49 CFR Ch. II (10-1-16 Edition) 236.929: Subpart I-Positive Train Control Systems

§ 236.929 49 CFR Ch.
II (10–1–16 Edition)
(A) Manual operation of a train for a Subpart I—Positive Train Control

4-hour work period; Systems
(B) Simulated manual operation of a
train for a minimum of 4 hours in a SOURCE: 75 FR 2699, Jan. 15, 2010, unless
Type I simulator as required; or otherwise noted.
(C) Other means as determined fol-
lowing consultation between the rail- § 236.1001 Purpose and scope.
road and designated representatives of (a) This subpart prescribes minimum,
the affected employees and approved performance-based safety standards for
by the FRA. The PSP must designate PTC systems required by 49 U.S.C.
the appropriate frequency when man- 20157, this subpart, or an FRA order, in-
ual operation, starting, and stopping cluding requirements to ensure that
must be conducted, and the appropriate the development, functionality, archi-
frequency of simulated manual oper- tecture, installation, implementation,
ation. inspection, testing, operation, mainte-
nance, repair, and modification of
§ 236.929 Training specific to roadway those PTC systems will achieve and
workers. maintain an acceptable level of safety.
This subpart also prescribes standards
(a) How is training for roadway workers to ensure that personnel working with,
to be coordinated with part 214? Training and affected by, safety-critical PTC
required under this subpart for a road- system related products receive appro-
way worker must be integrated into priate training and testing.
the program of instruction required (b) Each railroad may prescribe addi-
under part 214, subpart C of this chap- tional or more stringent rules, and
ter (‘‘Roadway Worker Protection’’), other special instructions, that are not
consistent with task analysis require- inconsistent with this subpart.
ments of § 236.923. This training must (c) This subpart does not exempt a
provide instruction for roadway work- railroad from compliance with any re-
ers who provide protection for them- quirement of subparts A through H of
selves or roadway work groups. this part or parts 233, 234, and 235 of
(b) What subject areas must roadway this chapter, unless:
worker training include? (1) Instruction (1) It is otherwise explicitly excepted
by this subpart; or
for roadway workers must ensure an
(2) The applicable PTCSP, as defined
understanding of the role of processor-
under § 236.1003 and approved by FRA
based signal and train control equip- under § 236.1015, provides for such an ex-
ment in establishing protection for ception per § 236.1013.
roadway workers and their equipment.
(2) Instruction for roadway workers § 236.1003 Definitions.
must ensure recognition of processor- (a) Definitions contained in subparts
based signal and train control equip- G and H of this part apply equally to
ment on the wayside and an under- this subpart.
standing of how to avoid interference (b) The following definitions apply to
with its proper functioning. terms used only in this subpart unless
(3) Instructions concerning the rec- otherwise stated:
ognition of system failures and the pro- After-arrival mandatory directive
vision of alternative methods of on- means an authority to occupy a track
track safety in case the train control which is issued to a train that is not ef-
system fails, including periodic prac- fective and not to be acted upon until
tical exercises or simulations and oper- after the arrival and passing of a train,
ational testing under part 217 of this or trains, specifically identified in the
chapter to ensure the continued capa- authority.
Associate Administrator means the
bility of roadway workers to be free
FRA Associate Administrator for Rail-
from the danger of being struck by a
road Safety/Chief Safety Officer.
lpowell on DSK54DXVN1OFR with $$_JOB
moving train or other on-track equip- Class I railroad means a railroad

ment. which in the last year for which reve-
nues were reported exceeded the
864
VerDate Sep<11>2014 10:29 Feb 08, 2017 Jkt 238228 PO 00000 Frm 00874 Fmt 8010 Sfmt 8010 Q:\49\49V4.TXT 31
Federal Railroad Administration, DOT § 236.1003
threshold established under regulations PIH materials means materials poi-

of the Surface Transportation Board sonous by inhalation, as defined in
(49 CFR part 1201.1–1 (2008)). §§ 171.8, 173.115, and 173.132 of this title.
Cleartext means the un-encrypted PTC means positive train control as
text in its original, human readable, further described in § 236.1005.
form. It is the input of an encryption PTCDP means a PTC Development
or encipher process, and the output of Plan as further described in § 236.1013.
an decryption or decipher process. PTCIP means a PTC Implementation
Controlling locomotive means Loco- Plan as required under 49 U.S.C. 20157
motive, controlling, as defined in § 232.5 and further described in § 236.1011.
of this chapter. PTCPVL means a PTC Product Ven-
Host railroad means a railroad that dor List as further described in
has effective operating control over a § 236.1023.
segment of track. PTCSP means a PTC Safety Plan as
Interoperability means the ability of a further described in § 236.1015.
controlling locomotive to commu- PTC railroad means each Class I rail-
nicate with and respond to the PTC road and each entity providing regu-
railroad’s positive train control sys- larly scheduled intercity or commuter
tem, including uninterrupted move- rail passenger transportation required
ments over property boundaries. to implement or operate a PTC system.
Limited operations means operations PTC System Certification means cer-
on main line track that have limited or tification as required under 49 U.S.C.
no freight operations and are approved 20157 and further described in §§ 236.1009
to be excluded from this subpart’s PTC and 236.1015.
system implementation and operation Request for Amendment (‘‘RFA’’)
requirements in accordance with means a request for an amendment of a
§ 236.1019(c); plan or system made by a PTC railroad
Main line means, except as provided in accordance with § 236.1021.
in § 236.1019 or where all trains are lim- Request for Expedited Certification
ited to restricted speed within a yard (‘‘REC’’) means, as further described in
or terminal area or on auxiliary or in- § 236.1031, a request by a railroad to re-
dustry tracks, a segment or route of ceive expedited consideration for PTC
railroad tracks: System Certification.
(1) Of a Class I railroad, as docu- Restricted speed means, Speed, re-
mented in current timetables filed by stricted, as defined in subpart G of this
the Class I railroad with the FRA part.
under § 217.7 of this title, over which Safe State means a system state that,
5,000,000 or more gross tons of railroad when the system fails, cannot cause
traffic is transported annually; or death, injury, occupational illness, or
(2) Used for regularly scheduled damage to or loss of equipment or
intercity or commuter rail passenger property, or damage to the environ-
service, as defined in 49 U.S.C. 24102, or ment.
both. Tourist, scenic, historic, or ex- Segment of track means any part of
cursion operations as defined in part the railroad where a train operates.
238 of this chapter are not considered Temporal separation means that pas-
intercity or commuter passenger serv- senger and freight operations do not
ice for purposes of this part. operate on any segment of shared track
Main line track exclusion addendum during the same period and as further
(‘‘MTEA’’) means the document sub- defined under § 236.1019 and the process
mitted under §§ 236.1011 and 236.1019 re- or processes in place to assure that re-
questing to designate track as other sult.
than main line. Tenant railroad means a railroad,
Medium speed means, Speed, medium, other than a host railroad, operating
as defined in subpart G of this part. on track upon which a PTC system is
NPI means a Notice of Product Intent required.

(‘‘NPI’’) as further described in Track segment means segment of
§ 236.1013. track.
865
§ 236.1005 49 CFR Ch. II (10–1–16 Edition)
Type Approval means a number as- § 236.1005 Requirements for Positive

signed to a particular PTC system indi- Train Control systems.
cating FRA agreement that the PTC (a) PTC system requirements. Each
system could fulfill the requirements PTC system required to be installed
of this subpart. under this subpart shall:
Train means one or more loco- (1) Reliably and functionally prevent:
motives, coupled with or without cars. (i) Train-to-train collisions—includ-
ing collisions between trains operating
[75 FR 2699, Jan. 15, 2010, as amended at 77
over rail-to-rail at-grade crossings in
FR 28305, May 14, 2012; 79 FR 49716, Aug. 22,
2014] accordance with the following risk-
based table or alternative arrange-
ments providing an equivalent level of
safety as specified in an FRA approved
PTCSP:
Protection
Crossing type Max. speed required
(A) Interlocking—one or more ≤40 miles per hour .................. Interlocking signal arrangement in accordance with the re-
PTC routes intersecting with quirements of subparts A–G of this part and PTC enforced
one or more non-PTC routes. stop on PTC routes.
(B) Interlocking—one or more >40 miles per hour .................. Interlocking signal arrangement in accordance with the re-
PTC routes intersecting with quirements of subparts A–G of this part, PTC enforced
one or more non-PTC routes. stop on all PTC routes, and either the use of other than full
PTC technology that provides positive stop enforcement or
a split-point derail incorporated into the signal system ac-
companied by 20 miles per hour maximum allowable speed
on the approach of any intersecting non-PTC route.
(C) Interlocking—all PTC Any speed ............................... Interlocking signal arrangements in accordance with the re-
routes intersecting. quirements of subparts A–G of this part, and PTC enforced
stop on all routes.
(ii) Overspeed derailments, including (4) Provide an appropriate warning or

derailments related to railroad civil enforcement when:
engineering speed restrictions, slow or- (i) A derail or switch protecting ac-
ders, and excessive speeds over switch- cess to the main line required by
es and through turnouts; § 236.1007, or otherwise provided for in
(iii) Incursions into established work the applicable PTCSP, is not in its de-
zone limits without first receiving ap- railing or protecting position, respec-
propriate authority and verification tively;
from the dispatcher or roadway worker (ii) A mandatory directive is issued
in charge, as applicable and in accord- associated with a highway-rail grade
ance with part 214 of this chapter; and crossing warning system malfunction
(iv) The movement of a train through as required by §§ 234.105, 234.106, or
a main line switch in the improper po- 234.107;
sition as further described in paragraph
(iii) An after-arrival mandatory di-
(e) of this section.
rective has been issued and the train or
(2) Include safety-critical integration
trains to be waited on has not yet
of all authorities and indications of a
wayside or cab signal system, or other passed the location of the receiving
similar appliance, method, device, or train;
system of equivalent safety, in a man- (iv) Any movable bridge within the
ner by which the PTC system shall pro- route ahead is not in a position to
vide associated warning and enforce- allow permissive indication for a train
ment to the extent, and except as, de- movement pursuant to § 236.312; and
scribed and justified in the FRA ap- (v) A hazard detector integrated into
proved PTCDP or PTCSP, as applica- the PTC system that is required by
ble; paragraph (c) of this section, or other-
(3) As applicable, perform the addi- wise provided for in the applicable
tional functions specified in this sub- PTCSP, detects an unsafe condition or
part; transmits an alarm; and
866
(5) Limit the speed of passenger and ment from the PTCIP listing of lines to
freight trains to 59 miles per hour and be equipped.
49 miles per hour, respectively, in areas (3) Addition of track segments. To the
without broken rail detection or equiv- extent increases in freight rail traffic
alent safeguards. occur subsequent to calendar year 2008
(b) PTC system installation—(1) Lines that might affect the requirement to
required to be equipped. Except as other- install a PTC system on any line not
wise provided in this subpart, each yet equipped, the railroad shall seek to
Class I railroad and each railroad pro- amend its PTCIP by promptly filing an
viding or hosting intercity or com- RFA in accordance with § 236.1021. The
muter passenger service shall progres- following criteria apply:
sively equip its lines as provided in its (i) If rail traffic exceeds 5 million
approved PTCIP such that a PTC sys- gross tons in any year after 2008, the
tem certified under § 236.1015 is in- tonnage shall be calculated for the pre-
stalled and operated by the host rail- ceding two calendar years and if the
road on each: total tonnage for those two calendar
(i) Main line over which is trans- years exceeds 10 million gross tons, a
ported any quantity of material poi- PTCIP or its amendment is required.
sonous by inhalation (PIH), including (ii) If PIH traffic is carried on a track
anhydrous ammonia, as defined in segment as a result of a request for rail
§§ 171.8, 173.115 and 173.132 of this title; service or rerouting warranted under
(ii) Main line used for regularly pro- part 172 of this title, and if the line car-
vided intercity or commuter passenger ries in excess of 5 million gross tons of
service, except as provided in § 236.1019; rail traffic as determined under this
and paragraph, a PTCIP or its amendment
(iii) Additional line of railroad as re- is required. This does not apply when
quired by the applicable FRA approved temporary rerouting is authorized in
PTCIP, this subpart, or an FRA order accordance with paragraph (g) of this
requiring installation of a PTC system section.
by that date. (iii) Once a railroad is notified by
(2) Initial baseline identification of FRA that its RFA filed in accordance
lines. For the purposes of paragraph with this paragraph has been approved,
(b)(1)(i) of this section, the baseline in- the railroad shall equip the line with
formation necessary to determine the applicable PTC system by Decem-
whether a Class I railroad’s track seg- ber 31, 2015, or within 24 months,
ment shall be equipped with a PTC sys- whichever is later.
tem shall be determined and reported (4) Exclusion or removal of track seg-
as follows: ments from PTC baseline—(i) Routing
(i) The traffic density threshold of 5 changes. In a PTCIP or an RFA, a rail-
million gross tons shall be based upon road may request review of the require-
calendar year 2008 gross tonnage, ex- ment to install PTC on a track seg-
cept to the extent that traffic may fall ment where a PTC system is otherwise
below 5 million gross tons for two con- required by this section, but has not
secutive calendar years and a PTCIP or yet been installed, based upon changes
an RFA reflecting this change is filed in rail traffic such as reductions in
and approved under paragraph (b)(4) of total traffic volume to a level below 5
this section and, if applicable, million gross tons annually, cessation
§ 236.1021. of passenger service or the approval of
(ii) The presence or absence of any an MTEA, or the cessation of PIH ma-
quantity of PIH hazardous materials terials traffic. Any such request shall
shall be determined by whether one or be accompanied by estimated traffic
more cars containing such product(s) projections for the next 5 years (e.g., as
was transported over the track seg- a result of planned rerouting, coordina-
ment in calendar year 2008 or prior to tions, or location of new business on
the filing of the PTCIP, except to the the line).
extent that the PTCIP or RFA justi- (ii) FRA will approve the exclusion
fies, under paragraph (b)(4) of this sec- requested pursuant to paragraph
tion, removal of the subject track seg- (b)(4)(i) of this section if the railroad
867
§ 236.1005 49 CFR Ch. II (10–1–16 Edition)
establishes that, as of December 31, the working limits or, if the train crew
2015: does not have advance knowledge of
(A) No passenger service will be the working limits, as soon as prac-
present on the involved track segment tical;
or the passenger service will be subject (4) That carries fewer than 100 cars
to an MTEA approved in accordance containing PIH materials per year, ex-
with 49 CFR 236.1019; and cluding those cars containing only a
(B) No PIH traffic will be present on residue, as defined in § 171.8 of this
the involved track segment or the title, of PIH materials;
gross tonnage on the involved track (5) That carries 2 or fewer trains per
segment will decline to below 5 million day carrying any quantity of PIH ma-
gross tons annually as computed over a terials;
2-year period. (6) Where trains carrying any quan-
(iii) Freight lines with de minimis risk tity of PIH materials operate at speeds
not used for regularly provided intercity not to exceed 40 miles per hour; and
or commuter rail passenger service. (A) In (7) Where any train transporting a
a PTCIP or an RFA, a railroad may re- car containing any quantity of PIH
quest review of the requirement to in- materials is operated with a vacant
stall a PTC system on a track segment block ahead of and behind the train.
where a PTC system is otherwise re- (C) FRA may, in its discretion, ap-
quired by this section, but has not yet prove other track segments not used
been installed, based upon the presence for regularly provided intercity or
of a minimal quantity of PIH materials commuter passenger service that have
traffic. Any such request shall be ac- posed an equivalent or lesser level of
companied by estimated traffic projec- risk of a PTC-preventable accident or
tions for the next 5 years (e.g., as a re- PIH materials release as those track
sult of planned rerouting, coordination, segments covered by paragraph
or location of new business on the (b)(4)(iii)(B) of this section, where such
line). Where the request involves prior other track segments are similar to
or planned rerouting of PIH materials those covered by paragraph
traffic, the railroad must provide the (b)(4)(iii)(B) of this section.
information and analysis identified in (D) Failure to submit sufficient in-
paragraph (b)(4)(i) of this section. The formation will result in the denial of
submission shall also include a full de- any request under this paragraph
scription of potential safety hazards on (b)(4)(ii). If the request is granted, on
the segment of track and fully describe and after the date the line would have
train operations over the line. This otherwise been required to be equipped
paragraph does not apply to line seg- under the schedule contained in the
ments used for commuter rail or inter- PTCIP and approved by FRA, oper-
city rail passenger service. ations on the line shall be conducted in
(B) Absent special circumstances re- accordance with any conditions at-
lated to specific hazards presented by tached to the grant, including imple-
operations on the line segment, FRA mentation of proposed mitigations as
will approve a request for relief under applicable.
this paragraph for a rail line segment (5) Line sales. FRA does not approve
that meets all of the following criteria: removal of a line from the PTCIP ex-
(1) That carries less than 15 million clusively based upon a representation
gross tons annually; that a track segment will be abandoned
(2) That does not have a heavy grade or sold to another railroad. In the
as ‘‘heavy grade’’ is defined in § 232.407 event a track segment is approved for
of this chapter for any train operating abandonment or transfer by the Sur-
over the track segment; face Transportation Board, FRA will
(3) Where the railroad adopts and review at the request of the transfer-
complies with an operating rule requir- ring and acquiring railroads whether
ing the crew of any train approaching the requirement to install PTC on the
working limits established under part line should be removed given all of the
214 of this chapter to notify the road- circumstances, including expected traf-
way worker in charge of the train’s ap- fic and hazardous materials levels, res-
proach at least 2 miles in advance of ervation of trackage or haulage rights
868
by the transferring railroad, routing priately and timely enforced as de-

