed on a newly constructed track, an existing track for which no signal system exists, as a replacement for an existing signal or train control system, or otherwise to replace or materially modify the existing method of operation, shall:

(i) Reliably execute the functions required by § 236.1005 and be demonstrated to do so to FRA's satisfaction; and

(ii) Have a PTCSP establishing, with a high degree of confidence, that the system will not introduce new hazards that have not been mitigated. The supporting risk assessment shall evaluate all intended changes in railroad operations in relation to the introduction of the new system and shall examine in detail the direct and indirect effects of all changes in the method of operations.

(4) Mixed systems. If a PTC system combining overlay, stand-alone, vital, or non-vital characteristics is proposed, the railroad shall confer with the Associate Administrator regarding appropriate structuring of the safety case and analysis.

(f) When determining whether the PTCSP fulfills the requirements under paragraph (d) of this section, the Associate Administrator may consider all available evidence concerning the reliability and availability of the proposed system and any and all safety consequences of the proposed changes. In any case where the PTCSP lacks adequate data regarding safety impacts of the proposed changes, the Associate Administrator may request the necessary data from the applicant. If the requested data is not provided, the Associate Administrator may find that potential hazards could or will arise.

(g) If a PTCSP applies to a system designed to replace an existing certified PTC system, the PTCSP will be approved provided that the PTCSP establishes with a high degree of confidence that the new system will provide a level of safety not less than the level of safety provided by the system to be replaced.

(h) When reviewing the issue of the potential data errors (for example, errors arising from data supplied from other business systems needed to execute the braking algorithm, survey data needed for location determination, or mandatory directives issued through the computer-aided dispatching system), the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as a case in which the residual risk after mitigation is substantial or the underlying method of operation will be significantly altered, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.

[75 FR 2699, Jan. 15, 2010, as amended at 79 FR 49717, Aug. 22, 2014]

---