§ 299.201 - Technical PTC system requirements.

(a) The railroad shall comply with all applicable requirements under 49 U.S.C. 20157, including, but not limited to, the statutory requirement to fully implement an FRA-certified PTC system prior to commencing revenue service.

(b) The railroad's PTC system shall be designed to prevent train-to-train collisions, over-speed derailments, incursions into established work zone limits, and movements of trainset through switches left in the wrong position, reliably and functionally, in accordance with § 236.1005(a) and (c) through (f) of this chapter.

(c) The railroad is authorized to conduct field testing of its PTC system on its system, prior to obtaining PTC System Certification from FRA, in accordance with its system-wide qualification test plan under § 299.603. During any field testing of its uncertified PTC system and regression testing of its FRA-certified PTC system, FRA may oversee the railroad's testing, audit any applicable test plans and procedures, and impose additional testing conditions that FRA believes may be necessary for the safety of trainset operations.

(d) The railroad is not exempted from compliance with any requirement of subparts A through G of 49 CFR part 236, or 49 CFR parts 233 and 235, unless the railroad's FRA-approved PTCSP provides for such an exemption.

(e)(1) All materials filed in accordance with this subpart must be in the English language, or have been translated into English and attested as true and correct.

(2) Each filing referenced in this subpart may include a request for full or partial confidentiality in accordance with § 209.11 of this chapter. If confidentiality is requested as to a portion of any applicable document, then in addition to the filing requirements under § 209.11 of this chapter, the person filing the document shall also file a copy of the original unredacted document, marked to indicate which portions are redacted in the document's confidential version without obscuring the original document's contents.

§ 299.203 - PTC system required.

The railroad shall not commence revenue service prior to installing and making operative its FRA-certified PTC system.

§ 299.205 - PTC System Certification.

(a) Prior to operating its PTC system in revenue service, the railroad must first obtain a PTC System Certification from FRA by submitting an acceptable PTCSP and obtaining FRA's approval of its PTCSP.

(b) Each PTCSP requirement under this subpart shall be supported by information and analysis sufficient to establish that the PTC system meets the requirements of § 236.1005(a) and (c) through (f) of this chapter.

(c) If the Associate Administrator finds that the PTCSP and its supporting documentation support a finding that the PTC system complies with § 236.1005(a) and (c) through (f) of this chapter and § 299.211, the Associate Administrator shall approve the PTCSP. If the Associate Administrator approves the PTCSP, the railroad shall receive PTC System Certification for its PTC system and shall implement the PTC system according to the PTCSP.

(d) Issuance of a PTC System Certification is contingent upon FRA's confidence in the implementation and operation of the subject PTC system. This confidence may be based on FRA-monitored field testing or an independent assessment performed in accordance with § 236.1017 of this chapter.

(e)(1) As necessary to ensure safety, FRA may attach special conditions to its certification of the railroad's PTC System.

(2) After granting a PTC System Certification, FRA may reconsider the PTC System Certification upon revelation of any of the following factors concerning the contents of the PTCSP:

(i) Potential error or fraud;

(ii) Potentially invalidated assumptions determined as a result of in-service experience or one or more unsafe events calling into question the safety analysis supporting the approval.

(3) During FRA's reconsideration in accordance with this paragraph, the PTC system may remain in use if otherwise consistent with the applicable law and regulations, and FRA may impose special conditions for use of the PTC system.

(4) After FRA's reconsideration in accordance with this paragraph, FRA may:

(i) Dismiss its reconsideration and continue to recognize the existing PTC System Certification;

(ii) Allow continued operations under such conditions the Associate Administrator deems necessary to ensure safety; or

(iii) Revoke the PTC System Certification and direct the railroad to cease operations.

(f) FRA shall be afforded reasonable access to monitor, test, and inspect processes, procedures, facilities, documents, records, design and testing materials, artifacts, training materials and programs, and any other information used in the design, development, manufacture, test, implementation, and operation of the system, as well as interview any personnel.

(g) Information that has been certified under the auspices of a foreign regulatory entity recognized by the Associate Administrator may, at the Associate Administrator's sole discretion, be accepted as independently verified and validated and used to support the railroad's PTCSP.

(h) The railroad shall file its PTCSP in FRA's Secure Information Repository at https://sir.fra.dot.gov, consistent with § 299.201(e).

§ 299.207 - PTC Safety Plan content requirements.

(a) The railroad's PTCSP shall contain the following elements:

(1) A hazard log consisting of a comprehensive description of all safety-relevant hazards of the PTC system, specific to implementation on the railroad, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);

(2) A description of the safety assurance concepts that are to be used for system development, including an explanation of the design principles and assumptions;

(3) A risk assessment of the as-built PTC system;

(4) A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used;

(5) A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in appendix C to part 236 of this chapter directly, using other safety criteria, or not at all;

(6) A complete description of the railroad's training plan for railroad, and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system;

(7) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and establish safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with or explain deviations from the equipment manufacturer's recommendations;

(8) A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety-functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change;

(9) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;

(10) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed;

(11) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see § 299.213);

(12) A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCSP shall describe how that risk will be mitigated;

(13) A complete description of how the PTC system will enforce authorities and signal indications;

(14) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005 of this chapter;

(15) The documents and information required under § 299.211;

(16) A summary of the process for the product supplier or vendor to promptly and thoroughly report any safety-relevant failures or previously unidentified hazards to the railroad, including when another user of the product experiences a safety-relevant failure or discovers a previously unidentified hazard;

(17) Documentation establishing—by design, data, or other analysis—that the PTC system meets the fail-safe operation criteria under paragraph (b)(4)(v) of appendix C to part 236 of this chapter; and,

(18) An analysis establishing that the PTC system will be operated at a level of safety comparable to that achieved over the 5-year period prior to the submission of the railroad's PTCSP by other train control systems that perform PTC functions, and which have been utilized on high-speed rail systems with similar technical and operational characteristics in the United States or in foreign service.

(b) As the railroad's PTC system may be considered a standalone system pursuant to § 236.1015(e)(3) of this chapter, the following requirements apply:

(1) The PTC system shall reliably execute the functions required by § 236.1005 of this chapter and be demonstrated to do so to FRA's satisfaction; and

(2) The railroad's PTCSP shall establish, with a high degree of confidence, that the system will not introduce any hazards that have not been sufficiently mitigated.

(c) When determining whether the PTCSP fulfills the requirements under this section, the Associate Administrator may consider all available evidence concerning the reliability of the proposed system.

(d) When reviewing the issue of the potential data errors (for example, errors arising from data supplied from other business systems needed to execute the braking algorithm, survey data needed for location determination, or mandatory directives issued through the computer-aided dispatching system), the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as a case in which the residual risk after mitigation is substantial, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.

(e) The railroad must comply with the applicable requirements under § 236.1021 of this chapter prior to modifying a safety-critical element of an FRA-certified PTC system.

(f) If a PTCSP applies to a PTC system designed to replace an existing certified PTC system, the PTCSP will be approved provided that the PTCSP establishes with a high degree of confidence that the new PTC system will provide a level of safety not less than the level of safety provided by the system to be replaced.

§ 299.209 - PTC system use and failures.

(a) When any safety-critical PTC system component fails to perform its intended function, the cause must be determined and the faulty component adjusted, repaired, or replaced without undue delay. Until repair of such essential components is completed, the railroad shall take appropriate action as specified in its PTCSP.

(b) Where a trainset that is operating in, or is to be operated within, a PTC-equipped track segment experiences a PTC system failure or the PTC system is otherwise cut out while en route (i.e., after the trainset has departed its initial terminal), the trainset may only continue in accordance with all of the following:

(1) Except as provided in paragraph (b)(4) of this section, when no absolute block protection is established, the trainset may proceed at a speed not to exceed restricted speed.

(2) When absolute block protection can be established in advance of the trainset, the trainset may proceed at a speed not to exceed 120 km/h (75 mph), and the trainset shall not exceed restricted speed until the absolute block in advance of the trainset is established.

(3) A report of the failure or cut-out must be made to a designated railroad officer of the railroad as soon as safe and practicable.

(4) Where the PTC system is the exclusive method of delivering mandatory directives, an absolute block must be established in advance of the trainset as soon as safe and practicable, and the trainset shall not exceed restricted speed until the absolute block in advance of the trainset is established.

(5) Where the failure or cut-out is a result of a defective onboard PTC apparatus, the trainset may be moved in passenger service only to the next forward location where the necessary repairs can be made; however, if the next forward location where the necessary repairs can be made does not have the facilities to handle the safe unloading of passengers, the trainset may be moved past the repair location in service only to the next forward passenger station in order to facilitate the unloading of passengers. When the passengers have been safely unloaded, the defective trainset shall be moved to the nearest location where the onboard PTC apparatus can be repaired or exchanged.

(c) The railroad shall comply with all provisions in its PTCSP for each PTC system it uses and shall operate within the scope of initial operational assumptions and predefined changes identified.

(d) The normal functioning of any safety-critical PTC system must not be interfered with in testing or otherwise without first taking measures to provide for the safe movement of trainsets that depend on the normal functioning of the system.

(e) The railroad shall comply with the reporting requirements under § 236.1029(h) of this chapter.

(f) The railroad and the PTC system vendors and/or suppliers must comply with each applicable requirement under § 236.1023 of this chapter.

§ 299.211 - Communications and security requirements.

(a) All wireless communications between the office, wayside, and onboard components in a PTC system shall provide cryptographic message integrity and authentication.

(b) Cryptographic keys required under this section shall—

(1) Use an algorithm approved by the National Institute of Standards or a similarly recognized and FRA-approved standards body;

(2) Be distributed using manual or automated methods, or a combination of both; and

(3) Be revoked—

(i) If compromised by unauthorized disclosure of the cleartext key; or

(ii) When the key algorithm reaches its lifespan as defined by the standards body responsible for approval of the algorithm.

(c) The cleartext form of the cryptographic keys shall be protected from unauthorized disclosure, modification, or substitution, except during key entry when the cleartext keys and key components may be temporarily displayed to allow visual verification. When encrypted keys or key components are entered, the cryptographically protected cleartext key or key components shall not be displayed.

(d) Access to cleartext keys shall be protected by a tamper-resistant mechanism.
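The following is an added illustration of the message integrity, authentication and key-revocation requirements in paragraphs (a) through (d); it is not part of the regulation or of any railroad's PTC implementation. It assumes HMAC-SHA256 (FIPS 198-1 with FIPS 180-4) as the NIST-approved algorithm, a 16-bit key id carried in each message header, and an explicit lifespan field per key; the envelope layout and the sample movement-authority payload are constructed for the example.

```python
"""Authenticated envelope for office/wayside/onboard PTC messages (illustrative).

Assumptions: HMAC-SHA256 as the approved algorithm; a 2-byte key id prefix;
a per-key 'expires' time standing in for the algorithm/key lifespan.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


@dataclass
class KeyRecord:
    key: bytes             # cleartext key: never logged or displayed (paragraph (c))
    expires: int           # last second the key may be used (lifespan, (b)(3)(ii))
    revoked: bool = False  # set on compromise of the cleartext key ((b)(3)(i))


class KeyStore:
    """Shared keys indexed by the short key id carried in each message header."""

    def __init__(self) -> None:
        self._keys: dict[int, KeyRecord] = {}

    def add(self, key_id: int, key: bytes, expires: int) -> None:
        self._keys[key_id] = KeyRecord(key, expires)

    def revoke(self, key_id: int) -> None:
        self._keys[key_id].revoked = True

    def usable(self, key_id: int, now: int) -> KeyRecord | None:
        """A key is usable only if known, not revoked and within its lifespan."""
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked or now > rec.expires:
            return None
        return rec


def seal(store: KeyStore, key_id: int, payload: bytes, now: int) -> bytes:
    """Sender side: header || payload || HMAC(header || payload)."""
    rec = store.usable(key_id, now)
    if rec is None:
        raise ValueError("key %d is unknown, revoked or past its lifespan" % key_id)
    header = key_id.to_bytes(2, "big")
    tag = hmac.new(rec.key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unseal(store: KeyStore, msg: bytes, now: int) -> bytes | None:
    """Receiver side: the payload, or None when the message must be rejected."""
    if len(msg) < 2 + TAG_LEN:
        return None
    key_id = int.from_bytes(msg[:2], "big")
    rec = store.usable(key_id, now)
    if rec is None:  # unknown key id, revoked key, or lifespan exceeded
        return None
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(rec.key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return body[2:]
```

A receiver that calls `unseal` rejects any message whose tag does not verify, whose key id it does not hold, or whose key has been revoked or has outlived its lifespan, which is the behaviour paragraphs (a) and (b)(3) require of the wireless link.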

(e) If the railroad elects to also provide cryptographic message confidentiality, it shall:

(1) Comply with the same requirements for message integrity and authentication under this section; and

(2) Only use keys meeting or exceeding the security strength required to protect the data as defined in the railroad's PTCSP.

(f) The railroad, or its vendor or supplier, shall have a prioritized service restoration and mitigation plan for scheduled and unscheduled interruptions of service. This plan shall be made available to FRA upon request, without undue delay, for restoration of communication services that support PTC system services.

§ 299.213 - Records retention.

(a) The railroad shall maintain at a designated office on the railroad—

(1) A current copy of each FRA-approved PTCSP that it holds;

(2) Adequate documentation to demonstrate that the PTCSP meets the safety requirements of this RPA, including the risk assessment;

(3) An Operations and Maintenance Manual, pursuant to § 299.215; and

(4) Training and testing records pursuant to § 236.1043(b) of this chapter.

(b) Results of inspections and tests specified in the PTCSP must be recorded pursuant to § 236.110 of this chapter.

(c) Each contractor providing services relating to the testing, maintenance, or operation of the railroad's PTC system shall maintain at a designated office training records required under §§ 236.1043(b) of this chapter, and 299.207(a)(6).

(d) After the PTC system is placed in service, the railroad shall maintain a database of all safety-relevant hazards as set forth in its PTCSP and those that had not been previously identified in its PTCSP. If the frequency of the safety-relevant hazards exceeds the threshold set forth in its PTCSP, then the railroad shall—

(1) Report the inconsistency in writing to FRA's Secure Information Repository at https://sir.fra.dot.gov, within 15 days of discovery;

(2) Take prompt countermeasures to reduce the frequency of each safety-relevant hazard to below the threshold set forth in its PTCSP; and

(3) Provide a final report when the inconsistency is resolved to FRA's Secure Information Repository at https://sir.fra.dot.gov, on the results of the analysis and countermeasures taken to reduce the frequency of the safety-relevant hazard(s) below the threshold set forth in its PTCSP.

§ 299.215 - Operations and Maintenance Manual.

(a) The railroad shall catalog and maintain all documents as specified in its PTCSP for the operation, installation, maintenance, repair, modification, inspection, and testing of the PTC system and have them in one Operations and Maintenance Manual, readily available to persons required to perform such tasks and for inspection by FRA and FRA-certified state inspectors.

(b) Plans required for proper maintenance, repair, inspection, and testing of safety-critical PTC systems must be adequate in detail and must be made available for inspection by FRA and FRA-certified state inspectors where such PTC systems are deployed or maintained. They must identify all software versions, revisions, and revision dates. Plans must be legible and correct.

(c) Hardware, software, and firmware revisions must be documented in the Operations and Maintenance Manual according to the railroad's configuration management control plan and any additional configuration/revision control measures specified in its PTCSP.

(d) Safety-critical components, including spare equipment, must be positively identified, handled, replaced, and repaired in accordance with the procedures specified in the railroad's PTCSP.

(e) The railroad shall designate in its Operations and Maintenance Manual an appropriate railroad officer responsible for issues relating to scheduled interruptions of service.