Locomotive Safety Standards, 21312-21357 [2012-7995]

Agencies

• Federal Railroad Administration
• DEPARTMENT OF TRANSPORTATION

[Federal Register Volume 77, Number 68 (Monday, April 9, 2012)]
[Rules and Regulations]
[Pages 21312-21357]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-7995]



[[Page 21311]]

Vol. 77

Monday,

No. 68

April 9, 2012

Part IV





Department of Transportation





-----------------------------------------------------------------------





Federal Railroad Administration





-----------------------------------------------------------------------





49 CFR Parts 229 and 238





Locomotive Safety Standards; Final Rule

Federal Register / Vol. 77, No. 68 / Monday, April 9, 2012 / Rules 
and Regulations

[[Page 21312]]


-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Federal Railroad Administration

49 CFR Parts 229 and 238

[Docket No. FR-2009-0095; Notice No. 3]
RIN 2130-AC16


Locomotive Safety Standards

AGENCY: Federal Railroad Administration (FRA), Department of 
Transportation (DOT).

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: FRA is revising the existing regulations containing Railroad 
Locomotive Safety Standards. The revisions update, consolidate, and 
clarify the existing regulations. The final rule incorporates existing 
industry and engineering best practices related to locomotives and 
locomotive electronics. This includes the development of a safety 
analysis for new locomotive electronic systems. FRA believes this final 
rule will modernize and improve its safety regulatory program related 
to locomotives. In accordance with the requirements of the Executive 
Order 13563 (E.O. 13563), this final rule also modifies the existing 
locomotive safety standards based on what has been learned from FRA's 
retrospective review of the regulation. As a result, FRA is reducing 
the burden on the industry by modifying the regulations related to 
periodic locomotive inspection and headlights.

DATES: This final rule is effective June 8, 2012. Petitions for 
reconsideration must be received on or before June 8, 2012. Petitions 
for reconsideration will be posted in the docket for this proceeding. 
Comments on any submitted petition for reconsideration must be received 
on or before July 23, 2012.

ADDRESSES: Petitions for reconsideration or comments on such petitions: 
Any petitions and any comments to petitions related to Docket No. FRA-
2009-0095, may be submitted by any of the following methods: Web site: 
Federal eRulemaking Portal, https://www.regulations.gov. Follow the 
online instructions for submitting comments.
     Fax: 202-493-2251.
     Mail: Docket Management Facility, U.S. Department of 
Transportation, 1200 New Jersey Avenue SE., W12-140, Washington, DC 
20590.
     Hand Delivery: Room W12-140 on the Ground level of the 
West Building, 1200 New Jersey Avenue SE., W12-140, Washington, DC 
between 9 a.m. and 5 p.m. Monday through Friday, except Federal 
holidays.
     Federal eRulemaking Portal: Go to https://www.regulations.gov. Follow the online instructions for submitting 
comments.
    Instructions: All submissions must include the agency name and 
docket number or Regulatory Identification Number (RIN) for this 
rulemaking. Note that all comments received will be posted without 
change to https://www.regulations.gov including any personal 
information. Please see the Privacy Act heading in the SUPPLEMENTARY 
INFORMATION section of this document for Privacy Act information 
related to any submitted comments or materials.
    Docket: For access to the docket to read background documents or 
comments received, go to https://www.regulations.gov at any time or to 
Room W12-140 on the Ground level of the West Building, 1200 New Jersey 
Avenue SE., Washington, DC between 9 a.m. and 5 p.m. Monday through 
Friday, except Federal holidays.

FOR FURTHER INFORMATION CONTACT: Charles Bielitz, Office of Safety 
Assurance and Compliance, Motive Power & Equipment Division, RRS-14, 
Federal Railroad Administration, 1200 New Jersey Avenue SE., 
Washington, DC (telephone 202-493-6314, email charles.bielitz@dot.gov), 
or Michael Masci, Trial Attorney, Office of Chief Counsel, Federal 
Railroad Administration, 1200 New Jersey Avenue SE., Washington, DC 
(telephone 202-493-6037).

SUPPLEMENTARY INFORMATION:

I. Executive Summary
II. Statutory and Regulatory Background
III. Railroad Safety Advisory Committee (RSAC) Overview
IV. Proceedings to Date
V. General Overview of Final Rule Requirements
    A. Remote Control Locomotives
    B. Electronic Recordkeeping
    C. Brake Maintenance
    D. Brakes, General
    E. Locomotive Cab Temperature
    F. Headlights
    G. Alerters
    H. Locomotive Electronics
    I. Periodic Locomotive Inspection
    J. Rear End Markers
    K. Locomotive Horn
    L. Risk Analysis Standardization and Harmonization
    M. Locomotive Cab Securement
    N. Diesel Exhaust in Locomotive Cabs
    O. Federalism Implications
    P. E.O. 13563 Retrospective Review
VI. Section-by-Section Analysis
    A. Amendments to Part 229 Subparts A, B, and C
    B. Part 229 Subpart E--Locomotive Electronics
    C. Amendments to Part 238
VII. Regulatory Impact and Notices
    A. Executive Orders 12866, 13563, and DOT Regulatory Policies 
and Procedures
    B. Regulatory Flexibility Act and Executive Order 13272
    C. Paperwork Reduction Act
    D. Federalism Implications
    E. Environmental Impact
    F. Unfunded Mandates Reform Act of 1995
    G. Privacy Act

I. Executive Summary

    The requirements that are being established by this final rule are 
based on: existing waivers that have been granted by FRA's Safety 
Board; existing clarifications of requirements that are currently being 
enforced; new developments in technology related to locomotives; and in 
part, on a Railroad Safety Advisory Committee recommendation. On 
February 22, 2006, FRA presented, and the RSAC accepted, the task of 
reviewing existing locomotive safety needs and recommending 
consideration of specific actions useful to advance the safety of rail 
operations. The RSAC established the Locomotive Safety Standards 
Working Group (Working Group) to handle this task. The Working Group 
met twelve times between October 30, 2006, and April 16, 2009. The 
Working Group successfully reached consensus on the following 
locomotive safety issues: locomotive brake maintenance, pilot height, 
headlight operation, danger markings placement, load meter settings, 
reorganization of steam generator requirements, and the establishment 
locomotive electronics requirements based on industry best practices. 
The full RSAC voted to recommend the consensus issues to FRA on 
September 10, 2009.
    The Working Group did not reach consensus on several locomotive 
safety issues. Thus, FRA independently developed a proposal containing 
requirements related to: remote control locomotives, alerters, 
locomotive cab securement, equipping new and remanufactured locomotive 
cabs with air conditioning units, and a minimum permissible locomotive 
cab temperature. FRA also independently developed a proposal for 
locomotive securement. FRA has incorporated the Working Group's views 
to the extent possible.
    In accordance with the requirements of E.O. 13563, this final rule 
also modifies the existing locomotive safety standards based on what 
has been learned from FRA's retrospective review of the regulation. 
E.O. 13563 requires agencies to review existing regulations to identify 
rules that are overly burdensome, and when possible, modify them to 
reduce the burden. As a result its retrospective review, FRA is 
reducing the burden on the industry by

[[Page 21313]]

modifying the regulations related to periodic locomotive inspection and 
headlights. FRA believes that the modifications related to periodic 
locomotive inspection and headlights in this final rule will not reduce 
safety.

Overview of Final Rule Requirements

Remote Control Locomotives
    The rule related to remote control locomotives includes design and 
operation requirements, as well as, inspection, testing, and repair 
requirements. FRA's Remote Control Locomotive Safety Advisory, 
published in 2001, is the basis for the requirements. All of the major 
railroads have adopted the recommendations contained in the advisory, 
with only slight modifications to suit their individual operations, and 
the Association of American Railroads (AAR) issued an industry standard 
that adopted the most significant requirements of the Safety Advisory. 
During several productive meetings, the Working Group identified many 
areas of agreement regarding the regulation of remote control 
locomotive equipment. On issues that produced disagreement, FRA 
gathered useful information. Informed by the Working Group discussions 
and the comments to the NPRM related to this proceeding, this final 
rule will codify the industry's best practices related to the use and 
operation of remote control locomotives.
Electronic Recordkeeping
    The development and improved capability of electronic recordkeeping 
systems has led to the potential for safe electronic maintenance of 
records required by part 229. Since April 3, 2002, FRA has granted a 
series of waivers permitting electronic recordkeeping with certain 
conditions intended to ensure the safety, security and accessibility of 
such systems. See FRA-2001-11014. Based on the information gathered 
under the experiences of utilizing the electronic records permitted 
under these existing waivers, the Working Group discussed, and agreed 
to, generally applicable requirements for electronic recordkeeping 
systems. This final rule will establish generally applicable 
requirements based on the Working Group's recommendation.
Brake Maintenance
    The revisions to locomotive air brake maintenance are based on this 
extensive history of study and testing. Over the last several decades, 
FRA has granted several conditional waivers extending the air brake 
cleaning, repair, and test requirements of Sec. Sec.  229.27 and 
229.29. These extensions were designed to accommodate testing of the 
reliability of electronic brake systems and other brake system 
components, with the intent of moving toward performance based test 
criterion with components being replaced or repaired based upon their 
reliability. This final rule will establish generally applicable 
requirements based on the Working Group's recommendation.
Brakes, General
    At a MP&E Technical Resolution Committee (TRC) meeting in December 
of 1999, the representatives from NYAB Corporation, a brake 
manufacturer, asserted that a problem with a faulty automatic or 
independent brake valve will not create an unsafe condition when the 
locomotive is operating in the trail position, provided the locomotive 
consist has a successful brake test (application and release) from the 
lead unit. The reason offered was that in order for a locomotive to 
operate in the trailing position, the automatic and independent brake 
valves must be cut-out. FRA agrees, and currently applies this 
rationale in regards to performing a calendar day inspection. The 
calendar day inspection does not require that the operation of the 
automatic and independent brake controls be verified on trailing 
locomotives. The Working Group agreed, and recommended adding a tagging 
requirement to prevent a trailing, non-controlling locomotive with 
defective independent or automatic brakes from being used as a 
controlling locomotive. FRA adopted this recommendation in the NPRM and 
retains it in this final rule.
Locomotive Cab Temperature
    In 1998, FRA led an RSAC Working Group to address various cab 
working condition issues. To aid the Working Group discussions, FRA 
conducted a study to determine the average temperature in each type of 
locomotive cab commonly used at the time. The study concluded that at 
the location where the engineer operates the locomotive, each 
locomotive maintained an average temperature of at least 60 degrees. 
The window and door gaskets were maintained in proper condition on the 
locomotives that were studied. Now that the locomotive safety standards 
are in the process of being revised, FRA is incorporating existing 
industry practice into the regulation in an effort to maintain the 
current conditions. In addition to increasing the minimum cab 
temperature from 50 [deg]F to 60 [deg]F, FRA believes that requiring 
railroads to continue their current practice of equipping new 
locomotives with air conditioning units inside the locomotive cab and 
maintaining those units during the periodic inspection required by 
Sec.  229.23, will maintain the existing level of railroad safety.
Headlights
    The revisions to the headlight requirements incorporate waiver FRA 
2005-23107 into part 229. The waiver permits a locomotive with one 
failed 350-watt incandescent lamp to operate in the lead until the next 
daily inspection, if the auxiliary lights remain continuously 
illuminated. Under the existing requirements, a headlight with only one 
functioning 200-watt lamp is not defective and its condition does not 
affect the permissible movement of a locomotive. However, the existing 
requirements are more restrictive for a 350-watt lamp. A locomotive 
with only one functioning 350-watt lamp in the headlight can be 
properly moved only under the conditions of Sec.  229.9. This final 
rule modifies the treatment of locomotives with a failed 350-watt lamp 
to allow flexibility, and be consistent with the current treatment of 
200-watt lamps. In accordance with E.O. 13563, this modification will 
reduce the downtime for locomotives with certain headlight defects, and 
thereby, reduce the burden on the rail industry.
Alerters
    An alerter is a common safety device that is intended to verify 
that the locomotive engineer remains vigilant and capable of 
accomplishing the tasks that he or she must perform while operating a 
locomotive. An alerter will initiate a penalty brake application to 
stop the train if it does not receive the proper response from the 
engineer. As an appurtenance to the locomotive, an alerter must operate 
as intended when present on a locomotive. Section 20701 of Title 49 of 
the United States Code prohibits the use of a locomotive unless the 
entire locomotive and its appurtenances are in proper condition and 
safe to operate in the service to which they are placed. Under this 
authority, FRA has issued many violations against railroads for 
operating locomotives equipped with a non-functioning alerter. Alerters 
are currently required on passenger locomotives pursuant to Sec.  
238.237 (67 FR 19991), and are present on most freight locomotives. A 
long-standing industry standard currently contains various requirements 
for locomotive alerters. See AAR Standard S-5513, ``Locomotive Alerter 
Requirements,'' (November 26, 2007). FRA believes that the requirements 
proposed in the NPRM

