§ 229.301 - Purpose and scope.

(a) The purpose of this subpart is to promote the safe design, operation, and maintenance of safety-critical, as defined in § 229.305, electronic locomotive control systems, subsystems, and components.

(b) Locomotive control systems or their functions that comingle with safety critical processor based signal and train control systems are regulated under part 236 subparts H and I of this chapter.

§ 229.303 - Applicability.

(a) The requirements of this subpart apply to all safety-critical electronic locomotive control systems, subsystems, and components (i.e., “products” as defined in § 229.305), except for the following:

(1) Products that are fully developed prior to June 8, 2012.

(2) Products that are under development as of October 9, 2012, and are fully developed prior to October 9, 2017.

(3) Products that comingle locomotive control systems with safety critical processor based signal and train control systems;

(4) Products that are used during on-track testing within a test facility; and

(5) Products that are used during on-track testing outside a test facility, if approved by FRA. To obtain FRA approval of on-track testing outside of a test facility, a railroad shall submit a request to FRA that provides:

(i) Adequate information regarding the function and history of the product that it intends to use;

(ii) The proposed tests;

(iii) The date, time and location of the tests; and

(iv) The potential safety consequences that will result from operating the product for purposes of testing.

(b) Railroads and vendors shall identify all products identified in paragraph (a)(2) of this section to FRA by February 9, 2013.

(c) The exceptions provided in paragraph (a) of this section do not apply to products or product changes that result in degradation of safety, or a material increase in safety-critical functionality.

[77 FR 21348, Apr. 9, 2012, as amended at 77 FR 75057, Dec. 19, 2012]

§ 229.305 - Definitions.

As used in this subpart—

Cohesion is a measure of how strongly-related or focused the responsibilities of a system, subsystem, or component are.

Comingle refers to the act of creating systems, subsystems, or components that are tightly coupled and have low cohesion.

Component means an electronic element, device, or appliance (including hardware or software) that is part of a system or subsystem.

Configuration management control plan means a plan designed to ensure that the proper and intended product configuration, including the electronic hardware components and software version, is documented and maintained through the life-cycle of the products in use.

Executive software means software common to all installations of a given electronic product. It generally is used to schedule the execution of the site-specific application programs, run timers, read inputs, drive outputs, perform self-diagnostics, access and check memory, and monitor the execution of the application software to detect unsolicited changes in outputs.

Initialization refers to the startup process when it is determined that a product has all required data input and the product is prepared to function as intended.

Loosely coupled means an attribute of systems, referring to an approach to designing interfaces across systems, subsystems, or components to reduce the interdependencies between them—in particular, reducing the risk that changes within one system, subsystem, or component will create unanticipated changes within another system, subsystem, or component.

Materials handling refers to explicit instructions for handling safety-critical components established to comply with procedures specified by the railroad.

Product means any safety critical electronic locomotive control system, subsystem, or component, not including safety critical processor based signal and train control systems, whose functions are directly related to safe movement and stopping of the train as well as the associated man-machine interfaces irrespective of the location of the control system, subsystem, or component.

Revision control means a chain of custody regimen designed to positively identify safety-critical components and spare equipment availability, including repair/replacement tracking.

Safety Analysis refers to a formal set of documentation which describes in detail all of the safety aspects of the product, including but not limited to procedures for its development, installation, implementation, operation, maintenance, repair, inspection, testing, and modification, as well as analyses supporting its safety claims.

Safety-critical, as applied to a function, a system, or any portion thereof, means the correct performance of which is essential to safety of personnel or equipment, or both; or the incorrect performance of which could cause a hazardous condition, or allow a hazardous condition which was intended to be prevented by the function or system to exist.

Subsystem means a defined portion of a system.

System refers to any electronic locomotive control system and includes all subsystems and components thereof, as the context requires.

Test facility means a track that is not part of the general railroad system of transportation and is being used exclusively for the purpose of testing equipment and has all of its public grade crossings protected.

Tightly Coupled means an attribute of systems, referring to an approach to designing interfaces across systems, subsystems, or components that maximizes the interdependencies between them, in particular increasing the risk that changes within one system, subsystem, or component will create unanticipated changes within another system, subsystem, or component.

[77 FR 21348, Apr. 9, 2012, as amended at 77 FR 75057, Dec. 19, 2012]

§ 229.307 - Safety analysis.

(a) A railroad shall develop a Safety Analysis (SA) for each product subject to this subpart prior to the initial use of such product on their railroad.

(b) The SA shall:

(1) Establish and document the minimum requirements that will govern the development and implementation of all products subject to this subpart, and be based on good engineering practice and should be consistent with the guidance contained in appendix F of this part in order to establish that a product's safety-critical functions will operate with a high degree of confidence in a fail-safe manner;

(2) Include procedures for immediate repair of safety-critical functions; and

(3) Be made available to FRA upon request.

(c) Each railroad shall comply with the SA requirements and procedures related to the development, implementation, and repair of a product subject to this subpart.