analysis under part 172 of this chapter, scribed in the applicable PTCSP.
commercial and real property arrange- (2) The applicable PTCSP must pro-
ments affecting the transferring and vide for receipt and presentation to the
acquiring railroads post-transfer, and locomotive engineer and other train
such other factors as may be relevant crew members of warnings from any
to continue safe operations on the line. additional hazard detectors using the
If FRA denies the request, the acquir- PTC data network, onboard displays,
ing railroad shall install the PTC sys- and audible alerts. If the PTCSP so
tem on the schedule provided in the provides, the action to be taken by the
transferring railroad’s PTCIP, without system and by the crew members shall
regard to whether it is a Class I rail- be specified.
road. (3) The PTCDP (as applicable) and
(6) New rail passenger service. No new PTCSP for any new service described in
intercity or commuter rail passenger § 236.1007 to be conducted above 90 miles
service shall commence after December per hour shall include a hazard anal-
31, 2020, until a PTC system certified ysis describing the hazards relevant to
under this subpart has been installed the specific route(s) in question (e.g.,
and made operative. potential for track obstruction due to
(7) Implementation deadlines. (i) Each events such as falling rock or under-
railroad must complete full implemen- mining of the track structure due to
tation of its PTC system by December high water or displacement of a bridge
31, 2018. over navigable waters), the basis for
(ii) A railroad is excepted from para- decisions concerning hazard detectors
graph (b)(7)(i) of this section and must provided, and the manner in which
complete full implementation of its such additional hazard detectors will
PTC system by December 31, 2020, or be interfaced with the PTC system.
the date specified in its approved alter- (d) Event recorders. (1) Each lead loco-
native schedule and sequence, which- motive, as defined in part 229, of a
ever is earlier, only if the railroad: train equipped and operating with a
(A) Installs all PTC hardware and ac- PTC system required by this subpart
quires all spectrum necessary to imple- must be equipped with an operative
ment its PTC system by December 31, event recorder, which shall:
2018; (i) Record safety-critical train con-
(B) Submits an alternative schedule trol data routed to the locomotive en-
and sequence providing for implemen- gineer’s display that the engineer is re-
tation of positive train control system quired to comply with;
as soon as practicable, but not later (ii) Specifically include text mes-
than December 31, 2020; sages conveying mandatory directives,
(C) Notifies the Associate Adminis- maximum authorized speeds, PTC sys-
trator in writing that it is prepared for tem brake warnings, PTC system brake
review of its alternative schedule and enforcements, and the state of the PTC
sequence under 49 U.S.C. 20157(a)(3)(B); system (e.g., cut in, cut out, active, or
and failed); and
(D) Receives FRA approval of its al- (iii) Include examples of how the cap-
ternative schedule and sequence. tured data will be displayed during
(iii) If a railroad meets the criteria in playback along with the format, con-
paragraph (b)(7)(ii) of this section, the tent, and data retention duration re-
railroad must adhere to its approved quirements specified in the PTCSP
alternative schedule and sequence and submitted and approved pursuant to
any of its subsequently approved this paragraph. If such train control
amendments or required modifications. data can be calibrated against other
(c) Hazard detectors. (1) All hazard de- data required by this part, it may, at
tectors integrated into a signal or the election of the railroad, be retained
train control system on or after Octo- in a separate memory module.
ber 16, 2008, shall be integrated into (2) Each lead locomotive, as defined
PTC systems required by this subpart; in part 229, manufactured and in serv-
and their warnings shall be appro- ice after October 1, 2009, that is
869
§ 236.1005 49 CFR Ch. II (10–1–16 Edition)
equipped and operating with a PTC sys- viding access to another subdivision or
tem required by this subpart, shall be branch line, etc.).
equipped with an event recorder mem- (3) A PTC system required by this
ory module meeting the crash hard- subpart shall be designed, installed,
ening requirements of § 229.135 of this and maintained to perform the switch
chapter. position detection and enforcement de-
(3) Nothing in this subpart excepts scribed in paragraphs (e)(1) and (e)(2) of
compliance with any of the event re- this section, except as provided for and
corder requirements contained in justified in the applicable, FRA ap-
§ 229.135 of this chapter. proved PTCDP or PTCSP.
(e) Switch position. The following re- (4) The control circuit or electronic
quirements apply with respect to deter- equivalent for all movement authori-
mining proper switch position under ties over any switches, movable-point
this section. When a main line switch frogs, or derails shall be selected
position is unknown or improperly through circuit controller or function-
aligned for a train’s route in advance of ally equivalent device operated di-
the train’s movement, the PTC system rectly by the switch points, derail, or
will provide warning of the condition by switch locking mechanism, or
associated with the following enforce- through relay or electronic device con-
ment: trolled by such circuit controller or
functionally equivalent device, for
(1) A PTC system shall enforce re-
each switch, movable-point frog, or de-
stricted speed over any switch:
rail in the route governed. Circuits or
(i) Where train movements are made
electronic equivalent shall be arranged
with the benefit of the indications of a so that any movement authorities less
wayside or cab signal system or other restrictive than those prescribed in
similar appliance, method, device, or paragraphs (e)(1) and (e)(2) of this sec-
system of equivalent safety proposed to tion can only be provided when each
FRA and approved by the Associate switch, movable-point frog, or derail in
Administrator in accordance with this the route governed is in proper posi-
part; and tion, and shall be in accordance with
(ii) Where wayside or cab signal sys- subparts A through G of this part, un-
tem or other similar appliance, meth- less it is otherwise provided in a
od, device, or system of equivalent PTCSP approved under this subpart.
safety, requires the train to be oper- (f) Train-to-train collision. A PTC sys-
ated at restricted speed. tem shall be considered to be config-
(2) A PTC system shall enforce a ured to prevent train-to-train colli-
positive stop short of any main line sions within the meaning of paragraph
switch, and any switch on a siding (a) of this section if trains are required
where the allowable speed is in excess to be operated at restricted speed and
of 20 miles per hour, if movement of if the onboard PTC equipment enforces
the train over the switch: the upper limits of the railroad’s re-
(i) Is made without the benefit of the stricted speed rule (15 or 20 miles per
indications of a wayside or cab signal hour). This application applies to:
system or other similar appliance, (1) Operating conditions under which
method, device, or system of equiva- trains are required by signal indication
lent safety proposed to FRA and ap- or operating rule to:
proved by the Associate Administrator (i) Stop before continuing; or
in accordance with this part; or (ii) Reduce speed to restricted speed
(ii) Would create an unacceptable and continue at restricted speed until
risk. Unacceptable risk includes condi- encountering a more favorable indica-
tions when traversing the switch, even tion or as provided by operating rule.
at low speeds, could result in direct (2) Operation of trains within the
conflict with the movement of another limits of a joint mandatory directive.
train (including a hand-operated cross- (g) Temporary rerouting. A train
over between main tracks, a hand-oper- equipped with a PTC system as re-
ated crossover between a main track quired by this subpart may be tempo-
and an adjoining siding or auxiliary rarily rerouted onto a track not
track, or a hand-operated switch pro- equipped with a PTC system and a
870
train not equipped with a PTC system (2) In the event the temporary re-
may be temporarily rerouted onto a routing described in paragraph (g)(2) of
track equipped with a PTC system as this section is to exceed 30 consecutive
required by this subpart in the fol- calendar days:
lowing circumstances: (i) The railroad shall provide a re-
(1) Emergencies. In the event of an quest in accordance with paragraphs (i)
emergency—including conditions such and (j) of this section with the Asso-
as derailment, flood, fire, tornado, hur- ciate Administrator no less than 10
ricane, earthquake, or other similar business days prior to the planned re-
circumstance outside of the railroad’s routing; and
control—that would prevent usage of (ii) The rerouting shall not com-
the regularly used track if: mence until receipt of approval from
(i) The rerouting is applicable only the Associate Administrator.
until the emergency condition ceases (i) Content of rerouting request. Each
to exist and for no more than 14 con- notice or request referenced in para-
secutive calendar days, unless other- graph (g) and (h) of this section must
wise extended by approval of the Asso- indicate:
ciate Administrator; (1) The dates that such temporary re-
(ii) The railroad provides written or routing will occur;
telephonic notification to the applica- (2) The number and types of trains
ble Regional Administrator of the in- that will be rerouted;
formation listed in paragraph (i) of this (3) The location of the affected
section within one business day of the tracks; and
beginning of the rerouting made in ac- (4) A description of the necessity for
cordance with this paragraph; and the temporary rerouting.
(iii) The conditions contained in (j) Rerouting conditions. Rerouting of
paragraph (j) of this section are fol- operations under paragraph (g) of this
lowed. section may occur under the following
(2) Planned maintenance. In the event conditions:
of planned maintenance that would (1) Where a train not equipped with a
prevent usage of the regularly used PTC system is rerouted onto a track
track if: equipped with a PTC system, or a train
(i) The maintenance period does not not equipped with a PTC system that is
exceed 30 days; compatible and functionally responsive
(ii) A request is filed with the appli- to the PTC system utilized on the line
cable Regional Administrator in ac- to which the train is being rerouted,
cordance with paragraph (i) of this sec- the train shall be operated in accord-
tion no less than 10 business days prior ance with § 236.1029; or
to the planned rerouting; and (2) Where any train is rerouted onto
(iii) The conditions contained in a track not equipped with a PTC sys-
paragraph (j) of this section are fol- tem, the train shall be operated in ac-
lowed. cordance with the operating rules ap-
(h) Rerouting requests. (1) For the pur- plicable to the line on which the train
poses of paragraph (g)(2) of this sec- is rerouted.
tion, the rerouting request shall be (k) Rerouting cessation. The applicable
self-executing unless the applicable Re- Regional Administrator may order a
gional Administrator responds with a railroad to cease any rerouting pro-
notice disapproving of the rerouting or vided under paragraph (g) or (h) of this
providing instructions to allow rerout- section.
ing. Such instructions may include [75 FR 2699, Jan. 15, 2010, as amended at 75
providing additional information to FR 59117, Sept. 27, 2010; 77 FR 28305, May 14,
the Regional Administrator or Asso- 2012; 79 FR 49716, Aug. 22, 2014; 81 FR 10128,
ciate Administrator prior to the com- Feb. 29, 2016]
mencement of rerouting. Once the Re-
gional Administrator responds with a § 236.1006 Equipping locomotives oper-
notice under this paragraph, no rerout- ating in PTC territory.
ing may occur until the Regional Ad- (a) General. Except as provided in
ministrator or Associate Adminis- paragraph (b) of this section, each loco-
trator provides his or her approval. motive, locomotive consist, or train on
871
§ 236.1006 49 CFR Ch. II (10–1–16 Edition)
any track segment equipped with a owned by a Class II or III railroad) is

PTC system shall be controlled by a lo- considered two trains for this purpose;
comotive equipped with an onboard and
PTC apparatus that is fully operative (iii) Where each movement shall ei-
and functioning in accordance with the ther:
applicable PTCSP approved under this (A) Not exceed 20 miles in length; or
subpart. (B) To the extent any movement ex-
(b) Exceptions. (1) Each railroad re- ceeds 20 miles in length, such move-
quired to install PTC shall include in ment is not permitted without the con-
its PTCIP specific goals for progressive trolling locomotive being equipped
implementation of onboard systems with an onboard PTC system after De-
and deployment of PTC-equipped loco- cember 31, 2023, and each applicable
motives such that the safety benefits Class II or III railroad shall report to
of PTC are achieved through incre- FRA its progress in equipping each
mental growth in the percentage of necessary locomotive with an onboard
controlling locomotives operating on PTC apparatus to facilitate continu-
PTC lines that are equipped with operation of the movement. The progress
ative PTC onboard equipment. The reports shall be filed not later than De-
PTCIP shall include a brief but suffi- cember 31, 2020 and, if all necessary lo-
cient explanation of how those goals comotives are not yet equipped, on De-
will be achieved, including assignment cember 31, 2022.
of responsibilities within the organiza- (5) Freight yard movements. For the
tion. The goals shall be expressed as purpose of freight switching service or
the percentage of trains operating on freight transfer train service, a loco-
PTC-equipped lines that are equipped motive, locomotive consist, or train
with operative onboard PTC apparatus may operate without onboard PTC ap-
responsive to the wayside, expressed as paratus installed or operational where
an annualized (calendar year) percent- an onboard PTC apparatus is otherwise
age for the railroad as a whole. required by this part only if all of the
(2) [Reserved] following six requirements and condi-
(3) A train controlled by a locomotive tions are met:
with an onboard PTC apparatus that (i) The locomotive, locomotive con-
has failed en route is permitted to op- sist, or train must be engaged in
erate in accordance with 49 U.S.C. freight switching service or freight
20157(j) or § 236.1029, as applicable. transfer train service, including yard,
(4) A train operated by a Class II or local, industrial, and hostling service,
Class III railroad, including a tourist movements in connection with the as-
or excursion railroad, and controlled sembling or disassembling of trains,
by a locomotive not equipped with an and work trains;
onboard PTC apparatus is permitted to (ii) The movement must originate ei-
operate on a PTC-operated track seg- ther:
ment: (A) In a yard; or
(i) That either: (B) Within 20 miles of a yard with the
(A) Has no regularly scheduled inter- yard as the final destination point;
city or commuter passenger rail traf- (iii) The locomotive, locomotive con-
fic; or sist, or train shall not travel to a point
(B) Has regularly scheduled intercity in excess of 20 miles from its point of
or commuter passenger rail traffic and entry onto the PTC-equipped main line
the applicable PTCIP permits the oper- track;
ation of a train operated by a Class II (iv) The speed of the locomotive, lo-
or III railroad and controlled by a loco- comotive consist, or train shall not ex-
motive not equipped with an onboard ceed restricted speed, except if:
PTC apparatus; (A) No other locomotive, locomotive
(ii) Where operations are restricted consist, or train is operating on any
to four or less such unequipped trains part of the route without an oper-
per day, whereas a train conducting a ational onboard PTC apparatus;
‘‘turn’’ operation (e.g., moving to a (B) No working limits are established

point of interchange to drop off or pick under part 214 of this chapter on any
up cars and returning to the track part of the route; and
872
(C) Either an air brake test under locomotive engineer from performance
part 232 of this chapter is performed, in of other safety-critical duties.
which case the locomotive, locomotive (2) The onboard PTC apparatus may
consist, or train may proceed at a be distributed among multiple loco-
speed not to exceed 30 miles per hour; motives if such functionality is in-
or an air brake test under part 232 of cluded with the applicable PTCSP ap-
this chapter is not performed, in which proved under this subpart. The control-
case the locomotive, locomotive con- ling locomotive shall be equipped with
sist, or train may proceed at a speed a fully operative interface that com-
not to exceed 20 miles per hour; plies with paragraph (d)(1) of this sec-
(v) The speed of the locomotive, loco- tion and is consistent with appendix E
motive consist, or train shall not ex- of this part.
ceed restricted speed on PTC-equipped [75 FR 2699, Jan. 15, 2010, as amended at 79
track where the route terminates; and FR 49716, Aug. 22, 2014; 81 FR 10129, Feb. 29,
(vi) The route of the locomotive or 2016]
train is protected against conflicting
operations by the PTC system and suf- § 236.1007 Additional requirements for
high-speed service.
ficient operating rules to protect
against train-to-train collisions, as (a) A PTC railroad that conducts a
specified in the PTCSP. passenger operation at or greater than
(vii) FRA may, in its discretion, ap- 60 miles per hour or a freight operation
prove yard movement procedures other at or greater than 50 miles per hour
than the yard movement procedures in shall have installed a PTC system in-
paragraphs (b)(5)(i) through (b)(5)(vi) of cluding or working in concert with
this section in a PTCSP or an RFA technology that includes all of the
that provide an equivalent or greater safety-critical functional attributes of
level of safety as the requirements of a block signal system meeting the re-
paragraphs (b)(5)(i) through (b)(5)(vi) of quirements of this part, including ap-
this section, where such procedures are propriate fouling circuits and broken
similar to those of paragraphs (b)(5)(i) rail detection (or equivalent safe-
through (b)(5)(vi) of this section. guards).
(b) In addition to the requirements of
(viii) A locomotive, locomotive con-
paragraph (a) of this section, a host
sist, or train with an operative onboard
railroad that conducts a freight or pas-
PTC apparatus may assist a loco- senger operation at more than 90 miles
motive, locomotive consist, or train per hour shall:
operating without an operative on- (1) Have an approved PTCSP estab-
board PTC apparatus for purposes such lishing that the system was designed
as locomotive malfunction, rescue of and will be operated to meet the fail-
locomotive or cars, or to add or remove safe operation criteria described in Ap-
power, provided that such a movement pendix C to this part; and
is made at restricted speed. (2) Prevent unauthorized or unin-
(c) When a train movement is con- tended entry onto the main line from
ducted under the exceptions described any track not equipped with a PTC sys-
in paragraph (b)(4) of this section, that tem compliant with this subpart by
movement shall be made in accordance placement of split-point derails or
with § 236.1029. equivalent means integrated into the
(d) Onboard PTC apparatus. (1) The PTC system; and
onboard PTC apparatus shall be so ar- (3) Comply with § 236.1029(c).
ranged that each member of the crew (c) In addition to the requirements of
assigned to perform duties in the loco- paragraphs (a) and (b) of this section, a
motive can receive the same PTC infor- host railroad that conducts a freight or
mation displayed in the same manner passenger operation at more than 125
and execute any functions necessary to miles per hour shall have an approved
that crew member’s duties. The loco- PTCSP accompanied by a document
motive engineer shall not be required (‘‘HSR–125’’) establishing that the sys-
to perform functions related to the tem:

PTC system while the train is moving (1) Will be operated at a level of safe-
that have the potential to distract the ty comparable to that achieved over
873
§ 236.1009 49 CFR Ch. II (10–1–16 Edition)
the 5 year period prior to the submis- PTCIP in accordance with § 236.1021 if it
sion of the PTCSP by other train con- intends to:
trol systems that perform PTC func- (A) Initiate a new category of service
tions required by this subpart, and (i.e., passenger or freight); or
which have been utilized on high-speed (B) Add, subtract, or otherwise mate-
rail systems with similar technical and rially modify one or more lines of rail-
operational characteristics in the road for which installation of a PTC
United States or in foreign service, system is required.
provided that the use of foreign service (3) The host and tenant railroad(s)
data must be approved by the Asso- shall jointly file a PTCIP that address-
ciate Administrator before submittal es shared track:
of the PTCSP; and (i) If the host railroad is required to
(2) Has been designed to detect incur- install and operate a PTC system on a
sions into the right-of-way, including segment of its track; and
incidents involving motor vehicles di- (ii) If the tenant railroad that shares
verting from adjacent roads and the same track segment would have
bridges, where conditions warrant. been required to install a PTC system
(d) In addition to the requirements of if the host railroad had not otherwise
paragraphs (a) through (c) of this sec- been required to do so.
tion, a host railroad that conducts a (4) If railroads required to file a joint
freight or passenger operation at more PTCIP are unable to jointly file a
than 150 miles per hour, which is gov- PTCIP in accordance with paragraphs
erned by a Rule of Particular Applica- (a)(1) and (a)(3) of this section, then
bility, shall have an approved PTCSP each railroad shall:
accompanied by a HSR–125 developed (i) Separately file a PTCIP in accord-
as part of an overall system safety plan ance with paragraph (a)(1);
approved by the Associate Adminis- (ii) Notify the Associate Adminis-
trator. trator that the subject railroads were
(e) A railroad providing existing unable to agree on a PTCIP to be joint-
high-speed passenger service may rely filed;
quest in its PTCSP that the Associate (iii) Provide the Associate Adminis-
Administrator excuse compliance with trator with a comprehensive list of all
one or more requirements of this sec- issues not in agreement between the
tion upon a showing that the subject railroads that would prevent the sub-
service has been conducted with a high ject railroads from jointly filing the
level of safety. PTCIP; and
(iv) Confer with the Associate Ad-
§ 236.1009 Procedural requirements.
ministrator to develop and submit a
(a) PTC Implementation Plan (PTCIP). PTCIP mutually acceptable to all sub-
(1) By April 16, 2010, each host railroad ject railroads.
that is required to implement and oper- (5) Each railroad filing a PTCIP shall
ate a PTC system in accordance with report annually, by March 31 of each
§ 236.1005(b) shall develop and submit in year, and until its PTC system imple-
accordance with § 236.1011(a) a PTCIP mentation is complete, its progress to-
for implementing a PTC system re- wards fulfilling the goals outlined in
quired under § 236.1005. Filing of the its PTCIP under this part, including
PTCIP shall not exempt the required progress towards PTC system installa-
filings of an NPI, PTCSP, PTCDP, or tion pursuant to § 236.1005 and onboard
Type Approval. PTC apparatus installation and use in
(2) After April 16, 2010, a host railroad PTC-equipped track segments pursuant
shall file: to § 236.1006, as well as impediments to
(i) A PTCIP if it becomes a host rail- completion of each of the goals.
road of a main line track segment for (b) Type Approval. Each host railroad,
which it is required to implement and individually or jointly with others such
operate a PTC system in accordance as a tenant railroad or system supplier,
with § 236.1005(b); or shall file prior to or simultaneously

(ii) A request for amendment with the filing made in accordance
(‘‘RFA’’) of its current and approved with paragraph (a) of this section:
874
(1) An unmodified Type Approval pre- cordance with this section and
viously issued by the Associate Admin- § 236.1011, as applicable.
istrator in accordance with § 236.1013 or (ii) If an update to a ‘‘Provisionally
§ 236.1031(b) with its associated docket Approved’’ PTCIP is not received by
number; the Associate Administrator by the end
(2) A PTCDP requesting a Type Ap- of the period indicated in this para-
proval for: graph, the ‘‘Provisional Approval’’
(i) A PTC system that does not have given to the PTCIP is automatically
a Type Approval; or revoked. The revocation is retroactive
(ii) A PTC system with a previously to the date the original PTCIP and NPI
issued Type Approval that requires one were first submitted to the Associate
or more variances; Administrator.
(3) A PTCSP subject to the condi- (d) PTCSP and PTC System Certifi-
tions set forth in paragraph (c) of this cation. The following apply to each
section, with or without a Type Ap- PTCSP and PTC System Certification.
proval; or (1) A PTC System Certification for a
(4) A document attesting that a Type PTC system may be obtained by sub-
Approval is not necessary since the mitting an acceptable PTCSP. If the
host railroad has no territory for which PTC system is the subject of a Type
a PTC system is required under this Approval, the safety case elements con-
subpart. tained in the PTCDP may be incor-
(c) Notice of Product Intent (NPI). A porated by reference into the PTCSP,
railroad may, in lieu of submitting a subject to finalization of the human
PTCDP, or referencing an already factors analysis contained in the
issued Type Approval, submit an NPI PTCDP.
describing the functions of the pro- (2) Each PTCSP requirement under
posed PTC system. If a railroad elects § 236.1015 shall be supported by informa-
to file an NPI in lieu of a PTCDP or tion and analysis sufficient to establish
referencing an existing Type Approval that the requirements of this subpart
with the PTCIP, and the PTCIP is oth- have been satisfied.
erwise acceptable to the Associate Ad-
(3) If the Associate Administrator
ministrator, the Associate Adminis-
finds that the PTCSP and supporting
trator may grant provisional approval
documentation support a finding that
of the PTCIP.
the system complies with this part, the
(1) A provisional approval of a
Associate Administrator may approve
PTCIP, unless otherwise extended by
the PTCSP. If the Associate Adminis-
the Associate Administrator, is valid
trator approves the PTCSP, the rail-
for a period of 270 days from the date of
road shall receive PTC System Certifi-
approval by the Associate Adminis-
cation for the subject PTC system and
trator.
shall implement the PTC system ac-
(2) The railroad must submit an up-
cording to the PTCSP.
dated PTCIP with either a complete
(4) A required PTC system shall not:
PTCDP as defined in § 236.1013(a), an
updated PTCIP referencing an already (i) Be used in service until it receives
approved Type Approval, or a full from FRA a PTC System Certification;
PTCSP within 270 days after the ‘‘Pro- and
visional Approval.’’ (ii) Receive a PTC System Certifi-
(i) Within 90 days of receipt of an up- cation unless FRA receives and ap-
dated PTCIP that was submitted with proves an applicable:
an NPI, the Associate Administrator (A) PTCSP; or
will approve or disapprove of the up- (B) Request for Expedited Certifi-
dated PTCIP and notify in writing the cation (REC) as defined by § 236.1031(a).
affected railroad. If the updated PTCIP (e) Plan contents. (1) No PTCIP shall
is not approved, the notification will receive approval unless it complies
include the plan’s deficiencies. Within with § 236.1011. No railroad shall receive
30 days of receipt of that notification, a Type Approval or PTC System Cer-
the railroad or other entity that sub- tification unless the applicable PTCDP
mitted the plan shall correct all defi- or PTCSP, respectively, comply with
ciencies and resubmit the plan in ac- §§ 236.1013 and 236.1015, respectively.
875
§ 236.1009 49 CFR Ch. II (10–1–16 Edition)
(2) All materials filed in accordance (3) During FRA’s reconsideration in