[[Page 21314]]

and retained in this final rule related to alerters incorporate 
existing railroad practices and locomotive design, and address each of 
the National Transportation Safety Board (NTSB) recommendations 
discussed below in section v., ``General Overview of the Final Rule 
Requirements.''
Locomotive Electronics
    This final rule retains requirements proposed in the NPRM that 
prescribe safety standards for safety-critical electronic locomotive 
control systems, subsystems, and components including requirements to 
ensure that the development, installation, implementation, inspection, 
testing, operation, maintenance, repair, and modification of those 
products will achieve and maintain an acceptable level of safety. This 
final rule is also establishing standards to ensure that personnel 
working with safety-critical products receive appropriate training. Of 
course, each railroad would be able to prescribe additional or more 
stringent rules, and other special instructions, provided they are 
consistent with the proposed standards.
Periodic Locomotive Inspection
    The Working Group was unable to reach consensus on whether current 
locomotive inspection intervals and procedures are appropriate to 
current conditions. On June 22, 2009, FRA granted the Burlington 
Northern Santa Fe's (BNSF) request for waiver from compliance with the 
periodic locomotive inspection requirements. See Docket FRA-2008-0157. 
BNSF stated in their request that each of the subject locomotives are 
equipped with new self-diagnostic technology and advanced computer 
control, and that the locomotives were designed by the manufacturer to 
be maintained at a six month interval.
    Based on the initial results of the waiver, FRA identified the 
periodic locomotive inspection as a potential candidate for reducing 
the regulatory burden on the rail industry, as required by E.O. 13563. 
FRA's continued observations of test during joint inspections of the 
brake systems shows that the waiver has been successful. As there is no 
material difference between the locomotive models covered by the BNSF 
waiver and other self diagnostic microprocessor-based locomotives, FRA 
is modifying the existing periodic inspection requirements to provide 
for a 184-day inspection interval for all locomotives equipped with 
microprocessor-based control systems with self-diagnostic capabilities.
Locomotive Cab Securement
    By letter dated September 22, 2010, in response to a conductor 
being shot and killed during an attempted robbery on June 20, 2010, the 
Brotherhood of Locomotive Engineers and Trainmen (BLET) requested that 
FRA require door locks on locomotive cab doors. Under current industry 
practice, many locomotive cab doors are not locked. According to BLET's 
letter, requiring the use of door locks would impede unauthorized 
access to the locomotive cab and reduce the risk of violence to the 
train crew when confronted by a potential intruder.
    In the NPRM, FRA requested comments on the various securement 
options that are currently available on locomotive cab doors, and 
whether equipping the locomotive cab with a securement device would 
improve safety. Based on its review of comments received, FRA believes 
that locomotive cab securement can potentially prevent unauthorized 
access to the locomotive cab, and thereby increase train crew safety. 
Consequently, FRA is establishing in this final rule a requirement for 
new and remanufactured locomotives to be equipped with a securement 
device.

Expected Benefits

    This final rule includes numerous regulatory clarifications and 
adoption of most current part 229 waivers. The primary costs or burdens 
in this final rule are from the alerters, periodic inspection change 
and revised minimum (i.e., cold weather) cab temperature requirements. 
The savings will accrue from fewer train accidents, fewer future 
waivers, and waiver renewals. In addition, savings would also accrue 
from a reduction in downtime for locomotives due to changes to 
headlight and brake requirements. Finally the railroad industry will 
accrue significant cost savings from a change in the periodic 
inspection requirement for micro-processor based locomotives. For the 
20-year period analyzed, the estimated quantified costs total $56.2 
million, and the present value (PV) (7 percent) of the estimated costs 
is $27.7 million. The uniform adoption of some waivers will provide 
cost savings from a reduction in locomotive downtime. For example, the 
headlight and brake maintenance waiver incorporations will reduce 
future industry-wide locomotive downtime, because locomotives that are 
not currently covered by the waivers will be permitted to continue in 
use. FRA also anticipates a small reduction in future accidents from 
the proposed alerter requirements. For the 20-year period, the 
estimated quantified benefits total $806.8 million, and the PV (7 
percent) of the estimated quantified benefits is $385 million.

                          Costs for Final Rule
    [Note dollars are discounted (7%) and all costs are for a 20-year
                                 period]
------------------------------------------------------------------------
 
------------------------------------------------------------------------
Periodic Inspection.....................................     $20,820,604
AFM Calibration.........................................         136,335
Alerters--Requirement and Trip Test.....................       4,495,455
Cab Temperature: Heaters, Maintenance & Insulation......         889,503
Locomotive Electronics: File Notice & Training Documents       1,338,763
End Plates..............................................          21,187
                                                         ---------------
    Total...............................................      27,701,846
------------------------------------------------------------------------


                         Benefits for Final Rule
  [Note dollars are discounted (7%) and all benefits are for a 20- year
                                 period]
------------------------------------------------------------------------
 
------------------------------------------------------------------------
Reduction in Locomotive Downtime--Headlights............      $1,588,995
Reduction in Locomotive Downtime--Brakes................       2,118,660
Reduced Train Accidents--Due to Alerter Requirement.....       2,318,972
Cost Savings--Reduction in Waivers......................         975,325
Savings: High Voltage Danger Signs/Markings.............         317,799
Periodic Inspection: Increased Time Interval............     377,825,552
                                                         ---------------
    Total...............................................     385,145,303
------------------------------------------------------------------------

II. Statutory and Regulatory Background

    FRA has broad statutory authority to regulate railroad safety. The 
Federal railroad safety laws (formerly the Locomotive Boiler Inspection 
Act at 45 U.S.C. 22-34, repealed and recodified at 49 U.S.C. 20701-
20703) prohibit the use of unsafe locomotives and authorize FRA to 
issue standards for locomotive maintenance and testing. In order to 
further FRA's ability to respond effectively to contemporary safety 
problems and hazards as they arise in the railroad industry, Congress 
enacted the Federal Railroad Safety Act of 1970 (Safety Act) (formerly 
45 U.S.C. 421, 431 et seq., now found primarily in chapter 201 of Title 
49). The Safety Act grants the Secretary of Transportation rulemaking 
authority over all areas of railroad safety (49 U.S.C. 20103(a)) and 
confers all powers necessary to detect and penalize violations of any 
rail safety law. This authority was subsequently delegated to the FRA 
Administrator (49 CFR 1.49). Until July 5, 1994, the

[[Page 21315]]

Federal railroad safety statutes existed as separate acts found 
primarily in title 45 of the United States Code. On that date, all of 
the acts were repealed, and their provisions were recodified into title 
49 of the United States Code. All references to parts and sections in 
this document shall be to parts and sections located in Title 49 of the 
Code of Federal Regulations.
    Pursuant to its general statutory rulemaking authority, FRA 
promulgates and enforces rules as part of a comprehensive regulatory 
program to address the safety of, inter alia, railroad track, signal 
systems, communications, rolling stock, operating practices, passenger 
train emergency preparedness, alcohol and drug testing, locomotive 
engineer certification, and workplace safety. In 1980, FRA issued the 
majority of the regulatory provisions currently found at 49 CFR part 
229 addressing various locomotive related topics including: inspections 
and tests; safety requirements for brake, draft, suspension, and 
electrical systems, and locomotive cabs; and locomotive cab equipment. 
Since 1980, various provisions currently contained in part 229 have 
been added or revised on an ad hoc basis to address specific safety 
concerns or in response to specific statutory mandates.
    Topics for new regulation typically arise from several sources. FRA 
continually reviews its regulations and revises them as needed to 
address emerging technology, changing operational realities, and to 
bolster existing standards as new safety concerns are identified. It is 
also common for the railroad industry to introduce regulatory issues 
through FRA's waiver process. Several of FRA's requirements contained 
in this final rule have been partially or previously addressed through 
FRA's waiver process. As detailed in part 211, FRA's Railroad Safety 
Board (Safety Board) reviews, and approves or denies, waiver petitions 
submitted by railroads and other parties subject to the regulations. 
Petitions granted by the Safety Board can be utilized only by the 
petitioning party. By incorporating existing relevant regulatory 
waivers into part 229, FRA intends to extend the reach of the 
regulatory flexibilities permitted under those waivers. Although, FRA 
is altering a number of regulatory requirements, the comprehensive 
safety regulatory structure remains unchanged.
    The requirement that a locomotive be safe to operate in the service 
in which it is placed remains the cornerstone of Federal regulation. 
Title 49 U.S.C. 20701 provides that ``[a] railroad carrier may use or 
allow to be used a locomotive or tender on its railroad line only when 
the locomotive or tender and its parts and appurtenances: (1) are in 
proper condition and safe to operate without unnecessary danger of 
personal injury; (2) have been inspected as required under this chapter 
and regulations prescribed by the Secretary of Transportation under 
this chapter; and (3) can withstand every test prescribed by the 
Secretary under this chapter.''
    The statute is extremely broad in scope and makes clear that each 
railroad is responsible for ensuring that locomotives used on its line 
are safe. Even the extensive requirements of part 229 are not intended 
to be exhaustive in scope, and with or without that regulatory 
structure, the railroads remain directly responsible for finding and 
correcting all hazardous conditions. For example, even without these 
regulations, a railroad would be responsible for repairing an 
inoperative alerter and an improperly functioning remote control 
transmitter, if the locomotive is equipped with these devices.
    On July 12, 2004, the AAR, on behalf of itself and its member 
railroads, petitioned FRA to delete the requirement contained in 49 CFR 
229.131 related to locomotive sanders. The petition and supporting 
documentation asserted that contrary to popular belief, depositing sand 
on the rail in front of the locomotive wheels will not have any 
significant influence on the emergency stopping distance of a train. 
While contemplating the petition, FRA and interested industry members 
began identifying other issues related to the locomotive safety 
standards. The purpose of this task was to develop information so that 
FRA could potentially address the issues through the RSAC.
    The locomotive sanders final rule was published on October 19, 2007 
(72 FR 59216). FRA continued to utilize the RSAC process to address 
additional locomotive safety issues. On September 10, 2009, after a 
series of detailed discussions, the RSAC approved and provided 
recommendations on a wide range of locomotive safety issues including, 
locomotive brake maintenance, pilot height, headlight operation, danger 
markings, and locomotive electronics. FRA generally proposed the 
consensus rule text for these issues with minor clarifying 
modifications on January 12, 2011. See 76 FR 2199. The RSAC was unable 
to reach consensus on the issues related to remote control locomotives, 
cab temperature, and locomotive alerters. Based on its consideration of 
the information and views provided by the RSAC Locomotive Safety 
Standards Working Group, FRA also proposed rule text related to the 
non-consensus items. Id. Many comments were submitted to the public 
docket in response to the NPRM. The comment period closed on March 14, 
2011. FRA is issuing this final rule after considering the comments.

III. RSAC Overview

    In March 1996, FRA established the RSAC, which provides a forum for 
developing consensus recommendations on rulemakings and other safety 
program issues. The Committee includes representation from interested 
parties, including railroads, labor organizations, suppliers and 
manufacturers, and other interested parties. A list of member groups 
follows:

American Association of Private Railroad Car Owners (AAPRCO)
American Association of State Highway & Transportation Officials 
(AASHTO)
American Public Transportation Association (APTA)
American Short Line and Regional Railroad Association (ASLRRA)
American Train Dispatchers Association (ATDA)
Amtrak
AAR
Association of Railway Museums (ARM)
Association of State Rail Safety Managers (ASRSM)
BLET
Brotherhood of Maintenance of Way Employes Division (BMWED)
Brotherhood of Railroad Signalmen (BRS)
Federal Transit Administration (FTA) *
High Speed Ground Transportation Association (HSGTA)
International Association of Machinists and Aerospace Workers
International Brotherhood of Electrical Workers (IBEW)
Labor Council for Latin American Advancement (LCLAA) *
League of Railway Industry Women *
National Association of Railroad Passengers (NARP)
National Association of Railway Business Women *
National Conference of Firemen & Oilers
National Railroad Construction and Maintenance Association
National Railroad Passenger Corporation (Amtrak)
NTSB *
Railway Supply Institute (RSI)
Safe Travel America (STA)
Secretaria de Communicaciones y Transporte *
Sheet Metal Workers International Association (SMWIA)
Tourist Railway Association Inc.
Transport Canada*
Transport Workers Union of America (TWU)
Transportation Communications International Union/BRC (TCIU/BRC)
United Transportation Union (UTU)


[[Page 21316]]


    * Indicates associate membership.

    When appropriate, FRA assigns a task to the RSAC, and after 
consideration and debate, the RSAC may accept or reject the task. If 
accepted, the RSAC establishes a working group that possesses the 
appropriate expertise and representation of interests to develop 
recommendations to FRA for action on the task. These recommendations 
are developed by consensus. A working group may establish one or more 
task forces to develop facts and options on a particular aspect of a 
given task. The task force then provides that information to the 
working group for consideration. If a working group comes to unanimous 
consensus on recommendations for action, the package is presented to 
the RSAC for a vote. If the proposal is accepted by a simple majority 
of the RSAC, the proposal is formally recommended to FRA. FRA then 
determines what action to take on the recommendation. Because FRA staff 
has played an active role at the working group level in discussing the 
issues and options and in drafting the language of the consensus 
proposal, FRA is often favorably inclined toward the RSAC 
recommendation. However, FRA is in no way bound to follow the 
recommendation and the agency exercises its independent judgment on 
whether the recommended rule achieves the agency's regulatory goal, is 
soundly supported, and is in accordance with policy and legal 
requirements. Often, FRA varies in some respects from the RSAC 
recommendation in developing the actual regulatory proposal. If the 
working group or the RSAC is unable to reach consensus on 
recommendations for action, FRA moves ahead to resolve the issue 
through conventional practices including traditional rulemaking 
proceedings.

