Title 49

SECTION 299.441

299.441 Trainset electronic hardware and software safety.

(a) Purpose and scope. The requirements of this section apply to all safety-critical electronic control systems, subsystems, and components on the trainsets, except for on-board signaling and trainset control system components that must meet the software safety requirements defined in subpart B of this part.

(b) Applicability. (1) The trainsets shall utilize the service-proven safety-critical electronic control systems, subsystems, and components as used on the N700 to control and monitor safety-critical components.

(2) Any modifications to the existing service-proven safety-critical electronic control systems, subsystems, and components shall be subject to the requirements defined in paragraph (c) of this section.

(i) The railroad shall assure that the suppliers of new or modified safety-critical systems, subsystems, and components utilize an industry recognized hardware and software development process which is evaluated and certified by an independent third-party assessor authorized by the industry standard utilized.

(ii) The railroad shall require that all suppliers submit the certifications and audit results as applicable. All such certifications shall be made available to FRA upon request.

(3) Any major upgrades or introduction of new safety-critical technology shall be subject to § 299.613(d).

(c) Electronic hardware and software safety program. The railroad shall develop and maintain a written electronic hardware and software safety program to guide the design, development, testing, integration, and verification of all new or modified safety-critical trainset hardware and software.

(1) Hardware and software safety program description. The hardware and software safety program shall include a description of how the following will be implemented to ensure safety and reliability:

(i) The hardware and software design process;

(ii) The hardware and software design documentation;

(iii) The hardware and software hazard analysis;

(iv) Hardware and software safety reviews;

(v) Hardware and software hazard monitoring and tracking;

(vi) Hardware and software integration safety testing;

(vii) Demonstration of overall hardware and software system safety as part of the pre-revenue service testing of the equipment; and

(viii) Safety-critical changes and failures.

(2) Safety analysis. The hardware and software safety program shall be based on a formal safety methodology that includes a FMECA; verification and validation testing for all hardware and software components and their interfaces; and comprehensive hardware and software integration testing to ensure that the hardware and software system functions as intended.

(3) Compliance. The railroad shall comply with the elements of its hardware and software safety program that affect the safety of the passenger trainset.

(4) Safety-critical changes and failures. Whenever a planned safety-critical design change is made to the safety-critical electronic control systems, subsystems and components (the products) that are in use by the railroad and subject to this subpart, the railroad shall -

(i) Notify FRA in accordance with § 299.9 of the design changes made by the product supplier;

(ii) Ensure that the safety analysis required under paragraph (c)(2) of this section is updated as required;

(iii) Conduct all safety-critical changes in a manner that allows the change to be audited;

(iv) Document all arrangements with suppliers for notification of all electronic safety-critical changes as well as safety-critical failures in the supplier's system, subsystem, or components, and the reasons for that change or failure from the suppliers, whether or not the railroad has experienced a failure of that safety-critical system, sub-system, or component;

(v) Specify the railroad's procedures for action upon receipt of notification of a safety-critical change or failure of an electronic system, sub-system, or component, and until the upgrade or revision has been installed;

(vi) Identify all configuration/revision control measures designed to ensure that safety-functional requirements and safety-critical hazard mitigation processes are not compromised as a result of any such change, and that any such change can be audited;

(vii) Require suppliers to provide notification of all electronic safety-critical changes as well as safety-critical failures in the supplier's system, subsystem, or components;

(ix) Document all arrangements with suppliers for notification of any and all electronic safety-critical changes as well as safety-critical failures in the supplier's system, subsystem, or components.

(d) Specific requirements. Hardware and software that controls or monitors a trainset's primary braking system shall either -

(1) Fail safely by initiating an emergency or urgent brake application in the event of a hardware or software failure that could impair the ability of the driver to apply or release the brakes; or

(2) Provide the driver access to direct manual control of the primary braking system (emergency or urgent braking).

(e) Inspection, testing, and maintenance records. The inspection, testing, and maintenance conducted by the railroad in accordance with § 299.445 shall be recorded in hardcopy or stored electronically. Electronic recordkeeping or automated tracking systems, subject to the provisions contained in § 299.11, may be utilized to store and maintain any testing or training record required by this subpart. Results of product testing conducted by a vendor in support of a safety analysis shall be provided to and recorded by the railroad.

