236.909—Minimum performance standard.
(a) What is the minimum performance standard for products covered by this subpart?
The safety analysis included in the railroad's PSP must establish with a high degree of confidence that introduction of the product will not result in risk that exceeds the previous condition. The railroad shall determine, prior to filing its petition for approval or informational filing, that this standard has been met and shall make available the necessary analyses and documentation as provided in this subpart.
(b) How does FRA determine whether the PSP requirements for products covered by subpart H have been met?
With respect to any FRA review of a PSP, the Associate Administrator for Safety independently determines whether the railroad's safety case establishes with a high degree of confidence that introduction of the product will not result in risk that exceeds the previous condition. In evaluating the sufficiency of the railroad's case for the product, the Associate Administrator for Safety considers, as applicable, the factors pertinent to evaluation of risk assessments, listed in § 236.913(g)(2).
(c) What is the scope of a full risk assessment required by this section?
A full risk assessment performed under this subpart must address the safety risks affected by the introduction, modification, replacement, or enhancement of a product. This includes risks associated with the previous condition which are no longer present as a result of the change, new risks not present in the previous condition, and risks neither newly created nor eliminated whose nature (probability of occurrence or severity) is nonetheless affected by the change.
(d) What is an abbreviated risk assessment, and when may it be used?
(1)
An abbreviated risk assessment may be used in lieu of a full risk assessment to show compliance with the performance standard if:
(ii)
Severity of each hazard associated with the previous condition does not increase from the previous condition; and
(2)
An abbreviated risk assessment supports the finding required by paragraph (a) of this section if it establishes that the resulting MTTHE for the proposed product is greater than or equal to the MTTHE for the system, component or method performing the same function in the previous condition. This determination must be supported by credible safety analysis sufficient to persuade the Associate Administrator for Safety that the likelihood of the new product's MTTHE being less than the MTTHE for the system, component, or method performing the same function in the previous condition is very small.
(3)
Alternatively, an abbreviated risk assessment supports the finding required by paragraph (a) of this section if:
(i)
The probability of failure for each hazard of the product is equal to or less the corresponding recommended Specific Quantitative Hazard Probability Ratings classified as more favorable than “undesirable” by AREMA Manual Part 17.3.5 (Recommended Procedure for Hazard Identification and Management of Vital Electronic/Software-Based Equipment Used in Signal and Train Control Applications), or—in the case of a hazard classified as undesirable—the Associate Administrator for Safety concurs that mitigation of the hazard within the framework of the electronic system is not practical and the railroad proposes reasonable steps to undertake other mitigation. The Director of the Federal Register approves the incorporation by reference of the entire AREMA Communications and Signal Manual, Volume 4, Section 17 —Quality Principles (2005) in this section in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. You may obtain a copy of the incorporated standard from American Railway Engineering and Maintenance of Way Association, 8201 Corporation Drive, Suite 1125, Landover, MD 20785-2230. You may inspect a copy of the incorporated standard at the Federal Railroad Administration, Docket Clerk, 1200 New Jersey Avenue, SE., or at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030, or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html ;
(A)
AREMA Manual Part 17.3.1 (Communications and Signal Manual of Recommended Practices, Recommended Safety Assurance Program for Electronic/Software Based Products Used in Vital Signal Applications);
(B)
AREMA Manual Part 17.3.3 (Communications and Signal Manual of Recommended Practices, Recommended Practice for Hardware Analysis for Vital Electronic/Software-Based Equipment Used in Signal and Train Control Applications);
(C)
AREMA Manual Part 17.3.5 (Communications and Signal Manual of Recommended Practices, Recommended Practice for Hazard Identification and Management of Vital Electronic/Software-Based Equipment Used in Signal and Train Control Applications);
(iii)
Analysis supporting the PSP suggests no credible reason for believing that the product will be less safe than the previous condition.
(e) How are safety and risk measured for the full risk assessment?