IV. Proceedings to Date

    On February 22, 2006, FRA presented, and the RSAC accepted, the 
task of reviewing existing locomotive safety needs and recommending 
consideration of specific actions useful to advance the safety of rail 
operations. The RSAC established the Working Group to handle this task 
and develop recommendations for the full RSAC to consider. Members of 
the Working Group, in addition to FRA, included the following:

APTA
ASLRRA
Amtrak
AAR
ASRSM
BLET
BMWE
BRS
BNSF Railway Company (BNSF)
California Department of Transportation
Canadian National Railway (CN)
Canadian Pacific Railway (CP)
Conrail
CSX Transportation (CSXT)
Florida East Coast Railroad
General Electric (GE)
Genesee & Wyoming Inc.
International Association of Machinists and Aerospace Workers
IBEW
Kansas City Southern Railway (KCS)
Long Island Rail Road
Metro-North Railroad
MTA Long Island
National Conference of Firemen and Oilers
Norfolk Southern Corporation (NS)
Public Service Commission of West Virginia
Rail America, Inc.
Southeastern Pennsylvania Transportation Agency
SMWIA
STV, Inc.
Tourist Railway Association Inc.
Transport Canada
Union Pacific Railroad (UP)
UTU
Volpe Center
Wabtec Corporation
Watco Companies

    The task statement approved by the full RSAC sought immediate 
action from the Working Group regarding the need for, and usefulness 
of, the existing regulation related to locomotive sanders. The task 
statement established a target date of 90 days for the Working Group to 
report back to the RSAC with recommendations to revise the existing 
regulatory sander provision. The Working Group conducted two meetings 
that focused almost exclusively on the sander requirement. The meetings 
were held on May 8-10, 2006, in St. Louis, Missouri, and on August 9-
10, 2006, in Fort Worth, Texas. Minutes of these meetings have been 
made part of the docket in this proceeding. After broad and meaningful 
discussion related to the potential safety and operational benefits 
provided by equipping locomotives with operative sanders, the Working 
Group reached consensus on a recommendation for the full RSAC.
    On September 21, 2006, the full RSAC unanimously adopted the 
Working Group's recommendation on locomotive sanders as its 
recommendation to FRA. The next twelve Working Group meeting addressed 
a wide range of locomotive safety issues. The meetings were held at the 
following locations on the following days:

Kansas City, MO, October 30 & 31, 2006;
Raleigh, NC, January 9 & 10, 2007;
Orlando, FL, March 6 & 7, 2007;
Chicago, IL, June 6 & 7, 2007;
Las Vegas, NV, September 18 & 19, 2007;
New Orleans, LA, November 27 & 28, 2007;
Fort Lauderdale, FL, February 5 & 6, 2008;
Grapevine, TX, May 20 & 21, 2008;
Silver Spring, MD, August 5 & 6, 2008;
Overland Park, KS, October 22 & 23, 2008;
Washington, DC, January 6 & 7, 2009; and
Arlington, VA, April 15 & 16, 2009.

    At the above listed meetings, the Working Group successfully 
reached consensus on the following locomotive safety issues: locomotive 
brake maintenance, pilot height, headlight operation, danger markings 
placement, load meter settings, reorganization of steam generator 
requirements, and the establishment locomotive electronics 
requirements. Throughout the preamble discussion in the NPRM and this 
final rule, FRA refers to commentsviews, suggestions, or 
recommendations made by members of the Working Group. When using this 
terminology, FRA is referring to views, statements, discussions, or 
positions identified or contained in the minutes of the Working Group 
meetings. These documents have been made part of the docket in this 
proceeding and are available for public inspection as discussed in the 
ADDRESSES portion of this document. These points are discussed to show 
the origin of certain issues and the course of discussions on those 
issues at the task force or working group level. We believe this helps 
illuminate factors FRA has weighed in making its regulatory decisions, 
and the logic behind those decisions.
    The reader should keep in mind, of course, that only the full RSAC 
makes recommendations to FRA, and it is the consensus recommendation of 
the full RSAC on which FRA is primarily acting in this proceeding. As 
discussed above, the Working Group reported its findings and 
recommendations to the RSAC at its September 10, 2009 meeting. The RSAC 
approved the recommended consensus regulatory text proposed by the 
Working Group, which accounts for the majority of the NPRM issued in 
this proceeding. 76 FR 2199. The specific regulatory language 
recommended by the RSAC was amended slightly for clarity and 
consistency. FRA independently developed proposals related to remote 
control locomotives, alerters, and locomotive cab temperature, issues 
that the Working Group discussed, but ultimately did not reach 
consensus. Id. Many comments were submitted to the public docket in 
response to the NPRM. The comment period closed on March 14, 2011. FRA 
is issuing this final rule after considering the comments.

[[Page 21317]]

V. General Overview of Final Rule Requirements

    The retrospective review requirements of E.O. 13563, trends in 
locomotive operation, concern about the safe design of electronics, 
technology advances, and experience applying Federal regulations 
provide the main impetus for the revisions to FRA's existing standards 
related to locomotive safety. An overview of some of the major areas 
addressed in this final rule is provided below.

A. Remote Control Locomotives

    Remote control devices have been used to operate locomotives at 
various locations in the United States for many years, primarily within 
yards and certain industrial sites. Railroads in Canada have 
extensively used remote control locomotives for more than a decade. FRA 
began investigating remote control operations in 1994 and held its 
first public hearing on the subject in mid-1990s to gather information 
and examine the safety issues relating to this new technology. On July 
19, 2000, FRA conducted a technical conference in which interested 
parties, including rail unions, remote control systems suppliers, and 
railroad representatives, shared their views and described their 
experiences with remote control operations.
    On February 14, 2001, FRA published a Safety Advisory in which FRA 
issued recommended guidelines for conducting remote control locomotive 
operations. See 66 FR 10340, Notice of Safety Advisory 2001-01, Docket 
No. FRA-2000-7325. By issuing these recommendations, FRA sought to 
identify a set of ``best practices'' to guide the rail industry when 
implementing this technology. As this was an emerging technology, FRA 
believed the approach served the railroad industry by providing 
flexibility to both manufacturers designing the equipment and to 
railroads using the technology in their operations, while reinforcing 
the importance of complying with all existing railroad safety 
regulations. All of the major railroads have adopted the 
recommendations contained in the advisory, with only slight 
modifications to suit their individual operations.
    In the Safety Advisory, FRA addressed the application and 
enforcement of the Federal regulations to remote control locomotives. 
FRA discussed the existing Federal locomotive inspection requirements 
and the application of those broad requirements to remote control 
locomotive technology. The Safety Advisory explains that: ``although 
compliance with this Safety Advisory is voluntary, nothing in this 
Safety Advisory is meant to relieve a railroad from compliance with all 
existing railroad safety regulations [and] [t]herefore, when procedures 
required by regulation are cited in this Safety Advisory, compliance is 
mandatory.'' Id. at 10343. For example, the Safety Advisory states that 
the remote control locomotive ``system must be included as part of the 
calendar day inspection required by section 229.21, since this 
equipment becomes an appurtenance to the locomotive.'' Id. at 10344. 
Another example of a mandatory requirement mentioned in the Safety 
Advisory is that the remote control locomotive ``system components that 
interface with the mechanical devices of the locomotive, e.g., air 
pressure monitoring devices, pressure switches, speed sensors, etc., 
should be inspected and calibrated as often as necessary, but not less 
than the locomotive's periodic (92-day) inspection.'' Id.; see also 49 
CFR 229.23. Thus, the Safety Advisory made clear that the existing 
Federal regulations require inspection of the remote control locomotive 
equipment.
    The Safety Advisory also addressed the application of various 
requirements related to the operators of remote control locomotives. 
The Safety Advisory states that ``each person operating an RCL [remote 
control locomotive] must be certified and qualified in accordance with 
part 240 [FRA's locomotive engineer rule] if conventional operation of 
a locomotive under the same circumstances would require certification 
under that regulation.'' Id. at 10344. In 2006, FRA codified additional 
requirements to address specific operational issues such as situational 
awareness. See 71 FR 60372.
    During several productive meetings, the Working Group identified 
many areas of agreement regarding the regulation of remote control 
locomotive equipment. On issues that produced disagreement, FRA 
gathered useful information. Informed by the Working Group discussions 
and the comments to the NPRM related to this proceeding, this final 
rule will codify the industry's best practices related to the use and 
operation of remote control locomotives.

B. Electronic Recordkeeping

    The development and improved capability of electronic recordkeeping 
systems has led to the potential for safe electronic maintenance of 
records required by part 229. Since April 3, 2002, FRA has granted a 
series of waivers permitting electronic recordkeeping with certain 
conditions intended to ensure the safety, security and accessibility of 
such systems. See FRA-2001-11014. Based on the information gathered 
under the experiences of utilizing the electronic records permitted 
under these existing waivers, the Working Group discussed, and agreed 
to, generally applicable requirements for electronic recordkeeping 
systems. This final rule establishes generally applicable requirements 
based on the Working Group's recommendation.

C. Brake Maintenance

    Advances in technology have increased the longevity of locomotive 
brake system components. In conjunction with several railroads and the 
AAR, FRA has monitored the performance of new brake systems since the 
Locomotive Safety Standards regulation was first published in 1980. See 
45 FR 21092. The revisions to locomotive air brake maintenance are 
based on this extensive history of study and testing. Over the last 
several decades, FRA has granted several conditional waivers extending 
the air brake cleaning, repair, and test requirements of Sec. Sec.  
229.27 and 229.29. These extensions were designed to accommodate 
testing of the reliability of electronic brake systems and other brake 
system components, with the intent of moving toward performance based 
test criterion with components being replaced or repaired based upon 
their reliability.
    In 1981, FRA granted a test waiver (H-80-7) to eight railroads, 
permitting them to extend the annual and biennial testing requirements 
contained in Sec. Sec.  229.27 and 229.29, in order to conduct a study 
of the safe service life and reliability of the locomotive brake 
components. On January 29, 1985, FRA expanded the waiver to permit all 
railroads to inspect the 26-L type brake equipment on a triennial 
basis. In the 1990's, the Canadian Pacific Railroad (CP) and the 
Canadian National Railroad (CN) petitioned the FRA to allow them to 
operate locomotives into the United States that received periodic 
attention every four years. The requests were based on a decision by 
Transport Canada to institute a four-year inspection program following 
a thorough test program in Canada. In November 2000, FRA granted 
conditional waivers to both the CN and CP, extending the testing 
interval to four years for Canadian-based locomotives equipped with 26-
L type brake systems and air dryers. The waiver also requires all air 
brake filtering devices to be changed annually and the air

[[Page 21318]]