§ 229.309 - Safety-critical changes and failures.

(a) Whenever a planned safety-critical design change is made to a product that is in use by a railroad and subject to this subpart, the railroad shall:

(1) Notify FRA's Associate Administrator for Safety of the design changes made by the product supplier;

(2) Ensure that the SA is updated as required;

(3) Conduct all safety-critical changes in a manner that allows the change to be audited;

(4) Specify all contractual arrangements with suppliers and private equipment owners for notification of any and all electronic safety-critical changes as well as safety-critical failures in the suppliers and private equipment owners' system, subsystem, or components, and the reasons for that change or failure from the suppliers or equipment owners, whether or not the railroad has experienced a failure of that safety critical system, sub-system, or component;

(5) Specify the railroad's procedures for action upon receipt of notification of a safety-critical change or failure of an electronic system, sub-system, or component, and until the upgrade or revision has been installed; and

(6) Identify all configuration/revision control measures designed to ensure that safety-functional requirements and safety-critical hazard mitigation processes are not compromised as a result of any such change, and that any such change can be audited.

(b) Product suppliers and private equipment owners shall report any safety-critical changes and previously unidentified hazards to each railroad using the product or equipment.

(c) Private equipment owners shall establish configuration/revision control measures for control of safety-critical changes and identification of previously unidentified hazards.

§ 229.311 - Review of SAs.

(a) Prior to the initial planned use of a product subject to this subpart, a railroad shall inform the Associate Administrator for Safety/Chief Safety Officer, FRA, 1200 New Jersey Avenue SE., Mail Stop 25, Washington, DC 20590 of the intent to place this product in service. The notification shall provide a description of the product, and identify the location where the complete SA documentation described in § 229.307, the testing records contained in § 229.313, and the training and qualification program described in § 229.319 is maintained.

(b) FRA may review or audit the SA within 60 days of receipt of the notification or anytime after the product is placed in use. If FRA has not notified the railroad of its intent to review or audit the SA within the 60-day period, the railroad may assume that FRA does not intend to review or audit, and place the product in use. FRA reserves the right, however, to conduct a review or audit at a later date.

(c) A railroad shall maintain and make available to FRA upon request all railroad or vendor documentation used to demonstrate that the product meets the safety requirements of the SA for the life-cycle of the product.

(d) After a product is placed in service, the railroad shall maintain a database of all safety-relevant hazards encountered with the product. The database shall include all hazards identified in the SA and those that had not been previously identified in the SA. If the frequency of the safety-relevant hazards exceeds the threshold set forth in the SA, then the railroad shall:

(1) Report the inconsistency by mail, facsimile, email, or hand delivery to the Director, Office of Safety Assurance and Compliance, FRA, 1200 New Jersey Ave. SE., Mail Stop 25, Washington, DC 20590, within 15 days of discovery;

(2) Take immediate countermeasures to reduce the frequency of the safety-relevant hazard(s) below the threshold set forth in the SA; and

(3) Provide a final report to FRA's Director, Office of Safety Assurance and Compliance, on the results of the analysis and countermeasures taken to reduce the frequency of the safety-relevant hazard(s) below the calculated probability of failure threshold set forth in the SA when the problem is resolved. For hazards not identified in the SA the threshold shall be exceeded at one occurrence.

§ 229.313 - Product testing results and records.

(a) Results of product testing conducted by a railroad as required by this subpart shall be recorded on preprinted forms provided by the railroad, or stored electronically. Electronic recordkeeping or automated tracking systems, subject to the provisions contained in paragraph (e) of this section, may be utilized to store and maintain any testing or training record required by this subpart. Results of product testing conducted by a vendor or private equipment owner in support of a SA shall be provided to the railroad as part of the SA.

(b) The testing records shall contain all of the following:

(1) The name of the railroad;

(2) The location and date that the test was conducted;

(3) The equipment tested;

(4) The results of tests;

(5) The repairs or replacement of equipment;

(6) Any preventative adjustments made; and

(7) The condition in which the equipment is left.

(c) Each record shall be:

(1) Signed by the employee conducting the test, or electronically coded, or identified by the automated test equipment number;

(2) Filed in the office of a supervisory official having jurisdiction, unless otherwise noted; and

(3) Available for inspection and copying by FRA.

(d) The results of the testing conducted in accordance with this subpart shall be retained as follows:

(1) The results of tests that pertain to installation or modification of a product shall be retained for the life-cycle of the product tested and may be kept in any office designated by the railroad;

(2) The results of periodic tests required for the maintenance or repair of the product tested shall be retained until the next record is filed and in no case less than one year; and

(3) The results of all other tests and training shall be retained until the next record is filed and in no case less than one year.