with this subpart must be in the accordance with this paragraph, the
English language, or have been trans- PTC system may remain in use if oth-
lated into English and attested as true erwise consistent with the applicable
and correct. law and regulations and FRA may im-
(3) Each filing referenced in this sec- pose special conditions for use of the
tion may include a request for full or PTC system.
partial confidentiality in accordance (4) After FRA’s reconsideration in ac-
with § 209.11 of this chapter. If confiden- cordance with this paragraph, FRA
tiality is requested as to a portion of may:
any applicable document, then in addi- (i) Dismiss its reconsideration and
tion to the filing requirements under continue to recognize the existing FRA
§ 209.11 of this chapter, the person filing approved Type Approval or PTC Sys-
the document shall also file a copy of tem Certification;
the original unredacted document, (ii) Allow continued operations under
marked to indicate which portions are such conditions the Associate Adminis-
redacted in the document’s confiden- trator deems necessary to ensure safe-
tial version without obscuring the ty; or
original document’s contents. (iii) Revoke the Type Approval or
(f) Supporting documentation and infor- PTC System Certification and direct
mation. (1) Issuance of a Type Approval the railroad to cease operations where
or PTC System Certification is contin- PTC systems are required under this
gent upon FRA’s confidence in the im- subpart.
plementation and operation of the sub- (h) FRA access. The Associate Admin-
ject PTC system. This confidence may istrator, or that person’s designated
be based on FRA-monitored field test- representatives, shall be afforded rea-
ing or an independent assessment per- sonable access to monitor, test, and in-
formed in accordance with § 236.1035 or spect processes, procedures, facilities,
§ 236.1017, respectively. documents, records, design and testing
(2) Upon request by FRA, the railroad materials, artifacts, training materials
requesting a Type Approval or PTC and programs, and any other informa-
System Certification must engage in tion used in the design, development,
field testing or independent assessment manufacture, test, implementation,
performed in accordance with § 236.1035 and operation of the system, as well as
or § 236.1017, respectively, to support interview any personnel:
the assertions made in any of the plans (1) Associated with a PTC system for
submitted under this subpart. These which a Type Approval or PTC System
assertions include any of the plans’ Certification has been requested or pro-
content requirements under this sub- vided; or
part. (2) To determine whether a railroad
(g) FRA conditions, reconsiderations, has been in compliance with this sub-
and modifications. (1) As necessary to part.
ensure safety, FRA may attach special (i) Foreign regulatory entity
conditions to approving a PTCIP or verification. Information that has been
issuing a Type Approval or PTC Sys- certified under the auspices of a for-
tem Certification. eign regulatory entity recognized by
(2) After granting a Type Approval or the Associate Administrator may, at
PTC System Certification, FRA may the Associate Administrator’s sole dis-
reconsider the Type Approval or PTC cretion, be accepted as independently
System Certification upon revelation Verified and Validated and used to sup-
of any of the following factors con- port each railroad’s development of the
cerning the contents of the PTCDP or PTCSP.
PTCSP: (j) Processing times for PTCDP and
(i) Potential error or fraud; PTCSP.
(ii) Potentially invalidated assump- (1) Within 30 days of receipt of a
tions determined as a result of in-serv- PTCDP or PTCSP, the Associate Ad-
ice experience or one or more unsafe ministrator will either acknowledge re-
events calling into question the safety ceipt or acknowledge receipt and re-
analysis supporting the approval. quest more information.
876
(2) To the extent practicable, consid- and railroad employees before areas of
ering the scope, complexity, and nov- lesser risk;
elty of the product or change: (5) The sequence and schedule in
(i) FRA will approve, approve with which track segments will be equipped
conditions, or deny the PTCDP within and the basis for those decisions, and
60 days of the date on which the shall at a minimum address the fol-
PTCDP was filed; lowing risk factors by track segment:
(ii) FRA will approve, approve with (i) Segment traffic characteristics
conditions, or deny the PTCSP within such as typical annual passenger and
180 days of the date on which the freight train volume and volume of
PTCSP was filed; poison- or toxic-by-inhalation (PIH or
(iii) If FRA has not approved, ap- TIH) shipments (loads, residue);
proved with conditions, or denied the (ii) Segment operational characteris-
PTCDP or PTCSP within the 60-day or tics such as current method of oper-
180-day window, as applicable, FRA ation (including presence or absence of
will provide the submitting party with a block signal system), number of
a statement of reasons as to why the tracks, and maximum allowable train
submission has not yet been acted upon speeds, including planned modifica-
and a projected deadline by which an tions; and
approval or denial will be issued and
(iii) Route attributes bearing on risk,
any further consultations or inquiries
including ruling grades and extreme
will be resolved.
curvature;
[75 FR 2699, Jan. 15, 2010, as amended at 79 (6) The following information relat-
FR 49717, Aug. 22, 2014; 81 FR 10129, Feb. 29, ing to rolling stock:
2016]
(i) What rolling stock will be
§ 236.1011 PTC Implementation Plan equipped with PTC technology;
content requirements. (ii) The schedule to equip that rolling
stock by the applicable deadline under
(a) Contents. A PTCIP filed pursuant
§ 236.1005(b)(7);
to this subpart shall, at a minimum,
describe: (iii) All documents and information
required by § 236.1006; and
(1) The functional requirements that
the proposed system must meet; (iv) Unless the tenant railroad is fil-
(2) How the PTC railroad intends to ing its own PTCIP, the host railroad’s
comply with §§ 236.1009(c) and (d); PTCIP shall:
(3) How the PTC system will provide (A) Attest that the host railroad has
for interoperability of the system be- made a formal written request to each
tween the host and all tenant railroads tenant railroad requesting identifica-
on the track segments required to be tion of each item of rolling stock to be
equipped with PTC systems under this PTC system equipped and the date each
subpart and: will be equipped; and
(i) Include relevant provisions of (B) Include each tenant railroad’s re-
agreements, executed by all applicable sponse to the host railroad’s written
railroads, in place to achieve interoper- request made in accordance with para-
ability; graph (a)(6)(iv)(A) of this section;
(ii) List all methods used to obtain (7) The number of wayside devices re-
interoperability; and quired for each track segment and the
(iii) Identify any railroads with re- installation schedule to complete way-
spect to which interoperability agree- side equipment installation by the ap-
ments have not been achieved as of the plicable deadline under § 236.1005(b)(7);
time the plan is filed, the practical ob- (8) Identification of each track seg-
stacles that were encountered that pre- ment on the railroad as mainline or
vented resolution, and the further non-mainline track. If the PTCIP in-
steps planned to overcome those obsta- cludes an MTEA, as defined by
cles; § 236.1019, the PTCIP should identify
(4) How, to the extent practical, the the tracks included in the MTEA as
PTC system will be implemented to ad- main line track with a reference to the
dress areas of greater risk to the public MTEA;
877
§ 236.1013 49 CFR Ch. II (10–1–16 Edition)
(9) To the extent the railroad deter- will include the plan’s deficiencies.
mines that risk-based prioritization re- Within 30 days of receipt of that notifi-
quired by paragraph (a)(4) of this sec- cation, the railroad or other entity
tion is not practical, the basis for this that submitted the plan shall correct
determination; and all deficiencies and resubmit the plan
(10) The dates the associated PTCDP in accordance with § 236.1009 and para-
and PTCSP, as applicable, will be sub- graph (a) of this section, as applicable.
mitted to FRA in accordance with (d) Subpart H. A railroad that elects
§ 236.1009. to install a PTC system when not re-
(b) Additional Class I railroad PTCIP quired to do so may elect to proceed
requirements. Each Class I railroad shall under this subpart or under subpart H
include: of this part.
(1) In its PTCIP a strategy for full de-
(e) Upon receipt of a PTCIP, NPI,
ployment of its PTC system, describing
PTCDP, or PTCSP, FRA posts on its
the criteria that it will apply in identi-
public web site notice of receipt and
fying additional rail lines on its own
reference to the public docket in which
network, and rail lines of entities that
a copy of the filing has been placed.
it controls or engages in joint oper-
ations with, for which full or partial FRA may consider any public comment
deployment of PTC technologies is ap- on each document to the extent prac-
propriate, beyond those required to be ticable within the time allowed by law
equipped under this subpart. Such cri- and without delaying implementation
teria shall include consideration of the of PTC systems.
policies established by 49 U.S.C. 20156 (f) The PTCIP shall be maintained to
(railroad safety risk reduction pro- reflect the railroad’s most recent PTC
gram), and regulations issued there- deployment plans until all PTC system
under, as well as non-safety business deployments required under this sub-
benefits that may accrue. part are complete.
(2) In the Technology Implementa- [75 FR 2699, Jan. 15, 2010, as amended at 75
tion Plan of its Risk Reduction Pro- FR 59117, Sept. 27, 2010; 81 FR 10129, Feb. 29,
gram, when first required to be filed in 2016]
accordance with 49 U.S.C. 20156 and any
regulation promulgated thereunder, a § 236.1013 PTC Development Plan and
specification of rail lines selected for Notice of Product Intent content re-
full or partial deployment of PTC quirements and Type Approval.
under the criteria identified in its (a) For a PTC system to obtain a
PTCIP. Type Approval from FRA, the PTCDP
(3) Nothing in this paragraph shall be shall be filed in accordance with
construed to create an expectation or § 236.1009 and shall include:
requirement that additional rail lines
(1) A complete description of the PTC
beyond those required to be equipped
system, including a list of all PTC sys-
by this subpart must be equipped or
tem components and their physical re-
that such lines will be equipped during
lationships in the subsystem or sys-
the period of primary implementation
ending on the applicable deadline tem;
under § 236.1005(b)(7). (2) A description of the railroad oper-
(4) As used in this paragraph, ‘‘par- ation or categories of operations on
tial implementation’’ of a PTC system which the PTC system is designed to be
refers to use, pursuant to subpart H of used, including train movement den-
this part, of technology embedded in sity (passenger, freight), operating
PTC systems that does not employ all speeds (including a thorough expla-
of the functionalities required by this nation of intended compliance with
subpart. § 236.1007), track characteristics, and
(c) FRA review. Within 90 days of re- railroad operating rules;
ceipt of a PTCIP, the Associate Admin- (3) An operational concepts docu-
istrator will approve or disapprove of ment, including a list with complete
the plan and notify in writing the af- descriptions of all functions which the
fected railroad or other entity. If the PTC system will perform to enhance or
PTCIP is not approved, the notification preserve safety;
878
(4) A document describing the man- ments, and restrictions to any Type
ner in which the PTC system architec- Approval as necessary for safety.
ture satisfies safety requirements; (e) If submitted, an NPI must contain
(5) A preliminary human factors the following information:
analysis, including a complete descrip- (1) A description of the railroad oper-
tion of all human-machine interfaces ation or categories of operations on
and the impact of interoperability re- which the proposed PTC system is de-
quirements on the same; signed to be used, including train
(6) An analysis of the applicability to movement density (passenger, freight),
the PTC system of the requirements of operating speeds (including a thorough
subparts A through G of this part that explanation of intended compliance
may no longer apply or are satisfied by with § 236.1007), track characteristics,
the PTC system using an alternative and railroad operating rules;
method, and a complete explanation of (2) An operational concepts docu-
the manner in which those requirement, including a list with complete
ments are otherwise fulfilled; descriptions of all functions that the
(7) A prioritized service restoration proposed PTC system will perform to
and mitigation plan and a description enhance or preserve safety;
of the necessary security measures for (3) A description of target safety lev-
the system; els (e.g., MTTHE for major subsystems
(8) A description of target safety lev- as defined in subpart H of this part), in-
els (e.g., MTTHE for major subsystems cluding requirements for system avail-
as defined in subpart H of this part), in- ability and a description of all backup
cluding requirements for system avail- methods of operation and any critical
ability and a description of all backup assumptions associated with the target
methods of operation and any critical levels;
assumptions associated with the target (4) A complete description of how the
levels; proposed PTC system will enforce au-
(9) A complete description of how the thorities and signal indications; and
PTC system will enforce authorities (5) A complete description of how the
and signal indications; proposed PTC system will appro-
(10) A description of the deviation priately and timely enforce all inte-
which may be proposed under grated hazard detectors in accordance
§ 236.1029(c), if applicable; and with § 236.1005(c)(3), if applicable.
(11) A complete description of how
the PTC system will appropriately and § 236.1015 PTC Safety Plan content re-
timely enforce all integrated hazard quirements and PTC System Certifi-
detectors in accordance with cation.
§ 236.1005(c)(3), if applicable. (a) Before placing a PTC system re-
(b) If the Associate Administrator quired under this part in service, the
finds that the system described in the host railroad must submit to FRA a
PTCDP would satisfy the requirements PTCSP and receive a PTC System Cer-
for PTC systems under this subpart and tification. If the Associate Adminis-
that the applicant has made a reason- trator finds that the PTCSP and sup-
able showing that a system built to the porting documentation support a find-
stated requirements would achieve the ing that the system complies with this
level of safety mandated for such a sys- part, the Associate Administrator ap-
tem under § 236.1015, the Associate Ad- proves the PTCSP and issues a PTC
ministrator may grant a numbered System Certification. Receipt of a PTC
Type Approval for the system. System Certification affirms that the
(c) Each Type Approval shall be valid PTC system has been reviewed and ap-
for a period of 5 years, subject to auto- proved by FRA in accordance with, and
matic and indefinite extension pro- meets the requirements of, this part.
vided that at least one PTC System (b) A PTCSP submitted under this
Certification using the subject PTC subpart may reference and utilize in
system has been issued within that pe- accordance with this subpart any Type
riod and not revoked. Approval previously issued by the As-

(d) The Associate Administrator may sociate Administrator to any railroad,
prescribe special conditions, amend- provided that the railroad:
879
§ 236.1015 49 CFR Ch. II (10–1–16 Edition)
(1) Maintains a continually updated (2) A description of the safety assur-

PTCPVL pursuant to § 236.1023; ance concepts that are to be used for
(2) Shows that the supplier from system development, including an ex-
which they are procuring the PTC sys- planation of the design principles and
tem has established and can maintain a assumptions;
quality control system for PTC system (3) A risk assessment of the as-built
design and manufacturing acceptable PTC system described;
to the Associate Administrator. The (4) A hazard mitigation analysis, in-
quality control system must include cluding a complete and comprehensive
the process for the product supplier or description of each hazard and the
vendor to promptly and thoroughly re- mitigation techniques used;
port any safety-relevant failure and (5) A complete description of the
previously unidentified hazards to each safety assessment and Verification and
railroad using the product; and Validation processes applied to the
(3) Provides the applicable licensing PTC system, their results, and whether
information. these processes address the safety prin-
(c) A PTCSP submitted in accordance ciples described in Appendix C to this
with this subpart shall: part directly, using other safety cri-
(1) Include the FRA approved PTCDP teria, or not at all;
or, if applicable, the FRA issued Type (6) A complete description of the rail-
Approval; road’s training plan for railroad and
(2)(i) Specifically and rigorously doc- contractor employees and supervisors
ument each variance, including the sig- necessary to ensure safe and proper in-
nificance of each variance between the stallation, implementation, operation,
PTC system and its applicable oper- maintenance, repair, inspection, test-
ating conditions as described in the ap- ing, and modification of the PTC sys-
plicable PTCDP from that as described tem;
in the PTCSP, and attest that there
(7) A complete description of the spe-
are no other such variances; or
cific procedures and test equipment
(ii) Attest that there are no
necessary to ensure the safe and proper
variances between the PTC system and
installation, implementation, oper-
its applicable operating conditions as
ation, maintenance, repair, inspection,
described in the applicable PTCDP
testing, and modification of the PTC
from that as described in the PTCSP;
and system on the railroad and establish
safety-critical hazards are appro-
(3) Attest that the system was other-
priately mitigated. These procedures,
wise built in accordance with the appli-
including calibration requirements,
cable PTCDP and PTCSP and achieves
shall be consistent with or explain de-
the level of safety represented therein.
viations from the equipment manufac-
(d) A PTCSP shall include the same
turer’s recommendations;
information required for a PTCDP
under § 236.1013(a). If a PTCDP has been (8) A complete description of any ad-
filed and approved prior to filing of the ditional warning to be placed in the
PTCSP, the PTCSP may incorporate Operations and Maintenance Manual in
the PTCDP by reference, with the ex- the same manner specified in § 236.919
ception that a final human factors and all warning labels to be placed on
analysis shall be provided. The PTCSP equipment as necessary to ensure safe-
shall contain the following additional ty;
elements: (9) A complete description of the con-
(1) A hazard log consisting of a com- figuration or revision control measures
prehensive description of all safety-rel- designed to ensure that the railroad or
evant hazards not previously addressed its contractor does not adversely affect
by the vendor or supplier to be ad- the safety-functional requirements and
dressed during the life-cycle of the PTC that safety-critical hazard mitigation
system, including maximum threshold processes are not compromised as a re-
limits for each hazard (for unidentified sult of any such change;
hazards, the threshold shall be exceed- (10) A complete description of all ini-
ed at one occurrence); tial implementation testing procedures
880
necessary to establish that safety-func- (21) A list of each location where a lo-
tional requirements are met and safe- comotive with a failed onboard PTC ap-
ty-critical hazards are appropriately paratus will be regularly be exchanged
mitigated; or repaired pursuant to § 236.1029(b)(6)
(11) A complete description of all and a list of each movement that could
post-implementation testing (valida- take place pursuant to § 236.1029(b)(6) if
tion) and monitoring procedures, in- the movement potentially could exceed
cluding the intervals necessary to es- 500 miles.
tablish that safety-functional require- (e) The following additional require-
ments, safety-critical hazard mitiga- ments apply to:
tion processes, and safety-critical tol- (1) Non-vital overlay. A PTC system
erances are not compromised over proposed as an overlay on the existing
time, through use, or after mainte- method of operation and not built in
nance (adjustment, repair, or replace- accordance with the safety assurance
ment) is performed; principles set forth in appendix C of
(12) A complete description of each this part must, to the satisfaction of
record necessary to ensure the safety the Associate Administrator, be shown
of the system that is associated with to:
periodic maintenance, inspections, (i) Reliably execute the functions set
tests, adjustments, repairs, or replace- forth in § 236.1005;
ments, and the system’s resulting con-
(ii) Obtain at least 80 percent reduc-
ditions, including records of component
tion of the risk associated with acci-
failures resulting in safety-relevant
dents preventable by the functions set
hazards (see § 236.1037);
forth in § 236.1005, when all effects of
(13) A safety analysis to determine
the change associated with the PTC
whether, when the system is in oper-
system are taken into account. The
ation, any risk remains of an unin-
supporting risk assessment shall evalu-
tended incursion into a roadway work
ate all intended changes in railroad op-
zone due to human error. If the anal-
erations coincident with the introduc-
ysis reveals any such risk, the PTCDP
tion of the new system; and
and PTCSP shall describe how that
risk will be mitigated; (iii) Maintain a level of safety for
(14) A more detailed description of each subsequent system modification
any alternative arrangements as al- that is equal to or greater than the
ready provided under § 236.1005(a)(1)(i). level of safety for the previous PTC
(15) A complete description of how systems.
the PTC system will enforce authori- (2) Vital overlay. A PTC system pro-
ties and signal indications, unless al- posed on a newly constructed track or
ready completely provided for in the as an overlay on the existing method of
PTCDP; operation and built in accordance with
(16) A description of how the PTCSP the safety assurance principles set
complies with § 236.1019(f), if applicable; forth in appendix C of this part must,
(17) A description of any deviation in to the satisfaction of the Associate Ad-
operational requirements for en route ministrator, be shown to:
failures as specified under § 236.1029(c), (i) Reliably execute the functions set
if applicable and unless already com- forth in § 236.1005; and
pletely provided for in the PTCDP; (ii) Have sufficient documentation to
(18) A complete description of how demonstrate that the PTC system, as
the PTC system will appropriately and built, fulfills the safety assurance prin-
timely enforce all integrated hazard ciples set forth in appendix C of this
detectors in accordance with § 236.1005; part. The supporting risk assessment
(19) An emergency and planned main- may be abbreviated as that term is
tenance temporary rerouting plan indi- used in subpart H of this part.
cating how operations on the subject (3) Stand-alone. A PTC system pro-
PTC system will take advantage of the posed on a newly constructed track, an
benefits provided under § 236.1005(g) existing track for which no signal sys-
through (k); and tem exists, as a replacement for an ex-