compressor to be overhauled not less than every six years. In 2005, 
this waiver was extended industry-wide. See FRA-2005-21325.
    In 2009, AAR petitioned for a waiver that would permit four year 
testing and maintenance intervals for locomotives that are equipped 
with 26-L type brake equipment and not equipped with air dryers. The 
petition assumed that the testing and maintenance intervals that are 
appropriate for locomotives equipped with air dryers are also 
appropriate for locomotives without air dryers. FRA denied the request, 
but granted a limited test program to determine whether the addition of 
operative air dryers on a locomotive merits different maintenance and 
testing requirements. FRA recognizes that the results of the test plan 
may indicate that locomotives that are not equipped with air dryers 
merit the same treatment as locomotives that operate without air 
dryers.
    The New York Air Brake Corporation (NYAB) sought by waiver, and was 
granted, an extension of the cleaning, repairing, and testing 
requirements for pneumatic components of the CCBI and CCBII brake 
systems (FRA-2000-7367, formerly H-95-3), and then modification of that 
waiver to include its new CCB-26 electronic airbrake system. The 
initial waiver, which was first granted on September 13, 1996, extended 
the interval for cleaning, repairing, and testing pneumatic components 
of the NYAB Computer Controlled Brake (CCB, now referred to as CCB-I) 
locomotive air brake system under 49 CFR 229.27(a)(2) and 49 CFR 
229.29(a) from 736 days to five years. The waiver was modified to 
include NYAB's CCB-II electronic air brake system on August 20, 1998.
    To confirm that the extended brake maintenance interval did not 
have a negative effect on safety, FRA required quarterly reports 
listing air brake failures, both pneumatic and electrical, of all 
locomotives operating under the waiver including: Locomotive reporting 
marks; and the cause and resolution of the problem. All verified 
failures were required to be reported to FRA prior to disassembly, so 
that NYAB, the railroad, and FRA could jointly witness the disassembly 
of the failed component to determine the cause. The last quarterly 
submission to FRA listed 1,889 CCBI and 1,806 CCBII equipped 
locomotives in the United States, all of which were operating at high 
levels of reliability and demonstrated safety. All past tests and 
teardown inspections confirm the safety and reliability of the five 
year interval.
    Based on successful performance of the two NYAB electronic air 
brake systems under the conditions of the 1996 and 1998 waivers, the 
waiver was extended for another five years on September 10, 2001 and 
the conditions of the waiver were modified on September 22, 2003. NYAB 
described the new CCB-26 electronic air brake system as an adaptation 
of the CCB-II system designed to be used on locomotives without 
integrated cab electronics. It used many of the same sub-assemblies of 
pneumatic valves, electronic controls and software (referred to as line 
replaceable units or LRUs) as the CCB-II. Some changes were made to 
simplify the system while maintaining or increasing the level of 
safety. For example, the penalty brake interface was changed to mimic 
the 26L system interface, allowing for a fully pneumatic penalty brake 
application. Also, the brake cylinder pilot pressure development has 
been simplified from an electronic control to a fully pneumatic version 
based on proven components.
    Much of the software and diagnostic logic which detects critical 
failures and takes appropriate action to effect a safe stop has been 
carried over from CCB-II. Overall, NYAB characterized the CCB-26 as 
being more similar to CCB-II than CCB-II is to CCB-I. As a final check 
on the performance of the CCB-26 system, it was included in the 
existing NYAB failure monitoring and recording systems. For the reasons 
above, FRA extended the waiver of compliance with brake maintenance 
requirements to locomotives equipped with CCB-26 brake systems.
    Similarly, WABCO Locomotive Products (WABCO), a Wabtec company, 
sought and was granted an extension of the cleaning, repairing, and 
testing requirements for pneumatic components of the EPIC brake systems 
(FRA-2002-13397, formerly H-92-3), and then modification of that waiver 
to include its new FastBrake line of electronic airbrake systems. The 
initial waiver conditionally extended to five years the clean, repair 
and test intervals for certain pneumatic air brake components contained 
in Sec. Sec.  229.27(a)(2) and 229.29(a) for WABCO's EPIC electronic 
air brake equipment. WABCO complied with all of the conditions of the 
waiver. Specifically, WABCO provided regular reports to FRA including 
summaries of locomotives equipped with EPIC brake systems and all 
pneumatic and electronic failures. FRA participated in two joint 
teardown inspections of EPIC equipment after five years of service in 
June 2000 and May 2002. After five years of service, the EPIC brake 
systems were found to function normally. No faults were found during 
locomotive tests, and the teardown revealed that the parts were clean 
and in working condition.
    In support of its proposal to extend brake maintenance for 
FastBrake brake systems, WABCO stated that virtually all of the core 
pneumatic technology that has been service proven in EPIC from the time 
of its introduction and documented as such under the provisions of the 
above waiver and were transferred into FastBrake with little or no 
change. They asserted that a further reduction of pneumatic logic 
devices had been made possible by the substitution of computer based 
logic. WABCO also provided a discussion of the similarities between the 
EPIC and FastBrake systems as well as the differences, which are 
primarily in the area of electronics rather than pneumatics. In 
conclusion, WABCO stated that the waiver could be amended without 
compromising safety. For the reasons above, FRA granted the waiver 
petition.
    Over time, several brake systems have been brought into a 
performance based standard. FRA, along with railroads and brake valve 
manufacturers, has participated in a series of brake valve evaluations. 
Each evaluation was performed after extended use of a particular brake 
valve system to determine whether it can perform safely when used 
beyond the number of days currently permitted by part 229. The Working 
Group agreed with the evidence of success and the overall approach 
taken by FRA. As a result, the Working Group reached consensus on the 
brake maintenance standards. That consensus recommendation was included 
in the NPRM and is retained in this final rule.

D. Brakes, General

    In December of 1999, a TRC, consisting of FRA and industry experts, 
met in Kansas City to consider the proper application of the phrase 
``operate as intended'' contained in Sec.  229.46 when applied to 
trailing, non-controlling locomotives. Extensive discussion failed to 
reach consensus on this issue, but revealed valuable insight into the 
technical underpinnings and operational realities surrounding the 
issue. The Working Group revived this issue, and after lengthy 
discussion, reached consensus.
    Generally, even if a locomotive has a defective brake valve that 
prevents it from functioning as a lead locomotive, its brakes will 
still properly apply and release when it is placed and operated as a 
trailing locomotive. This situation can apply on either a pneumatic 26-
L application or on the electronic versions

[[Page 21319]]

of the locomotive brake. The electronic brake often will have the 
breaker turned off, thus making the brake inoperative unless it is 
being controlled by another locomotive.
    Based on reading the plain language of the existing regulation, it 
is not clear under what conditions a trailing, non-controlling 
locomotive operates as intended. The existing regulation provides that 
``the carrier shall know before each trip that the locomotive brakes 
and devices for regulating all pressures, including but not limited to 
the automatic and independent brake valves, operate as intended * * *'' 
See 49 CFR 229.46. One could reasonably argue that a trailing non-
controlling locomotive is operating as intended when the brakes are 
able to apply and release in response to a command from a controlling 
locomotive, because the locomotive is not intended to control the 
brakes when it is used in the trailing position. It could also be 
argued that the trailing, non-controlling locomotive's automatic and 
independent brake valves must be able to control the brakes whenever it 
is called on to do so. Under this reading, a trailing, non-controlling 
locomotive does not operate as intended when it is not able to control 
the brakes.
    At the TRC meeting, the representatives from NYAB Corporation, a 
brake manufacturer, asserted that a problem with a faulty automatic or 
independent brake valve will not create an unsafe condition when the 
locomotive is operating in the trail position, provided the locomotive 
consist has a successful brake test (application and release) from the 
lead unit. The reason offered was that, in order for a locomotive to 
operate in the trailing position, the automatic and independent brake 
valves must be cut-out. FRA agrees, and currently applies this 
rationale in regards to performing a calendar day inspection. The 
calendar day inspection does not require that the operation of the 
automatic and independent brake controls be verified on trailing 
locomotives. The Working Group agreed, and recommended adding a tagging 
requirement to prevent a trailing, non-controlling locomotive with 
defective independent or automatic brakes from being used as a 
controlling locomotive. FRA adopted this recommendation in the NPRM and 
retains it in this final rule.

E. Locomotive Cab Temperature

    In 1998, FRA led an RSAC Working Group to address various cab 
working condition issues. To aid the Working Group discussions, FRA 
conducted a cold weather study to determine the average temperature in 
each type of locomotive cab commonly used at the time. The study 
concluded that at the location where the engineer operates the 
locomotive, each locomotive maintained an average temperature of at 
least 60 degrees. The window and door gaskets were maintained in proper 
condition on the locomotives that were studied. Now that the locomotive 
safety standards are in the process of being revised, FRA is 
incorporating existing industry practice into the regulation in an 
effort to maintain the current conditions. For review, the 1998 study 
has been included in the public docket related to this proceeding.
    In addition to increasing the minimum cab temperature from 50 
[deg]F to 60 [deg]F, FRA believes that requiring railroads to continue 
their current practice of equipping new locomotives with air 
conditioning units inside the locomotive cab and maintaining those 
units during the periodic inspection required by Sec.  229.23, will 
maintain the existing level of railroad safety. Current literature 
regarding the effect of low temperature on human performance indicates 
that performance decreases when the temperature decreases below 60 
[deg]F. Similarly, the literature regarding the effect of high 
temperature and humidity indicates that performance decreases when 
temperatures increase above 80 [deg]F, and that performance decreases 
to an even greater extent when the temperature increases above 90 
[deg]F. Ergonomics, 2002 vol. 45, no. 10, 682-698. Please note that 
when discussing high temperatures in the research about the effects on 
human performance, the term temperature means the Wet Bulb Globe 
temperature or WBGT. When discussing accident statistics the 
temperatures reported were ambient not accounting for humidity and 
radiant heat sources.
    In many occupational settings, it is desirable to minimize the 
health and safety effects of temperature extremes. Depending upon the 
workplace, engineering controls may be employed as well as the 
management of employee exposure to excess cold or heat using such 
methods as work-rest regimens. Because of the unique nature of the 
railroad operating environment, the locomotive cab can be viewed as a 
captive workplace where the continuous work of the locomotive crew 
takes place in a relatively small space. For this reason, in an 
excessively hot cab, a locomotive crew member may have no escape from 
extreme temperatures, since they cannot be expected to readily 
disembark the train and rest in a cooler environment as part of a work-
rest regimen without prior planning by the railroad. As such, FRA 
expects reliance upon engineering controls to limit temperature 
extremes. When FRA considered controls for cold and hot temperature cab 
environments, FRA learned that there is a range of engineering controls 
available that can be employed. Some of these controls are presently 
employed to affect the cab temperature environment. Controls include 
isolation from heat sources such as the prime mover; reduced emissivity 
of hot surfaces; insulation from hot or cold ambient environments; heat 
radiation shielding including reflective shields, absorptive shielding, 
transparent shielding, and flexible shielding; localized workstation 
heating or cooling; general and spot (fan) ventilation; evaporative 
cooling; chilled coil cooling systems.
    Locomotive crew performance is directly linked to railroad safety 
through the safe operation of trains. Locomotive engineers are 
responsible for operating trains in a safe and efficient manner. This 
requires the performance of cognitive tasks, including the mathematical 
information processing required for train handling, constant vigilance, 
and accurate perception of the train and outside environment. 
Conductors are responsible for maintaining accurate train consists, 
including the contents and position of hazardous materials cars, for 
confirming the aspects and indications of signals, and for ensuring 
compliance with written orders and instructions. A decrease in 
performance of any of these tasks that can be anticipated from relevant 
scientific findings should be avoided where amelioration can be 
applied.
    Based on the preceding discussion and its review of existing 
literature on the subject, FRA believes it is appropriate to limit 
minimum locomotive cab temperature and also require that new 
locomotives be equipped with an air conditioning unit inside the 
locomotive cab. To ensure that an air conditioning unit is properly 
maintained, the unit should be inspected and maintained so that it 
works properly and meets or exceeds the manufacturer's minimum 
operating specifications during the periodic inspection that is 
required by Sec.  229.23. Comments by AAR indicate that this is 
consistent with the current industry schedule. FRA believes that 
requiring the railroads to maintain their air conditioning units in a 
manner that meets or exceeds the manufacturer's minimum operating 
specifications should result in the sufficient maintenance of the 
units. FRA will monitor air conditioning maintenance performed by 
railroads to ensure that it

[[Page 21320]]

is being properly an adequately performed. If FRA determines that the 
prescribed level of maintenance is insufficient to ensure the proper 
functioning of the air conditioning units, FRA will consider taking 
regulatory action to address the issue in a future rulemaking.
    AAR submitted comments stating that new locomotives have been 
ordered with air conditioning units for many years and that they are 
maintained at the periodic inspection, and that these practices are 
expected to continue. FRA believes that requiring railroads to continue 
to equip new locomotives with air conditioning units inside the 
locomotive cab and maintaining those units during the periodic 
inspection required by Sec.  229.23, will maintain the existing level 
of railroad safety.
    AAR and the U.S. Army's Joint Munitions Command submitted comments 
stating that a maximum temperature requirement that is intended to 
prevent excessive heat stress from affecting locomotive crew 
performance inside the locomotive cab: would not address a safety 
issue; would be difficult to accurately measure inside the locomotive 
cab; and, would be overly burdensome. The UTU and the BLET submitted 
comments supporting the establishment of a maximum temperature 
requirement. The comments stated that such a requirement would improve 
locomotive crew performance during operation of the locomotive. FRA 
believes that the issues need to be considered further before a 
determination can be made as to whether a maximum temperature 
requirement would be appropriate. The RSAC has recently tasked a 
working group with addressing issues related to fatigue management. FRA 
believes that the fatigue management working group is an appropriate 
forum for further exploring issues related to the potential benefits 
that could result from requiring a limit to the permissible maximum 
locomotive cab temperature.

F. Headlights

    The revisions to the headlight requirements incorporate waiver FRA 
2005-23107 into part 229. The waiver permits a locomotive with one 
failed 350-watt incandescent lamp to operate in the lead until the next 
daily inspection, if the auxiliary lights remain continuously 
illuminated. Under the existing requirements, a headlight with only one 
functioning 200-watt lamp is not defective and its condition does not 
affect the permissible movement of a locomotive. However, the existing 
requirements are more restrictive for a 350-watt lamp. A locomotive 
with only one functioning 350-watt lamp in the headlight can be 
properly moved only under the conditions of section 229.9. This final 
rule modifies the treatment of locomotives with a failed 350-watt lamp 
to allow flexibility, and be consistent with the current treatment of 
200-watt lamps. In accordance with E.O. 13563, this modification will 
reduce the downtime for locomotives with certain headlight defects, and 
thereby, reduce the burden on the rail industry.
    Testing showed that production tolerances for the 350-watt 
incandescent lamp cause most individual lamps to fall below the 200,000 
candela requirement at the center of the beam. As such, two working 
350-watt lamps are required to ensure 200,000 candela at the center of 
the beam. Testing also showed that the 350-watt incandescent lamp 
produced well over 100,000 candela at the center of the beam, and its 
high power and the position of the filament within the reflector causes 
the lamp to be brighter than the 200-watt incandescent lamp at all 
angles greater than approximately 2.5 degrees off the centerline. In 
other words, the only area in which the 350-watt lamp produces 
insufficient illumination is within 2.5 degrees of the centerline. The 
new requirement compensates for the reduced amount of illumination by 
requiring the auxiliary lights to be aimed parallel to the centerline 
of the locomotive and illuminate continuously.
    Significantly, in 1980, when FRA promulgated the 200,000 candela 
requirement it could not take into consideration the light produced by 
auxiliary lights, because they were not required and not often used. 
Today, there is light in front of a locomotive produced by both the 
headlight and the auxiliary lights. When discussing AAR's request that 
the final rule permit locomotives with a nonfunctioning 350-watt lamp 
to operate without restriction, FRA stated that AAR's comments ``may 
have merit when considering locomotives with auxiliary lights aimed 
parallel to the centerline of the locomotive.'' See 69 FR 12533. While 
the auxiliary lights on some locomotives are aimed parallel to the 
centerline, on many others the auxiliary lights are aimed so that their 
light will cross 400 feet in front of the locomotive. The regulations 
only require auxiliary lights to be aimed within 15 degrees of the 
centerline. FRA is not aware of a basis for assuming that the light 
from two auxiliary lights complying with the regulations in any fashion 
would be insufficient, when combined with a 350-watt headlight lamp.