Risk assessment techniques, including both qualitative and quantitative methods, are recognized as providing credible and useful results for purposes of this section if they apply the following principles:
(1)
Safety levels must be measured using competent risk assessment methods and must be expressed as the total residual risk in the system over its expected life-cycle after implementation of all mitigating measures described in the PSP. The total risk assessment must have a supporting sensitivity analysis. The analysis must confirm that the risk metrics of the system are not negatively affected by sensitivity analysis input parameters including, for example, component failure rates, human factor error rates, and variations in train traffic affecting exposure. In this context, “negatively affected” means that the final residual risk metric does not exceed that of the base case or that which has been otherwise established through MTTHE target. The sensitivity analysis must document the sensitivity to worst case failure scenarios. Appendix B to this part provides criteria for acceptable risk assessment methods. Other methods may be acceptable if demonstrated to the satisfaction of the Associate Administrator for Safety to be equally suitable.
(2)
For the previous condition and for the life-cycle of the product, risk levels must be expressed in units of consequences per unit of exposure.
(i)
In all cases exposure must be expressed as total train miles traveled per year over the relevant railroad infrastructure. Consequences must identify the total cost, including fatalities, injuries, property damage, and other incidental costs, such as potential consequences of hazardous materials involvement, resulting from preventable accidents associated with the function(s) performed by the system.
(ii)
In those cases where there is passenger traffic, a second risk metric must be calculated, using passenger-miles traveled per year as the exposure, and total societal costs of passenger injuries and fatalities, resulting from preventable accidents associated with the function(s) performed by the system, as the consequences.
(3)
If the description of railroad operations for the product required by § 236.907(a)(2) involves changes to the physical or operating conditions on the railroad prior to or within the expected life cycle of the product subject to review under this subpart, the previous condition shall be adjusted to reflect the lower risk associated with systems needed to maintain safety and performance at higher speeds or traffic volumes. In particular, the previous condition must be adjusted for assumed implementation of systems necessary to support higher train speeds as specified in § 236.0, as well as other changes required to support projected increases in train operations. The following specific requirements apply:
(i)
If the current method of operation would not be adequate under § 236.0 for the proposed operations, then the adjusted previous condition must include a system as required under § 236.0, applied as follows:
(A)
The minimum system where a passenger train is operated at a speed of 60 or more miles per hour, or a freight train is operated at a speed of 50 or more miles per hour, shall be a traffic control system;
(B)
The minimum system where a train is operated at a speed of 80 or more miles per hour, but not more than 110 miles per hour, shall be an automatic cab signal system with automatic train control; and
(C)
The minimum system where a train is operated at a speed of more than 110 miles per hour shall be a system determined by the Associate Administrator for Safety to provide an equivalent level of safety to systems required or authorized by FRA for comparable operations.
(ii)
If the current method of operation would be adequate under § 236.0 for the proposed operations, but the current system is not at least as safe as a traffic control system, then the adjusted previous condition must include a traffic control system in the event of any change that results in:
(B)
An increase in the annual average daily density of passenger trains of more than four trains per day.
(iii)
Paragraph (e)(3)(ii)(A) of this section shall apply in all situations where train volume will exceed more than 20 trains per day but shall not apply to situations where train volume will exceed 12 trains per day but not exceed 20 trains per day, if in its PSP the railroad makes a showing sufficient to establish, in the judgment of the Associate Administrator for Safety, that the current method of operation is adequate for a specified volume of traffic in excess of 12 trains per day, but not more than 20 trains per day, without material delay in the movement of trains over the territory and without unreasonable expenditures to expedite those movements when compared with the expense of installing and maintaining a traffic control system.
(4)
In the case review of a PSP that has been consolidated with a proceeding pursuant to part 235 of this subchapter (see § 236.911(b) ), the base case shall be determined as follows:
(i)
If FRA determines that discontinuance or modification of the system should be granted without regard to whether the product is installed on the territory, then the base case shall be the conditions that would obtain on the territory following the discontinuance or modification. Note: This is an instance in which the base case is posited as greater risk than the actual (unadjusted) previous condition because the railroad would have obtained relief from the requirement to maintain the existing signal or train control system even if no new product had been proffered.
(ii)
If FRA determines that discontinuance or modification of the system should be denied without regard to whether the product is installed on the territory, then the base case shall remain the previous condition (unadjusted).
(iii)
If, after consideration of the application and review of the PSP, FRA determines that neither paragraph (e)(4)(i) nor paragraph (e)(4)(ii) of this section should apply, FRA will establish a base case that is consistent with safety and in the public interest.
[70 FR 11095, Mar. 7, 2005, as amended at 74 FR 25174, May 27, 2009; 75 FR 2699, Jan. 15, 2010]