(1) The testing records shall contain all of the following:

(i) The name of the railroad;

(ii) The location and date that the test was conducted;

(iii) The equipment tested;

(iv) The results of tests;

(v) The repairs or replacement of equipment;

(vi) Any preventative adjustments made; and

(vii) The condition in which the equipment is left.

(2) Each record shall be -

(i) Signed by the employee conducting the test, or electronically coded, or identified by the automated test equipment number;

(ii) Filed in the office of a supervisory official having jurisdiction, unless otherwise noted; and

(iii) Available for inspection and copying by FRA.

(3) The results of the testing conducted in accordance with this section shall be retained as follows:

(i) The results of tests that pertain to installation or modification of a product shall be retained for the life-cycle of the product tested and may be kept in any office designated by the railroad;

(ii) The results of periodic tests required for the maintenance or repair of the product tested shall be retained until the next record is filed and in no case less than one year; and

(iii) The results of all other tests and training shall be retained until the next record is filed and in no case less than one year.

(f) Review of safety analysis. (1) Prior to the initial planned use of a new product as defined by paragraphs (b)(2) or (3) of this section, the railroad shall notify FRA in accordance with § 299.9 of the intent to place this product in service. The notification shall provide a description of the product, and identify the location where the complete safety analysis documentation and the testing are maintained.

(2) The railroad shall maintain and make available to FRA upon request all railroad or vendor documentation used to demonstrate that the product meets the safety requirements of the safety analysis for the life-cycle of the product.

(g) Hazard tracking. After a new product is placed in service in accordance with paragraphs (b)(2) or (3) of this section, the railroad shall maintain a database of all safety-relevant hazards encountered with the product. The database shall include all hazards identified in the safety analysis and those that had not been previously identified in the safety analysis. If the frequency of the safety-relevant hazards exceeds the threshold set forth in the safety analysis, then the railroad shall -

(1) Report the inconsistency to the Associate Administrator, within 15 days of discovery in accordance with § 299.9;

(2) Take immediate countermeasures to reduce the frequency of the safety-relevant hazard(s) below the threshold set forth in the safety analysis;

(3) Provide a final report to the Associate Administrator, on the results of the analysis and countermeasures taken to mitigate the hazard to meet the threshold set forth in the safety analysis when the problem is resolved. For hazards not identified in the safety analysis the threshold shall be exceeded at one occurrence; and

(4) Electronic or automated tracking systems used to meet the requirements contained in paragraph (g) of this section shall be in accordance with § 299.11.

(h) Operations and maintenance manual. The railroad shall maintain all supplier or vendor documents pertaining to the operation, installation, maintenance, repair, modification, inspection, and testing of the safety-critical electronic control systems, subsystems and components.

(i) Training and qualification program. Under § 299.13(c)(3), the railroad shall establish and implement a training and qualification program for the safety-critical electronic control systems, subsystems, and components subject to subpart G of this part prior to the safety-critical electronic control systems, subsystems, and components being placed in use.

(j) Operating personnel training. The training program required by § 299.13(c)(3) for any driver or other person who participates in the operation of a trainset using the safety-critical electronic control systems, subsystems and components shall address all the following elements:

(1) Familiarization with the electronic control system equipment on-board the trainset and the functioning of that equipment as part of the system and in relation to other on-board systems under that person's control;

(2) Any actions required of the operating personnel to enable or enter data into the system and the role of that function in the safe operation of the trainset;

(3) Sequencing of interventions by the system, including notification, enforcement, and recovery from the enforcement as applicable;

(4) Railroad operating rules applicable to control systems, including provisions for movement and protection of any unequipped passenger equipment, or passenger equipment with failed or cut-out controls;

(5) Means to detect deviations from proper functioning of on-board electronic control system equipment and instructions explaining the proper response to be taken regarding control of the trainset and notification of designated railroad personnel; and

(6) Information needed to prevent unintentional interference with the proper functioning of on-board electronic control equipment.