G. Alerters

    An alerter is a common safety device that is intended to verify 
that the locomotive engineer remains vigilant and capable of 
accomplishing the tasks that he or she must perform while operating a 
locomotive. An alerter will initiate a penalty brake application to 
stop the train if it does not receive the proper response from the 
engineer. As an appurtenance to the locomotive, an alerter must operate 
as intended when present on a locomotive. Section 20701 of Title 49 of 
the United States Code prohibits the use of a locomotive unless the 
entire locomotive and its appurtenances are in proper condition and 
safe to operate in the service to which they are placed. Under this 
authority, FRA has issued many violations against railroads for 
operating locomotives equipped with a non-functioning alerter. Alerters 
are currently required on passenger locomotives pursuant to Sec.  
238.237 (67 FR 19991), and are present on most freight locomotives. A 
long-standing industry standard currently contains various requirements 
for locomotive alerters. See AAR Standard S-5513, ``Locomotive Alerter 
Requirements,'' (November 26, 2007).
    After several productive meetings, the Working Group reached 
partial consensus on requirements related to the regulation of 
alerters. For those areas where agreement could not be reached, FRA has 
fully considered the information and views of the Working Group members 
and the recommendations made by the NTSB in developing the requirements 
related to locomotive alerters.
    On July 10, 2005, at about 4:15 a.m., two Canadian National (CN) 
freight trains collided head-on in Anding, Mississippi. The collision 
occurred on the CN Yazoo Subdivision, where the trains were being 
operated under a centralized traffic control signal system on single 
track. Signal data indicated that the northbound train, IC 1013 North, 
continued past a stop (red) signal at North Anding and collided with 
the southbound train, IC 1023 South, about \1/4\ mile beyond the 
signal. The collision resulted in the derailment of six locomotives and 
17 cars. Approximately 15,000 gallons of diesel fuel were released from 
the locomotives and resulted in a fire that burned for roughly 15 
hours. Two crewmembers were on each train; all four were killed. As a 
precaution, about 100 Anding residents were evacuated; fortunately, 
they did not report any injuries. Property damages exceeded $9.5 
million and

[[Page 21321]]

clearing and environmental cleanup costs totaled approximately 
$616,800.
    The NTSB has issued a series of safety recommendations that would 
require freight locomotives to be equipped with an alerter. On April 
25, 2007, the NTSB determined that a contributing cause of the head-on 
collision in Anding, Mississippi, was the lack of an alerter on the 
lead locomotive, which if present, could have prompted the crew to be 
more attentive to their operation of the train. See Recommendation R-
07-1. That recommendation provides as follows: ``[r]equire railroads to 
ensure that the lead locomotives used to operate trains on tracks not 
equipped with a positive train control system are equipped with an 
alerter.''
    Another NTSB recommendation relating to locomotive alerters was 
issued as a result of an investigation into the collision of two 
Norfolk Southern Railway freight trains at Sugar Valley, Georgia, on 
August 9, 1990. In that incident, the crew of one of the trains failed 
to stop at a signal. The NTSB concluded that the engineer of that train 
was probably experiencing a micro-sleep or was distracted. Based on 
testing, it was determined that as the train approached the stop 
signal, the alerter would have initiated an alarm cycle. The NTSB 
concluded that the engineer ``could have cancelled the alerter system 
while he was asleep by a simple reflex action that he performed without 
conscious thought.'' As a result of the investigation, the NTSB made 
the following recommendation to the FRA: ``[i]n conjunction with the 
study of fatigue of train crewmembers, explore the parameters of an 
optimum alerter system for locomotives. See NTSB Recommendation R-91-
26.
    Typically, alerter alarms occur more frequently as train speed 
increases. Unlike the Sugar Valley, Georgia, accident in which the 
train had slowed and entered a siding before overrunning a signal, the 
northbound train in the Anding, Mississippi, remained on the main track 
at higher speeds. Had an alerter been installed, there was a four 
minute time period after passing the approach signal during which the 
alerter would have activated four to five times. It seems unlikely that 
the engineer could have reset the alerter multiple times by reflex 
action without any increase in his awareness. Therefore, the NTSB 
determined that an alerter likely would have detected the lack of 
activity by the engineer and sounded an alarm that could have alerted 
one or both crewmembers. Had the crew been incapacitated or not 
responded to the alarm, the alerter would have automatically applied 
the brakes and brought the train to a stop. The NTSB concluded that had 
an alerter been installed on the lead locomotive of the northbound 
train, it may have prevented the collision.
    The NTSB also closely examined the use of locomotive alerters when 
investigating the sideswipe collision between two Union Pacific 
Railroad (UP) freight trains in Delia, Kansas, on July 2, 1997. In that 
accident, a train entered a siding but did not stop at the other end, 
and it collided with a passing train on the main track. The NTSB 
concluded that ``had the striking locomotive been equipped with an 
alerter, it may have helped the engineer stay awake while his train 
traveled through the siding.'' As a result of its investigation, the 
NTSB made the following recommendation to the FRA: ``[r]evise the 
Federal regulations to require that all locomotives operating on lines 
that do not have a positive train separation system be equipped with a 
cognitive alerter system that cannot be reset by reflex action.'' See 
NTSB Recommendation R-99-53.
    FRA believes that the requirements proposed in the NPRM and 
retained in this final rule related to alerters incorporate existing 
railroad practices and locomotive design, and address each of the NTSB 
recommendations discussed above. As with all of FRA's regulatory 
requirements, the requirements related to alerters are minimum Federal 
safety requirements that do not prohibit railroads from doing more to 
improve railroad safety. Based on industry meetings, FRA understands 
that the industry is considering establishing industry requirements 
that would be more restrictive than the Federal requirements. FRA fully 
supports such an effort by the industry.

H. Locomotive Electronics

    After extensive discussion, the Working Group reached consensus on 
the requirements related to locomotive electronic systems that were 
proposed in the NPRM. Advances in electronics and software technology 
have resulted in changes to the implementation of locomotive control 
systems. Technology changes have allowed the introduction of new 
functional capabilities as well as the integration of different 
functions in ways that advance the building, operation, and maintenance 
of locomotive control systems. FRA encourages the use of these advanced 
technologies to improve safe, efficient, and economical operations. 
However, the increased complexities and interactions associated with 
these technologies increase the potential for unintentional and 
unplanned consequences, which could adversely affect the safety of rail 
operations.
    The NPRM proposed requirements that would prescribe safety 
standards for safety-critical electronic locomotive control systems, 
subsystems, and components including requirements to ensure that the 
development, installation, implementation, inspection, testing, 
operation, maintenance, repair, and modification of those products will 
achieve and maintain an acceptable level of safety. The NPRM also 
proposed standards to ensure that personnel working with safety-
critical products receive appropriate training. Of course, each 
railroad would be able to prescribe additional or more stringent rules, 
and other special instructions, provided they are consistent with the 
final rule.
    FRA also recognizes that advances in technology may further 
eliminate the traditional distinctions between locomotive control and 
train control functionalities. Indeed, technology advances may provide 
for opportunities for increased or improved functionalities in train 
control systems that run concurrent with locomotive control. Train 
control and locomotive control, however, remain two fundamentally 
different operations with different objectives. FRA does not want to 
restrict the adoption of new locomotive control functions and 
technologies by establishing regulations for locomotive control systems 
intended to address safety issues associated with train control.

I. Periodic Locomotive Inspection

    The Locomotive Safety Standards Working Group was unable to reach 
consensus on whether current locomotive inspection intervals and 
procedures are appropriate to current conditions. On June 22, 2009, FRA 
granted the BNSF request for waiver from compliance with the periodic 
locomotive inspection requirements. See Docket FRA-2008-0157. BNSF 
stated in their request that each of the subject locomotives are 
equipped with new self-diagnostic technology and advanced computer 
control, and that the locomotives were designed by the manufacturer to 
be maintained at a six month interval.
    The modern locomotive equipped with microprocessor-based controls 
has diagnostics that monitor the functioning of locomotive equipment 
and record faults, particularly with respect to features relevant to 
the periodic inspection. Major faults are instantly addressed. Minor 
faults are addressed through later data analysis. In some cases, 
railroads have the capability of

[[Page 21322]]

analyzing the data remotely, without the need for the locomotive to be 
shopped. Among the features addressed by the self-diagnostic equipment 
on the locomotive models covered by this petition are the ground relay, 
locked power axle, slipped pinion, and traction motor flashover. Other 
faults monitored include contactor faults, electrical feedback signal 
faults, and electronic air brake faults. If the system detects an air 
brake system failure, the system goes into fail-safe mode. Another 
feature of these models is that the maintenance interval recommended by 
the manufacturers is 184 days. In 1980, the 92-day periodic-inspection 
interval instituted by FRA reflected the maintenance intervals 
recommended by the manufacturers at that time.
    The model locomotives that are the subject of the above noted 
waiver use a very viscous oil instead of grease to lubricate the 
pinions and bull gears on traction-motor wheel assemblies. The oil does 
not degrade with age or thicken or thin as ambient temperature varies. 
Years of use have demonstrated that there is no need to check oil 
levels or replenish the lubricant frequently. Other relevant features 
of the modern locomotive include:
     Traction motor brushes last well over 184 days (most last 
one year);
     Improved seals and gaskets, greatly reducing the 
occurrence of fluid leaks and the need to inspect gusseted and sealed 
joints;
     Improved insulation protecting against the deterioration 
of locomotive wiring (microprocessors have reduced the generation of 
heat, which also enhances wiring life); and,
     The traction motor support bearings are completely sealed 
roller bearings, with lubrication only required when wheels are 
changed.
    In the waiver petition, BNSF requested that the required 92-day 
periodic inspection be performed at 184-day intervals on subject 
locomotives, if qualified mechanical forces perform at least one of the 
required daily inspections every 31 days and FRA non-complying 
conditions that are discovered en-route or during any daily inspection 
are moved to a mechanical facility capable of making required repairs. 
Pursuant to the conditions of the waiver, data were collected on the 
locomotives' performance and joint FRA/BNSF inspections were conducted. 
The data show that safety was not impacted by extending the periodic 
inspection interval to 184 days. Based on the initial results of the 
waiver, FRA identified the periodic locomotive inspection as a 
potential candidate for reducing the regulatory burden on the rail 
industry, as required by E.O. 13563. FRA's continued observations of 
tests during joint inspections of the brake systems shows that the 
waiver has been successful. As there is no material difference between 
the locomotive models covered by the BNSF waiver and other self 
diagnostic microprocessor-based locomotives, FRA is modifying the 
existing periodic inspection requirements to provide for a 184-day 
inspection interval for all locomotives equipped with microprocessor-
based control systems with self-diagnostic capabilities.

J. Rear End Markers

    In 2003, the U.S. DOT's Office of Governmental Affairs received a 
letter from Senator Feinstein on behalf of one of her constituents. The 
individual suggested a revision to FRA's rear end marker regulation, 
which is found in part 221. Specifically, the constituent suggested 
that Federal regulations should require trains with distributive power 
on the rear to have a red marker, because a red marker would make for a 
safer operating environment by giving a rail worker a better indication 
of whether he or she is looking at the rear or front end of the train. 
The individual made reference to a recent fatality involving a BNSF 
conductor who jumped from his train because he observed a headlight 
that he mistakenly believed was a train on the same track, directly 
ahead of his train. As FRA is currently reviewing its existing 
requirements for locomotive safety standards, FRA requested comments on 
this rear end marker issue. AAR submitted the only comment related to 
this issue, stating that no changes should be made to the existing 
requirements based on the single incident mentioned above. FRA agrees 
that at this time there is not enough evidence to merit a change to the 
existing requirements.

K. Locomotive Horn

    In the NPRM, FRA solicited comments regarding methods currently 
being used by railroads to test locomotive horns as required by Sec.  
229.129. More than one method of testing could satisfy the current 
testing requirements. AAR submitted the only comment on this issue, 
stating that an accepted ANSI or SAE standard should satisfy the 
requirement. However, based on AAR's comment, it is unclear which 
specific ANSI and SAE standards would be applicable to locomotive horn 
testing. FRA has been considering whether certain current methods of 
testing should be preferred, or additional methods should be permitted. 
AAR's comment did not provide enough specific information to justify 
modifying the existing locomotive horn requirements. At this point, the 
great majority of initial locomotive horn testing has been performed, 
and there is no clear need to modify the requirements.