(20) The documents and information isting signal or train control system,
required under §§ 236.1007 and 236.1033. or otherwise to replace or materially
881
§ 236.1017 49 CFR Ch. II (10–1–16 Edition)
modify the existing method of oper- the risks and a discussion of each ap-
ation, shall: plicable mitigation. In an appropriate
(i) Reliably execute the functions re- case, such as a case in which the resid-
quired by § 236.1005 and be dem- ual risk after mitigation is substantial
onstrated to do so to FRA’s satisfac- or the underlying method of operation
tion; and will be significantly altered, the Asso-
(ii) Have a PTCSP establishing, with ciate Administrator may require sub-
a high degree of confidence, that the mission of a quantitative risk assess-
system will not introduce new hazards ment addressing these potential errors.
that have not been mitigated. The sup- [75 FR 2699, Jan. 15, 2010, as amended at 79
porting risk assessment shall evaluate FR 49717, Aug. 22, 2014]
all intended changes in railroad oper-
ations in relation to the introduction § 236.1017 Independent third party
of the new system and shall examine in Verification and Validation.
detail the direct and indirect effects of (a) The PTCSP must be supported by
all changes in the method of oper- an independent third-party assessment
ations. when the Associate Administrator con-
(4) Mixed systems. If a PTC system cludes that it is necessary based upon
combining overlay, stand-alone, vital, the criteria set forth in § 236.913, with
or non-vital characteristics is pro- the exception that consideration of the
posed, the railroad shall confer with methodology used in the risk assess-
the Associate Administrator regarding ment (§ 236.913(g)(2)(vii)) shall apply
appropriate structuring of the safety only to the extent that a comparative
case and analysis. risk assessment was required. To the
(f) When determining whether the extent practicable, FRA makes this de-
PTCSP fulfills the requirements under termination not later than review of
paragraph (d) of this section, the Asso- the PTCIP and the accompanying
ciate Administrator may consider all PTCDP or PTCSP. If an independent
available evidence concerning the reli- assessment is required, the assessment
ability and availability of the proposed may apply to the entire system or a
system and any and all safety con- designated portion of the system.
sequences of the proposed changes. In (b) If a PTC system is to undergo an
any case where the PTCSP lacks ade- independent assessment in accordance
quate data regarding safety impacts of with this section, the host railroad
the proposed changes, the Associate may submit to the Associate Adminis-
Administrator may request the nec- trator a written request that FRA con-
essary data from the applicant. If the firm whether a particular entity would
requested data is not provided, the As- be considered an independent third
sociate Administrator may find that party pursuant to this section. The re-
potential hazards could or will arise. quest should include supporting infor-
(g) If a PTCSP applies to a system mation identified in paragraph (c) of
designed to replace an existing cer- this section. FRA may request further
tified PTC system, the PTCSP will be information to make a determination
approved provided that the PTCSP es- or provide its determination in writing.
tablishes with a high degree of con- (c) As used in this section, ‘‘inde-
fidence that the new system will pro- pendent third party’’ means a tech-
vide a level of safety not less than the nically competent entity responsible to
level of safety provided by the system and compensated by the railroad (or an
to be replaced. association on behalf of one or more
(h) When reviewing the issue of the railroads) that is independent of the
potential data errors (for example, er- PTC system supplier and vendor. An
rors arising from data supplied from entity that is owned or controlled by
other business systems needed to exe- the supplier or vendor, that is under
cute the braking algorithm, survey common ownership or control with the
data needed for location determina- supplier or vendor, or that is otherwise
tion, or mandatory directives issued involved in the development of the
through the computer-aided dis- PTC system is not considered ‘‘inde-

patching system), the PTCSP must in- pendent’’ within the meaning of this
clude a careful identification of each of section.
882
(d) The independent third-party as- (i) No freight operations are per-
sessment shall, at a minimum, consist mitted; or
of the activities and result in the pro- (ii) Freight operations are permitted
duction of documentation meeting the but no passengers will be aboard pas-
requirements of Appendix F to this senger trains within the defined limits.
part, unless excepted by this part or by (c) Limited operations exception. FRA
FRA order or waiver. will consider an exception in the case
(e) Information provided that has of a track segment used for limited op-
been certified under the auspices of a erations (operating in accordance with
foreign railroad regulatory entity rec- § 236.0 of this part) under one of the fol-
ognized by the Associate Adminis- lowing sets of conditions:
trator may, at the Associate Adminis- (1) The trackage is used for limited
trator’s discretion, be accepted as hav- operations by at least one passenger
ing been independently verified. railroad subject to at least one of the
following conditions:
§ 236.1019 Main line track exceptions. (i) All trains are limited to restricted
(a) Scope and procedure. This section speed;
pertains exclusively to exceptions from (ii) Temporal separation of passenger
the rule that trackage over which and other trains is maintained as pro-
scheduled intercity and commuter pas- vided in paragraph (e) of this section;
senger service is provided is considered or
main line track requiring installation (iii) Passenger service is operated
of a PTC system. One or more intercity under a risk mitigation plan submitted
or commuter passenger railroads, or by all railroads involved in the joint
freight railroads conducting joint pas- operation and approved by FRA. The
senger and freight operation over the risk mitigation plan must be supported
same segment of track may file a main by a risk assessment establishing that
line track exclusion addendum the proposed mitigations will achieve a
(‘‘MTEA’’) to its PTCIP requesting to level of safety not less than the level of
designate track as not main line sub- safety that would obtain if the oper-
ject to the conditions set forth in para- ations were conducted under paragraph
graphs (b) or (c) of this section. No (c)(1) or (c)(2) of this section.
track shall be designated as yard or (2) Passenger service is operated on a
terminal unless it is identified in an segment of track of a freight railroad
MTEA that is part of an FRA approved that is not a Class I railroad on which
PTCIP. less than 15 million gross tons of
(b) Passenger terminal exception. FRA freight traffic is transported annually
will consider an exception in the case and on which one of the following con-
of trackage used exclusively as yard or ditions applies:
terminal tracks by or in support of reg- (i) If the segment is unsignaled and
ularly scheduled intercity or commuter no more than four regularly scheduled
passenger service where the MTEA de- passenger trains are operated during a
scribes in detail the physical bound- calendar day, or
aries of the trackage in question, its (ii) If the segment is signaled (e.g.,
use and characteristics (including equipped with a traffic control system,
track and signal charts) and all of the automatic block signal system, or cab
following apply: signal system) and no more than 12
(1) The maximum authorized speed regularly scheduled passenger trains
for all movements is not greater than are operated during a calendar day.
20 miles per hour, and that maximum (3) Not more than four passenger
is enforced by any available onboard trains per day are operated on a seg-
PTC equipment within the confines of ment of track of a Class I freight rail-
the yard or terminal; road on which less than 15 million
(2) Interlocking rules are in effect gross tons of freight traffic is trans-
prohibiting reverse movements other ported annually.
than on signal indications without dis- (d) A limited operations exception
patcher permission; and under paragraph (c) is subject to FRA

(3) Either of the following conditions review and approval. FRA may require
exists: a collision hazard analysis to identify
883
§ 236.1020 49 CFR Ch. II (10–1–16 Edition)
hazards and may require that specific (2) The Associate Administrator ap-
mitigations be undertaken. Operations proves the RFA.
under any such exception shall be con- (b) After approval of an RFA in ac-
ducted subject to the terms and condi- cordance with paragraph (a) of this sec-
tions of the approval. Any main line tion, the railroad shall immediately
track exclusion is subject to periodic adopt and comply with the amend-
review. ment.
(e) Temporal separation. As used in (c) In lieu of a separate filing under
this section, temporal separation part 235 of this chapter, a railroad may
means that limited passenger and request approval of a discontinuance or
freight operations do not operate on material modification of a signal or
any segment of shared track during the train control system by filing an RFA
same period and also refers to the proc- to its PTCIP, PTCDP, or PTCSP with
esses or physical arrangements, or the Associate Administrator.
both, in place to ensure that temporal (d) An RFA made in accordance with
separation is established and main- this section will not be approved by
tained at all times. The use of exclu- FRA unless the request includes:
sive authorities under mandatory di- (1) The information listed in § 235.10
rectives is not, by itself, sufficient to of this chapter and the railroad pro-
establish that temporal separation is vides FRA upon request any additional
achieved. Procedures to ensure tem- information necessary to evaluate the
poral separation shall include RFA (see § 235.12), including:
verification checks between passenger (2) The proposed modifications;
and freight operations and effective (3) The reasons for each modification;
physical means to positively ensure (4) The changes to the PTCIP,
segregation of passenger and freight PTCDP, or PTCSP, as applicable;
operations in accordance with this (5) Each modification’s effect on PTC
paragraph. system safety;
(f) PTCSP requirement. No PTCSP— (6) An approximate timetable for fil-
filed after the approval of a PTCIP ing of the PTCDP, PTCSP, or both, if
with an MTEA—shall be approved by the amendment pertains to a PTCIP;
FRA unless it attests that no changes, and
except for those included in an FRA ap- (7) An explanation of whether each
proved RFA, have been made to the in- change to the PTCSP is planned or un-
formation in the PTCIP and MTEA re- planned.
quired by paragraph (b) or (c) of this (i) Unplanned changes that affect the
section. Type Approval’s PTCDP require sub-
(g) Designation modifications. If subse- mission and approval in accordance
quent to approval of its PTCIP or with § 236.1013 of a new PTCDP, fol-
PTCSP the railroad seeks to modify lowed by submission and approval in
which track or tracks should be des- accordance with § 236.1015 of a new
ignated as main line or not main line, PTCSP for the PTC system.
it shall request modification of its (ii) Unplanned changes that do not
PTCIP or PTCSP, as applicable, in ac- affect the Type Approval’s PTCDP re-
cordance with § 236.1021. quire submission and approval of a new
[75 FR 2699, Jan. 15, 2010, as amended at 75 PTCSP.
FR 59117, Sept. 27, 2010] (iii) Unplanned changes are changes
affecting system safety that have not
§ 236.1020 [Reserved] been documented in the PTCSP. The
impact of unplanned changes on PTC
§ 236.1021 Discontinuances, material system safety has not yet been deter-
modifications, and amendments. mined.
(a) No changes, as defined by this sec- (iv) Planned changes may be imple-
tion, to a PTC system, PTCIP, PTCDP, mented after they have undergone suit-
or PTCSP, shall be made unless: able regression testing to demonstrate,
(1) The railroad files a request for to the satisfaction of the Associate Ad-
amendment (‘‘RFA’’) to the applicable ministrator, they have been correctly

PTCIP, PTCDP, or PTCSP with the As- implemented and their implementation
sociate Administrator; and does not degrade safety.
884
(v) Planned changes are changes af- (2) Removal of PTC devices used to
fecting system safety in the PTCSP provide protection against unusual
and have been included in all required contingencies such as landslide, burned
analysis under § 236.1015. The impact of bridge, high water, high and wide load,
these changes on the PTC system’s or tunnel protection when the unusual
safety has been incorporated as an in- contingency no longer exists;
tegral part of the approved PTCSP (3) Removal of the PTC devices that
safety analysis. are used on a movable bridge that has
(e) If the RFA includes a request for been permanently closed by the formal
approval of a discontinuance or mate- approval of another government agen-
rial modification of a signal or train cy and is mechanically secured in the
control system, FRA will publish a no- closed position for rail traffic; or
tice in the FEDERAL REGISTER of the (4) Removal of the PTC system from
application and will invite public com- service for a period not to exceed 6
ment in accordance with part 211 of months that is necessitated by cata-
this chapter. strophic occurrence such as derail-
(f) When considering the RFA, FRA ment, flood, fire, or hurricane, or
will review the issue of the discontinu- earthquake.
ance or material modification and de- (j) Changes not requiring the filing of
termine whether granting the request an RFA. When the resultant change to
is in the public interest and consistent
the PTC system will comply with an
with railroad safety, taking into con-
approved PTCSP of this part, it is not
sideration all changes in the method of
necessary to file for approval to de-
operation and system functionalities,
crease the limits of a system when it
both within normal PTC system avail-
involves the:
ability and in the case of a system
(1) Decrease of the limits of a PTC
failed state (unavailable), con-
system when interlocked switches, de-
templated in conjunction with installa-
rails, or movable-point frogs are not in-
tion of the PTC system. The railroad
volved;
submitting the RFA must, at FRA’s re-
quest, perform field testing in accord- (2) Removal of an electric or mechan-
ance with § 236.1035 or engage in ical lock, or signal used in lieu thereof,
Verification and Validation in accord- from hand-operated switch in a PTC
ance with § 236.1017. system where train speed over such
(g) FRA may issue at its discretion a switch does not exceed 20 miles per
new Type Approval number for a PTC hour, and use of those devices has not
system modified under this section. been part of the considerations for ap-
(h) Changes requiring filing of an RFA. proval of a PTCSP; or
Except as provided by paragraph (i), an (3) Removal of an electric or mechan-
RFA shall be filed to request the fol- ical lock, or signal used in lieu thereof,
lowing: from a hand-operated switch in a PTC
(1) Discontinuance of a PTC system, system where trains are not permitted
or other similar appliance or device; to clear the main track at such switch
(2) Decrease of the PTC system’s lim- and use of those devices has not been a
its (e.g., exclusion or removal of a PTC part of the considerations for approval
system on a track segment); of a PTCSP.
(3) Modification of a safety critical (k) Modifications not requiring the fil-
element of a PTC system; or ing of an RFA. When the resultant ar-
(4) Modification of a PTC system that rangement will comply with an ap-
affects the safety critical functionality proved PTCSP of this part, it is not
of any other PTC system with which it necessary to file an application for ap-
interoperates. proval of the following modifications:
(i) Discontinuances not requiring the (1) A modification that is required to
filing of an RFA. It is not necessary to comply with an order of the Federal
file an RFA for the following Railroad Administration or any section
discontinuances: of part 236 of this title;
(1) Removal of a PTC system from (2) Installation of devices used to pro-
track approved for abandonment by vide protection against unusual contin-
formal proceeding; gencies such as landslide, burned
885
§ 236.1023 49 CFR Ch. II (10–1–16 Edition)
bridges, high water, high and wide patch, revision, repair, replacement, or
loads, or dragging equipment; modification.
(3) Elimination of existing track (2) Identify configuration/revision
other than a second main track; control measures in its PTCSP that are
(4) Extension or shortening of a pass- designed to ensure the safety-func-
ing siding; or tional requirements and the safety-
(5) The temporary or permanent ar- critical hazard mitigation processes
rangement of existing systems neces- are not compromised as a result of any
sitated by highway-rail grade separa- change and that such a change can be
tion construction. Temporary arrange- audited.
ments shall be removed within six (d) The railroad shall provide to the
months following completion of con- applicable vendor or supplier the rail-
struction. road’s procedures for action upon noti-
fication of a safety-critical failure, up-
§ 236.1023 Errors and malfunctions. grade, patch, or revision for the PTC
(a) Each railroad implementing a system, subsystem, component, prod-
PTC system on its property shall es- uct, or process, and actions to be taken
tablish and continually update a PTC until the faulty system, subsystem, or
Product Vendor List (PTCPVL) that component has been adjusted, repaired
includes all vendors and suppliers of or replaced.
each PTC system, subsystem, compo- (e) After the product is placed in
nent, and associated product, and proc- service, the railroad shall maintain a
ess in use system-wide. The PTCPVL database of all safety-relevant hazards
shall be made available to FRA upon as set forth in the PTCSP and those
request. that had not previously been identified
(b)(1) The railroad shall specify within the PTCSP. If the frequency of the
in its PTCSP all contractual arrange- safety-relevant hazard exceeds the
ments with hardware and software sup- thresholds set forth in the PTCSP, or
pliers or vendors for immediate notifi- has not been previously identified in
cation between the parties of any and the appropriate risk analysis, the rail-
all safety-critical software failures, up- road shall:
grades, patches, or revisions, as well as (1) Notify the applicable vendor or
any hardware repairs, replacements, or supplier and FRA of the failure, mal-
modifications for their PTC system, function, or defective condition that
subsystems, or components. decreased or eliminated the safety
(2) A vendor or supplier, on receipt of functionality;
a report of any safety-critical failure (2) Keep the applicable vendor or sup-
to their product, shall promptly notify plier and FRA apprised on a continual
all other railroads that are using that basis of the status of any and all subse-
product, whether or not the other rail- quent failures; and
roads have experienced the reported (3) Take prompt counter measures to
failure of that safety-critical system, reduce or eliminate the frequency of
subsystem, or component. the safety-relevant hazards below the
(3) The notification from a supplier threshold identified in the PTCSP.
to any railroad shall include expla- (f) Each notification to FRA required
nation from the supplier of the reasons by this section shall:
for such notification, the cir- (1) Be made within 15 days after the
cumstances associated with the failure, vendor, supplier, or railroad discovers
and any recommended mitigation ac- the failure, malfunction, or defective
tions to be taken pending determina- condition. However, a report that is
tion of the root cause and final correc- due on a Saturday or a Sunday may be
tive actions. delivered on the following Monday and
(c) The railroad shall: one that is due on a holiday may be de-
(1) Specify the railroad’s process and livered on the next business day;
procedures in its PTCSP for action (2) Be transmitted in a manner and
upon their receipt of notification of form acceptable to the Associate Ad-

safety-critical failure, as well as re- ministrator and by the most expedi-
ceipt of a safety-critical upgrade, tious method available; and
886
(3) Include as much available and ap- faulty product adjusted, repaired, or
plicable information as possible, in- replaced without undue delay. Until
cluding: corrective action is completed, a rail-
(i) PTC system name and model; road shall take appropriate action to
(ii) Identification of the part, compo- ensure safety and reliability as speci-
nent, or system involved, including the fied within its PTCSP.
part number as applicable; (k) Any railroad experiencing a fail-
(iii) Nature of the failure, malfunc- ure of a system resulting in a more fa-
tions, or defective condition; vorable aspect than intended or other
(iv) Mitigation taken to ensure the condition hazardous to the movement
safety of train operation, railroad em- of a train shall comply with the report-
ployees, and the public; and ing requirements, including the mak-
(v) The estimated time to correct the
ing of a telephonic report of an acci-
failure.
dent or incident involving such failure,
(4) In the event that all information
under part 233 of this chapter. Filing of
required by paragraph (f)(3) of this sec-
one or more reports under part 233 of
tion is not immediately available, the
non-available information shall be for- this chapter does not exempt a rail-
warded to the Associate Administrator road, vendor, or supplier from the re-
as soon as practicable in supplemental porting requirements contained in this
reports. section.
(g) Whenever any investigation of an
accident or service difficulty report § 236.1025 [Reserved]
shows that a PTC system or product is § 236.1027 PTC system exclusions.
unsafe because of a manufacturing or
design defect, the railroad and its ven- (a) The requirements of this subpart
dor or supplier shall, upon request of apply to each office automation system
the Associate Administrator, report to that performs safety-critical functions
the Associate Administrator the re- within, or affects the safety perform-
sults of its investigation and any ac- ance of, the PTC system. For purposes
tion taken or proposed to correct that of this section, ‘‘office automation sys-
defect. tem’’ means any centralized or distrib-
(h) PTC system and product suppliers uted computer-based system that di-
and vendors shall: rectly or indirectly controls the active
(1) Promptly report any safety-rel- movement of trains in a rail network.
evant failures or defective conditions, (b) Changes or modifications to PTC
previously unidentified hazards, and systems otherwise excluded from the
recommended mitigation actions in requirements of this subpart by this
their PTC system, subsystem, or com- section do not exclude those PTC sys-
ponent to each railroad using the prod- tems from the requirements of this
uct; and subpart if the changes or modifications
(2) Notify FRA of any safety-relevant result in a degradation of safety or a
failure, defective condition, or pre- material decrease in safety-critical
viously unidentified hazard discovered functionality.
by the vendor or supplier and the iden- (c) Primary train control systems
tity of each affected and notified rail-
cannot be integrated with locomotive
road.
electronic systems unless the complete
(i) The requirements of this section
integrated systems:
do not apply to failures, malfunctions,
or defective conditions that: (1) Have been shown to be designed
(1) Are caused by improper mainte- on fail-safe principles;
nance or improper usage; or (2) Have demonstrated to operate in a
(2) Have been previously identified to fail-safe mode;
the FRA, vendor or supplier, and appli- (3) Have a manual fail-safe fallback
cable user railroads. and override to allow the locomotive to
(j) When any safety-critical PTC sys- be brought to a safe stop in the event
tem, subsystem, or component fails to of any loss of electronic control; and

