Code of Federal Regulations

49 CFR Part 229, Sec. 229.319 Operating Personnel Training.

(a) The training required under Sec. 229.317 for any locomotive engineer or other person who participates in the operation of a train using an onboard electronic locomotive control system shall address all of the following elements and shall be specified in the training program.

(1) Familiarization with the electronic control system equipment onboard the locomotive and the functioning of that equipment as part of the system and in relation to other onboard systems under that person's control;

(2) Any actions required of the operating personnel to enable or enter data into the system and the role of that function in the safe operation of the train;

(3) Sequencing of interventions by the system, including notification, enforcement, penalty initiation and post penalty application procedures as applicable;

(4) Railroad operating rules applicable to control systems, including provisions for movement and protection of any unequipped trains, or trains with failed or cut-out controls;

(5) Means to detect deviations from proper functioning of onboard electronic control system equipment and instructions explaining the proper response to be taken regarding control of the train and notification of designated railroad personnel; and

(6) Information needed to prevent unintentional interference with the proper functioning of onboard electronic control equipment.

(b) The training required under this subpart for a locomotive engineer and conductor, together with required records, shall be integrated into the program of training required by parts 240 and 242 of this chapter.

Sec. Appendix A to Part 229--Form FRA 6180-49A

Editorial Note: Appendix A, published at 45 FR 21118, Mar. 31, 1980, as part of the original document, is not carried in the CFR. Copies of Form FRA F6180-49A are available by contacting the Federal Railroad Administration, Office of Standards and Procedures, 1200 New Jersey Avenue, SE., Washington, DC 20590. [45 FR 21109, Mar. 31, 1980, as amended at 74 FR 25174, May 27, 2009]

Appendix B to Part 229--Schedule of Civil Penalties [1]

------------------------------------------------------------------------
Section | Violation | Willful violation
------------------------------------------------------------------------

Subpart A--General

229.7 Prohibited acts: Safety deficiencies not governed by specific regulations: To be assessed on relevant facts | $1,000-5,000 | $2,000-7,500
229.9 Movement of noncomplying locomotives | [1] | [1]
229.11 Locomotive identification | 1,000 | 2,000
229.13 Control of locomotives | 2,500 | 5,000
229.15 Remote control locomotives | 2,500 | 5,000
229.17 Accident reports | 2,500 | 5,000
229.19 Prior Waivers | [1] | [1]

------------------------------------------------------------------------

Subpart B--Inspection and tests

229.21 Daily inspection:
  (a)(b):
    (1) Inspection overdue | 2,000 | 4,000
    (2) Inspection report not made, improperly executed, or not retained | 1,000 | 2,000
  (c) Inspection not performed by a qualified person | 1,000 | 2,000
229.23 Periodic inspection General:
  (a)(1) Inspection overdue | 2,500 | 5,000
  (a)(2) Inspection performed improperly or at a location where the underneath portion cannot be safely inspected | 2,500 | 5,000
  (b)(1) Inspection overdue | 2,500 | 5,000
  (b)(2) Inspection overdue | 2,500 | 5,000
  (c) Inspection overdue | 2,500 | 5,000
  (e):
    (1) Form missing | 1,000 | 2,000
    (2) Form not properly displayed | 1,000 | 2,000
    (3) Form improperly executed | 1,000 | 2,000
  (f) Replace Form FRA F 6180.49A by April 2 or July 3 | | 
  (g) Secondary record of the information reported Form FRA F 6180.49A | 1,000 | 2,000
229.25 Tests: every periodic inspection:
  (a) through (d)(4) and (e) and (f) Tests | 2,500 | 5,000
  (d)(5) Ineffective maintenance | 8,000 | 16,000
229.27 Annual tests | 2,500 | 5,000
229.29 Biennial tests | 2,500 | 5,000
229.31:
  (a) Biennial hydrostatic tests of main reservoirs | 2,500 | 5,000
  (b) Biennial hammer tests of main reservoirs | 2,500 | 5,000
  (c) Drilled telltale holes in welded main reservoirs | 2,500 | 5,000
  (d) Biennial tests of aluminum main reservoirs | 2,500 | 5,000
229.33 Out-of-use credit | 1,000 | 2,000

------------------------------------------------------------------------

Subpart C--Safety Requirements

229.41 Protection against personal injury | 2,500 | 5,000
229.43 Exhaust and battery gases | 2,500 | 5,000
229.45 General condition: To be assessed based on relevant facts | 1,000-5,000 | 2,000-7,500
229.46 Brakes: General | 2,500 | 5,000
229.47 Emergency brake valve | 2,500 | 5,000
229.49 Main reservoir system:
  (a)(1) Main reservoir safety valve | 2,500 | 5,000
  (a)(2) Pneumatically actuated control reservoir | 2,500 | 5,000
  (b)(c) Main reservoir governors | 2,500 | 5,000
229.51 Aluminum main reservoirs | 2,500 | 5,000
229.53 Brake gauges | 2,500 | 5,000
229.55 Piston travel | 2,500 | 5,000
229.57 Foundation brake gear | 2,500 | 5,000
229.59 Leakage | 2,500 | 5,000
229.61 Draft system | 2,500 | 5,000
229.63 Lateral motion | 2,500 | 5,000
229.64 Plain bearing | 2,500 | 5,000
229.65 Spring rigging | 2,500 | 5,000
229.67 Trucks | 2,500 | 5,000
229.69 Side bearings | 2,500 | 5,000
229.71 Clearance above top of rail | 2,500 | 5,000
229.73 Wheel sets | 2,500 | 5,000
229.75 Wheel and tire defects:
  (a),(d) Slid flat or shelled spot(s):
    (1) One spot 2-1/2 inches or more but less than 3 inches in length | 2,500 | 5,000
    (2) One spot 3 inches or more in length | 5,000 | 7,500
    (3) Two adjoining spots each of which is 2 inches or more in length but less than 2-1/2 inches in length | 2,500 | 5,000
    (4) Two adjoining spots each of which are at least 2 inches in length, if either spot is 2-1/2 inches or more in length | 5,000 | 7,500
  (b) Gouge or chip in flange of:
    (1) more than 1-1/2 inches but less than 1-5/8 inches in length; and more than 1/2 inch but less than 5/8 inch in width | 2,500 | 5,000
    (2) 1-5/8 inches or more in length and 5/8 inch or more in width | 5,000 | 7,500
  (c) Broken rim | 5,000 | 7,500
  (e) Seam in tread | 2,500 | 5,000
  (f) Flange thickness of:
    (1) 7/8 inch or less but more than 13/16 inch | 2,500 | 5,000
    (2) 13/16 inch or less | 5,000 | 7,500
  (g) Tread worn hollow | 2,500 | 5,000
  (h) Flange height of:
    (1) 1-1/2 inches or greater but less than 1-5/8 inches | 2,500 | 5,000
    (2) 1-5/8 inches or more | 5,000 | 7,000
  (i) Tire thickness | 2,500 | 5,000
  (j) Rim thickness:
    (1) Less than 1 inch in road service and 3/4 inch in yard service | 2,500 | 5,000
    (2) 15/16 inch or less in road service and 11/16 inch in yard service | 5,000 | 7,500
  (k) Crack:
    (1) Crack of less than 1 inch | 2,500 | 5,000
    (2) Crack of 1 inch or more | 5,000 | 7,500
    (3) Break | 5,000 | 7,500
  (l) Loose wheel or tire | 5,000 | 7,500
  (m) Welded wheel or tire | 5,000 | 7,500
229.77 Current collectors | 2,500 | 5,000
229.79 Third rail shoes and beams | 2,000 | 4,000
229.81 Emergency pole; shoe insulation | 2,500 | 5,000
229.83 Insulation or grounding | 5,000 | 7,500
229.85 Door and cover plates marked "Danger" | 2,500 | 5,000
229.87 Hand operated switches | 2,500 | 5,000
229.89 Jumpers; cable connections:
  (a) Jumpers and cable connections; located and guarded | 2,500 | 5,000
  (b) Condition of jumpers and cable connections | 2,500 | 5,000
229.91 Motors and generators | 2,500 | 5,000
229.93 Safety cut-off device | 2,500 | 5,000
229.95 Venting | 2,500 | 5,000
229.97 Grounding fuel tanks | 2,500 | 5,000
229.99 Safety hangers | 2,500 | 5,000
229.101 Engines:
  (a) Temperature and pressure alarms, controls, and switches | 2,500 | 5,000
  (b) Warning notice | 2,500 | 5,000
  (c) Wheel slip/slide protection | 2,500 | 5,000
229.103 Safe working pressure; factor of safety | 2,500 | 5,000
229.105 Steam generator number | 1,000 | 1,500
229.107 Pressure gauge | 2,500 | 5,000
229.109 Safety valves | 2,500 | 5,000
229.111 Water-flow indicator | 2,500 | 5,000
229.113 Warning notice | 2,500 | 5,000
229.114 Steam generator inspections and tests | 2,500 | 5,000
229.115 Slip/slide alarms | 2,500 | 5,000
229.117 Speed indicators | 2,500 | 5,000
229.119 Cabs, floors, and passageways:
  (a)(1) Cab set not securely mounted or braced | 2,500 | 5,000
  (a)(2) Insecure or improper latching device | 2,500 | 5,000
  (b) Cab windows of lead locomotive | 2,500 | 5,000
  (c) Floors, passageways, and compartments | 2,500 | 5,000
  (d) Ventilation and heating arrangement | 2,500 | 5,000
  (e) Continuous barrier | 2,500 | 5,000
  (f) Containers for fuses and torpedoes | 2,500 | 5,000
  (g) Failure to equip | 2,500 | 5,000
  (h) Failure to maintain | 2,500 | 5,000
  (i) Failure to equip | 2,500 | 5,000
229.121 Locomotive Cab Noise:
  (a) Performance Standards
    (1) Failure to meet sound level | 5,000 | 7,500
    (2) Improper maintenance alterations | 2,500 | 5,000
    (3) Failure to comply with static test protocols | 2,500 | 5,000
  (b) Maintenance of Locomotives
    (1) Failure to maintain excessive noise report record or respond to report as required | 2,500 | 5,000
    (3) Failure to make good faith effort as required | 2,500 | 5,000
    (4) Failure to maintain record as required | 2,000 | 4,000
229.123 Pilots, snowplows, end plates | 2,500 | 5,000
229.125:
  (a) Headlights | 2,500 | 5,000
  (d) Auxiliary lights | 2,500 | 5,000
229.127 Cab lights | 2,500 | 5,000
229.129 Locomotive horn:
  (a) Prescribed sound levels | 2,500 | 5,000
      Arrangement of horn | 2,500 | 5,000
  (b) Failure to perform sound level test | 2,500 | 5,000
  (c) Sound level test improperly performed | 2,500 | 5,000
      Record of sound level test improperly executed, or not retained | 1,000 | 4,000
229.131 Sanders | 1,000 | 2,000
229.135 Event Recorders:
  (a) Lead locomotive without in-service event recorder | 2,500 | 5,000
  (b) Failure to meet equipment requirements | 2,500 | 5,000
  (c) Unauthorized removal or failure to remove from service | 2,500 | 5,000
  (d) Improper response to out of service event recorder | 2,500 | 5,000
  (e) Failure to preserve data or unauthorized extraction of data | 2,500 | 5,000
  (g) Tampering with device or data | 2,500 | 5,000
229.137 Sanitation, general:
  (a) Sanitation compartment in lead unit, complete failure to provide required items | $5,000 | $10,000
    (1) Ventilation | 2,500 | 5,000
    (2) Door missing | 2,000 | 4,000
    (2)(i) Door doesn't close | 1,000 | 2,000
    (2)(ii) No modesty lock | 1,000 | 2,000
    (3) Not equipped with toilet in lead | 5,000 | 10,000
    (4) Not equipped with washing system | 1,000 | 2,000
    (5) Lack of paper | 1,000 | 2,000
    (6) Lack of trash receptacle | 1,000 | 2,000
  (b) Exceptions:
    (1)(i) Commuter service, failure to meet conditions of exception | 2,500 | 5,000
    (1)(ii) Switching service, failure to meet conditions of exception | 2,500 | 5,000
    (1)(iii) Transfer service, failure to meet conditions of exception | 2,500 | 5,000
    (1)(iv) Class III, failure to meet conditions of exception | 2,500 | 5,000
    (1)(v) Tourist, failure to meet conditions of exception | 2,500 | 5,000
    (1)(vi) Control cab locomotive, failure to meet conditions of exception | 2,500 | 5,000
    (2) Noncompliant toilet | 5,000 | 10,000
  (c) Defective/unsanitary toilet in lead unit | 2,500 | 5,000
    (1-5) Failure to meet conditions of exception | 2,500 | 5,000
  (d) Defective/unsanitary unit; failure to meet conditions for trailing position | 2,500 | 5,000
  (e) Defective/sanitary unit; failure to meet conditions for switching/transfer service | 2,500 | 5,000
  (f) Paper, washing, trash holder; failure to equip prior to departure | 2,500 | 5,000
  (g) Inadequate ventilation; failure to repair or move prior to departure | 2,500 | 5,000
  (h) Door closure/modesty lock; failure to repair or move | 1,000 | 2,000
  (i) Failure to retain/maintain of equipped units | 2,500 | 5,000
  (j) Failure to equip new units/in-cab facility | 2,500 | 5,000
  (k) Failure to provide potable water | 2,500 | 5,000
229.139 Servicing requirements:
  (a) Lead occupied unit not sanitary | 2,500 | 5,000
  (b) Components not present/operating | 2,500 | 5,000
  (c) Occupied unit in switching, transfer service, in trailing position not sanitary | 2,500 | 5,000
  (d) Defective unit used more than 10 days | 2,500 | 5,000
  (e) Failure to repair defective modesty lock | 1,000 | 2,000
229.140 Alerters | 2,500 | 5,000
229.141 Body structure, MU locomotives | 2,500 | 5,000

------------------------------------------------------------------------

Subpart D--Locomotive Crashworthiness Design Requirements

229.205 General requirements:
  (a)(1) Wide-nose locomotive not designed in compliance with AAR S-580-2005 | $5,000 | $7,500
  (a)(2) Wide-nose locomotive not designed in compliance with new approved design standard | 5,000 | 7,500
  (a)(3) Wide-nose locomotive not designed in compliance with alternate approved design standard | 5,000 | 7,500
  (b) Monocoque or semi-monocoque locomotive not in compliance with design requirements | 5,000 | 7,500
  (c) Narrow-nose not in compliance with design requirements | 5,000 | 7,500
229.206 Design requirements: Locomotive fails to meet--
  (1) Emergency egress requirements | 2,500 | 5,000
  (2) Emergency interior lighting requirements | 2,500 | 5,000
  (3) Interior configuration requirements | 2,500 | 5,000
229.213 Locomotive manufacturing information:
  (a) Failure to retain required information | 2,500 | 5,000
  (b) Failure to produce required information | 2,500 | 5,000
229.215 Retention and inspection of designs:
  (a) Failure to retain required design records | 2,500 | 5,000
  (b) Failure to retain required repair or modification records | 2,500 | 5,000
  (c) Failure to make records available when requested | 2,500 | 5,000
229.217 Fuel tank:
  (a) External fuel tank | 5,000 | 7,500
  (b) Internal fuel tank | 5,000 | 7,500

------------------------------------------------------------------------

Subpart E--Locomotive Electronics

229.307 Safety analysis:
  (a) Failure to establish and maintain a safety analysis | 5,000 | 10,000
  (b) Failure to provide safety analysis upon request | 2,500 | 5,000
  (c) Failure to comply with safety analysis | 5,000-10,000 | 15,000
229.309 Safety-critical changes and failure:
  (a)(1) Failure to notify FRA | 1,000 | 2,000
  (a)(2) Failure to update safety analysis | 3,500 | 7,000
  (a)(4) Failure to notify manufacturer | 10,000 | 15,000
  (b) Failure to notify railroad | 10,000 | 15,000
  (c) Failure to establish and maintain program | 3,500 | 7,000
229.311 Review of SAs:
  (a) Failure to notify FRA | 1,000 | 2,000
  (b) Failure to report | 1,000 | 2,000
  (c) Failure to correct safety hazards | 5,000-10,000 | 15,000
  (d) Failure to final report | 1,000 | 2,000
229.313 Product testing results and records:
  (a) Failure to maintain records and database | 5,000 | 10,000
  (b) Incomplete testing records | 3,500 | 7,000
  (c) Improper signature | 3,500 | 7,000
229.315 Operations and maintenance manual:
  (a) Failure to implement and maintain manual | 5,000 | 10,000
  (c) Failure to document revisions | 5,000 | 10,000
  (d) Failure to follow plan | 5,000-10,000 | 15,000
229.317 Training and qualification program:
  (a) Failure to establish and implement program | 5,000 | 10,000
  (b) Failure to conduct training | 2,500 | 5,000
  (g) Failure to evaluate program | 2,500 | 5,000
  (h) Failure to maintain records | 1,500 | 3,000
229.319 Operating personnel training | 2,500 | 5,000

------------------------------------------------------------------------

[1] A penalty may be assessed against an individual only for a willful violation. Generally, when two or more violations of these regulations are discovered with respect to a single locomotive that is used by a railroad, the appropriate penalties set forth above are aggregated up to a maximum of $16,000 per day. However, a failure to perform, with respect to a particular locomotive, any of the inspections and tests required under subpart B of this part will be treated as a violation separate and distinct from, and in addition to, any substantive violative conditions found on that locomotive. Moreover, the Administrator reserves the right to assess a penalty of up to $105,000 for any violation where circumstances warrant. See 49 CFR part 209, appendix A.

Failure to observe any condition for movement set forth in Sec. 229.9 will deprive the railroad of the benefit of the movement-for-repair provision and make the railroad and any responsible individuals liable for penalty under the particular regulatory section(s) concerning the substantive defect(s) present on the locomotive at the time of movement. Failure to comply with Sec. 229.19 will result in the lapse of any affected waiver.

[53 FR 52931, Dec. 29, 1988, as amended at 58 FR 36615, July 8, 1993; 61 FR 8888, Mar. 6, 1996; 63 FR 11622, Mar. 10, 1998; 67 FR 16052, Apr. 4, 2002; 69 FR 30594, May 28, 2004; 70 FR 21920, Apr. 27, 2005; 70 FR 37942, June 30, 2005; 71 FR 36915, June 28, 2006; 71 FR 47667, Aug. 17, 2006; 71 FR 63136, Oct. 27, 2006; 72 FR 51197, Sept. 6, 2007; 73 FR 79703, Dec. 30, 2008; 77 FR 21351, Apr. 9, 2012; 77 FR 24421, Apr. 24, 2012]

Sec. Appendix C to Part 229--FRA Locomotive Standards--Code of Defects

Editorial Note: Appendix C, published at 45 FR 21121, Mar. 31, 1980, as part of the original document, is not carried in the CFR.

Sec. Appendix D to Part 229--Criteria for Certification of Crashworthy Event Recorder Memory Module

Section 229.135(b) requires that certain locomotives be equipped with an event recorder that includes a certified crashworthy event recorder memory module. This appendix prescribes the requirements for certifying an event recorder memory module (ERMM) as crashworthy, including the performance criteria and test sequence for establishing the crashworthiness of the ERMM as well as the marking of the event recorder containing the crashworthy ERMM.

A. General Requirements

1. Each manufacturer that represents its ERMM as crashworthy shall, by marking it as specified in Section B of this appendix, certify that the ERMM meets the performance criteria contained in this appendix and that test verification data are available to a railroad or to FRA upon request.

2. The test verification data shall contain, at a minimum, all pertinent original data logs and documentation that the test sample preparation, test set up, test measuring devices and test procedures were performed by designated, qualified personnel using recognized and acceptable practices. Test verification data shall be retained by the manufacturer or its successor as long as the specific model of ERMM remains in service on any locomotive.

3. A crashworthy ERMM shall be marked by its manufacturer as specified in Section B of this appendix.

B. Marking Requirements

1. The outer surface of the event recorder containing a certified crashworthy ERMM shall be colored international orange. In addition, the outer surface shall be inscribed, on the surface allowing the most visible area, in black letters on an international orange background, using the largest type size that can be accommodated, with the words CERTIFIED DOT CRASHWORTHY, followed by the ERMM model number (or other such designation), and the name of the manufacturer of the event recorder. This information may be displayed as follows:

CERTIFIED DOT CRASHWORTHY
Event Recorder Memory Module Model Number
Manufacturer's Name

Marking "CERTIFIED DOT CRASHWORTHY" on an event recorder designed for installation in a railroad locomotive is the certification that all performance criteria contained in this appendix have been met and all functions performed by, or on behalf of, the manufacturer whose name appears as part of the marking, conform to the requirements specified in this appendix.

2. Retro-reflective material shall be applied to the edges of each visible external surface of an event recorder containing a certified crashworthy ERMM.

C. Performance Criteria for the ERMM

An ERMM is crashworthy if it has been successfully tested for survival under conditions of fire, impact shock, static crush, fluid immersion, and hydro-static pressure contained in one of the two tables shown in this section of appendix D. (See Tables 1 and 2.) Each ERMM must meet the individual performance criteria in the sequence established in Section D of this appendix. A performance criterion is deemed to be met if, after undergoing a test established in this appendix D for that criterion, the ERMM has preserved all of the data stored in it. The data set stored in the ERMM to be tested shall include all the recording elements required by Sec. 229.135(b). The following tables describe alternative performance criteria that may be used when testing an ERMM's crashworthiness. A manufacturer may utilize either table during its testing but may not combine the criteria contained in the two tables.

Table 1--Acceptable Performance Criteria--Option A

----------------------------------------------------------------------------------------------------------------
Parameter | Value | Duration | Remarks
----------------------------------------------------------------------------------------------------------------
Fire, High Temperature | 750 C (1400 F) | 60 minutes | Heat source: Oven.
Fire, Low Temperature | 260 C (500 F) | 10 hours |
Impact Shock | 55g | 100 ms | 1/2 sine crash pulse.
Static Crush | 110kN (25,000 lbf) | 5 minutes |
Fluid Immersion | #1 Diesel, #2 Diesel, Water, Salt Water, Lube Oil | Any single fluid, 48 hours |
Fluid Immersion | Fire Fighting Fluid | 10 minutes, following immersion above | Immersion followed by 48 hours in a dry location without further disturbance.
Hydrostatic Pressure | Depth equivalent = 15 m (50 ft) | 48 hours at nominal temperature of 25 C (77 F) |
----------------------------------------------------------------------------------------------------------------

Table 2--Acceptable Performance Criteria--Option B

----------------------------------------------------------------------------------------------------------------
Parameter | Value | Duration | Remarks
----------------------------------------------------------------------------------------------------------------
Fire, High Temperature | 1000 C (1832 F) | 60 minutes | Heat source: Open flame.
Fire, Low Temperature | 260 C (500 F) | 10 hours | Heat source: Oven.
Impact Shock--Option 1 | 23g | 250 ms |
Impact Shock--Option 2 | 55g | 100 ms | 1/2 sine crash pulse.
Static Crush | 111.2kN (25,000 lbf) | 5 minutes |
Static Crush | 44.5kN (10,000 lbf) | (single "squeeze") | Applied to 25% of surface of largest face.
Fluid Immersion | #1 Diesel, #2 Diesel, Water, Salt Water, Lube Oil, Fire Fighting Fluid | 48 hours each |
Hydrostatic Pressure | 46.62 psig (= 30.5 m or 100 ft) | 48 hours at nominal temperature of 25 C (77 F) |
----------------------------------------------------------------------------------------------------------------

D. Testing Sequence

In order to reasonably duplicate the conditions an event recorder may encounter, the ERMM shall meet the various performance criteria, described in Section C of this appendix, in a set sequence. (See Figure 1). If all tests are done in the set sequence (single branch testing), the same ERMM must be utilized throughout. If a manufacturer opts for split branch testing, each branch of the test must be conducted using an ERMM of the same design type as used for the other branch. Both alternatives are deemed equivalent, and the choice of single branch testing or split branch testing may be determined by the party representing that the ERMM meets the standard.

[Figure 1 (graphic TR30JN05.002) not reproduced here.]

E. Testing Exception

If a new model ERMM represents an evolution or upgrade from an older model ERMM that was previously tested and certified as meeting the performance criteria contained in Section C of this appendix, the new model ERMM need only be tested for compliance with those performance criteria contained in Section C of this appendix that are potentially affected by the upgrade or modification. FRA will consider a performance criterion not to be potentially affected if a preliminary engineering analysis or other pertinent data establishes that the modification or upgrade will not change the performance of the older model ERMM against the performance criterion in question. The manufacturer shall retain and make available to FRA upon request any analysis or data relied upon to satisfy the requirements of this paragraph to sustain an exception from testing. [70 FR 37942, June 30, 2005]

Sec. Appendix E to Part 229--Performance Criteria for Locomotive Crashworthiness

This appendix provides performance criteria for the crashworthiness evaluation of alternative locomotive designs, and design standards for wide-nosed locomotives and for any other locomotive, except monocoque/semi-monocoque design locomotives and narrow-nose design locomotives. Each of the following criteria describes a collision scenario and a given performance measure for protection provided to cab occupants, normally through structural design. Demonstration that these performance criteria have been satisfied may be accomplished through any of the methods described in Sec. 229.205. These performance criteria are intended to prevent intrusion into the cab seating area occupied by crews. This excludes inner and outer vestibule areas.

(a) Front end structure (collision posts)--(1) Objective. The front end structure of the locomotive must withstand a frontal impact with a proxy object which is intended to simulate lading carried by a heavy highway vehicle (see figure 1).

(2) Proxy object characteristics and orientation. The proxy object must have the following characteristics: Cylindrical shape; 48-inch diameter; 126-inch length; 65,000 pound minimum weight; and uniform density. The longitudinal axis of the proxy object must be oriented horizontally perpendicular to the longitudinal axis of the locomotive.

(3) Impact and result. The front end structure of the locomotive must withstand a 30-mph impact with the proxy object resulting in no more than 24 inches of crush along the longitudinal axis of the locomotive, measured from the foremost point on the collision post, and with no more than 12 inches of intrusion into the cab. The center of impact must be 30 inches above the top of the locomotive underframe along the longitudinal centerline of the locomotive.

[Figure 1 (graphic TR28JN06.004) not reproduced here.]

(b) Front end structure (short hood)--(1) Objective. The front end structure of the locomotive must withstand an oblique impact with a proxy object intended to simulate an intermodal container offset from a freight car on an adjacent parallel track (see figure 2).

(2) Proxy object characteristics and orientation. The proxy object must have the following characteristics: Block shape; 36-inch width; 60-inch height; 108-inch length; corners having 3-inch radii; 65,000 pound minimum weight; and uniform density. The longitudinal axis of the proxy object must be oriented parallel to the longitudinal axis of the locomotive. At impact, the proxy object must be oriented such that there are 12 inches of lateral overlap and 30 inches from the bottom of the proxy object to the top of the locomotive underframe.

(3) Impact and results. The front end structure of the locomotive must withstand a 30-mph impact with the proxy object resulting in no more than 60 inches of crush along the longitudinal axis of the locomotive, measured from the first point of contact on the short hood post, and with no more than 12 inches of intrusion into the cab. [Figure 2: graphic omitted in this text] [71 FR 36915, June 28, 2006]

Sec. Appendix F to Part 229--Recommended Practices for Design and Safety Analysis

The purpose of this appendix is to provide recommended criteria for design and safety analysis that will maximize the safety of electronic locomotive control systems and mitigate potential negative safety effects. It seeks to promote full disclosure of potential safety risks to facilitate minimizing or eliminating elements of risk where practicable. It discusses critical elements of good engineering practice that the designer should consider when developing safety critical electronic locomotive control systems to accomplish this objective. The criteria and processes specified in this appendix are intended to minimize the probability of failure to an acceptable level within the limitations of the available engineering science, cost, and other constraints. Railroads procuring safety critical electronic locomotive controls are encouraged to ensure that their vendor addresses each of the elements of this appendix in the design of the product being procured. FRA uses the criteria and processes set forth in this appendix (or other technically equivalent criteria and processes that may be recommended by industry) when evaluating analyses, assumptions, and conclusions provided in the SA documents.

Definitions

In addition to the definitions contained in Sec. 229.305, the following definitions are applicable to this Appendix:

Hazard means an existing or potential condition that can result in an accident.

High degree of confidence, as applied to the highest level of aggregation, means there exists credible safety analysis supporting the conclusion that the risks associated with the product have been adequately mitigated.

Human factors refers to a body of knowledge about human limitations, human abilities, and other human characteristics, such as behavior and motivation, that shall be considered in product design.

Human-machine interface (HMI) means the interrelated set of controls and displays that allows humans to interact with the machine.

Risk means the expected probability of occurrence for an individual accident event (probability) multiplied by the severity of the expected consequences associated with the accident (severity).

Risk assessment means the process of determining, either quantitatively or qualitatively, the measure of risk associated with use of the product under all intended operating conditions.

System Safety Precedence means the order of precedence in which methods used to eliminate or control identified hazards within a system are implemented.

Validation means the process of determining whether a product's design requirements fulfill its intended design objectives during its development and life-cycle. The goal of the validation process is to determine ``whether the correct product was built.''

Verification means the process of determining whether the results of a given phase of the development cycle fulfill the validated requirements established at the start of that phase. The goal of the verification process is to determine ``whether the product was built correctly.''

Safety Assessments--Recommended Contents

The safety-critical assessment of each product should include all of its interconnected subsystems and components and, where applicable, the interaction between such subsystems. FRA recommends that such assessments contain the following:

(a) A complete description of the product, including a list of all product components and their physical relationship in the subsystem or system;

(b) A description of the railroad operation or categories of operations on which the product is designed to be used;

(c) An operational concepts document, including a complete description of the product functionality and information flows; as well as identifying which functions are intended to enhance or preserve safety and the manner in which the product architecture implements these functions;

(d) A safety requirements document, including a list with complete descriptions of all functions, which the product performs to enhance or preserve safety, and that describes the manner in which product architecture satisfies safety requirements;

(e) A hazard log consisting of a comprehensive description of all safety relevant hazards addressed during the life cycle of the product, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);

(f) A risk assessment and analysis.

(1) The risk metric for the proposed product should describe with a high degree of confidence the accumulated risk of a locomotive control system that operates over the intended product life. Each risk metric for the proposed product should be expressed with an upper bound, as estimated with a sensitivity analysis, and the risk value selected should be demonstrated to have a high degree of confidence.

(2) Each risk calculation should consider the totality of the locomotive control system and its method of operation. The failure modes of each subsystem or component, or both, should be determined for the integrated hardware/software (where applicable) as a function of the Mean Time to Hazardous Events (MTTHE), failure restoration rates, and the integrated hardware/software coverage of all processor based subsystems or components, or both. Train operating and movement rules, along with components that are layered in order to enhance safety-critical behavior, should also be considered.

(3) An MTTHE value should be calculated for each subsystem or component, or both, indicating the safety-critical behavior of the integrated hardware/software subsystem or component, or both. The human factor impact should be included in the assessment, whenever applicable, to provide an integrated MTTHE value. The MTTHE calculation should consider the rates of failures caused by permanent, transient, and intermittent faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased-interval maintenance, and restoration of the detected failures.

(4) The analysis should clearly document:

(i) Any assumptions regarding the reliability or availability of mechanical, electric, or electronic components. Such assumptions include MTTF projections, as well as Mean Time To Repair (MTTR) projections, unless the risk assessment specifically explains why these assumptions are not relevant. The analysis should document these assumptions in such a form as to permit later comparisons with in-service experience (e.g., a spreadsheet). The analysis should also document any assumptions regarding human performance. The documentation should be in a form that facilitates later comparisons with in-service experience.

(ii) Any assumptions regarding software defects. These assumptions should be in a form which permits the railroad to project the likelihood of detecting an in-service software defect and later comparisons with in-service experience.

(iii) All of the identified safety-critical fault paths leading to a mishap as predicted by the SA. The documentation should be in a form that facilitates later comparisons with in-service faults.

(5) MTTHE compliance verification and validation should be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety critical performance testing performed on the subsystem or component. The compliance process shall be demonstrated to be compliant and consistent with the MTTHE metric and demonstrated to have a high degree of confidence.

(6) The safety-critical behavior of all non-processor based components, which are part of a processor-based system or subsystem, should be quantified with an MTTHE metric. The MTTHE assessment methodology should consider failures caused by permanent, transient, and intermittent faults, phased-interval maintenance and restoration of failures, and the effect of fault coverage of each non-processor-based subsystem or component. The MTTHE compliance verification and validation should be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety critical performance testing performed on the subsystem or component. The non-processor based quantification compliance should also be demonstrated to have a high degree of confidence.

(g) A hazard mitigation analysis, including a complete and comprehensive description of all hazards to be addressed in the system design and development, mitigation techniques used, and system safety precedence followed;

(h) A complete description of the safety assessment and verification and validation processes applied to the product and the results of these processes;

(i) A complete description of the safety assurance concepts used in the product design, including an explanation of the design principles and assumptions; the designer should address each of the following safety considerations when designing and demonstrating the safety of products covered by this part. In the event that any of these principles are not followed, the analysis should describe both the reason(s) for departure and the alternative(s) utilized to mitigate or eliminate the hazards associated with the design principle not followed.

(1) Normal operation. The system (including all hardware and software) should demonstrate safe operation with no hardware failures under normal anticipated operating conditions with proper inputs and within the expected range of environmental conditions. All safety-critical functions should be performed properly under these normal conditions. Absence of specific operator actions or procedures will not prevent the system from operating safely. Hazards categorized as unacceptable should be eliminated by design. Best effort should also be made by the designer to eliminate hazards that are undesirable. Those undesirable hazards that cannot be eliminated must be mitigated to an acceptable level.

(2) Systematic failure. It should be shown how the product is designed to mitigate or eliminate unsafe systematic failures--those conditions which can be attributed to human error that could occur at various stages throughout product development. This includes unsafe errors in the software due to human error in the software specification, design or coding phase, or both; human errors that could impact hardware design; unsafe conditions that could occur because of an improperly designed human-machine interface; installation and maintenance errors; and errors associated with making modifications.

(3) Random failure. The product should be shown to operate safely under conditions of random hardware failure. This includes single as well as multiple hardware failures, particularly in instances where one or more failures could occur, remain undetected (latent) and react in combination with a subsequent failure at a later time to cause an unsafe operating situation. In instances involving a latent failure, a subsequent failure is similar to there being a single failure. In the event of a transient failure, and if so designed, the system should restart itself if it is safe to do so. Frequency of attempted restarts should be considered in the hazard analysis. There should be no single point failures in the product that can result in hazards categorized as unacceptable or undesirable. Occurrence of credible single point failures that can result in hazards shall be detected, and the product should achieve a known state that eliminates the possibility of false activation of any physical appliance. If one non-self-revealing failure combined with a second failure can cause a hazard that is categorized as unacceptable or undesirable, then the second failure should be detected and the product must achieve a known safe state that eliminates the possibility of false activation.
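The MTTHE quantities named in paragraph (f)(3) (failure rate, fault coverage, restoration of detected failures, phased-interval maintenance) and the latent-plus-second-failure path of paragraph (i)(3) can be tied together in a small Markov model; the following is an added example, not text or a method from the appendix. The 1oo2 two-channel layout, the exponential approximation of the proof-test interval, the "expected events = life/MTTHE" risk figure, and all sample rates are assumptions of this example.

```python
"""Added example, not part of 49 CFR Part 229 Appendix F.

Computes an MTTHE for two redundant safety channels (1oo2) from the
quantities Appendix F names in (f)(3): per-channel failure rate, fault
coverage, restoration rate of detected failures, and the proof-test
interval of phased-interval maintenance.  It then produces the
risk-over-life upper bound that (f)(1) asks for by a sensitivity sweep.
All model choices and numbers are assumptions of this example.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class SafetyChannel:
    lam: float                # per-channel failure rate, failures per hour
    coverage: float           # fraction of failures the diagnostics detect (0..1)
    mu: float                 # restoration rate of a detected failure, per hour
    proof_interval_h: float   # phased-interval maintenance period, hours


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def mtthe_1oo2(p: SafetyChannel) -> float:
    """Mean Time To Hazardous Event for two redundant channels (1oo2).

    Transient states: 0 = both channels healthy; 1 = one channel failed and
    detected (being restored at rate mu); 2 = one channel failed and latent.
    Both channels failed is the hazardous, absorbing state.  A latent failure
    is revealed by the next proof test, approximated as an exponential event
    with rate 1/proof_interval_h, after which it is restored like a detected one.
    This is the latent-plus-second-failure path of paragraph (i)(3).
    """
    lam, c, mu = p.lam, p.coverage, p.mu
    theta = 1.0 / p.proof_interval_h
    # Mean time to absorption m satisfies (-Q_T) m = 1, Q_T being the
    # generator restricted to the transient states.
    neg_q = [
        [2 * lam, -2 * lam * c, -2 * lam * (1 - c)],   # state 0: first failure
        [-mu,      mu + lam,     0.0],                  # state 1: restore or 2nd failure
        [0.0,     -theta,        theta + lam],          # state 2: proof test or 2nd failure
    ]
    return solve_linear(neg_q, [1.0, 1.0, 1.0])[0]


def risk_over_life(p: SafetyChannel, life_h: float, severity: float) -> float:
    """Accumulated risk = expected hazardous events over product life x severity.

    Expected events are approximated as life_h / MTTHE (an assumption here)."""
    return (life_h / mtthe_1oo2(p)) * severity


def sensitivity_bound(nominal, life_h, severity, lam_factors=(1.0, 2.0),
                      cov_deltas=(0.0, -0.1), mu_factors=(1.0, 0.5),
                      proof_factors=(1.0, 2.0)):
    """Sweep pessimistic variations of every parameter; return (max risk, params).

    The maximum over the sweep is the upper bound (f)(1) asks to be reported."""
    worst = (risk_over_life(nominal, life_h, severity), nominal)
    for lf, cd, mf, pf in product(lam_factors, cov_deltas, mu_factors, proof_factors):
        cand = replace(nominal, lam=nominal.lam * lf,
                       coverage=max(0.0, nominal.coverage + cd),
                       mu=nominal.mu * mf,
                       proof_interval_h=nominal.proof_interval_h * pf)
        r = risk_over_life(cand, life_h, severity)
        if r > worst[0]:
            worst = (r, cand)
    return worst


if __name__ == "__main__":
    # Constructed sample figures, not taken from any real product.
    nominal = SafetyChannel(lam=1e-5, coverage=0.9, mu=1 / 8.0,
                            proof_interval_h=8760.0)
    life_h = 30 * 8760.0      # 30-year product life
    severity = 1.0            # relative severity weight for this hazard class
    print(f"nominal MTTHE: {mtthe_1oo2(nominal):.3e} h")
    print(f"nominal risk over life: {risk_over_life(nominal, life_h, severity):.3e}")
    bound, worst = sensitivity_bound(nominal, life_h, severity)
    print(f"risk upper bound: {bound:.3e} with {worst}")
```

With the sample figures the latent-failure path dominates the hazard rate, which is why tightening the proof-test interval or raising coverage lengthens the MTTHE far more than faster restoration does.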

(4) Common Mode failure. Another concern of multiple failures involves common mode failure in which two or more subsystems or components intended to compensate one another to perform the same function all fail by the same mode and result in unsafe conditions. This is of particular concern in instances in which two or more elements (hardware or software, or both) are used in combination to ensure safety. If a common mode failure exists, then any analysis cannot rely on the assumption that failures are independent. Examples include: the use of redundancy in which two or more elements perform a given function in parallel and when one (hardware or software) element checks/monitors another element (of hardware or software) to help ensure its safe operation. Common mode failure relates to independence, which shall be ensured in these instances. When dealing with the effects of hardware failure, the designer should address the effects of the failure not only on other hardware, but also on the execution of the software, since hardware failures can greatly affect how the software operates.

(5) External influences. The product should operate safely when subjected to different external influences, including:

(i) Electrical influences such as power supply anomalies/transients, abnormal/improper input conditions (e.g., outside of normal range inputs relative to amplitude and frequency, unusual combinations of inputs) including those related to a human operator, and others such as electromagnetic interference or electrostatic discharges, or both;

(ii) Mechanical influences such as vibration and shock; and climatic conditions such as temperature and humidity.

(6) Modifications. Safety must be ensured following modifications to the hardware or software, or both. All or some of the concerns previously identified may be applicable depending upon the nature and extent of the modifications.

(7) Software. Software faults should not cause hazards categorized as unacceptable or undesirable.

(8) Closed Loop Principle. The product design should require positive action to be taken in a prescribed manner to either begin product operation or continue product operation.

(j) A human factors analysis, including a complete description of all human-machine interfaces, a complete description of all functions performed by humans in connection with the product to enhance or preserve safety, and an analysis of the physical ergonomics of the product on the operators and the safe operation of the system;

(k) A complete description of the specific training of railroad and contractor employees and supervisors necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the product;

(l) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, test, and modification of the product. These procedures, including calibration requirements, should be consistent with or explain deviations from the equipment manufacturer's recommendations;

(m) A complete description of the necessary security measures for the product over its life-cycle;

(n) A complete description of each warning to be placed in the Operations and Maintenance Manual and of all warning labels required to be placed on equipment as necessary to ensure safety;

(o) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;

(p) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (repair, replacement, adjustment) is performed;

(q) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, repairs, replacements, adjustments, and the system's resulting conditions, including records of component failures resulting in safety relevant hazards;

(r) A complete description of any safety-critical assumptions regarding availability of the product, and a complete description of all backup methods of operation; and

(s) The configuration/revision control measures designed to ensure that safety-functional requirements and safety-critical hazard mitigation processes are not compromised as a result of any change. Changes classified as maintenance require validation.

Guidance Regarding the Application of Human Factors in the Design of Products

The product design should sufficiently incorporate human factors engineering that is appropriate to the complexity of the product; the gender, educational, mental, and physical capabilities of the intended operators and maintainers; the degree of required human interaction with the component; and the environment in which the product will be used. HMI design criteria minimize negative safety effects by causing designers to consider human factors in the development of HMIs. As used in this discussion, ``designer'' means anyone who specifies requirements for--or designs a system or subsystem, or both, for--a product subject to this part, and ``operator'' means any human who is intended to receive information from, provide information to, or perform repairs or maintenance on a safety critical locomotive control product subject to this part.

I. FRA recommends that system designers should:

(a) Design systems that anticipate possible user errors and include capabilities to catch errors before they propagate through the system;

(b) Conduct cognitive task analyses prior to designing the system to better understand the information processing requirements of operators when making critical decisions;

(c) Present information that accurately represents or predicts system states; and

(d) Ensure that electronics equipment radio frequency emissions are compliant with appropriate Federal Communications Commission (FCC) regulations. The FCC rules and regulations are codified in Title 47 of the Code of Federal Regulations (CFR). The following documentation is applicable to obtaining FCC Equipment Authorization:

(1) OET Bulletin Number 61 (October 1992; supersedes May 1987 issue), FCC Equipment Authorization Program for Radio Frequency Devices. This document provides an overview of the equipment authorization program to control radio interference from radio transmitters and certain other electronic products and how to obtain an equipment authorization.

(2) OET Bulletin 63: (October 1993) Understanding The FCC Part 15 Regulations for Low Power, Non-Licensed Transmitters. This document provides a basic understanding of the FCC regulations for low power, unlicensed transmitters, and includes answers to some commonly-asked questions. This edition of the bulletin does not contain information concerning personal communication services (PCS) transmitters operating under Part 15, Subpart D of the rules.

(3) Title 47 Code of Federal Regulations Parts 0 to 19. The FCC rules and regulations governing PCS transmitters may be found in 47 CFR, Parts 0 to 19.

(4) OET Bulletin 62 (December 1993) Understanding The FCC Regulations for Computers and other Digital Devices. This document has been prepared to provide a basic understanding of the FCC regulations for digital (computing) devices, and includes answers to some commonly-asked questions.

II. Human factors issues designers should consider with regard to the general functioning of a system include:

(a) Reduced situational awareness and over-reliance. HMI design shall give an operator active functions to perform, feedback on the results of the operator's actions, and information on the automatic functions of the system as well as its performance. The operator shall be ``in-the-loop.'' Designers should consider at minimum the following methods of maintaining an active role for human operators:

(1) The system should require an operator to initiate action to operate the train and require an operator to remain ``in-the-loop'' for at least 30 minutes at a time;

(2) The system should provide timely feedback to an operator regarding the system's automated actions, the reasons for such actions, and the effects of the operator's manual actions on the system;

(3) The system should warn operators in advance when it will require an operator to take action;

(4) HMI design should equalize an operator's workload; and

(5) HMI design should not distract from the operator's safety related duties.

(b) Expectation of predictability and consistency in product behavior and communications. HMI design should accommodate an operator's expectation of logical and consistent relationships between actions and results. Similar objects should behave consistently when an operator performs the same action upon them. End users have a limited memory and ability to process information. Therefore, HMI design should also minimize an operator's information processing load.

(1) To minimize information processing load, the designer should:

(i) Present integrated information that directly supports the variety and types of decisions that an operator makes;

(ii) Provide information in a format or representation that minimizes the time required to understand and act; and

(iii) Conduct utility tests of decision aids to establish clear benefits such as processing time saved or improved quality of decisions.

(2) To minimize short-term memory load, the designer should integrate data or information from multiple sources into a single format or representation (``chunking'') and design so that three or fewer ``chunks'' of information need to be remembered at any one time. To minimize long-term memory load, the designer should design to support recognition memory, design memory aids to minimize the amount of information that should be recalled from unaided memory when making critical decisions, and promote active processing of the information.

(3) When creating displays and controls, the designer shall consider user ergonomics and should:

(i) Locate displays as close as possible to the controls that affect them;

(ii) Locate displays and controls based on an operator's position;

(iii) Arrange controls to minimize the need for the operator to change position;

(iv) Arrange controls according to their expected order of use;

(v) Group similar controls together;

(vi) Design for high stimulus-response compatibility (geometric and conceptual);

(vii) Design safety-critical controls to require more than one positive action to activate (e.g., auto stick shift requires two movements to go into reverse);

(viii) Design controls to allow easy recovery from error; and

(ix) Design display and controls to reflect specific gender and physical limitations of the intended operators.

(4) Detailed guidance on locomotive cab ergonomics and human-machine interfaces may be found in ``Human Factors Guidelines for Locomotive Cabs'' (FRA/ORD-98/03 or DOT-VNTSC-FRA-98-8).

(5) The designer should also address information management. To that end, HMI design should:

(i) Display information in a manner which emphasizes its relative importance;

(ii) Comply with the ANSI/HFS 100-2007, or more recent standard;

(iii) Utilize a display luminance that has a difference of at least 35 cd/m2 between the foreground and background (the displays should be capable of a minimum contrast of 3:1, with 7:1 preferred, and controls should be provided to adjust the brightness level and contrast level);

(iv) Display only the information necessary to the user;

(v) Where text is needed, use short, simple sentences or phrases with wording that an operator will understand and appropriate to the educational and cognitive capabilities of the intended operator;

(vi) Use complete words where possible; where abbreviations are necessary, choose a commonly accepted abbreviation or consistent method and select commonly used terms and words that the operator will understand;

(vii) Adopt a consistent format for all display screens by placing each design element in a consistent and specified location;

(viii) Display critical information in the center of the operator's field of view by placing items that need to be found quickly in the upper left hand corner and items which are not time-critical in the lower right hand corner of the field of view;

(ix) Group items that belong together;

(x) Design all visual displays to meet human performance criteria under monochrome conditions and add color only if it will help the user in performing a task, and use color coding as a redundant coding technique;

(xi) Limit the number of colors over a group of displays to no more than seven;

(xii) Design warnings to match the level of risk or danger with the alerting nature of the signal; and

(xiii) With respect to information entry, avoid full QWERTY keyboards for data entry.

(6) With respect to problem management, the HMI designer should ensure that the HMI design:

(i) enhances an operator's situation awareness;

(ii) supports response selection and scheduling; and

(iii) supports contingency planning.

(7) Designers should comply with FCC requirements for Maximum Permissible Exposure limits for field strength and power density for the transmitters operating at frequencies of 300 kHz to 100 GHz and specific absorption rate (SAR) limits for devices operating within close proximity to the body. The Commission's requirements are detailed in Parts 1 and 2 of the FCC's Rules and Regulations (47 CFR 1.1307(b), 1.1310, 2.1091, 2.1093). The FCC has a number of bulletins and supplements that offer guidelines and suggestions for evaluating compliance. These documents are not intended to establish mandatory procedures; other methods and procedures may be acceptable if based on sound engineering practice.

(i) OET Bulletin No. 65 (Edition 97-01, August 1997), ``Evaluating Compliance With FCC Guidelines For Human Exposure To Radio frequency Electromagnetic Fields'';

(ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997); and

(iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 2001). This bulletin provides assistance in determining whether proposed or existing transmitting facilities, operations, or devices comply with limits for human exposure to radio frequency (RF) fields adopted by the FCC.

Guidance for Verification and Validation of Products

The goal of this assessment is to provide an evaluation of the product manufacturer's utilization of safety design practices during the product's development and testing phases, as required by the applicable railroad's requirements, the requirements of this part, and any other previously agreed-upon controlling documents or standards. The standards employed for verification or validation, or both, of products shall be sufficient to support achievement of the applicable requirements of this part.

(a) The latest version of the following standards have been recognized by FRA as providing appropriate risk analysis processes for incorporation into verification and validation standards.

(1) U.S. Department of Defense Military Standard (MIL-STD) 882C, ``System Safety Program Requirements'' (January 19, 1993);

(2) The most recent CENELEC/IEC Standards as follows:

(i) EN 50126/IEC 62278, Railway Applications: Communications, Signaling, and Processing Systems Specification and Demonstration of Reliability, Availability, Maintainability and Safety (RAMS);

(ii) EN50128/IEC 62279, Railway Applications: Communications, Signaling, and Processing Systems Software for Railway Control and Protection Systems;

(iii) EN50129, Railway Applications: Communications, Signaling, and Processing Systems-Safety Related Electronic Systems for Signaling; and

(iv) EN50155, Railway Applications: Electronic Equipment Used in Rolling Stock.

(3) ATCS Specification 140, Recommended Practices for Safety and Systems Assurance.

(4) ATCS Specification 130, Software Quality Assurance.

(5) Safety of High Speed Ground Transportation Systems. Analytical Methodology for Safety Validation of Computer Controlled Subsystems. Volume II: Development of a Safety Validation Methodology. Final Report September 1995. Author: Jonathan F. Luedeke, Battelle. DOT/FRA/ORD-95/10.2.

(6) IEC 61508 (International Electrotechnical Commission), Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems (E/E/PE), Parts 1-7 as follows:

(i) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements;

(ii) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems;

(iii) IEC 61508-3 (1998-12) Part 3: Software requirements and IEC 61508-3 Corr.1(1999-04) Corrigendum 1-Part3: Software requirements;

(iv) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations and IEC 61508-4 Corr.1(1999-04) Corrigendum 1-Part 4: Definitions and abbreviations;

(v) IEC 61508-5 (1998-12) Part 5: Examples of methods for the determination of safety integrity levels and IEC 61508-5 Corr.1 (1999-04) Corrigendum 1 Part 5: Examples of methods for determination of safety integrity levels;

(vi) IEC 61508-6 (2000-04) Part 6: Guidelines on the applications of IEC 61508-2 and -3; and,

(vii) IEC 61508-7 (2000-03) Part 7: Overview of techniques and measures.

(7) ANSI/GEIA-STD-0010: Standard Best Practices for System Safety Program Development and Execution.

(b) When using unpublished standards, including proprietary standards, the standards should be available for inspection and replication by the railroad and FRA and should be available for public examination.

(c) Third party assessments. The railroad, the supplier, or FRA may conclude it is necessary for a third party assessment of the system. A third party assessor should be ``independent''. An ``independent third party'' means a technically competent entity responsible to and compensated by the railroad (or an association on behalf of one or more railroads) that is independent of the supplier of the product. An entity that is owned or controlled by the supplier, that is under common ownership or control with the supplier, or that is otherwise involved in the development of the product would not be considered ``independent''.

(1) The reviewer should not engage in design efforts, in order to preserve the reviewer's independence and maintain the supplier's proprietary right to the product. The supplier should provide the reviewer access to any, and all, documentation that the reviewer requests and attendance at any design review or walk through that the reviewer determines as necessary to complete and accomplish the third party assessment. Representatives from FRA or the railroad might accompany the reviewer.

(2) Third party reviews can occur at a preliminary level, a functional level, or an implementation level. At the preliminary level, the reviewer should evaluate with respect to safety, and comment on, the adequacy of the processes that the supplier applies to the design and development of the product. At a minimum, the reviewer should compare the supplier processes with industry best practices to determine if the vendor methodology is acceptable and employ any other such tests or comparisons if they have been agreed to previously with the railroad or FRA. Based on these analyses, the reviewer shall identify and document any significant safety vulnerabilities that are not adequately mitigated by the supplier's (or user's) processes. At the functional level, the reviewer evaluates the adequacy and comprehensiveness of the safety analysis, and of any other documents pertinent to the product being assessed, for completeness, correctness, and compliance with applicable standards. This includes, but is not limited to, the Preliminary Hazard Analysis (PHA), the Hazard Log (HL), all Fault Tree Analyses (FTA), all Failure Mode and Effects Criticality Analyses (FMECA), and other hazard analyses. At the implementation level, the reviewer randomly selects various safety-critical software modules for audit to verify whether the system process and design requirements were followed. The number of modules audited shall be determined as a representative number sufficient to provide confidence that all un-audited modules were developed in a similar manner as the audited modules. During this phase the reviewer would also evaluate and comment on the adequacy of the plan for installation and test of the product for revenue service.

(d) Reviewer Report. Upon completion of an assessment, the reviewer prepares a final report of the assessment. The report should contain the following information:

(1) The reviewer's evaluation of the adequacy of the risk analysis, including the supplier's MTTHE and risk estimates for the product, and the supplier's confidence interval in these estimates;

(2) Product vulnerabilities which the reviewer felt were not adequately mitigated, including the method by which the railroad would assure product safety in the event of a hardware or software failure (i.e., how does the railroad or vendor assure that all potentially hazardous failure modes are identified?) and the method by which the railroad or vendor addresses comprehensiveness of the product design for the requirements of the operations it will govern (i.e., how does the railroad and/or vendor assure that all potentially hazardous operating circumstances are identified? Who records any deficiencies identified in the design process? Who tracks the correction of these deficiencies and confirms that they are corrected?);

(3) A clear statement of position for all parties involved for each product vulnerability cited by the reviewer;

(4) Identification of any documentation or information sought by the reviewer that was denied, incomplete, or inadequate;

(5) A listing of each design procedure or process which was not properly followed;

(6) Identification of the software verification and validation procedures for the product's safety-critical applications, and the reviewer's evaluation of the adequacy of these procedures;

(7) Methods employed by the product manufacturer to develop safety-critical software, such as use of structured language, code checks, modularity, or other similar generally acceptable techniques; and

(8) Methods by which the supplier or railroad addresses comprehensiveness of the product design which considers the safety elements. [77 FR 21352, Apr. 9, 2012]

Sec. Appendix G to Part 229 [Reserved]

Sec. Appendix H to Part 229--Static Noise Test Protocols--In-Cab Static

This appendix prescribes the procedures for the in-cab static measurements of locomotives.

I. Measurement Instrumentation

The instrumentation used should conform to the following: An integrating-averaging sound level meter shall meet all the requirements of ANSI S1.43-1997 (Reaffirmed 2002), ``Specifications for Integrating-Averaging Sound Level Meters,'' for a Type 1 Instrument. In the event that a Type 1 instrument is not available, the measurements may be conducted with a Type 2 instrument. The acoustic calibrator shall meet the requirement of the ANSI S1.40-1984 (Reaffirmed 2001), ``Specification for Acoustical Calibrators.'' The Director of the Federal Register approves the incorporation by reference of ANSI S1.43-1997 (Reaffirmed 2002) and ANSI S1.40-1984 (Reaffirmed 2001) in this section in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. You may obtain a copy of the incorporated standards from the American National Standards Institute at 1819 L Street, NW., Washington, DC 20036 or http://www.ansi.org. You may inspect a copy of the incorporated standards at the Federal Railroad Administration, Docket Room, 1200 New Jersey Avenue, SE., Washington, DC 20950, or at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030, or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html

II. Test Site Requirements

The test site shall meet the following requirements:

(1) The locomotive to be tested should not be positioned where large reflective surfaces are directly adjacent to or within 25 feet of the locomotive cab.

(2) The locomotive to be tested should not be positioned where other locomotives or rail cars are present on directly adjacent tracks next to or within 25 feet of the locomotive cab.

(3) All windows, doors, cabinet seals, etc., must be installed in the locomotive cab and be closed.

(4) The locomotive must be running for sufficient time before the test to be at normal operating temperature.

(5) The heating, ventilation and air conditioning (HVAC) system or a dedicated heating or air conditioner system must be operating on high, and the vents must be open and unobstructed.

(6) The locomotive shall not be tested in any site specifically designed to artificially lower in-cab noise levels.

III. Procedures for Measurement

(1) LAeq, T is defined as the A-weighted, equivalent sound level for a duration of T seconds, and the sound level meter shall be set for A-weighting with slow response.

(2) The sound level meter shall be calibrated with the acoustic calibrator immediately before and after the in-cab static tests. The calibration levels shall be recorded.

(3) Any change in the before and after calibration level(s) shall be less than 0.5 dB.

(4) The sound level meter shall be measured at each of the following locations:

(A) 30 inches above the center of the left seat;

(B) Centered in the middle of the cab between the right and left seats, and 56 inches above the floor;

(C) 30 inches above the center of the right seat; and

(D) One foot (0.3 meters) from the center of the back interior wall of the cab and 56 inches above the floor. See Figure 1 (figure not reproduced here).

(5) The observer shall stand as far from the microphone as possible. No more than two people (tester, observers or crew members) shall be inside the cab during measurements.

(6) The locomotive shall be tested under self-loading conditions if so equipped. If the locomotive is not equipped with self load, the locomotive shall be tested with no-load (No-load defined as maximum RPM--no electric load) and an adjustment of 3 dB added to the measured level.

(7) The sound level shall be recorded at the highest horsepower or throttle setting.

(8) After the engine speed has become constant and the in-cab noise is continuous, LAeq, T shall be measured, either directly or using a 1 second sampling interval, for a minimum duration of 30 seconds at each measurement position (LAeq, 30s).

(9) The highest LAeq, 30s of the 4 measurement positions shall be used for determining compliance with Sec. 229.121(a).

(10) A locomotive that has failed to meet the static test requirements of this regulation may be re-tested in accordance with the requirements in section II of this appendix.
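As an added worked example (not part of this appendix or any FRA material), the following Python applies steps III(3), III(6), III(8) and III(9) to constructed sample readings: it energy-averages 1-second A-weighted samples into LAeq,30s per position, adds the 3 dB no-load adjustment, checks calibration drift, and selects the governing position. The numeric limit in Sec. 229.121(a) is not restated in this appendix, so it is passed in as a placeholder parameter.

```python
import math

def laeq(samples_db):
    """Energy-average 1-second A-weighted levels (dB) into LAeq,T (III(1), III(8))."""
    if len(samples_db) < 30:  # III(8): minimum 30 seconds per measurement position
        raise ValueError("need at least 30 one-second samples")
    mean_energy = sum(10.0 ** (l / 10.0) for l in samples_db) / len(samples_db)
    return 10.0 * math.log10(mean_energy)

def calibration_drift_ok(before_db, after_db):
    """III(3): before/after calibrator readings must differ by less than 0.5 dB."""
    return abs(before_db - after_db) < 0.5

def evaluate_static_test(position_samples, cal_before, cal_after, self_loading, limit_db):
    """Apply III(3), III(6), III(8) and III(9) to samples from positions A-D.

    position_samples: {"A": [...], "B": [...], "C": [...], "D": [...]} in dB(A).
    limit_db is a caller-supplied placeholder for the Sec. 229.121(a) limit,
    which this appendix does not restate (assumption, not from the text).
    """
    if set(position_samples) != {"A", "B", "C", "D"}:
        raise ValueError("all four measurement positions are required (III(4))")
    levels = {pos: laeq(s) for pos, s in position_samples.items()}
    adjustment = 0.0 if self_loading else 3.0  # III(6): +3 dB when tested at no-load
    adjusted = {pos: lvl + adjustment for pos, lvl in levels.items()}
    governing = max(adjusted, key=adjusted.get)  # III(9): highest of the 4 positions
    cal_ok = calibration_drift_ok(cal_before, cal_after)
    return {
        "calibration_ok": cal_ok,
        "laeq_30s": levels,
        "adjustment_db": adjustment,
        "governing_position": governing,
        "governing_level_db": adjusted[governing],
        "compliant": cal_ok and adjusted[governing] <= limit_db,
    }

# Constructed sample readings (not real measurements): 30 one-second samples per position.
SAMPLE_POSITIONS = {
    "A": [82.0] * 30,
    "B": [80.0, 86.0] * 15,   # fluctuating level: energy average, not arithmetic mean
    "C": [84.0] * 30,
    "D": [81.0] * 30,
}

if __name__ == "__main__":
    r = evaluate_static_test(SAMPLE_POSITIONS, 114.0, 114.2, self_loading=False, limit_db=85.0)
    for pos, lvl in sorted(r["laeq_30s"].items()):
        print(f"position {pos}: LAeq,30s = {lvl:.1f} dB(A)")
    print(f"governing {r['governing_position']} at {r['governing_level_db']:.1f} dB(A) after "
          f"+{r['adjustment_db']:.0f} dB no-load adjustment; compliant: {r['compliant']}")
```

Note that position B's LAeq,30s (about 84.0 dB) is above the arithmetic mean of its samples (83 dB), which is why the energy average in III(1) is required rather than a simple average.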

IV. Recordkeeping

To demonstrate compliance, the entity conducting the test shall maintain records of the following data. The records created under this procedure shall be retained and made readily accessible for review for a minimum of three years. All records may be maintained in either written or electronic form.

(1) Name(s) of persons conducting the test, and the date of the test.

(2) Description of locomotive being tested, including: make, model number, serial number, and date of manufacture.

(3) Description of sound level meter and calibrator, including: make, model, type, serial number, and manufacturer's calibration date.

(4) The recorded measurement during calibration and for each microphone location during operating conditions.

(5) Other information as appropriate to describe the testing conditions and procedure, including whether the locomotive was tested under self-loading conditions.

(6) Where a locomotive fails a test and is re-tested under the provisions of Sec. III(9) of this appendix, the suspected reason(s) for the failure. [71 FR 63136, Oct. 27, 2006, as amended at 74 FR 25174, May 27, 2009]