L. Risk Analysis Standardization and Harmonization

    FRA notes that it has been actively implementing, whenever 
practical, performance regulations based on the management of risk. In 
the process of doing so, a number of different system safety 
requirements, each unique to a particular regulation, have been 
promulgated. While this approach is consistent with the widely, and 
deeply, held conviction that risk management efforts should be 
specifically tailored for individual situations, it has resulted in 
confusion regarding the applicable regulatory requirements. This, in 
turn, has defeated one of the primary objectives of using performance 
based regulations, reduction in costs from simplifying regulations.
    The problem is not the concept of tailoring, but the lack of 
standard terms, basic tools, and techniques. Numerous directives, 
standards, regulations, and regulatory guides establish the authority 
for system safety engineering requirements in the acquisition, 
development, and maintenance of hardware and software-based systems. 
The lack of commonality makes extremely difficult the task of training 
system safety personnel, evaluating and comparing programs, and 
effectively monitoring and controlling system safety efforts for the 
railroads, their vendors, and the government. Even though tailoring 
will continue to be an important system safety concept, at some point 
FRA believes the proliferation of techniques, worksheets, definitions, 
formats, and approaches has to end, or at least some common ground has 
to be established.
    To accomplish this, FRA is harmonizing risk management process 
requirements across all regulations that have been promulgated by the 
agency. This will implement a systematic approach to hardware and 
software safety analysis as an integral part of a project's overall 
system safety program for protecting the public, the worker, and the 
environment. Harmonization enhances compliance and improves the 
efficiency of the transportation system by minimizing the regulatory 
burden. Harmonization also facilitates interoperability among products 
and systems, which benefits all

[[Page 21323]]

stakeholders. By overcoming institutional and financial barriers to 
technology harmonization, stakeholders could realize lower life-cycle 
costs for the acquisition and maintenance of systems. FRA will pursue 
appropriate, cost effective, performance based standards containing 
precise criteria to be used consistently as rules, guidelines, or 
definitions of characteristics, to ensure that materials, products, 
processes and services are fit for purpose, and present an acceptable 
level of risk that are applicable across all elements of the railroad 
industry. FRA believes that establishing a safety analysis requirement 
in this final rule that is based on best engineering practices and 
standards in section 237.307 is consistent with goal of standardization 
and harmonization.

M. Locomotive Cab Securement

    On June 20, 2010, a CSX Conductor was shot and killed in the cab of 
the controlling locomotive of his standing train in New Orleans, during 
an attempted robbery. The Locomotive Engineer assigned to that train 
was also wounded by gunfire during the incident. This incident was 
particularly tragic, because it resulted in a fatality. By letter dated 
September 22, 2010, in response to this incident, the BLET requested 
that FRA require door locks on locomotive cab doors. Under current 
industry practice, many locomotive cab doors are not locked. According 
to BLET's letter, requiring the use of door locks would impede 
unauthorized access to the locomotive cab and reduce the risk of 
violence to the train crew when confronted by a potential intruder.
    In the NPRM, FRA requested comments on the various securement 
options that are currently available on locomotive cab doors, and 
whether equipping the locomotive cab with a securement device would 
improve safety. Based on its review of comments received, FRA believes 
that locomotive cab securement can potentially prevent unauthorized 
access to the locomotive cab, and thereby increase train crew safety.
    The BLET and UTU submitted comments stating that locks should be 
designed to open from within the locomotive cab without the use of a 
key. Locomotive cab securement demands a careful and balanced approach, 
because when emergencies requiring emergency egress or rescue access 
occur, securement systems must not hinder rapid and easy egress by 
train crews or access by emergency responders without undue delay. A 
latching device (e.g., a dead-bolt arrangement) is sufficient to 
satisfy this requirement. This final rule requires that each locomotive 
or remanufactured locomotives ordered on or after the effective date of 
the final rule, or placed in service for the first time on or after six 
months from the effective date of the rule, be equipped with a 
securement device. However, FRA believes that the decision whether to 
use the securement device is best left to the discretion of each 
railroad.
    AAR submitted comments stating that the railroad industry is 
currently developing a securement standard that will address safety 
concerns. Based on information gathered while attending industry 
meetings, FRA understands that the railroad industry is working on 
producing a standard that will require a securement device on the 
outside of an unattended locomotive cab. FRA believes that the industry 
is moving in the right direction on this issue and will continue to 
monitor the development of a new standard. If FRA determines that the 
actions currently being undertaken by the industry are not sufficient 
to ensure the proper securement of locomotive cabs from the outside, 
FRA will consider taking regulatory action to address this issue in a 
future rulemaking.
    A Battalion Fire Chief from Fairfax County, Virginia, submitted 
comments stating that a rapid-entry box system (similar to a realtor's 
lock-box system) would ensure access by emergency responders into a 
locked locomotive cab. FRA believes that a rapid-entry box system could 
improve emergency responder access into the locomotive cab. However, at 
this time, FRA believes it would be impractical to require such a 
system, due to the potential cost of equipping all locomotives with the 
locks, the significant logistic challenges involved with distributing 
keys to emergency responders throughout the country, and the inability 
of FRA to ensure that those keys are secure.

N. Diesel Exhaust in Locomotive Cabs

    In response to the NPRM, AAR submitted comments requesting that FRA 
clarify the meaning of existing Sec.  229.43. Section 229.43 requires 
that locomotives be built with exhaust systems that are properly 
designed to convey engine exhaust from the engine and release it 
outside of the locomotive, and to ensure that the exhaust system is 
maintained to prevent leaks of exhaust into an occupied locomotive cab. 
FRA has been consistent in its enforcement of this requirement. FRA has 
not discovered locomotive exhaust systems that have noncompliant 
designs. However, FRA has found mechanical defects (e.g., a cracked 
exhaust manifold) in locomotive exhaust systems that permit exhaust to 
be released into an occupied locomotive cab, and has routinely issued 
violations for the railroads' failure to comply with Sec.  229.43.
    Diesel exhaust from the locomotive engine that is released into an 
occupied locomotive cab causes a safety risk. The exhaust can adversely 
affect the train crew and their ability to operate the locomotive 
safely. Inside the locomotive cab, the exhaust causes an inhalation 
hazard and will reduce the train crew's vision and comfort. However, 
FRA did not intend for Sec.  229.43 to prevent any and all diesel 
exhaust from being present in an occupied locomotive cab. It would be 
impracticable to try to eliminate all diesel exhaust in the locomotive 
cab. A locomotive that is standing with its windows open and its engine 
not running next to an active highway will most likely be found to have 
some measurable quantity of diesel exhaust in the cab, due to the 
traffic from the highway. The same would be found if the locomotive 
were located in a similar circumstance in an active marine port. 
Similarly, FRA does not believe that it is possible to prevent the re-
entry of diesel exhaust into the locomotive cab through windows or 
ventilation system intakes, and has never enforced the existing 
regulation in such a manner.

O. Federalism Implications

    One commenter suggested that FRA should add language to its 
discussion of the federalism implications of this final rule to clarify 
the pre-emptive effect of the rule. The discussion of federalism 
contained in the NPRM explains the federalism implications of the 
Locomotive Inspection Act and the existing Locomotive Safety Standards. 
See 76 FR 2224. FRA believes that the discussion of federalism 
implications is clear, and that changes to the final rule regarding the 
pre-emptive effect of the rule are not necessary.

P. E.O. 13563 Retrospective Review

    In accordance with the requirements of E.O. 13563, this final rule 
modifies the existing locomotive safety standards based on what has 
been learned from FRA's retrospective review of the regulation. E.O. 
13563 requires agencies to review existing regulations to identify 
rules that are overly burdensome, and when possible, modify them to 
reduce the burden. As a result of its retrospective review, FRA is 
reducing the burden on the industry by modifying the regulations 
related to periodic locomotive inspection and

[[Page 21324]]

headlights. FRA believes that the modifications related to periodic 
locomotive inspection and headlights in this final rule will not reduce 
safety.

VI. Section-by-Section Analysis

    This section-by section analysis of the final rule is intended to 
explain the rationale for each section of the final rule. The analysis 
includes the requirements of the rule, the purpose that the rule will 
serve in enhancing locomotive safety, the current industry practice, 
and other pertinent information. The regulatory changes are organized 
by section number. FRA sought comments on all proposals made in the 
NPRM and considered the comments in issuing this final rule.

A. Amendments to Part 229 Subparts A, B, and C

Section 229.5 Definitions
    This section contains a set of definitions that are being 
introduced into the regulation. FRA intends these definitions to 
clarify the meaning of important terms as they are used in the text of 
the final rule. The definitions are carefully worded in an attempt to 
minimize the potential for misinterpretation of the rule. The 
definition of alerter introduces an unfamiliar term which requires 
further discussion.
    ``Alerter'' means a device or system installed in the locomotive 
cab to promote continuous, active locomotive engineer attentiveness by 
monitoring select locomotive engineer-induced control activities. If 
fluctuation of a monitored locomotive engineer-induced control activity 
is not detected within a predetermined time, a sequence of audible and 
visual alarms is activated so as to progressively prompt a response by 
the locomotive engineer. Failure by the locomotive engineer to 
institute a change of state in a monitored control, or acknowledge the 
alerter alarm activity through a manual reset provision, results in a 
penalty brake application that brings the locomotive or train to a 
stop. For regulatory consistency FRA is utilizing the same definition 
as the one provided in part 238. FRA intends for a device or system 
that satisfies an accepted industry standard including, but not limited 
to, AAR Standard S-5513, ``Locomotive Alerter Requirements,'' dated 
November 26, 2007, to constitute an alerter under this definition.
    New definitions for terms related to remote control locomotives are 
also being established. The terms, ``Assignment Address,'' ``Locomotive 
Control Unit,'' ``Operator Control Unit,'' ``Remote Control 
Locomotive,'' ``Remote Control Operator,'' and ``Remote Control 
Pullback Protection'' are common to the industry. FRA notes that new 
technology may lead to new systems that fit these definitions. For 
example, ``Remote Control Pullback Protection'' is currently a form of 
global positioning system containment system that uses automated 
equipment identifier tags to either stop the RCL or limit its speed so 
that the RCL remains within its work zone. A system that utilizes new 
technology that either stops the RCL or limits its speed so that the 
RCL remains within its work zone could also satisfy the definition. On 
February 14, 2001, FRA published a Safety Advisory in which FRA issued 
recommended guidelines for conducting remote control locomotive 
operations. See 66 FR 10340, Notice of Safety Advisory 2001-01, Docket 
No. FRA-2000-7325. The Safety Advisory includes definitions for each of 
the terms. FRA's definitions for these terms are informed by the Safety 
Advisory and Working Group discussions.
    ``Controlling locomotive'' means a locomotive from where the 
operator controls the traction and braking functions of the locomotive 
or locomotive consist, normally the lead locomotive. This definition is 
being added to help identify which locomotives are required to be 
equipped with an alerter, and when the alerter is required to be 
tested.
Section 229.7 Prohibited Acts and Penalties
    Minimal changes are being made in this section to update the 
statutory reference and the statutory penalty information.
Section 229.15 Remote Control Locomotives
    After working with the railroad industry for many years to provide 
a framework for the safe use, development, and operation of remote 
control devices, FRA is formally codifying safety standards for remote 
control operated locomotives. For convenience, this section is being 
divided into two headings: design and operation; and inspection and 
testing.
    Generally, the design and operation requirements are intended to 
prevent interference with the remote control system, maintain critical 
safety functions if a crew is conducting a movement that involves the 
pitch and catch of control between more than one operator, tag the 
equipment to notify anyone who would board the cab that the locomotive 
is operating in remote control, and bring the train to a stop if 
certain safety hazards arise. The inspection and testing requirements 
are intended to ensure that each remote control locomotive would be 
tested each time it is placed in use, and ensure that the operator is 
aware of the testing and repair history of the locomotive. It is FRA's 
understanding that virtually all railroads that operate remote control 
locomotives have already adopted similar standards, and that they have 
proven to provide consistent safety for a number of years.
    A comment was received suggesting that FRA should add an 
introductory paragraph to proposed Sec.  229.15 to address the 
applicability of the section. FRA believes that the applicability of 
this section is clear based on the description of applicability 
contained in Sec.  229.6. FRA does not intend to apply the requirements 
of Sec.  229.15 differently than other requirements contained in part 
229.
    Another comment was received stating that the language of proposed 
Sec.  229.15, if it remains unchanged in the final rule, would 
establish requirements that result in existing legacy configurations 
becoming noncompliant. According to the commentor, the legacy systems 
that they identify have been operating safely and to the railroads' 
satisfaction for years, and therefore, should be permitted to continue 
in operation as compliant systems under the requirements contained in 
Sec.  229.15. It is not clear which requirements would affect these 
legacy systems, but FRA does not intend this final rule to make any 
specific legacy configurations noncompliant.
    BLET and UTU submitted comments stating that FRA should replace the 
proposed language of paragraph Sec.  229.15(a)(12)(ii), ``throttle or 
speed control,'' with ``speed selector.'' FRA is not adopting this 
suggestion. FRA believes that the suggested language change would 
exclude throttle/brake units. In the proposed rule, FRA did not intend 
to exclude throttle/brake units. The Working Group reached consensus on 
this specific issue, and FRA continues to believe that an OCU should 
have throttle capabilities in order to safely operate throttle/brake 
units.
    AAR and HCRQ submitted comments stating that FRA should clarify 
proposed paragraph Sec.  229.15(a)(7). Proposed paragraph Sec.  
229.15(a)(7) requires an RCL to initiate a full service application of 
the locomotive and train brakes, and eliminate locomotive tractive 
effort, when main reservoir pressure drops below 90 psi. The proposed 
language did not specifically exclude an RCL that is stationary. Under 
specific conditions, such as charging a lengthy cut of cars in