perform its intended function, the (4) Are included in the approved and
cause shall be determined and the applicable PTCDP and PTCSP.
887
§ 236.1029 49 CFR Ch. II (10–1–16 Edition)
(d) PTC systems excluded by this sec- (5) Where the PTC system is the ex-
tion from the requirements of this sub- clusive method of delivering manda-
part remain subject to subparts A tory directives, an absolute block must
through H of this part as applicable. be established in advance of the train
as soon as safe and practicable, and the
§ 236.1029 PTC system use and fail- train shall not exceed restricted speed
ures. until the absolute block in advance of
(a) When any safety-critical PTC sys- the train is established.
tem component fails to perform its in- (6) Where the failure or cut-out is a
tended function, the cause must be de- result of a defective onboard PTC appa-
termined and the faulty component ad- ratus, the train may continue no far-
justed, repaired, or replaced without ther than the next forward designated
undue delay. Until repair of such essen- location for the repair or exchange of
tial components is completed, a rail- onboard PTC apparatuses.
road shall take appropriate action as (c) Exception for alternative system fail-
specified in its PTCSP. ure procedure. A railroad may submit
(b) En route failures. Except as pro- for approval a PTCSP, an RFA, or an
vided in paragraphs (c) and (g) of this Order of Particular Applicability with
section, where a controlling loco- an alternative system failure proce-
motive that is operating in, or is to be dure other than that required by para-
operated within, a PTC-equipped track graph (b) of this section. FRA may, in
segment experiences PTC system fail- its discretion, approve such an alter-
ure or the PTC system is otherwise cut native system failure procedure if it
out while en route (i.e., after the train provides similar requirements of, and
has departed its initial terminal), the an equivalent or greater level of safety
train may only continue in accordance as, the requirements of paragraph (b) of
with all of the following: this section.
(1) Except as provided in paragraph (d) Each railroad shall comply with
(b)(5) of this section, where no block all provisions in the applicable PTCDP
signal system is in use, the train may and PTCSP for each PTC system it
proceed at a speed not to exceed 40 uses and shall operate within the scope
miles per hour; however, if the involved of initial operational assumptions and
train is transporting one or more cars predefined changes identified.
containing PIH materials, excluding (e) The normal functioning of any
those cars containing only a residue of safety-critical PTC system must not be
PIH materials, the train may only pro- interfered with in testing or otherwise
ceed at a speed not to exceed 30 miles without first taking measures to pro-
per hour. vide for the safe movement of trains,
(2) Where a block signal system is in locomotives, roadway workers, and on-
place: track equipment that depend on the
(i) A passenger train may proceed at normal functioning of the system.
a speed not to exceed 59 miles per hour; (f) [Reserved]
(ii) A freight train transporting one (g) Temporary exceptions. From Octo-
or more cars containing PIH materials, ber 21, 2014 through the 24 months fol-
excluding those cars containing only a lowing the date of required PTC system
residue of PIH materials, may proceed implementation established by section
at a speed not to exceed 40 miles per 20157 of title 49 of the United States
hour; and Code—
(iii) Any other freight train may pro- (1) A railroad’s PTCSP or Order of
ceed at a speed not to exceed 49 miles Particular Applicability may provide
per hour. for compliance with the en route fail-
(3) Where a cab signal system with an ure requirements of § 236.567 instead of
automatic train control system is in paragraph (b) of this section where a
use, the train may proceed at a speed controlling locomotive that is oper-
not to exceed 79 miles per hour. ating in, or is to be operated within, a
(4) A report of the failure or cut-out PTC-equipped track segment experi-
must be made to a designated railroad ences PTC system failure or the PTC
officer of the host railroad as soon as system is otherwise cut out while en
safe and practicable. route;
888
(2) A train may proceed as prescribed road, or one or more system suppliers
under either paragraph (b) of this sec- and one or more PTC railroads, sub-
tion or § 236.567 where the PTC system mits a Request for Expedited Certifi-
fails to initialize for any reason prior cation (REC) letter to the Associate
to the train’s departure from its initial Administrator. The REC letter must do
terminal; and one of the following:
(3) A railroad’s PTCSP may provide (1) Reference a product safety plan
for the temporary disabling of PTC sys- (PSP) approved by FRA under subpart
tem service where necessary to perform H of this part and include a document
PTC system repair or maintenance. In fulfilling the requirements under
this paragraph (g)(3), ‘‘PTC system §§ 236.1011 and 236.1013 not already in-
service’’ does not refer to the failure of cluded in the PSP;
the onboard PTC apparatus for a single (2) Attest that the PTC system has
locomotive, locomotive consist, or been approved by FRA and in operation
train. for at least 5 years and has already re-
(i) The PTCSP shall specify appro- ceived an assessment of Verification
priate operating rules to apply when and Validation from an independent
the PTC system is temporarily disabled third party under part 236 or a waiver
in accordance with this paragraph supporting such operation; or
(g)(3). (3) Attest that the PTC system is rec-
(ii) The railroad shall make reason- ognized under an Order issued prior to
able efforts to schedule the temporary March 16, 2010.
disabling of PTC system service for (b) If an REC letter conforms to para-
times posing the least risk to railroad graph (a)(1) of this section, the Asso-
safety. ciate Administrator, at his or her sole
(iii) The railroad shall provide notice discretion, may also issue a new Type
to the FRA regional office having juris- Approval for the PTC system.
diction over that territory at least 7 (c) In order to receive a Type Ap-
days in advance of planned temporary proval or PTC System Certification
disabling of PTC system service and under paragraph (a) or (b) of this sec-
contemporaneous notice for unplanned tion, the PTC system must be shown to
temporary disabling of PTC system reliably execute the functionalities re-
service. quired by §§ 236.1005 and 236.1007 and
(iv) The PTC system that is tempo- otherwise conform to this subpart.
rarily disabled in accordance with this (d) Previous approval or recognition
paragraph (g)(3) shall be placed back of a train control system, together
into service without undue delay. with an established service history,
(h) Annual report of system failures. may, at the request of the PTC rail-
Annually, by April 16 of each year fol- road, and consistent with available
lowing the date of required PTC system safety data, be credited toward satis-
implementation established by section faction of the safety case requirements
20157 of title 49 of the United States set forth in this part for the PTCSP
Code, each railroad shall provide FRA with respect to all functionalities and
with a report of the number of PTC implementations contemplated by the
failures that occurred during the pre- approval or recognition.
vious calendar year. The report shall (e) To the extent that the PTC sys-
identify failures by category, including tem proposed for implementation
but not limited to locomotive, wayside, under this subpart is different in sig-
communications, and back office sys- nificant detail from the system pre-
tem failures. viously approved or recognized, the
[75 FR 2699, Jan. 15, 2010, as amended at 79 changes shall be fully analyzed in the
FR 49717, Aug. 22, 2014] PTCDP or PTCSP as would be the case
absent prior approval or recognition.
§ 236.1031 Previously approved PTC (f) As used in this section—
systems. (1) Approved refers to approval of a
(a) Any PTC system fully imple- Product Safety Plan under subpart H
mented and operational prior to March of this part.

16, 2010, may receive PTC System Cer- (2) Recognized refers to official action
tification if the applicable PTC rail- permitting a system to be implemented
889
§ 236.1033 49 CFR Ch. II (10–1–16 Edition)
for control of train operations under an (1) Comply with the same require-
FRA order or waiver, after review of ments for message integrity and au-
safety case documentation for the im- thentication under this section; and
plementation. (2) Only use keys meeting or exceed-
(g) Upon receipt of an REC, FRA will ing the security strength required to
consider all safety case information to protect the data as defined in the rail-
the extent feasible and appropriate, road’s PTCSP and required under
given the specific facts before the agen- § 236.1013(a)(7).
cy. Nothing in this section limits re- (f) Each railroad, or its vendor or
use of any applicable safety case infor- supplier, shall have a prioritized serv-
mation by a party other than the party ice restoration and mitigation plan for
receiving: scheduled and unscheduled interrup-
(1) A prior approval or recognition re- tions of service. This plan shall be in-
ferred to in this section; or cluded in the PTCDP or PTCSP as re-
(2) A Type Approval or PTC System quired by §§ 236.1013 or 236.1015, as appli-
Certification under this subpart. cable, and made available to FRA upon
request, without undue delay, for res-
§ 236.1033 Communications and secu- toration of communication services
rity requirements. that support PTC system services.
(a) All wireless communications be- (g) Each railroad may elect to impose
tween the office, wayside, and onboard more restrictive requirements than
components in a PTC system shall pro- those in this section, consistent with
vide cryptographic message integrity interoperability requirements specified
and authentication. in the PTCSP for the system.
(b) Cryptographic keys required
under paragraph (a) of this section § 236.1035 Field testing requirements.
shall: (a) Before any field testing of an
(1) Use an algorithm approved by the uncertified PTC system, or a product of
National Institute of Standards (NIST) an uncertified PTC system, or any re-
or a similarly recognized and FRA ap- gression testing of a certified PTC sys-
proved standards body; tem is conducted on the general rail
(2) Be distributed using manual or system, the railroad requesting the
automated methods, or a combination testing must provide:
of both; and (1) A complete description of the PTC
(3) Be revoked: system;
(i) If compromised by unauthorized (2) An operational concepts docu-
disclosure of the cleartext key; or ment;
(ii) When the key algorithm reaches (3) A complete description of the spe-
its lifespan as defined by the standards cific test procedures, including the
body responsible for approval of the al- measures that will be taken to protect
gorithm. trains and on-track equipment;
(c) The cleartext form of the cryp- (4) An analysis of the applicability of
tographic keys shall be protected from the requirements of subparts A
unauthorized disclosure, modification, through G of this part to the PTC sys-
or substitution, except during key tem that will not apply during testing;
entry when the cleartext keys and key (5) The date the proposed testing
components may be temporarily dis- shall begin;
played to allow visual verification. (6) The test locations; and
When encrypted keys or key compo- (7) The effect on the current method
nents are entered, the cryptographi- of operation the PTC system will or
cally protected cleartext key or key may have under test.
components shall not be displayed. (b) FRA may impose additional test-
(d) Access to cleartext keys shall be ing conditions that it believes may be
protected by a tamper resistant mecha- necessary for the safety of train oper-
nism. ations.
(e) Each railroad electing to also pro- (c) Relief from regulations other than
vide cryptographic message confiden- from subparts A through G of this part
tiality shall: that the railroad believes are necessary
890
to support the field testing, must be re- evant hazard(s) below the threshold set
quested in accordance with part 211 of forth in the PTCSP and PTCDP.
this title.
§ 236.1039 Operations and Mainte-
§ 236.1037 Records retention. nance Manual.
(a) Each railroad with a PTC system (a) The railroad shall catalog and
required to be installed under this sub- maintain all documents as specified in
part shall maintain at a designated of- the PTCDP and PTCSP for the instal-
fice on the railroad: lation, maintenance, repair, modifica-
(1) A current copy of each FRA ap- tion, inspection, and testing of the PTC
proved Type Approval, if any, PTCDP, system and have them in one Oper-
and PTCSP that it holds; ations and Maintenance Manual, read-
(2) Adequate documentation to dem- ily available to persons required to per-
onstrate that the PTCSP and PTCDP form such tasks and for inspection by
meet the safety requirements of this FRA and FRA-certified state inspec-
subpart, including the risk assessment; tors.
(3) An Operations and Maintenance (b) Plans required for proper mainte-
Manual, pursuant to § 236.1039; and nance, repair, inspection, and testing
(4) Training and testing records pur- of safety-critical PTC systems must be
suant to § 236.1043(b). adequate in detail and must be made
(b) Results of inspections and tests available for inspection by FRA and
specified in the PTCSP and PTCDP FRA-certified state inspectors where
must be recorded pursuant to § 236.110. such PTC systems are deployed or
(c) Each contractor providing serv- maintained. They must identify all
ices relating to the testing, mainte- software versions, revisions, and revi-
nance, or operation of a PTC system sion dates. Plans must be legible and
required to be installed under this sub- correct.
part shall maintain at a designated of- (c) Hardware, software, and firmware
fice training records required under revisions must be documented in the
§ 236.1039(b). Operations and Maintenance Manual
(d) After the PTC system is placed in according to the railroad’s configura-
service, the railroad shall maintain a tion management control plan and any
database of all safety-relevant hazards additional configuration/revision con-
as set forth in the PTCSP and PTCDP trol measures specified in the PTCDP
and those that had not been previously and PTCSP.
identified in either document. If the (d) Safety-critical components, in-
frequency of the safety-relevant haz- cluding spare equipment, must be posi-
ards exceeds the threshold set forth in tively identified, handled, replaced,
either of these documents, then the and repaired in accordance with the
railroad shall: procedures specified in the PTCDP and
(1) Report the inconsistency in writ- PTCSP.
ing by mail, facsimile, e-mail, or hand (e) Each railroad shall designate in
delivery to the Director, Office of Safe- its Operations and Maintenance Man-
ty Assurance and Compliance, FRA, ual an appropriate railroad officer re-
1200 New Jersey Ave, SE, Mail Stop 25, sponsible for issues relating to sched-
Washington, DC 20590, within 15 days of uled interruptions of service con-
discovery. Documents that are hand templated by § 236.1029.
delivered must not be enclosed in an
envelope; § 236.1041 Training and qualification
(2) Take prompt countermeasures to program, general.
reduce the frequency of each safety-rel- (a) Training program for PTC per-
evant hazard to below the threshold set sonnel. Employers shall establish and
forth in the PTCSP and PTCDP; and implement training and qualification
(3) Provide a final report when the in- programs for PTC systems subject to
consistency is resolved to the FRA Di- this subpart. These programs must
rector, Office of Safety Assurance and meet the minimum requirements set
Compliance, on the results of the anal- forth in the PTCDP and PTCSP in
ysis and countermeasures taken to re- §§ 236.1039 through 236.1045, as appro-
duce the frequency of the safety-rel- priate, for the following personnel:
891
§ 236.1043 49 CFR Ch. II (10–1–16 Edition)
(1) Persons whose duties include in- (4) Identify the additional knowledge,
stalling, maintaining, repairing, modi- skills, and abilities above those re-
fying, inspecting, and testing safety- quired for basic job performance nec-
critical elements of the railroad’s PTC essary to perform each task;
systems, including central office, way- (5) Develop a training and evaluation
side, or onboard subsystems; curriculum that includes classroom,
(2) Persons who dispatch train oper- simulator, computer-based, hands-on,
ations (issue or communicate any man- or other formally structured training
datory directive that is executed or en- designed to impart the knowledge,
forced, or is intended to be executed or skills, and abilities identified as nec-
enforced, by a train control system essary to perform each task;
subject to this subpart); (6) Prior to assignment of related
(3) Persons who operate trains or tasks, require all persons mentioned in
serve as a train or engine crew member § 236.1041(a) to successfully complete a
subject to instruction and testing training curriculum and pass an exam-
under part 217 of this chapter, on a ination that covers the PTC system
train operating in territory where a and appropriate rules and tasks for
train control system subject to this which they are responsible (however,
subpart is in use; such persons may perform such tasks
(4) Roadway workers whose duties re- under the direct onsite supervision of a
quire them to know and understand qualified person prior to completing
how a train control system affects such training and passing the examina-
their safety and how to avoid inter- tion);
fering with its proper functioning; and (7) Require periodic refresher train-
(5) The direct supervisors of persons ing and evaluation at intervals speci-
listed in paragraphs (a)(1) through fied in the PTCDP and PTCSP that in-
(a)(4) of this section. cludes classroom, simulator, computer-
(b) Competencies. The employer’s pro- based, hands-on, or other formally
gram must provide training for persons structured training and testing, except
who perform the functions described in with respect to basic skills for which
paragraph (a) of this section to ensure proficiency is known to remain high as
that they have the necessary knowl- a result of frequent repetition of the
edge and skills to effectively complete task; and
their duties related to operation and (8) Conduct regular and periodic eval-
maintenance of the PTC system. uations of the effectiveness of the
training program specified in
§ 236.1043 Task analysis and basic re- § 236.1041(a)(1) verifying the adequacy of
quirements. the training material and its validity
(a) Training structure and delivery. As with respect to current railroads PTC
part of the program required by systems and operations.
§ 236.1041, the employer shall, at a min- (b) Training records. Employers shall
imum: retain records which designate persons
(1) Identify the specific goals of the who are qualified under this section
training program with regard to the until new designations are recorded or
target population (craft, experience for at least one year after such persons
level, scope of work, etc.), task(s), and leave applicable service. These records
desired success rate; shall be kept in a designated location
(2) Based on a formal task analysis, and be available for inspection and rep-
identify the installation, maintenance, lication by FRA and FRA-certified
repair, modification, inspection, test- State inspectors
ing, and operating tasks that must be
performed on a railroad’s PTC systems. § 236.1045 Training specific to office
This includes the development of fail- control personnel.
ure scenarios and the actions expected (a) Any person responsible for issuing
under such scenarios; or communicating mandatory direc-
(3) Develop written procedures for tives in territory where PTC systems
the performance of the tasks identi- are or will be in use shall be trained in
fied; the following areas, as applicable:
892
(1) Instructions concerning the inter- (5) Means to detect deviations from
face between the computer-aided dis- proper functioning of onboard train
patching system and the train control control equipment and instructions re-
system, with respect to the safe move- garding the actions to be taken with
ment of trains and other on-track respect to control of the train and noti-
equipment; fication of designated railroad per-
(2) Railroad operating rules applica- sonnel; and
ble to the train control system, includ- (6) Information needed to prevent un-
ing provision for movement and protec- intentional interference with the prop-
tion of roadway workers, unequipped er functioning of onboard train control
trains, trains with failed or cut-out equipment.
train control onboard systems, and (b) Locomotive engineer training.
other on-track equipment; and Training required under this subpart
(3) Instructions concerning control of for a locomotive engineer, together
trains and other on-track equipment in with required records, shall be inte-
case the train control system fails, in- grated into the program of training re-
cluding periodic practical exercises or quired by part 240 of this chapter.
simulations, and operational testing (c) Full automatic operation. The fol-
under part 217 of this chapter to ensure lowing special requirements apply in
the continued capability of the per- the event a train control system is
sonnel to provide for safe operations used to effect full automatic operation
under the alternative method of oper- of the train:
ation. (1) The PTCDP and PTCSP shall
(b) [Reserved] identify all safety hazards to be miti-
gated by the locomotive engineer.
§ 236.1047 Training specific to loco- (2) The PTCDP and PTCSP shall ad-
motive engineers and other oper- dress and describe the training re-
ating personnel. quired with provisions for the mainte-
(a) Operating personnel. Training pro- nance of skills proficiency. As a min-
vided under this subpart for any loco- imum, the training program must:
motive engineer or other person who (i) As described in § 236.1043(a)(2), de-
participates in the operation of a train velop failure scenarios which incor-
in train control territory shall be de- porate the safety hazards identified in
fined in the PTCDP as well as the the PTCDP and PTCSP including the
PTCSP. The following elements shall return of train operations to a fully
be addressed: manual mode;
(1) Familiarization with train control (ii) Provide training, consistent with
equipment onboard the locomotive and § 236.1047(a), for safe train operations
the functioning of that equipment as under all failure scenarios and identi-
part of the system and in relation to fied safety hazards that affect train op-
other onboard systems under that per- erations;
son’s control; (iii) Provide training, consistent with
(2) Any actions required of the on- § 236.1047(a), for safe train operations
board personnel to enable, or enter under manual control; and
data to, the system, such as consist (iv) Consistent with § 236.1047(a), en-
data, and the role of that function in sure maintenance of manual train op-
the safe operation of the train; erating skills by requiring manual
(3) Sequencing of interventions by starting and stopping of the train for
the system, including pre-enforcement an appropriate number of trips and by
notification, enforcement notification, one or more of the following methods:
penalty application initiation and (A) Manual operation of a train for a
post-penalty application procedures; 4-hour work period;
(4) Railroad operating rules and test- (B) Simulated manual operation of a
ing (part 217) applicable to the train train for a minimum of 4 hours in a
control system, including provisions Type I simulator as required; or
for movement and protection of any (C) Other means as determined fol-
unequipped trains, or trains with failed lowing consultation between the rail-
or cut-out train control onboard sys- road and designated representatives of
tems and other on-track equipment; the affected employees and approved
893
§ 236.1049 49 CFR Ch. II (10–1–16 Edition)
by FRA. The PTCDP and PTCSP shall an understanding of the role of proc-
designate the appropriate frequency essor-based signal and train control
when manual operation, starting, and equipment in establishing protection
stopping must be conducted, and the for roadway workers and their equip-
appropriate frequency of simulated ment.
manual operation. (2) Instruction for all roadway work-
(d) Conductor training. Training re- ers working in territories where PTC is
quired under this subpart for a con- required under this subpart shall en-
ductor, together with required records,
sure recognition of processor-based sig-
shall be integrated into the program of
training required under this chapter. nal and train control equipment on the
wayside and an understanding of how
§ 236.1049 Training specific to road- to avoid interference with its proper
way workers. functioning.
(a) Roadway worker training. Training (3) Instructions concerning the rec-
required under this subpart for a road- ognition of system failures and the pro-
way worker shall be integrated into vision of alternative methods of on-
the program of instruction required track safety in case the train control
under part 214, subpart C of this chap- system fails, including periodic prac-
ter (‘‘Roadway Worker Protection’’), tical exercises or simulations and oper-
consistent with task analysis require- ational testing under part 217 of this
ments of § 236.1043. This training shall chapter to ensure the continued capa-
provide instruction for roadway work- bility of roadway workers to be free
ers who provide protection for them- from the danger of being struck by a
selves or roadway work groups. moving train or other on-track equip-
(b) Training subject areas. (1) Instruc- ment.
tion for roadway workers shall ensure
APPENDIX A TO PART 236—CIVIL PENALTIES 1, 2
Willful viola-
Section Violation tion
Subpart A—Rules and Instructions—All Systems
General:
236.0 Applicability, minimum requirements ........................................................................................ $2,500 $5,000
236.1 Plans, where kept ..................................................................................................................... 1,000 2,000
236.2 Grounds .................................................................................................................................... 1,000 2,000
236.3 Locking of signal apparatus housings:
(a) Power interlocking machine cabinet not secured against unauthorized entry ................. 2,500 5,000
(b) other violations .................................................................................................................. 1,000 2,000
236.4 Interference with normal functioning of device ......................................................................... 5,000 7,500
236.5 Design of control circuits on closed circuit principle ................................................................ 1,000 2,000
236.6 Hand-operated switch equipped with switch circuit controller ................................................. 1,000 2,000
236.7 Circuit controller operated by switch-and-lock movement ....................................................... 1,000 2,000
236.8 Operating characteristics of electro-magnetic, electronic, or electrical apparatus .................. 1,000 2,000
236.9 Selection of circuits through indicating or annunciating instruments ....................................... 1,000 2,000
236.10 Electric locks, force drop type; where required ...................................................................... 1,000 2,000
236.11 Adjustment, repair, or replacement of component ................................................................. 2,500 5,000
236.12 Spring switch signal protection; where required .................................................................... 1,000 2,000
236.13 Spring switch; selection of signal control circuits through circuit controller ........................... 1,000 2,000
236.14 Spring switch signal protection; requirements ........................................................................ 1,000 2,000
236.15 Timetable instructions ............................................................................................................. 1,000 2,000
236.16 Electric lock, main track releasing circuit:.
(a) Electric lock releasing circuit on main track extends into fouling circuit where turnout
not equipped with derail at clearance point either pipe-connected to switch or independ-
ently locked, electrically ...................................................................................................... 2,500 5,000
236.17 Pipe for operating connections, requirements 1,000 2,000
236.18 Software management control plan:.
Failure to develop and adopt a plan ....................................................................................... $5,000 $10,000
Failure to fully implement plan ................................................................................................ 5,000 10,000
Inadequate plan ...................................................................................................................... 2,500 10,000
Roadway Signals and Cab Signals—

236.21 Location of roadway signals ................................................................................................... 1,000 2,000
236.22 Semaphore signal arm; clearance to other objects ............................................................... 1,000 2,000
894
Federal Railroad Administration, DOT Pt. 236, App. A
Willful viola-
236.23 Aspects and indications .......................................................................................................... 1,000 2,000