(e) Electronic or automated tracking systems used to meet the requirements contained in paragraph (a) of this section shall be capable of being reviewed and monitored by FRA at any time to ensure the integrity of the system. FRA's Associate Administrator for Safety may prohibit or revoke a railroad's authority to utilize an electronic or automated tracking system in lieu of preprinted forms if FRA finds that the electronic or automated tracking system is not properly secured, is inaccessible to FRA, or railroad employees requiring access to discharge their assigned duties, or fails to adequately track and monitor the equipment. The Associate Administrator for Safety will provide the affected railroad with a written statement of the basis for the decision prohibiting or revoking the railroad from utilizing an electronic or automated tracking system.

§ 229.315 - Operations and maintenance manual.

(a) The railroad shall maintain all documents pertaining to the installation, maintenance, repair, modification, inspection, and testing of a product subject to this part in one Operations and Maintenance Manual (OMM).

(1) The OMM shall be legible and shall be readily available to persons who conduct the installation, maintenance, repair, modification, inspection, and testing, and for inspection by FRA.

(2) At a minimum, the OMM shall contain all product vendor operation and maintenance guidance.

(b) The OMM shall contain the plans and detailed information necessary for the proper maintenance, repair, inspection, and testing of products subject to this subpart. The plans shall identify all software versions, revisions, and revision dates.

(c) Hardware, software, and firmware revisions shall be documented in the OMM according to the railroad's configuration management control plan.

(d) Safety-critical components, including spare products, shall be positively identified, handled, replaced, and repaired in accordance with the procedures specified in the railroad's configuration management control plan.

(e) A railroad shall determine that the requirements of this section have been met prior to placing a product subject to this subpart in use on their property.

§ 229.317 - Training and qualification program.

(a) A railroad shall establish and implement a training and qualification program for products subject to this subpart prior to the product being placed in use. These programs shall meet the requirements set forth in this section and in § 229.319.

(b) The program shall provide training for the individuals identified in this paragraph to ensure that they possess the necessary knowledge and skills to effectively complete their duties related to the product. These include:

(1) Individuals whose duties include installing, maintaining, repairing, modifying, inspecting, and testing safety-critical elements of the product;

(2) Individuals who operate trains or serve as a train or engine crew member subject to instruction and testing under part 217 of this chapter;

(3) Roadway and maintenance-of-way workers whose duties require them to know and understand how the product affects their safety and how to avoid interfering with its proper functioning; and

(4) Direct supervisors of the individuals identified in paragraphs (b)(1) through (3) of this section.

(c) When developing the training and qualification program required in this section, a railroad shall conduct a formal task analysis. The task analysis shall:

(1) Identify the specific goals of the program for each target population (craft, experience level, scope of work, etc.), task(s), and desired success rate;

(2) Identify the installation, maintenance, repair, modification, inspection, testing, and operating tasks that will be performed on the railroad's products, including but not limited to the development of failure scenarios and the actions expected under such scenarios;

(3) Develop written procedures for the performance of the tasks identified; and

(4) Identify any additional knowledge, skills, and abilities above those required for basic job performance necessary to perform each task.

(d) Based on the task analysis, a railroad shall develop a training curriculum that includes formally structured training designed to impart the knowledge, skills, and abilities identified as necessary to perform each task.

(e) All individuals identified in paragraph (b) of this section shall successfully complete a training curriculum and pass an examination that covers the product and appropriate rules and tasks for which they are responsible (however, such persons may perform such tasks under the direct onsite supervision of a qualified person prior to completing such training and passing the examination).

(f) A railroad shall conduct periodic refresher training at intervals to be formally specified in the program, except with respect to basic skills for which proficiency is known to remain high as a result of frequent repetition of the task.

(g) A railroad shall conduct regular and periodic evaluations of the effectiveness of the training program, verifying the adequacy of the training material and its validity with respect to the railroad's products and operations.

(h) A railroad shall maintain records that designate individuals who are qualified under this section until new designations are recorded or for at least one year after such persons leave applicable service. These records shall be maintained in a designated location and be available for inspection and replication by FRA.

§ 229.319 - Operating Personnel Training.

(a) The training required under § 229.317 for any locomotive engineer or other person who participates in the operation of a train using an onboard electronic locomotive control system shall address all of the following elements and shall be specified in the training program.

(1) Familiarization with the electronic control system equipment onboard the locomotive and the functioning of that equipment as part of the system and in relation to other onboard systems under that person's control;

(2) Any actions required of the operating personnel to enable or enter data into the system and the role of that function in the safe operation of the train;

(3) Sequencing of interventions by the system, including notification, enforcement, penalty initiation and post penalty application procedures as applicable;

(4) Railroad operating rules applicable to control systems, including provisions for movement and protection of any unequipped trains, or trains with failed or cut-out controls;

(5) Means to detect deviations from proper functioning of onboard electronic control system equipment and instructions explaining the proper response to be taken regarding control of the train and notification of designated railroad personnel; and

(6) Information needed to prevent unintentional interference with the proper functioning of onboard electronic control equipment.

(b) The training required under this subpart for a locomotive engineer and conductor, together with required records, shall be integrated into the program of training required by parts 240 and 242 of this chapter.