[[Page 21325]]

winter conditions, it is not uncommon for the main reservoir pressure 
to drop marginally. In such cases when the main reservoir pressure 
drops below 90 psi, it's not a sign of a system failure. Instead, the 
drop in pressure is an acceptable consequence given the conditions. FRA 
intended paragraph Sec.  229.15(a)(7) to apply to moving RCLs and not 
stationary RCLs. To clarify FRA's intent, the language of this 
paragraph has been amended to include the words ``while RCL is 
moving.''
    AAR also submitted comments stating that there is no wheel slide 
issue on RCLs, and that currently wheel slip is often indicated by the 
RCL equipment and not by the OCU. FRA's proposal, in paragraph Sec.  
229.15(a)(12)(xi), would have required the OCU to provide an audio/
visual indication of wheel slip/slide. FRA agrees with AAR's comment 
and is amending the final rule by removing the wheel slide requirement 
that was in the proposal, and by permitting wheel slip to be indicated 
by the RCL as well as the OCU.
    HCRQ submitted comments stating that FRA should permit the OCU to 
provide either an audio or visual indication of RCL movement. Proposed 
Sec.  229.15(a)(12)(xii) would require an audio indication of RCL 
movement. HCRQ asserts that a visual notification should be sufficient, 
because it is equally effective. The Working Group reached consensus on 
this specific issue, and FRA continues to believe that an audio 
indication is the most effective method for indicating RCL movement. 
People, who are present in the yard where the RCL movement is taking 
place, are more likely to hear a warning than they are to see a 
warning. In a yard, vision can be obstructed by equipment or 
structures. Thus, FRA is retaining the proposed provision in this final 
rule.
    In Sec.  229.15(a)(13)(iii)(B) of the NPRM, FRA proposed requiring 
primary OCUs to be equipped with a 15 second tilt bypass feature, and 
secondary OCUs to be equipped with a 60 second tilt bypass feature. 
Based on its review of comments received, FRA is modifying the proposed 
provision in this final rule and is requiring the tilt bypass on both 
OCUs to be set at 60 seconds. AAR and HCRQ submitted comments stating 
that the requirement for the length of the tilt bypass should be 60 
seconds, because all but one of the existing OCU models have a tilt 
bypass feature that is set to 60 seconds and some actions commonly 
performed by OCU operators exhaust more than 15 seconds and up to 60 
seconds. An OCU operator may take longer than 15 seconds to throw a 
switch, set brakes, or lace together brake hoses. FRA agrees that 15 
seconds may not be enough time for an OCU operator to complete certain 
actions, but also understands that in most instances the operator of 
the secondary OCU will be the one who is responsible for those actions 
and that in general pushing a button on an OCU will extend the length 
of the tilt bypass for an additional 15 seconds. However, in the 
proposal FRA did not consider the fact that the majority of OCUs are 
set at 60 seconds, and that it would add a cost to the industry to 
modify some OCUs to 15 seconds. FRA also recognizes that during a RCL 
operation, a crew member may switch from operating the primary OCU to 
operating the secondary OCU, and vice versa. Allowing both the primary 
and secondary OCUs to be set to 60 seconds, consistent with the great 
majority of existing models, will avoid confusion during such a switch.
Section 229.19 Prior Waivers
    FRA is updating the language in Sec.  229.19 to address the 
handling of prior waivers of requirements in part 229 under the final 
rule. A number of existing waivers are incorporated into the final rule 
and others may no longer be necessary in light of the rule. The NPRM 
allowed railroads the opportunity to assert that their existing waiver 
is necessary, and should be effective after the final rule is adopted. 
No comments were received related to this section, and FRA is retaining 
the language as proposed. As a result, waivers from any requirement of 
this part, issued prior to effective date of this final rule will 
terminate on the date specified in the letter granting the waiver, and 
if no date is specified, then the waiver will automatically terminate 5 
years from the effective date of the rule.
    On February 28, 2007, in a notice, FRA proposed the sunset of 
certain waivers granted for the existing locomotive safety standards. 
72 FR 9059. The proposal urged grantees to submit existing waivers for 
consideration for renewal in light of potential revisions to the 
regulation, and explained FRA's interest in treating older waivers 
consistently with newer waivers that were limited to five years. The 
five-year limitations were issued as far back as March of 2000. The 
notice also established a docket to receive waivers for consideration.
    In addition, the notice discussed the possibility of requiring 
current grantees to re-register waivers. To streamline the process, FRA 
did not include a re-registration requirement.
Section 229.20 Electronic Recordkeeping
    As explained in paragraph (a), FRA is establishing standards for 
electronic recordkeeping that a railroad may elect to utilize to comply 
with many of the recordkeeping provisions contained in this part. As 
with any records, replacing a paper system that requires the physical 
filing of records with an electronic system and the large and 
convenient storage capabilities of computers, will result in greater 
efficiency. Increased safety will also result, as railroads will be 
able to access and share records with appropriate employees and FRA 
quicker than with a paper system. To be acceptable, electronic 
recordkeeping systems must satisfy all applicable regulatory 
requirements for records maintenance with the same degree of confidence 
as is provided with paper systems. The requirements are consistent with 
a series of waivers that FRA has granted since April 3, 2002 (Docket 
Number FRA-2001-11014), permitting electronic recordkeeping with 
certain conditions intended to ensure safety. In this section, FRA is 
adopting the Working Group's consensus regulatory text for electronic 
recordkeeping that was approved and recommended to FRA by the RSAC on 
September 10, 2009. The standards are organized into three categories: 
(1) Design requirements, (2) operational requirements, and (3) 
availability and accessibility requirements.
    To properly serve the interest of safety, records must be accurate. 
Inspection of accurate records will reveal compliance or non-compliance 
with Federal regulations and general rail safety practices. To ensure 
the authenticity and integrity of electronic records, it is important 
that security measures be in place to prevent unauthorized access to 
the data in the electronic record and to the electronic system. 
Paragraphs (b)(1) through (5) are intended to help secure the accuracy 
of the electronic records and the electronic system by preventing 
tampering, and other forms of interference, abuse, or neglect.
    Paragraphs (c)(1) and (2) are intended to utilize the improved 
safety capabilities of electronic systems. The requirements of 
paragraph (c)(1) cover both inspection and repair records. AAR 
submitted comments in response to the NPRM stating that the person who 
is performing the activity, and therefore required to make the record 
within 24 hours as required by paragraph (c)(1), may be prevented from 
making the record by Hours of Service laws. FRA

[[Page 21326]]

believes that the proposal addressed this issue. In the proposal, for 
situations when the Hours of Service laws would potentially be 
violated, the electronic system would be required to prompt the person 
to input the data as soon as he or she returns to duty. Because the 
issue was addressed in the proposal, FRA does not believe that any 
changes related to the issue are warranted.
    To properly serve the interest of safety, the electronic records 
and the electronic recordkeeping system must be made available and 
accessible to the appropriate people. FRA must have access to the 
railroads' electronic records and limited access to the electronic 
recordkeeping systems to carry out its investigative responsibilities. 
During Working Group discussions, a member representing railroad 
management explained that his railroad currently can produce an 
electronic record within ten minutes, but that a paper record may take 
up to two weeks. As such, the rule provides up to fifteen days to 
produce paper copies and requires that the electronic records will be 
provided upon request.
Section 229.23 Periodic Inspection: General
    This section requires railroads that choose to maintain and 
transfer records as provided for in Sec.  229.20, to print the name of 
the person who performed the inspections, repairs, or certified work on 
the Form FRA F 6180-49A that is displayed in the cab of each 
locomotive. This will allow the train crew to know who did the previous 
inspection when they board the locomotive cab. This requirement was 
proposed in the NPRM and is being retained in the final rule. As 
discussed above in section I., ``Periodic Locomotive Inspection,'' FRA 
is also modifying the existing periodic inspection requirements 
contained in this section to provide for a 184-day inspection interval 
for all locomotives equipped with microprocessor-based control systems 
with self-diagnostic capabilities.
Section 229.25 Test: Every Periodic Inspection
    Paragraphs (e) and (f) are added to this section to include 
inspection requirements for remote control locomotives and locomotive 
alerters during the periodic inspection. As discussed above, FRA is 
establishing new regulations for remote control locomotives, see Sec.  
229.15, and locomotive alerters, see Sec.  229.140. For convenience, 
the maintenance for remote control locomotives and locomotive alerters 
that would properly be conducted at intervals matching the periodic 
inspection are being incorporated into this section. As proposed in the 
NPRM, the existing paragraph (d) related to steam generators has been 
removed from this section and added to Sec.  229.114. As discussed 
below, FRA is consolidating all of the requirements related to steam 
generators into Sec.  229.114. The other paragraphs in this section are 
also being reorganized to accommodate the removal of paragraph (d).
Section 229.27 Annual Tests
    FRA is amending paragraph (b) of this section by deleting the 
following previous language: ``The load meters shall be tested'' from 
the paragraph. The modification clarifies the regulatory language to 
reflect the current understanding and application of the load meter 
requirement. FRA issued a clarification for load meters on AC 
locomotives on June 15, 1998. In a letter to GE Transportation Systems 
in March 2005, FRA issued a similar clarification of the requirements 
related to testing load meters on DC locomotives. The letter explained 
that on locomotives that are not equipped with load meters there are no 
testing requirements. Similarly, if a locomotive is equipped with a 
load meter but is using a proven alternative method for providing 
safety, and no longer needs to ascertain the current or amperage that 
is being applied to the traction motors, there are no testing 
requirements for the dormant load meter. Load meters have been 
eliminated or deactivated on many locomotives because the locomotives 
are equipped with thermal protection for traction motors and no longer 
require the operator to monitor locomotive traction motor load amps.
    FRA is also removing the existing paragraph (a) from this section 
and merging it into the brake requirements contained in Sec.  229.29 of 
this final rule. Section 229.29 concerns brake maintenance, and as 
discussed below, is being reorganized by this final rule to consolidate 
all existing locomotive brake maintenance into one regulation.
Section 229.29 Air Brake System Calibration, Maintenance, and Testing
    This section is re-titled by this final rule, and existing 
requirements are now consolidated and better organized to improve 
clarity. Because Sec.  229.29 concerns only brakes, it is be re-titled, 
``Air Brake System Calibration, Maintenance, and Testing'' to more 
accurately reflect the section's content. Existing Sec.  229.27(a), 
which also addresses brake maintenance is being integrated into this 
section for convenience and clarity. Recordkeeping requirements for 
this section are being moved from existing paragraphs (a) and (b), and 
merged into a single new paragraph (g). The date of air flow method 
(AFM) indicator calibration is being added to this section and will be 
required to be recorded and certified in the remarks section of Form 
F6180-49A under paragraph (g) of this final rule.
    The brake maintenance requirements contained in this section of the 
final rule extend the intervals at which required brake maintenance is 
performed for several types of locomotive brake systems. The length of 
the intervals reflects the results of studies and performance 
evaluations related to a series of waivers that have been granted by 
FRA, starting in 1981 and continuing to present day. Overall, the type 
of brake maintenance that is required remains the same. The existing 
regulation provides for two levels of brake maintenance. Existing Sec.  
229.27(a) required routine maintenance for filters and dirt collectors, 
and brake valves and existing Sec.  229.29(a) requires maintenance for 
certain brake components including parts that can deteriorate quickly 
and pieces of equipment that contain moving parts. To better tailor the 
maintenance requirements to the equipment needs and based on 
information ascertained from various studies and performance 
evaluations conducted by FRA over the last decade, filters and dirt 
collector maintenance are now being required more frequently than brake 
valve maintenance. As a result, this final rule establishes three 
levels of brake maintenance instead of two.
    In the NPRM, FRA stated that it was studying the effect, if any, 
that air dryers have on the maintenance of brake systems, and FRA 
sought comment. AAR submitted comments stating that there is no safety 
reason to treat the air dryer equipped locomotives differently than 
locomotives that are not equipped with air dryers. As evidence, AAR 
cites the results of the joint teardown tests that railroads have 
conducted with FRA as a condition to existing brake maintenance 
waivers. FRA believes that early indications from teardown testing of 
electronic air brake systems beyond five years in service support AAR's 
comments. However, because many tests and teardowns remain to be done, 
FRA believes that it is premature to discount the potential positive 
effects of air dryers on extending the life of certain brake 
components.
    Paragraph (f)(2) sets maintenance intervals at four years for slug 
units that are semi-permanently attached to a host locomotive. Slugs 
are used in situations where high tractive effort is more