236.24 Spacing of roadway signals .................................................................................................... 2,500 5,000
236.26 Buffing device, maintenance .................................................................................................. 1,000 2,000
Track Circuits—
236.51 Track circuit requirements:
(a) Shunt fouling circuit used where permissible speed through turnout greater than 45
m.p.h .................................................................................................................................... 2,500 5,000
(b) Track relay not in de-energized position or device that functions as track relay not in
its most restrictive state when train, locomotive, or car occupies any part of track circuit,
except fouling section of turnout of hand-operated main-track crossover ......................... 2,500 5,000
(c) other violations .................................................................................................................. 1,000 2,000
236.52 Relayed cut-section ................................................................................................................ 1,000 2,000
236.53 Track circuit feed at grade crossing ....................................................................................... 1,000 2,000
236.54 Minimum length of track circuit ............................................................................................... 1,000 2,000
236.55 Dead section; maximum length .............................................................................................. 1,000 2,000
236.56 Shunting sensitivity ................................................................................................................. 2,500 5,000
236.57 Shunt and fouling wires:
(a) Shunt or fouling wires do not consist of at least two discrete conductors ....................... 2,500 5,000
236.58 Turnout, fouling section:
(a) Rail joint in shunt fouling section not bonded ................................................................... 2,500 5,000
236.59 Insulated rail joints .................................................................................................................. 1,000 2,000
236.60 Switch shunting circuit; use restricted .................................................................................... 2,500 5,000
Wires and Cables—
236.71 Signal wires on pole line and aerial cable ............................................................................. 1,000 2,000
236.73 Open-wire transmission line; clearance to other circuits ....................................................... 1,000 2,000
236.74 Protection of insulated wire; splice in underground wire ....................................................... 1,000 2,000
236.76 Tagging of wires and interference of wires or tags with signal apparatus ............................ 1,000 2,000
Inspections and Tests; All Systems—
236.101 Purpose of inspection and tests; removal from service or relay or device failing to meet
test requirements ............................................................................................................................... 2,500 5,000
236.102 Semaphore or search-light signal mechanism ..................................................................... 1,000 2,000
236.103 Switch circuit controller or point detector ............................................................................. 1,000 2,000
236.104 Shunt fouling circuit .............................................................................................................. 1,000 2,000
236.105 Electric lock ........................................................................................................................... 1,000 2,000
236.106 Relays ................................................................................................................................... 1,000 2,000
236.107 Ground tests ......................................................................................................................... 1,000 2,000
236.108 Insulation resistance tests, wires in trunking and cables:
(a) Circuit permitted to function on a conductor having insulation resistance value less
than 200,000 ohms ............................................................................................................. 2,500 5,000
236.109 Time releases, timing relays and timing devices ................................................................. 1,000 2,000
236.110 Results of tests ..................................................................................................................... 1,000 2,000
Subpart B—Automatic Block Signal Systems
236.201 Track circuit control of signals .............................................................................................. 1,000 2,000

236.202 Signal governing movements over hand-operated switch ................................................... 1,000 2,000
236.203 Hand-operated crossover between main tracks; protection ................................................. 1,000 2,000
236.204 Track signaled for movements in both directions, requirements ......................................... 1,000 2,000
236.205 Signal control circuits; requirements .................................................................................... 1,000 2,000
236.206 Battery or power supply with respect to relay; location ....................................................... 1,000 2,000
Subpart C—Interlocking
236.207 Electric lock on hand-operated switch; control:

(a) Approach or time locking of electric lock on hand-operated switch can be defeated by
unauthorized use of emergency device which is not kept sealed in the non-release posi-
tion ....................................................................................................................................... 2,500 5,000
236.301 Where signals shall be provided .......................................................................................... 1,000 2,000
236.302 Track circuits and route locking ............................................................................................ 1,000 2,000
236.303 Control circuits for signals, selection through circuit controller operated by switch points
or by switch locking mechanism ........................................................................................................ 1,000 2,000
236.304 Mechanical locking or same protection effected by circuits ................................................. 1,000 2,000
236.305 Approach or time locking ...................................................................................................... 1,000 2,000

236.306 Facing point lock or switch-and-lock movement .................................................................. 1,000 2,000
236.307 Indication locking:
236.308 Mechanical or electric locking or electric circuits; requisites ............................................... 1,000 2,000
895
Pt. 236, App. A 49 CFR Ch. II (10–1–16 Edition)
Willful viola-
236.309 Loss of shunt protection; where required:

(a) Loss of shunt of five seconds or less permits release of route locking of power-oper-
ated switch, movable point frog, or derail ........................................................................... 2,500 5,000
(b) Other violations ................................................................................................................. 1,000 2,000
236.310 Signal governing approach to home signal .......................................................................... 1,000 2,000
236.311 Signal control circuits, selection through track relays or devices functioning as track re-
lays and through signal mechanism contacts and time releases at automatic interlocking ............. 1,000 2,000
236.312 Movable bridge, interlocking of signal appliances with bridge devices:
(a) Emergency bypass switch or device not locked or sealed ............................................... 2,500 5,000
236.314 Electric lock for hand-operated switch or derail:
(a) Approach or time locking of electric lock at hand-operated switch or derail can be de-
feated by unauthorized use of emergency device which is not kept sealed in non-re-
lease position ...................................................................................................................... 2,500 5,000
Rules and Instructions—
236.326 Mechanical locking removed or disarranged; requirement for permitting train movements
through interlocking ........................................................................................................................... 1,000 2,000
236.327 Switch, movable-point frog or split-point derail .................................................................... 1,000 2,000
236.328 Plunger of facing-point .......................................................................................................... 1,000 2,000
236.329 Bolt lock ................................................................................................................................ 1,000 2,000
236.330 Locking dog of switch and lock movement .......................................................................... 1,000 2,000
236.334 Point detector ........................................................................................................................ 1,000 2,000
236.335 Dogs, stops and trunnions of mechanical locking ................................................................ 1,000 2,000
236.336 Locking bed .......................................................................................................................... 1,000 2,000
236.337 Locking faces of mechanical locking; fit ............................................................................... 1,000 2,000
236.338 Mechanical locking required in accordance with locking sheet and dog chart .................... 1,000 2,000
236.339 Mechanical locking; maintenance requirements .................................................................. 1,000 2,000
236.340 Electromechanical interlocking machine; locking between electrical and mechanical le-
vers .................................................................................................................................................... 1,000 2,000
236.341 Latch shoes, rocker links, and quadrants ............................................................................ 1,000 2,000
236.342 Switch circuit controller ......................................................................................................... 1,000 2,000
Inspection and Tests—
236.376 Mechanical locking ............................................................................................................... 1,000 2,000
236.377 Approach locking .................................................................................................................. 1,000 2,000
236.378 Time locking .......................................................................................................................... 1,000 2,000
236.379 Route locking ........................................................................................................................ 1,000 2,000
236.380 Indication locking .................................................................................................................. 1,000 2,000
236.381 Traffic locking ........................................................................................................................ 1,000 2,000
236.382 Switch obstruction test .......................................................................................................... 1,000 2,000
236.383 Valve locks, valves, and valve magnets .............................................................................. 1,000 2,000
236.384 Cross protection
236.386 Restoring feature on power switches
236.387 Movable bridge locking ......................................................................................................... 1,000 2,000
Subpart D—Traffic Control Systems Standards
236.401 Automatic block signal system and interlocking standards applicable to traffic control sys-
tems:
236.402 Signals controlled by track circuits and control operator ..................................................... 1,000 2,000
236.403 Signals at controlled point .................................................................................................... 1,000 2,000
236.404 Signals at adjacent control points ........................................................................................ 1,000 2,000
236.405 Track signaled for movements in both directions, change of direction of traffic ................. 1,000 2,000
236.407 Approach or time locking; where required ........................................................................... 1,000 2,000
236.408 Route locking ........................................................................................................................ 1,000 2,000
236.410 Locking, hand-operated switch; requirements:
(a) Hand-operated switch on main track not electrically or mechanically locked in normal
position where signal not provided to govern movement to main track, movements
made at speeds in excess of 20 m.p.h., and train or engine movements may clear main
track ..................................................................................................................................... 2,500 5,000
(b) Hand-operated switch on signaled siding not electrically or mechanically locked in nor-
mal position where signal not provided to govern movements to signaled siding, train
movements made at speeds in excess of 30 m.p.h., and train or engine movements
may clear signaled siding .................................................................................................... 2,500 5,000
(c) Approach or time locking of electric lock at hand-operated switch can be defeated by
use of emergency release device of electric lock which is not kept sealed in non-release
position ................................................................................................................................ 2,500 5,000
(d) other violations .................................................................................................................. 1,000 2,000
Rules and Instructions—

236.426 Interlocking rules and instructions applicable to traffic control systems .............................. 1,000 2,000
236.476 Interlocking inspections and tests applicable to traffic control systems .............................. 1,000 2,000
896
Willful viola-
Subpart E—Automatic Train Stop, Train Control and Cab Signal Systems Standards
236.501 Forestalling device and speed control .................................................................................. 1,000 2,000

236.502 Automatic brake application, initiation by restrictive block conditions stopping distance in
advance ............................................................................................................................................. 1,000 2,000
236.503 Automatic brake application; initiation when predetermined rate of speed exceeded ........ 1,000 2,000
236.504 Operations interconnected with automatic block-signal system .......................................... 1,000 2,000
236.505 Proper operative relation between parts along roadway and parts on locomotive ............. 1,000 2,000
236.506 Release of brakes after automatic application ..................................................................... 1,000 2,000
236.507 Brake application; full service ............................................................................................... 1,000 2,000
236.508 Interference with application of brakes by means of brake valve ........................................ 1,000 2,000
236.509 Two or more locomotives coupled ....................................................................................... 1,000 2,000
236.511 Cab signals controlled in accordance with block conditions stopping distance in advance 1,000 2,000
236.512 Cab signal indication when locomotive enters blocks .......................................................... 1,000 2,000
236.513 Audible indicator ................................................................................................................... 1,000 2,000
236.514 Interconnection of cab signal system with roadway signal system ..................................... 1,000 2,000
236.515 Visibility of cab signals ......................................................................................................... 1,000 2,000
236.516 Power supply ........................................................................................................................ 1,000 2,000
Rules and Instructions; Roadway—
236.526 Roadway element not functioning properly .......................................................................... 2,500 5,000
236.527 Roadway element insulation resistance ............................................................................... 1,000 2,000
236.528 Restrictive condition resulting from open hand-operated switch; requirement .................... 1,000 2,000
236.529 Roadway element inductor; height and distance from rail ................................................... 1,000 2,000
236.531 Trip arm; height and distance from rail ................................................................................ 1,000 2,000
236.532 Strap iron inductor; use restricted ........................................................................................ 1,000 2,000
236.534 Rate of pressure reduction; equalizing reservoir or brake pipe ........................................... 1,000 2,000
236.551 Power supply voltage ........................................................................................................... 1,000 2,000
236.552 Insulation resistance ............................................................................................................. 1,000 2,000
236.553 Seal, where required ............................................................................................................ 2,500 5,000
236.554 Rate of pressure reduction; equalizing reservoir or brake pipe ........................................... 1,000 2,000
236.555 Repaired or rewound receiver coil ....................................................................................... 1,000 2,000
236.556 Adjustment of relay ............................................................................................................... 1,000 2,000
236.557 Receiver; location with respect to rail .................................................................................. 1,000 2,000
236.560 Contact element, mechanical trip type; location with respect to rail .................................... 1,000 2,000
236.562 Minimum rail current required ............................................................................................... 1,000 2,000
236.563 Delay time ............................................................................................................................. 1,000 2,000
236.564 Acknowledging time .............................................................................................................. 1,000 2,000
236.565 Provision made for preventing operation of pneumatic brake-applying apparatus by dou-
ble-heading clock; requirement ......................................................................................................... 1,000 2,000
236.566 Locomotive of each train operating in train stop, train control or cab signal territory;
equipped ............................................................................................................................................ 5,000 7,500
236.567 Restrictions imposed when device fails and/or is cut out en route:
(a) Report not made to designated officer at next available point of communication after
automatic train stop, train control, or cab signal device fails and/or is cut en route .......... 5,000 7,500
(b) Train permitted to proceed at speed exceeding 79 m.p.h. where automatic train stop,
train control, or cab signal device fails and/or is cut out en route when absolute block
established in advance of train on which device is inoperative ......................................... 5,000 7,500
(c) other violations .................................................................................................................. 1,000 2,000
236.568 Difference between speeds authorized by roadway signal and cab signal; action ............. 1,000 2,000
Inspection and Tests; Roadway—
236.576 Roadway element ................................................................................................................. 1,000 2,000
236.577 Test, acknowledgement, and cut-in circuits ......................................................................... 1,000 2,000
Inspection and Tests; Locomotive—
236.586 Daily or after trip test ............................................................................................................ 2,500 5,000
236.587 Departure test:
(a) Test of automatic train stop, train control, or cab signal apparatus on locomotive not
made on departure of locomotive from initial terminal if equipment on locomotive not cut
out between initial terminal and equipped territory ............................................................. 5,000 7,500
(b) Test of automatic train stop, train control, or cab signal apparatus on locomotive not
made immediately on entering equipped territory, if equipment on locomotive cut out be-
tween initial terminal and equipped territory ....................................................................... 5,000 7,500
(c) Automatic train stop, train control, or cab signal apparatus on locomotive making more
than one trip within 24-hour period not given departure test within corresponding 24-
hour period .......................................................................................................................... 5,000 7,500
(d) other violations .................................................................................................................. 2,500 5,000
236.588 Periodic test .......................................................................................................................... 2,500 5,000
236.589 Relays ................................................................................................................................... 2,500 5,000
236.590 Pneumatic apparatus:
(a) Automatic train stop, train control, or cab signal apparatus not inspected and cleaned
at least once every 736 days .............................................................................................. 2,500 5,000
897
Pt. 236, App. A 49 CFR Ch. II (10–1–16 Edition)
Willful viola-
Subpart F—Dragging Equipment and Slide Detectors and Other Similar Protective Devices; Standards
236.601 Signals controlled by devices; location ................................................................................ 1,000 2,000

Subpart H—Standards for Processor-Based Signal and Train Control Systems
236.905 Railroad Safety Program Plan (RSPP):

Failure to develop and submit RSPP when required ............................................................. 5,000 7,500
Failure to obtain FRA approval for a modification to RSPP .................................................. 5,000 7,500
236.907 Product Safety Plan (PSP):
Failure to develop a PSP ........................................................................................................ 5,000 7,500
Failure to submit a PSP when required ................................................................................. 5,000 7,500
236.909 Minimum Performance Standard:
Failure to make analyses or documentation available ........................................................... 2,500 5,000
Failure to determine that the standard has been met ............................................................ 5,000 7,500
236.913 Notification to FRA of PSPs: 2,500 5,000
Failure to prepare a PSP or PSP amendment as required ................................................... 5,000 7,500
Failure to submit a PSP or PSP amendment as required ..................................................... 5,000 7,500
Field testing without authorization or approval ....................................................................... 10,000 20,000
236.915 Implementation and operation:
(a) Operation of product without authorization or approval .................................................... 10,000 20,000
(b) Failure to comply with PSP ............................................................................................... 2,500 5,000
(c) Interference with normal functioning safety-critical product .............................................. 7,500 15,000
(d) Failure to determine cause and adjust, repair or replace without undue delay or take
appropriate action pending repair ....................................................................................... 5,000 7,500
236.917 Retention of records:
Failure to maintain records as required .................................................................................. 7,500 15,000
Failure to report inconsistency ................................................................................................ 10,000 20,000
Failure to take prompt countermeasures ................................................................................ 10,000 20,000
Failure to provide final report .................................................................................................. 2,500 5,000
236.919 Operations and Maintenance Manual .................................................................................. 3,000 6,000
236.921 Training and qualification program, general ......................................................................... 3,000 6,000
236.923 Task analysis and basic requirements:
Failure to develop an acceptable training program ................................................................ 2,500 5,000
Failure to train persons as required ....................................................................................... 2,500 5,000
Failure to conduct evaluation of training program as required .............................................. 2,500 5,000
236.925 Training specific to control office personnel ......................................................................... 2,500 5,000
236.927 Training specific to locomotive engineers and other operating personnel .......................... 2,500 5,000
236.929 Training specific to roadway workers ................................................................................... 2,500 5,000
Subpart I—Positive Train Control Systems
236.1005 Positive Train Control System Requirements:

Failure to timely complete PTC system installation on track segment where PTC is re-
quired ................................................................................................................................... 16,000 25,000
Commencement of revenue service prior to obtaining PTC System Certification ................. 16,000 25,000
Failure of the PTC system to perform a safety-critical function required by this section ...... 5,000 7,500
Operating outside the limits of an approved de minimis exception ....................................... 15,000 25,000
Failure to integrate a hazard detector .................................................................................... 15,000 25,000
Non-compliant event recorder ................................................................................................ 2,500 5,000
Failure of event recorder ........................................................................................................ 2,500 5,000
Failure to provide notice, obtain approval, or follow a condition for temporary rerouting
when required ...................................................................................................................... 5,000 7,500
Exceeding the allowed percentage of controlling locomotives operating out of an initial ter-
minal after receiving a failed initialization ........................................................................... 5,000 7,500
236.1006 Equipping locomotives operating in PTC territory:
Failure to adhere to a PTCIP. ................................................................................................ (2) (2)
Operating in PTC territory a controlling locomotive without a required and operative PTC
onboard apparatus .............................................................................................................. 15,000 25,000
Operating with a PTC onboard apparatus that is not functioning in accordance with the
applicable PTCSP.. ............................................................................................................. 15,000 25,000
Failure to report as prescribed by this section ....................................................................... 5,000 7,500
Non-compliant operation of unequipped trains in PTC territory ............................................. 15,000 25,000
Failure to equip locomotives in accordance with the applicable PTCIP ................................ 15,000 25,000
Failure to comply with conditions of a yard movement exception ......................................... (2) (2)
Improper arrangement of the PTC system onboard apparatus ............................................. 2,500 5,000
Engineer performing prohibited duties .................................................................................... 5,000 7,500
236.1007 Additional requirements for high-speed service:
Installing or operating a PTC system without the required safety-critical functional at-
tributes of a block signal system ......................................................................................... 15,000 25,000
Operation of passenger trains at speed equal to or greater than 60 mph on non-PTC-

equipped territory where required ....................................................................................... 15,000 25,000
Operation of freight trains at speed equal to or greater than 50 mph on non-PTC-equipped
territory where required ....................................................................................................... 15,000 25,000
898
Willful viola-
Failure to fully implement incursion protection where required .............................................. 5,000 7,500
236.1009 Procedural requirements:
Failure to file PTCIP when required ....................................................................................... 5,000 7,500
Failure to amend PTCIP when required ................................................................................. 5,000 7,500
Failure to obtain Type Approval when required ..................................................................... 5,000 7,500
Failure to update NPI .............................................................................................................. 5,000 7,500
Operation of PTC system without system certification ........................................................... 16,000 25,000
Failure to comply with FRA condition or modification ............................................................ (2) (2)
Failure to report as required ................................................................................................... 5,000 7,500
Failure to provide FRA access ............................................................................................... 10,000 16,000
236.1011 PTCIP content requirements:
Failure to install a PTC system as required ........................................................................... 11,000 16,000
Failure to maintain a PTCIP as required ................................................................................ (2) (2)
236.1013 PTCDP content requirements and Type Approval:
Failure to maintain quality control system .............................................................................. 5,000 7,500
Inappropriate use of Type Approval ....................................................................................... 5,000 7,500
236.1015 PTCSP content requirements and PTC System Certification:
Failure to implement PTC system in accordance with the associated PTCSP and resultant
system certification .............................................................................................................. 16,000 25,000
Failure to maintain PTC system in accordance with the associated PTCSP and resultant
system certification .............................................................................................................. 16,000 25,000
Failure to maintain required supporting documentation ......................................................... 2,500 5,000
236.1017 Independent third party Verification and Validation:
Failure to conduct independent third party Verification and Validation when ordered .......... 11,000 16,000
236.1019 Main line track exceptions:
Operations conducted in non-compliance with the passenger terminal exception ................ 16,000 25,000
Operations conducted in non-compliance with the limited operations exception .................. 16,000 25,000
Failure to request modification of the PTCIP or PTCSP when required ............................... 11,000 16,000
Operations conducted in violation of (c)(2) ............................................................................ 16,000 25,000
Operations conducted in violation of (c)(3) ............................................................................ 25,000 25,000
236.1021 Discontinuances, material modifications, and amendments:
Failure to update PTCDP when required ............................................................................... 5,000 7,500
Failure to update PTCSP when required ............................................................................... 5,000 7,500
Failure to immediately adopt and comply with approved RFA .............................................. 5,000 7,500
Discontinuance or modification of a PTC system without approval when required ............... 11,000 16,000
236.1023 Errors and malfunctions:
Railroad failure to provide proper notification of PTC system error or malfunction ............... 5,000 7,500
Failure to maintain PTCPVL ................................................................................................... 2,500 5,000
Supplier failure to provide proper notification of previously identified PTC system error or
malfunction .......................................................................................................................... 5,000 7,500
Failure to provide timely notification ....................................................................................... 5,000 7,500
Failure to provide appropriate protective measures in the event of PTC system failure ...... 15,000 25,000
236.1027 Exclusions:
Integration of primary train control system with locomotive electronic system without ap-
proval ................................................................................................................................... 5,000 7,500
236.1029 PTC system use and en route failures:
Failure to determine cause of PTC system component failure without undue delay ............ 5,000 7,500
Failure to adjust, repair, or replace faulty PTC system component without undue delay ..... 5,000 7,500
Failure to take appropriate action pending adjustment, repair, or replacement of faulty
PTC system component ...................................................................................................... 15,000 25,000
PTC territory operation with an inoperative PTC onboard apparatus .................................... 5,000 7,500
Interference with the normal functioning of safety-critical PTC system ................................. 15,000 25,000
236.1033 Communications and security requirements:
Failure to provide cryptographic message integrity and authentication ................................. 5,000 7,500
Improper use of revoked cryptographic key ........................................................................... 5,000 15,000
Failure to protect cryptographic keys from unauthorized disclosure, modification, or substi-
tution .................................................................................................................................... 5,000 15,000
Failure to establish prioritized service restoration and mitigation plan for communication
services ............................................................................................................................... 5,000 7,500
236.1035 Field testing requirements:
Field testing without authorization or approval ....................................................................... 10,000 20,000
Failure to comply with FRA condition ..................................................................................... (2) (2)
236.1037 Records retention:
Failure to maintain records and databases as required ......................................................... 7,500 15,000
Failure to report inconsistency ................................................................................................ 10,000 20,000
Failure to take prompt countermeasures ................................................................................ 10,000 20,000
Failure to provide final report .................................................................................................. 2,500 5,000
236.1039 Operations and Maintenance Manual:
Failure to implement and maintain Operations and Maintenance Manual as required ......... 3,000 6,000
Failure to make Operations and Maintenance Manual available to FRA when required ...... 10,000 16,000
Failure to make Operations and Maintenance Manual available to persons required to per-
formed the required tasks ................................................................................................... 15,000 25,000
Amends Operations and Maintenance Manual without FRA approval .................................. 5,000 10,000
899
Pt. 236, App. B 49 CFR Ch. II (10–1–16 Edition)
Willful viola-
236.1043 Task analysis and basic requirements:

Failure to develop and maintain an acceptable training program .......................................... 10,000 20,000
Failure to train persons as required ....................................................................................... 2,500 5,000
Failure to conduct evaluation of training program as required .............................................. 2,500 5,000
236.1045 Training specific to office control personnel:
Failure to conduct training unique to office control personnel ............................................... 2,500 5,000
236.1047 Training specific to locomotive engineers and other operating personnel:
Failure to conduct training unique to locomotive engineers and other operating personnel 2,500 5,000
236.1049 Training specific to roadway workers:
Failure to conduct training unique to roadway workers ......................................................... 2,500 5,000
1A penalty may be assessed against an individual only for a willful violation. The Administrator reserves the right to assess a
civil penalty of up to $109,819 per day for any violation where circumstances warrant. See 49 CFR part 209, Appendix A.
2 Each plan has numerous conditions and requirements with varying degrees of importance or impact. Thus, a single rec-
ommended civil penalty amount for a violation for failure to adhere to each plan or condition is not advisable or warranted. When
a violation of a plan or condition is found, FRA may consider a variety of factors to determine the appropriate civil penalty to as-
sess, including any underlying or related violation.
[53 FR 52936, Dec. 29, 1988, as amended at 63 FR 11624, Mar. 10, 1998; 69 FR 30595, May 28, 2004;
70 FR 11104, Mar. 7, 2005; 73 FR 79704, Dec. 30, 2008; 75 FR 2715, Jan. 15, 2010; 77 FR 24422, Apr.
24, 2012; 81 FR 10129, Feb. 29, 2016; 81 FR 43112, July 1, 2016]
APPENDIX B TO PART 236—RISK of accidents assessed for both previous and

ASSESSMENT CRITERIA new system conditions must be computed for
comparison. An abbreviated risk assessment
The safety-critical performance of each must, as a minimum, clearly compute the
product for which risk assessment is re- MTTHE for all of the hazardous events iden-
quired under this part must be assessed in tified for both previous and current condi-
accordance with the following minimum cri- tions. The comparison between MTTHE for
teria or other criteria if demonstrated to the both conditions is to determine whether the
Associate Administrator for Safety to be product implementation meets the safety
equally suitable: criteria as required by subpart H or subpart
(a) How are risk metrics to be expressed? The I of this part as applicable.
risk metric for the proposed product must (d) What major system characteristics must be
describe with a high degree of confidence the included when relevant to risk assessment?
accumulated risk of a train control system Each risk calculation must consider the
that operates over the designated life-cycle total signaling and train control system and
of the product. Each risk metric for the pro- method of operation, as subjected to a list of
posed product must be expressed with an hazards to be mitigated by the signaling and
upper bound, as estimated with a sensitivity train control system. The methodology re-
analysis, and the risk value selected must be quirements must include the following major
demonstrated to have a high degree of con- characteristics, when they are relevant to
fidence. the product being considered:
(b) How does the risk assessment handle inter- (1) Track plan infrastructure, switches,
action risks for interconnected subsystems/com- rail crossings at grade and highway-rail
ponents? The risk assessment of each safety- grade crossings as applicable;
critical system (product) must account not (2) Train movement density for freight,
only for the risks associated with each sub- work, and passenger trains where applicable
system or component, but also for the risks and computed over a time span of not less
associated with interactions (interfaces) be- than 12 months;
tween such subsystems. (3) Train movement operational rules, as
(c) What is the main principle in computing enforced by the dispatcher, roadway worker/
risk for the previous and current conditions? Employee in Charge, and train crew behav-
The risk for the previous condition must be iors;
computed using the same metrics as for the (4) Wayside subsystems and components;
new system being proposed. A full risk as- (5) Onboard subsystems and components;
sessment must consider the entire railroad (6) Consist contents such as hazardous ma-
environment where the product is being ap- terial, oversize loads; and
plied, and show all aspects of the previous (7) Operating speeds if the provisions of
condition that are affected by the installa- part 236 cite additional requirements for cer-
tion of the product, considering all faults, tain type of train control systems to be used
operating errors, exposure scenarios, and at such speeds for freight and passenger
consequences that are related as described in trains.

this part. For the full risk assessment, the (e) What other relevant parameters must be
total societal cost of the potential numbers determined for the subsystems and components?
900
Federal Railroad Administration, DOT Pt. 236, App. C
In order to derive the frequency of hazardous ance testing performed on the subsystem or
events (or MTTHE) applicable for a product, component. The non-processor-based quan-
subsystem or component included in the risk tification compliance must be demonstrated
assessment, the railroad may use various to have a high degree of confidence.
techniques, such as reliability and avail- (h) What assumptions must be documented for
ability calculations for subsystems and com- risk assessment? (1) The railroad shall docu-
ponents, Fault Tree Analysis (FTA) of the ment any assumptions regarding the deriva-
subsystems, and results of the application of tion of risk metrics used. For example, for
safety design principles as noted in Appendix the full risk assessment, all assumptions
C to this part. The MTTHE is to be derived made about each value of the parameters
for both fail-safe and non-fail-safe sub- used in the calculation of total cost of acci-
systems or components. The lower bounds of dents should be documented. For abbreviated
the MTTF or MTBF determined from the risk assessment, all assumptions made for
system sensitivity analysis, which account MTHHE derivation using existing reliability
for all necessary and well justified assump- and availability data on the current system
tions, may be used to represent the estimate components should be documented. The rail-
of MTTHE for the associated non-fail-safe road shall document these assumptions in
subsystem or component in the risk assess- such a form as to permit later comparisons
ment. with in-service experience.
(f) How are processor-based subsystems/com- (2) The railroad shall document any as-
ponents assessed? (1) An MTTHE value must sumptions regarding human performance.
be calculated for each processor-based sub- The documentation shall be in such a form
system or component, or both, indicating the as to facilitate later comparisons with in-
safety-critical behavior of the integrated service experience.
hardware/software subsystem or component, (3) The railroad shall document any as-
or both. The human factor impact must be sumptions regarding software defects. These
included in the assessment, whenever appli- assumptions shall be in a form that permit
cable, to provide the integrated MTTHE the railroad to project the likelihood of de-
value. The MTTHE calculation must con- tecting an in-service software defect. These
sider the rates of failures caused by perma- assumptions shall be documented in such a
nent, transient, and intermittent faults ac- form as to permit later comparisons with in-
counting for the fault coverage of the inte- service experience.
grated hardware/software subsystem or com- (4) The railroad shall document all of the
ponent, phased-interval maintenance, and identified safety-critical fault paths to a
restoration of the detected failures.
mishap as predicted by the safety analysis
(2) Software fault/failure analysis must be
methodology. The documentation shall be in
based on the assessment of the design and
such a form as to facilitate later compari-
implementation of all safety-related soft-
sons with in-service faults.
ware including the application code, its oper-
ating/executive program, COTS software, and [75 FR 2717, Jan. 15, 2010]
associated device drivers, as well as histor-
ical performance data, analytical methods APPENDIX C TO PART 236—SAFETY
and experimental safety-critical perform- ASSURANCE CRITERIA AND PROCESSES
ance testing performed on the subsystem or
component. The software assessment process (a) What is the purpose of this appendix?
must demonstrate through repeatable pre- This appendix provides safety criteria and
dictive results that all software defects have processes that the designer must use to de-
been identified and corrected by process with velop and validate the product that meets
a high degree of confidence. safety requirements of this part. FRA uses
(g) How are non-processor-based subsystems/ the criteria and processes set forth in this
components assessed? (1) The safety-critical appendix to evaluate the validity of safety
behavior of all non-processor-based compo- targets and the results of system safety
nents, which are part of a processor-based analyses provided in the RSPP, PSP, PTCIP,
system or subsystem, must be quantified PTCDP, and PTCSP documents as appro-
with an MTTHE metric. The MTTHE assess- priate. An analysis performed under this ap-
ment methodology must consider failures pendix must:
caused by permanent, transient, and inter- (1) Address each of the safety principles of
mittent faults, phase-interval maintenance paragraph (b) of this appendix, or explain
and restoration of operation after failures why they are not relevant, and
and the effect of fault coverage of each non- (2) Employ a validation and verification
processor-based subsystem or component. process pursuant to paragraph (c) of this ap-
(2) MTTHE compliance verification and pendix.
validation must be based on the assessment (b) What safety principles must be followed
of the design for adequacy by a documented during product development? The designer
verification and validation process, histor- shall address each of the following safety
ical performance data, analytical methods considerations principles when designing and
and experimental safety-critical perform- demonstrating the safety of products covered
901
Pt. 236, App. C 49 CFR Ch. II (10–1–16 Edition)
by subpart H or I of this part. In the event (iv) If one non-self-revealing failure com-
that any of these principles are not followed, bined with a second failure can cause a haz-
the PSP or PTCDP or PTCSP shall state ard that is categorized as unacceptable or
both the reason(s) for departure and the al- undesirable, then the second failure must be
ternative(s) utilized to mitigate or eliminate detected and the product must achieve a
the hazards associated with the design prin- known safe state that eliminates the possi-
ciple not followed. bility of false activation of any physical ap-
(1) System safety under normal operating con- pliance.
ditions. The system (all its elements includ- (v) Another concern of multiple failures in-
ing hardware and software) must be designed volves common mode failures in which two
to assure safe operation with no hazardous or more subsystems or components intended
events under normal anticipated operating to compensate one another to perform the
conditions with proper inputs and within the same function all fail by the same mode and
expected range of environmental conditions. result in unsafe conditions. This is of par-
All safety-critical functions must be per- ticular concern in instances in which two or
formed properly under these normal condi- more elements (hardware or software, or
tions. The system shall operate safely even both) are used in combination to ensure safe-
in the absence of prescribed operator actions ty. If a common mode failure exists, then
or procedures. The designer must identify any analysis performed under this appendix
and categorize all hazards that may lead to cannot rely on the assumption that failures
unsafe system operation. Hazards cat- are independent. Examples include: The use
egorized as unacceptable, which are deter- of redundancy in which two or more ele-
mined by hazard analysis, must be elimi- ments perform a given function in parallel
nated by design. Best effort shall also be and when one (hardware or software) ele-
made by the designer to eliminate by design ment checks/monitors another element (of
the hazards categorized as undesirable. hardware or software) to help ensure its safe
Those undesirable hazards that cannot be
operation. Common mode failure relates to
eliminated should be mitigated to the ac-
independence, which must be ensured in
ceptable level as required by this part.
these instances. When dealing with the ef-
(2) System safety under failures.
fects of hardware failure, the designer shall
(i) It must be shown how the product is de-
address the effects of the failure not only on
signed to eliminate or mitigate unsafe sys-
other hardware, but also on the execution of
tematic failures—those conditions which can
the software, since hardware failures can
be attributed to human error that could
occur at various stages throughout product greatly affect how the software operates.
development. This includes unsafe errors in (3) Closed loop principle. System design ad-
the software due to human error in the soft- hering to the closed loop principle requires
ware specification, design, or coding phases; that all conditions necessary for the exist-
human errors that could impact hardware ence of any permissive state or action be
design; unsafe conditions that could occur verified to be present before the permissive
because of an improperly designed human- state or action can be initiated. Likewise the
machine interface; installation and mainte- requisite conditions shall be verified to be
nance errors; and errors associated with continuously present for the permissive
making modifications. state or action to be maintained. This is in
(ii) The product must be shown to operate contrast to allowing a permissive state or
safely under conditions of random hardware action to be initiated or maintained in the
failures. This includes single hardware fail- absence of detected failures. In addition,
ures as well as multiple hardware failures closed loop design requires that failure to
that may occur at different times but remain perform a logical operation, or absence of a
undetected (latent) and react in combination logical input, output or decision shall not
with a subsequent failure at a later time to cause an unsafe condition, i.e. system safety
cause an unsafe operating situation. In in- does not depend upon the occurrence of an
stances involving a latent failure, a subse- action or logical decision.
quent failure is similar to there being a sin- (4) Safety assurance concepts. The product
gle failure. In the event of a transient fail- design must include one or more of the fol-
ure, and if so designed, the system should re- lowing Safety Assurance Concepts as de-
start itself if it is safe to do so. Frequency of scribed in IEEE–1483 standard to ensure that
attempted restarts must be considered in the failures are detected and the product is
hazard analysis required by § 236.907(a)(8). placed in a safe state. One or more different
(iii) There shall be no single point failures principles may be applied to each individual
in the product that can result in hazards cat- subsystem or component, depending on the
egorized as unacceptable or undesirable. Oc- safety design objectives of that part of the
currence of credible single point failures product.
that can result in hazards must be detected (i) Design diversity and self-checking concept.
and the product must achieve a known safe This concept requires that all critical func-
state that eliminates the possibility of false tions be performed in diverse ways, using di-
activation of any physical appliance. verse software operations and/or diverse
902
Federal Railroad Administration, DOT Pt. 236, App. C
hardware channels, and that critical hard- modes, be considered, analyzed, and docu-
ware be tested with Self-Checking routines. mented. This is typically performed by a
Permissive outputs are allowed only if the comprehensive failure modes and effects
results of the diverse operations correspond, analysis (FMEA) which must show no resid-
and the Self-Checking process reveals no ual unmitigated failures. In the event of crit-
failures in either execution of software or in ical failures, the safety-critical functions
any monitored input or output hardware. If and outputs must default to a known safe
the diverse operations do not agree or if the state.
checking reveals critical failures, safety- (5) Human factor engineering principle. The
critical functions and outputs must default product design must sufficiently incorporate
to a known safe state. human factors engineering that is appro-
(ii) Checked redundancy concept. The priate to the complexity of the product; the
Checked Redundancy concept requires imple- educational, mental, and physical capabili-
mentation of two or more identical, inde- ties of the intended operators and maintain-
pendent hardware units, each executing iden- ers; the degree of required human inter-
tical software and performing identical func- action with the component; and the environ-
tions. A means is to be provided to periodi- ment in which the product will be used.
cally compare vital parameters and results (6) System safety under external influences.
of the independent redundant units, requir- The product must be shown to operate safely
ing agreement of all compared parameters to when subjected to different external influ-
assert or maintain a permissive output. If ences, including:
the units do not agree, safety-critical func- (i) Electrical influences such as power sup-
tions and outputs must default to a known
ply anomalies/transients, abnormal/improper
safe state.
input conditions (e.g., outside of normal
(iii) N-version programming concept. This
range inputs relative to amplitude and fre-
concept requires a processor-based product
quency, unusual combinations of inputs) in-
to use at least two software programs per-
cluding those related to a human operator,
forming identical functions and executing
and others such as electromagnetic inter-
concurrently in a cycle. The software pro-
ference or electrostatic discharges, or both;
grams must be written by independent
teams, using different tools. The multiple (ii) Mechanical influences such as vibra-
independently written software programs tion and shock; and
comprise a redundant system, and may be (iii) Climatic conditions such as tempera-
executed either on separate hardware units ture and humidity.
(which may or may not be identical) or with- (7) System safety after modifications. Safety
in one hardware unit. A means is to be pro- must be ensured following modifications to
vided to compare the results and output the hardware or software, or both. All or
states of the multiple redundant software some of the concerns identified in this para-
systems. If the system results do not agree, graph may be applicable depending upon the
then the safety-critical functions and out- nature and extent of the modifications. Such
puts must default to a known safe state. modifications must follow all of the concept,
(iv) Numerical assurance concept. This con- design, implementation and test processes
cept requires that the state of each vital pa- and principles as documented in the PSP for
rameter of the product or system be unique- the original product. Regression testing
ly represented by a large encoded numerical must be comprehensive and documented to
value, such that permissive results are cal- include all scenarios which are affected by
culated by pseudo-randomly combining the the change made, and the operating modes of
representative numerical values of each of the changed product during normal and fail-
the critical constituent parameters of a per- ure state (fallback) operation.
missive decision. Vital algorithms must be (c) What standards are acceptable for
entirely represented by data structures con- Verification and Validation? (1) The standards
taining numerical values with verified char- employed for Verification or Validation, or
acteristics, and no vital decisions are to be both, of products subject to this subpart
made in the executing software, only by the must be sufficient to support achievement of
numerical representations themselves. In the applicable requirements of subpart H and
the event of critical failures, the safety-crit- subpart I of this part.
ical functions and outputs must default to a (2) U.S. Department of Defense Military
known safe state. Standard (MIL–STD) 882C, ‘‘System Safety
(v) Intrinsic fail-safe design concept. Intrinsi- Program Requirements’’ (January 19, 1993),
cally fail-safe hardware circuits or systems is recognized as providing appropriate risk
are those that employ discrete mechanical analysis processes for incorporation into
and/or electrical components. The fail-safe verification and validation standards.
operation for a product or subsystem de- (3) The following standards designed for ap-
signed using this principle concept requires a plication to processor-based signal and train
verification that the effect of every relevant control systems are recognized as acceptable
failure mode of each component, and rel- with respect to applicable elements of safety
evant combinations of component failure analysis required by subpart H and subpart I
903
Pt. 236, App. D 49 CFR Ch. II (10–1–16 Edition)
of this part. The latest versions of the stand- ability, Availability, Maintainability and
ards listed below should be used unless oth- Safety (RAMS);
erwise provided. (I) IEC 62279: 2002 Railway Applications:
(i) IEEE standards as follows: Software for Railway Control and Protection
(A) IEEE 1483–2000, Standard for the Systems;
Verification of Vital Functions in Processor- (4) Use of unpublished standards, including
Based Systems Used in Rail Transit Control. proprietary standards, is authorized to the
(B) IEEE 1474.2–2003, Standard for user extent that such standards are shown to
interface requirements in communications achieve the requirements of this part. How-
based train control (CBTC) systems. ever, any such standards shall be available
(C) IEEE 1474.1–2004, Standard for Commu- for inspection and replication by FRA and
nications-Based Train Control (CBTC) Per- for public examination in any public pro-
formance and Functional Requirements. ceeding before the FRA to which they are
(ii) CENELEC Standards as follows: relevant.
(A) EN50129: 2003, Railway Applications: (5) The various standards provided in this
Communications, Signaling, and Processing paragraph are for illustrative purposes only.
Systems-Safety Related Electronic Systems Copies of these standards can be obtained in
for Signaling; and accordance with the following:
(B) EN50155:2001/A1:2002, Railway Applica- (i) U.S. government standards and tech-
tions: Electronic Equipment Used in Rolling nical publications may be obtained by con-
Stock. tacting the federal National Technical Infor-
(iii) ATCS Specification 200 Communica- mation Service, 5301 Shawnee Rd, Alexan-
tions Systems Architecture. dria, VA 22312.
(iv) ATCS Specification 250 Message For- (ii) U.S. National Standards may be ob-
mats. tained by contacting the American National
(v) AREMA 2009 Communications and Sig- Standards Institute, 25 West 43rd Street, 4
nal Manual of Recommended Practices, Part Floor, New York, NY 10036.
16, Part 17, 21, and 23. (iii) IEC Standards may be obtained by
(vi) Safety of High-Speed Ground Transpor- contacting the International Electro-
tation Systems. Analytical Methodology for technical Commission, 3, rue de Varembé,
Safety Validation of Computer Controlled P.O. Box 131 CH—1211, GENEVA, 20, Switzer-
Subsystems. Volume II: Development of a land.
Safety Validation Methodology. Final Re- (iv) CENLEC Standards may be obtained
port September 1995. Author: Jonathan F. by contacting any of one the national stand-
Luedeke, Battelle. DOT/FRA/ORD–95/10.2. ards bodies that make up the European Com-
(vii) IEC 61508 (International Electro- mittee for Electrotechnical Standardization.
technical Commission), Functional Safety of (v) IEEE standards may be obtained by
Electrical/Electronic/Programmable/Elec- contacting the IEEE Publications Office,
tronic Safety (E/E/P/ES) Related Systems, 10662 Los Vaqueros Circle, P.O. Box 3014, Los
Parts 1–7 as follows: Alamitos, CA 90720–1264.
(A) IEC 61508–1 (1998–12) Part 1: General re- (vi) AREMA standards may be obtained
quirements and IEC 61508–1 Corr. (1999–05) from the American Railway Engineering and
Corrigendum 1—Part 1: General Require- Maintenance-of-Way Association, 10003
ments. Derekwood Lane, Suite 210, Lanham, MD
(B) IEC 61508–2 (2000–05) Part 2: Require- 20706.
ments for electrical/electronic/program- [75 FR 2718, Jan. 15, 2010]
mable electronic safety-related systems.
(C) IEC 61508–3 (1998–12) Part 3: Software re- APPENDIX D TO PART 236—INDEPENDENT
quirements and IEC 61508–3 Corr. 1 (1999–04) REVIEW OF VERIFICATION AND VALI-
Corrigendum 1—Part 3: Software require- DATION
ments.
(D) IEC 61508–4 (1998–12) Part 4: Definitions (a) This appendix provides minimum re-
and abbreviations and IEC 61508–4 Corr. 1 quirements for independent third-party as-
(1999–04) Corrigendum 1—Part 4: Definitions sessment of product safety verification and
and abbreviations. validation pursuant to subpart H or subpart
(E) IEC 61508–5 (1998–12) Part 5: Examples of I of this part. The goal of this assessment is
methods for the determination of safety in- to provide an independent evaluation of the
tegrity levels and IEC 61508–5 Corr. 1 (1999–04) product manufacturer’s utilization of safety
Corrigendum 1—Part 5: Examples of methods design practices during the product’s devel-
for determination of safety integrity levels. opment and testing phases, as required by
(F) IEC 61508–6 (2000–04) Part 6: Guidelines any mutually agreed upon controlling docu-
on the applications of IEC 61508–2 and –3. ments and standards and the applicable rail-
(G) IEC 61508–7 (2000–03) Part 7: Overview of road’s:
techniques and measures. (1) Railroad Safety Program Plan (RSPP)

(H) IEC 62278: 2002, Railway Applications: and Product Safety Plan (PSP) for processor
Specification and Demonstration of Reli- based systems developed under subpart H or,
904
Federal Railroad Administration, DOT Pt. 236, App. E
(2) PTC Product Development Plan ance with the applicable railroad, vendor,
(PTCDP) and PTC Safety Plan (PTCSP) for supplier, industry, national, and inter-
PTC systems developed under subpart I. national standards.
(b) The supplier may request advice and as- (h) The reviewer shall evaluate and com-
sistance of the reviewer concerning the ac- ment on the plan for installation and test
tions identified in paragraphs (c) through (g) procedures of the product for revenue serv-
of this appendix. However, the reviewer shall ice.
not engage in any design efforts associated (i) The reviewer shall prepare a final report
with the product, the products subsystems, of the assessment. The report shall be sub-
or the products components, in order to pre- mitted to the railroad prior to the com-
serve the reviewer’s independence and main- mencement of installation testing and con-
tain the supplier’s proprietary right to the tain at least the following information:
product. (1) Reviewer’s evaluation of the adequacy
(c) The supplier shall provide the reviewer of the PSP in the case of products developed
access to any and all documentation that the under subpart H, or PTCSP for products de-
reviewer requests and attendance at any de-
veloped under subpart I of this part, includ-
sign review or walkthrough that the re-
ing the supplier’s MTTHE and risk estimates
viewer determines as necessary to complete
for the product, and the supplier’s confidence
and accomplish the third party assessment.
interval in these estimates;
The reviewer may be accompanied by rep-
resentatives of FRA as necessary, in FRA’s (2) Product vulnerabilities, potentially
judgment, for FRA to monitor the assess- hazardous failure modes, or potentially haz-
ment. ardous operating circumstances which the
(d) The reviewer shall evaluate the product reviewer felt were not adequately identified,
with respect to safety and comment on the tracked, mitigated, and corrected by either
adequacy of the processes which the supplier the vendor or supplier or the railroad;
applies to the design and development of the (3) A clear statement of position for all
product. At a minimum, the reviewer shall parties involved for each product vulner-
compare the supplier processes with accept- ability cited by the reviewer;
able validation and verification methodology (4) Identification of any documentation or
and employ any other such tests or compari- information sought by the reviewer that was
sons if they have been agreed to previously denied, incomplete, or inadequate;
with FRA. Based on these analyses, the re- (5) A listing of each applicable vendor, sup-
viewer shall identify and document any sig- plier, industry, national, or international
nificant safety vulnerabilities which are not standard, procedure or process which was not
adequately mitigated by the supplier’s (or properly followed;
user’s) processes. Finally, the reviewer shall (6) Identification of the software
evaluate and document the adequacy of the verification and validation procedures, as
railroad’s well as the hardware verification validation
(1) RSPP, the PSP, and any other docu- procedures if deemed appropriate by FRA,
ments pertinent to a product being developed for the product’s safety-critical applications,
under subpart H of this part; or and the reviewer’s evaluation of the ade-
(2) PTCDP and PTCSP for systems being quacy of these procedures;
developed under subpart I of this part. (7) Methods employed by the product man-
(e) The reviewer shall analyze the Hazard ufacturer to develop safety-critical software;
Log and/or any other hazard analysis docu- (8) If deemed applicable by FRA, the meth-
ments for comprehensiveness and compli- ods employed by the product manufacturer
ance with applicable railroad, vendor, sup- to develop safety-critical hardware by gen-
plier, industry, national, and international erally acceptable techniques;
standards. (9) Method by which the supplier or rail-
(f) The reviewer shall analyze all Fault road addresses comprehensiveness of the
Tree Analyses (FTA), Failure Mode and Ef- product design which considers the safety
fects Criticality Analysis (FMECA), and elements listed in paragraph (b) of appendix
other hazard analyses for completeness, cor- C to this part.
rectness, and compliance with applicable
railroad, vendor, supplier, industry, national [75 FR 2720, Jan. 15, 2010]
and international standards.
(g) The reviewer shall randomly select var- APPENDIX E TO PART 236—HUMAN-
ious safety-critical software, and hardware MACHINE INTERFACE (HMI) DESIGN
modules, if directed by FRA, for audit to
verify whether the requirements of the appli- (a) This appendix provides human factors
cable railroad, vendor, supplier, industry, na- design criteria applicable to both subpart H
tional, and international standards were fol- and subpart I of this part. HMI design cri-
lowed. The number of modules audited must teria will minimize negative safety effects
be determined as a representative number by causing designers to consider human fac-

sufficient to provide confidence that all tors in the development of HMIs. The prod-
unaudited modules were developed in compli- uct design should sufficiently incorporate
905
Pt. 236, App. E 49 CFR Ch. II (10–1–16 Edition)
human factors engineering that is appro- (iii) Conduct utility tests of decision aids
priate to the complexity of the product; the to establish clear benefits such as processing
gender, educational, mental, and physical time saved or improved quality of decisions.
capabilities of the intended operators and (4) End user limited memory. HMI design
maintainers; the degree of required human must therefore minimize an operator’s infor-
interaction with the component; and the en- mation processing load.
vironment in which the product will be used. (i) To minimize short-term memory load,
(b) As used in this section, ‘‘designer’’ the designer shall integrate data or informa-
means anyone who specifies requirements tion from multiple sources into a single for-
for—or designs a system or subsystem, or mat or representation (‘‘chunking’’) and de-
both, for—a product subject to subpart H or sign so that three or fewer ‘‘chunks’’ of in-
subpart I of this part, and ‘‘operator’’ means formation need to be remembered at any one
any human who is intended to receive infor- time.
mation from, provide information to, or per- (ii) To minimize long-term memory load,
form repairs or maintenance on a safety- the designer shall design to support recogni-
critical product subject to subpart H or I of tion memory, design memory aids to mini-
this part. mize the amount of information that must
(c) Human factors issues the designers be recalled from unaided memory when mak-
must consider with regard to the general ing critical decisions, and promote active
function of a system include: processing of the information.
(1) Reduced situational awareness and over- (d) Design systems that anticipate possible
reliance. HMI design must give an operator user errors and include capabilities to catch
active functions to perform, feedback on the errors before they propagate through the
results of the operator’s actions, and infor- system;
mation on the automatic functions of the (1) Conduct cognitive task analyses prior
system as well as its performance. The oper- to designing the system to better understand
ator must be ‘‘in-the-loop.’’ Designers must the information processing requirements of
consider at a minimum the following meth- operators when making critical decisions;
ods of maintaining an active role for human and
operators: (2) Present information that accurately
(i) The system must require an operator to represents or predicts system states.
initiate action to operate the train and re- (e) When creating displays and controls,
quire an operator to remain ‘‘in-the-loop’’ the designer must consider user ergonomics
for at least 30 minutes at a time; and shall:
(1) Locate displays as close as possible to
(ii) The system must provide timely feed-
the controls that affect them;
back to an operator regarding the system’s
(2) Locate displays and controls based on
automated actions, the reasons for such ac-
an operator’s position;
tions, and the effects of the operator’s man-
ual actions on the system; (3) Arrange controls to minimize the need
for the operator to change position;
(iii) The system must warn operators in
(4) Arrange controls according to their ex-
advance when it requires an operator to take
pected order of use;
action;
(5) Group similar controls together;
(iv) HMI design must equalize an opera- (6) Design for high stimulus-response com-
tor’s workload; and patibility (geometric and conceptual);
(v) HMI design must not distract from the (7) Design safety-critical controls to re-
operator’s safety related duties. quire more than one positive action to acti-
(2) Expectation of predictability and consist- vate (e.g., auto stick shift requires two
ency in product behavior and communications. movements to go into reverse);
HMI design must accommodate an operator’s (8) Design controls to allow easy recovery
expectation of logical and consistent rela- from error; and
tionships between actions and results. Simi- (9) Design display and controls to reflect
lar objects must behave consistently when specific gender and physical limitations of
an operator performs the same action upon the intended operators.
them. (f) The designer shall also address informa-
(3) End user limited ability to process information management. To that end, HMI design
tion. HMI design must therefore minimize an shall:
operator’s information processing load. To (1) Display information in a manner which
minimize information processing load, the emphasizes its relative importance;
designer must: (2) Comply with the ANSI/HFS 100–1988
(i) Present integrated information that di- standard;
rectly supports the variety and types of deci- (3) Utilize a display luminance that has a
sions that an operator makes; difference of at least 35cd/m2 between the
(ii) Provide information in a format or rep- foreground and background (the displays
resentation that minimizes the time re- should be capable of a minimum contrast 3:1
quired to understand and act; and with 7:1 preferred, and controls should be
906
Federal Railroad Administration, DOT Pt. 236, App. F
provided to adjust the brightness level and (ii) OET Bulletin 63: (October 1993) Under-
contrast level); standing The FCC Part 15 Regulations for
(4) Display only the information necessary Low Power, Non-Licensed Transmitters.
to the user; This document provides a basic under-
(5) Where text is needed, use short, simple standing of the FCC regulations for low
sentences or phrases with wording that an power, unlicensed transmitters, and includes
operator will understand and appropriate to answers to some commonly-asked questions.
the educational and cognitive capabilities of This edition of the bulletin does not contain
the intended operator; information concerning personal commu-
(6) Use complete words where possible; nication services (PCS) transmitters oper-
where abbreviations are necessary, choose a ating under Part 15, Subpart D of the rules.
commonly accepted abbreviation or con- (iii) 47 Code of Federal Regulations Parts 0
sistent method and select commonly used to 19. The FCC rules and regulations gov-
terms and words that the operator will un- erning PCS transmitters may be found in 47
derstand; CFR, Parts 0 to 19.
(7) Adopt a consistent format for all dis- (iv) OET Bulletin 62 (December 1993) Un-
play screens by placing each design element derstanding The FCC Regulations for Com-
in a consistent and specified location; puters and other Digital Devices. This docu-
(8) Display critical information in the cen- ment has been prepared to provide a basic
ter of the operator’s field of view by placing understanding of the FCC regulations for
items that need to be found quickly in the digital (computing) devices, and includes an-
upper left hand corner and items which are swers to some commonly-asked questions.
not time-critical in the lower right hand cor- (2) Designers must comply with FCC re-
ner of the field of view; quirements for Maximum Permissible Expo-
(9) Group items that belong together; sure limits for field strength and power den-
(10) Design all visual displays to meet sity for the transmitters operating at fre-
human performance criteria under mono- quencies of 300 kHz to 100 GHz and specific
chrome conditions and add color only if it absorption rate (SAR) limits for devices op-
will help the user in performing a task, and erating within close proximity to the body.
use color coding as a redundant coding tech- The Commission’s requirements are detailed
nique; in parts 1 and 2 of the FCC’s Rules and Regu-
(11) Limit the number of colors over a lations (47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093).
group of displays to no more than seven; The following documentation is applicable to
(12) Design warnings to match the level of demonstrating whether proposed or existing
risk or danger with the alerting nature of transmitting facilities, operations or devices
the signal; and comply with limits for human exposure to
(13) With respect to information entry, radiofrequency RF fields adopted by the
avoid full QWERTY keyboards for data FCC:
entry. (i) OET Bulletin No. 65 (Edition 97–01, Au-
(g) With respect to problem management, gust 1997), ‘‘Evaluating Compliance With
the HMI designer shall ensure that the: FCC Guidelines For Human Exposure To Ra-
(1) HMI design must enhance an operator’s diofrequency Electromagnetic Fields’’,
situation awareness; (ii) OET Bulletin No 65 Supplement A,
(2) HMI design must support response se- (Edition 97–01, August 1997), OET Bulletin No
lection and scheduling; and 65 Supplement B (Edition 97–01, August 1997)
(3) HMI design must support contingency and
planning. (iii) OET Bulletin No 65 Supplement C
(h) Ensure that electronics equipment (Edition 01–01, June 2001).
radio frequency emissions are compliant (3) The bulletin and supplements offer
with appropriate Federal Communications guidelines and suggestions for evaluating
Commission regulations. The FCC rules and compliance. However, they are not intended
regulations are codified in Title 47 of the to establish mandatory procedures. Other
Code of Federal Regulations (CFR). methods and procedures may be acceptable if
(1) Electronics equipment must have ap- based on sound engineering practice.
propriate FCC Equipment Authorizations.
The following documentation is applicable to [75 FR 2720, Feb. 15, 2010]
obtaining FCC Equipment Authorization:
(i) OET Bulletin Number 61 (October, 1992 APPENDIX F TO PART 236—MINIMUM RE-
Supersedes May, 1987 issue) FCC Equipment QUIREMENTS OF FRA DIRECTED
Authorization Program for Radio Frequency INDEPENDENT THIRD-PARTY ASSESS-
Devices. This document provides an overview MENT OF PTC SYSTEM SAFETY
of the equipment authorization program to VERIFICATION AND VALIDATION
control radio interference from radio trans-
mitters and certain other electronic prod- (a) This appendix provides minimum re-
ucts and an overview of how to obtain an quirements for mandatory independent
equipment authorization. third-party assessment of PTC system safety
907
Pt. 237 49 CFR Ch. II (10–1–16 Edition)
verification and validation pursuant to sub- be determined as a representative number
part H or I of this part. The goal of this as- sufficient to provide confidence that all
sessment is to provide an independent eval- unaudited modules were developed in compli-
uation of the PTC system manufacturer’s ance with railroad, vendor, supplier, indus-
utilization of safety design practices during try, national, or international standards
the PTC system’s development and testing (h) The reviewer shall evaluate and com-
phases, as required by the applicable PSP, ment on the plan for installation and test
PTCDP, and PTCSP, the applicable require- procedures of the PTC system for revenue
ments of subpart H or I of this part, and any service.
other previously agreed-upon controlling (i) The reviewer shall prepare a final report
documents or standards. of the assessment. The report shall be sub-
(b) The supplier may request advice and as- mitted to the railroad prior to the com-
sistance of the independent third-party re- mencement of installation testing and con-
viewer concerning the actions identified in tain at least the following information:
paragraphs (c) through (g) of this appendix. (1) Reviewer’s evaluation of the adequacy
However, the reviewer should not engage in of the PSP or PTCSP including the sup-
design efforts in order to preserve the re- plier’s MTTHE and risk estimates for the
viewer’s independence and maintain the sup- PTC system, and the supplier’s confidence
plier’s proprietary right to the PTC system. interval in these estimates;
(c) The supplier shall provide the reviewer (2) PTC system vulnerabilities, potentially
access to any and all documentation that the hazardous failure modes, or potentially haz-
reviewer requests and attendance at any de- ardous operating circumstances which the
sign review or walkthrough that the re- reviewer felt were not adequately identified,
viewer determines as necessary to complete tracked or mitigated;
and accomplish the third party assessment. (3) A clear statement of position for all
The reviewer may be accompanied by rep- parties involved for each PTC system vulner-
resentatives of FRA as necessary, in FRA’s ability cited by the reviewer;
judgment, for FRA to monitor the assess- (4) Identification of any documentation or
ment. information sought by the reviewer that was
(d) The reviewer shall evaluate with re- denied, incomplete, or inadequate;
spect to safety and comment on the ade- (5) A listing of each applicable vendor, sup-
quacy of the processes which the supplier ap- plier, industry, national or international
plies to the design and development of the standard, process, or procedure which was
PTC system. At a minimum, the reviewer not properly followed;
shall evaluate the supplier design and devel- (6) Identification of the hardware and soft-
opment process regarding the use of an ap- ware verification and validation procedures
propriate design methodology. The reviewer for the PTC system’s safety-critical applica-
may use the comparison processes and test tions, and the reviewer’s evaluation of the
procedures that have been previously agreed adequacy of these procedures;
to with FRA. Based on these analyses, the (7) Methods employed by PTC system man-
reviewer shall identify and document any ufacturer to develop safety-critical software;
significant safety vulnerabilities which are and
not adequately mitigated by the supplier’s (8) If directed by FRA, methods employed
(or user’s) processes. Finally, the reviewer by PTC system manufacturer to develop
shall evaluate the adequacy of the railroad’s safety-critical hardware.
applicable PSP or PTCSP, and any other
documents pertinent to the PTC system [75 FR 2721, Jan. 15, 2010]
being assessed.
(e) The reviewer shall analyze the Hazard PART 237—BRIDGE SAFETY
Log and/or any other hazard analysis docu- STANDARDS
ments for comprehensiveness and compli-
ance with railroad, vendor, supplier, indus-
try, national, or international standards.
Subpart A—General
(f) The reviewer shall analyze all Fault Sec.
Tree Analyses (FTA), Failure Mode and Ef- 237.1 Application.
fects Criticality Analysis (FMECA), and 237.3 Responsibility for compliance.
other hazard analyses for completeness, cor- 237.5 Definitions.
rectness, and compliance with railroad, ven- 237.7 Penalties.
dor, supplier, industry, national, or inter- 237.9 Waivers.
national standards.
(g) The reviewer shall randomly select var- Subpart B—Railroad Bridge Safety
ious safety-critical software modules, as well Assurance
as safety-critical hardware components if re-
quired by FRA for audit to verify whether 237.31 Adoption of bridge management pro-
the railroad, vendor, supplier, industry, na- grams.

tional, or international standards were fol- 237.33 Content of bridge management pro-
lowed. The number of modules audited must grams.
908

49 CFR Ch. II (10-1-16 Edition) 236.929: Subpart I-Positive Train Control Systems

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

49 CFR Ch. II (10-1-16 Edition) 236.929: Subpart I-Positive Train Control Systems

Uploaded by

Copyright:

Available Formats

§ 236.929 49 CFR Ch.

(A) Manual operation of a train for a Subpart I—Positive Train Control

moving train or other on-track equip- Class I railroad means a railroad

threshold established under regulations PIH materials means materials poi-

NPI means a Notice of Product Intent required.

Type Approval means a number as- § 236.1005 Requirements for Positive

(ii) Overspeed derailments, including (4) Provide an appropriate warning or

by the transferring railroad, routing priately and timely enforced as de-

any track segment equipped with a owned by a Class II or III railroad) is

‘‘turn’’ operation (e.g., moving to a (B) No working limits are established

to perform functions related to the tem:

with § 236.1005(b); or shall file prior to or simultaneously

(2) All materials filed in accordance (3) During FRA’s reconsideration in

riod and not revoked. Approval previously issued by the As-

(1) Maintains a continually updated (2) A description of the safety assur-

through (k); and tem exists, as a replacement for an ex-

through the computer-aided dis- PTC system is not considered ‘‘inde-

patcher permission; and under paragraph (c) is subject to FRA

amendment (‘‘RFA’’) to the applicable ministrator, they have been correctly

upon their receipt of notification of form acceptable to the Associate Ad-

tem, subsystem, or component fails to of any loss of electronic control; and

mented and operational prior to March of this part.

APPENDIX A TO PART 236—CIVIL PENALTIES 1, 2

Subpart A—Rules and Instructions—All Systems

Roadway Signals and Cab Signals—

236.23 Aspects and indications .......................................................................................................... 1,000 2,000

Subpart B—Automatic Block Signal Systems

236.201 Track circuit control of signals .............................................................................................. 1,000 2,000

236.207 Electric lock on hand-operated switch; control:

236.305 Approach or time locking ...................................................................................................... 1,000 2,000

236.309 Loss of shunt protection; where required:

Subpart D—Traffic Control Systems Standards

Rules and Instructions—

236.501 Forestalling device and speed control .................................................................................. 1,000 2,000

236.601 Signals controlled by devices; location ................................................................................ 1,000 2,000

236.905 Railroad Safety Program Plan (RSPP):

236.1005 Positive Train Control System Requirements:

Operation of passenger trains at speed equal to or greater than 60 mph on non-PTC-

236.1043 Task analysis and basic requirements:

APPENDIX B TO PART 236—RISK of accidents assessed for both previous and

consequences that are related as described in trains.

techniques and measures. (1) Railroad Safety Program Plan (RSPP)

be determined as a representative number by causing designers to consider human fac-

the railroad, vendor, supplier, industry, na- grams.

You might also like