[[Page 21327]]

important than extra power, such as switching operations in yards. A 
railroad slug is an accessory to a diesel-electric locomotive. It has 
trucks with traction motors but is unable to move about under its own 
power, as it does not contain a prime mover to produce electricity. 
Instead, it is connected to a locomotive, called the host, which 
provides current to operate the traction motors.
    In this final rule, FRA is incorporating locomotive brake 
maintenance requirements from part 238 into this section for 
convenience. FRA believes that there is some benefit to moving all of 
the locomotive brake maintenance requirements, including MU 
locomotives, from part 238 to part 229. Amtrak submitted comments 
stating that moving the requirements into part 229 would force them to 
remove entire Acela trainsets from service when any defects are found 
on a power car. In addition, Amtrak requested that Acela power cars be 
reclassified so that requirements from part 229 do not apply to Acela 
power cars. FRA believes that the reclassification of power cars would 
be outside of the scope of this rulemaking proceeding, and therefore, 
cannot be properly addressed in this final rule. However, FRA is open 
to discussing this issue further, outside of this rulemaking 
proceeding. FRA does not believe that moving the brake maintenance 
requirements into part 229 results in any change to the treatment of 
Acela power cars under the Federal railroad safety laws. It appears 
that Amtrak's concern is based on a misinterpretation of FRA's 
proposal. Contrary to Amtrak's assertion, FRA is not changing the 
existing Inspection, Testing, and Maintenance (ITM) requirements for 
Tier II passenger equipment under part 238. Only brake maintenance 
requirements are being moved to part 229, and their movement does not 
affect the Tier II ITM.
    Paragraph (g)(1) requires that the date of AFM indicator 
calibration shall be recorded and certified in the remarks section of 
Form F6180-49A. AAR submitted comments stating that there is no need to 
keep a separate record of the AFM calibration date, because the date 
would be the same as the date of the periodic inspection. FRA 
understands that, although the frequency of the periodic inspection and 
the AFM indicator calibration may be the same for some locomotives, 
they may not be conducted on the same day, because the AFM indicator 
calibration is not part of the periodic inspection. FRA recognizes that 
many railroads choose to perform the AFM indicator calibration and the 
periodic inspection at the same time, but other railroads may choose to 
schedule the AFM calibration on a date other than the date of the 
periodic inspection. Therefore, FRA believes a separate record of the 
AFM indicator calibration date is necessary and is retaining paragraph 
(g)(2) of the final rule as proposed.
Section 229.46 Brakes: General
    FRA is clarifying this section, and establishing standards for the 
safe use of a locomotive with an inoperative or ineffective automatic 
or independent brake control system. The section permits a locomotive 
with a defective air brake control valve to run until the next periodic 
inspection that is required by Sec.  229.23. However, the requirement 
to place a tag on the isolation switch will notify the crew that the 
locomotive can be used only if it complies with the conditions 
contained in paragraph 229.46(b) until it is repaired.
    The conditions contained in paragraphs (b)(2) through (6) clarify 
what it means for the brakes to operate as intended, as required by 
this section. Some Working Group members stated that the automatic and 
independent brake valves are not intended to function on a trailing 
unit that is isolated from the train's air brake system, therefore they 
were ``operating as intended'' when not operating at all. Generally, 
when a unit is found with an automatic or independent brake defect, the 
railroad may choose to move the unit to a trailing position, and 
because it is in a trailing position, it may be dispatched without 
record of the need for maintenance. Paragraph (b)(1) explicitly permits 
units with inoperative or ineffective automatic and/or independent 
brake valves to be used in the trailing position. Generally, paragraphs 
(b)(2) through (6) ensure that the trailing unit is handled safely, and 
that appropriate records are kept and repairs are made. Paragraph 
(b)(2) requires that the railroad and the locomotive, and/or air brake 
manufacturer determine that the control locomotive can safely operate 
with the defective unit in the trailing position.
    AAR submitted comments stating that the railroad should not be 
required to consult with the locomotive or air brake manufacturer, 
because the railroad is capable of making the safety determination on 
its own. FRA believes that input from the manufacturers will improve 
the safety determination. The manufacturers are experts on the 
sophisticated electronically controlled air brake systems that are 
currently in use in the railroad industry (e.g. air brake systems that 
contain forced lead software). It is only prudent to consult with the 
manufacturer when assessing the capabilities of the air brake system.
    GE submitted comments asking what kind of documentation will be 
required from the locomotive manufacturer in support of the 
determination required by paragraph (b)(2). The requirement contained 
in (b)(2) is intended to ensure that a proper safety determination is 
made based on the relevant knowledge of the manufacturer and the 
railroad. The locomotive and/or airbrake manufacturer should provide 
the railroad with technical information that is sufficient to establish 
the proper means for isolating or disabling the inoperative or 
ineffective automatic and/or independent air brake control valve, 
explaining how it does not pose a risk to the safe control of the 
automatic and independent brake systems by the controlling locomotive 
and, any other information that the manufacturer believes is relevant.
Section 229.61 Draft System
    FRA is removing the requirement related to MCB contour 1904 
couplers currently contained in paragraph (a)(1), because it is out 
dated. The existing requirement prohibits the use of a MCB contour 1904 
coupler, if the distance between the guard arm and the knuckle nose is 
more than 5\1/8\ inches. FRA understands that the MCB contour 1904 
coupler design has not been used in the railroad industry since the 
1930s. Most, if not all, of the current locomotive fleet are equipped 
with Type E couplers. For these couplers, the maximum distance 
permitted between the guard arm and the knuckle nose is 5\5/16\ inches, 
as identified in existing paragraph (a)(1). In the NPRM, FRA sought 
comments as to whether any locomotives are currently being operated 
with MCB contour 1904 couplers, and whether the requirement related to 
MCB contour 1904 couplers should be removed from the locomotive safety 
standards. FRA also proposed the reorganize the remaining paragraphs in 
this section to accommodate the removal of paragraph (a)(1). AAR 
submitted the only comment on this issue, stating that it is unaware of 
any locomotives that are currently operating with MCB contour 1904 
couplers, and AAR suggested removing the requirement from the 
locomotive safety standards. FRA agrees with AAR's comment and believes 
that the MCB contour 1904 coupler design is no longer being used in the 
railroad industry, and therefore, the requirement is no longer needed. 
Consequently, the final rule adopts the provision as proposed.

[[Page 21328]]

Section 229.85 High Voltage Markings: Doors, Cover Plates, or Barriers
    FRA is clarifying this section. The purpose of this section is to 
warn people of a potential shock hazard before the high voltage 
equipment is exposed. A conspicuous marking on the last cover, door, or 
barrier guarding the high voltage equipment satisfies the purpose of 
this section. Many locomotives have multiple doors in front of high 
voltage equipment. Often there is a door on the car body that provides 
access to the interior of the car body which contains high voltage 
equipment that is guarded by an additional door, for example, main 
generator covers and electrical lockers. FRA's intent has been to 
require the danger marking only on the last door that guards the high 
voltage equipment. Thus, FRA has slightly modified the language 
currently contained in this section to make this intent clear and 
unambiguous. To further clarify the intent of this section, FRA is also 
changing the title.
    MTA submitted comments stating that the proposed wording did not 
make clear the intent of the change, which as noted in the preamble, is 
to require the warning marking on the last object before accessing the 
high voltage equipment. According to MTA, if one did not read the 
preamble, it would not be apparent that ``direct'' was meant to convey 
this intent and the wording would be too subjective. MTA did not 
explain why it believes that the word ``direct'' is too subjective or 
provide language that would better clarify the intent of this section. 
FRA continues to believe that the word ``direct,'' as used in the 
proposed language, sufficiently identifies the cover, door, or barrier 
that is located immediately in front of the high voltage equipment. The 
Working Group reached consensus on the proposed language with agreement 
that the proposed language would require the danger marking only on the 
last door that guards the high voltage equipment. Based on the Working 
Group's consensus, and without alternative language to consider, FRA is 
adopting the proposed language in the final rule without change. If 
needed, FRA believes that the explanation of the intent of the 
requirement that is contained in this preamble will add clarity to the 
rule text.
Section 229.114 Steam Generator Inspections and Tests
    FRA is adding this section in order to consolidate the steam 
generator requirements contained in various sections of part 229 into a 
single section. Current requirements related to steam generators could 
be found in Sec. Sec.  229.23, 229.25, and 229.27. Consolidating the 
requirements into one section makes them easier to find for the 
regulated community, and helps simplify and clarify each of the 
sections that currently include a requirement related to steam 
generators. The requirements contained in this section are not intended 
to change the substance of any of the existing requirements.
Section 229.119 Cabs, Floors, and Passageways
    In paragraph (d), FRA is raising the minimum allowable temperature 
in an occupied locomotive cab from 50 degrees to 60 degrees. Each 
occupied locomotive cab would be required to maintain a minimum 
temperature of 60 degrees Fahrenheit when the locomotive is in use. FRA 
recognizes that it takes some time for the cab to heat up when the 
locomotive is first turned on, and that some crew members may prefer to 
work in slightly cooler temperatures and temporarily turn off the 
heater. Thus, this requirement will only be applicable in situations 
where the locomotive has had sufficient time to warm-up and where the 
crew has not adjusted that temperature to a personal setting.
    In paragraph (e), FRA is clarifying the existing requirement 
related to the continuous barrier on an open-end platform by adding a 
hyphen between words ``open'' and ``end.'' In the old part 230, issued 
in 1968, paragraph 230.229 (g) addressing the required continuous 
barrier, contains the wording ``Safe and suitable means shall be 
provided for passage between units with open-end platforms.'' The 
hyphen makes clear that the requirement is referring to locomotive 
platforms that are open at the end, and not locomotive platforms that 
are open to the sky. In 1980, when the Locomotive Safety Standards were 
revised, the hyphen was inadvertently removed without explanation, and 
without intention to change the meaning of the existing requirement. 
FRA believes that reinserting the hyphen clarifies the requirement 
without changing it.
    In paragraphs (g) and (h), FRA is establishing requirements related 
to air conditioning units inside of locomotive cabs. Paragraph (g) will 
require all new locomotives to be equipped with an air conditioning 
unit. The requirement will only apply to locomotives ordered after the 
effective date of the rule and to any locomotive placed in service 
after the effective date of the final rule. Paragraph (h) will require 
air conditioning units on such locomotives to be maintained during the 
periodic inspection that is required by Sec.  229.23. FRA expects the 
maintenance to be sufficient to sustain or restore proper functionality 
of the air conditioning unit, meeting or exceeding the manufacturer's 
minimum operating specifications. FRA believes that requiring the 
railroads to maintain their air conditioning units in a manner that 
meets or exceeds the manufacturer's minimum operating specifications 
should result in the sufficient maintenance of the units. FRA will 
monitor air conditioning maintenance performed by railroads to ensure 
that it is being properly and adequately performed. If FRA determines 
that the prescribed level of maintenance is insufficient to ensure the 
proper functioning of the air conditioning units, FRA will consider 
taking regulatory action to address the issue in a future rulemaking.
    FRA understands that railroad's often replace defective air 
conditioning units, rather than make repairs. If a railroad elects to 
replace its air conditioning unit during the periodic inspection, the 
replacement will be considered appropriate maintenance.
    In paragraph (i), FRA is requiring new locomotives to be equipped 
with a securement device that will secure each locomotive cab from the 
inside. The locomotive cab is secured when the door cannot be opened 
from the outside by an unauthorized person, unless broken by force. A 
dead-bolt type arrangement can satisfy this requirement, but FRA 
expects that other designs may also satisfy this requirement. The 
requirement will apply only to locomotives ordered after the effective 
date of the rule and to any locomotive placed in service 6 months after 
the effective date of the final rule to allow railroads a reasonable 
amount of time to comply. However, FRA does expect all new locomotives, 
as of the implementation date of paragraph Sec.  229.119(i), to fully 
comply with the new requirements.
Section 229.123 Pilots, Snowplows, End Plates
    FRA is clarifying paragraph (a) of this section. Based on 
experience applying the regulation, FRA recognizes that a reasonable, 
but improper, reading of the existing language could lead to the 
incorrect impression that a pilot or snowplow is not required to extend 
across both rails. To prevent this misunderstanding and to clarify the 
existing requirement, the phrase ``pilot, snowplow or end plate that 
extends across both rails'' is substituted for ``end plate which 
extends across both rails, a pilot, or a snowplow.'' FRA believes this 
language makes clear that any of the

[[Page 21329]]

above mentioned items must extend across both rails.
    Due to the height of retarders in hump yards, it is not uncommon 
for the pilot, snowplow, or endplate to strike the retarder during 
ordinary hump yard operations. To accommodate the retarders and prevent 
unnecessary damage, FRA has issued waivers to permit more clearance 
(the amount of vertical space between the bottom of the pilot, 
snowplow, or endplate and the top of the rail) in hump yards, if 
certain conditions are met. FRA is adding paragraph (b) to this section 
to obviate the need for individual waivers by incorporating these 
conditions into the revised regulation. The conditions that were 
included in the waivers are reflected in paragraphs (b)(1) through (5).
    The clearance requirement is intended to ensure that obstructions 
are cleared from in front of the locomotive and to prevent the 
locomotive from climbing and derailing. In FRA's experience, hump yards 
contain few obstructions that present this potential risk. The 
protections provided by a pilot, snowplow, or endplate are most 
desirable at grade crossings where the requirement would remain without 
change. This section also establishes various requirements to ensure 
that the train crew is notified of the increased amount of clearance 
and to prevent the improper use of the locomotive. Locomotives with 
additional clearance are required to be stenciled at two locations; the 
train crew must be notified of any restrictions being placed on the 
locomotive; and, the amount of clearance must be noted on the Form FRA 
6180-49a that is maintained in the cab of the locomotive.
    AAR submitted comments stating that FRA should not require the 
increased amount of clearance to be noted on the Form FRA 6180-49a that 
is maintained in the cab of the locomotive. AAR believes that 
stenciling the increased amount of clearance on both ends of the 
locomotive will provide sufficient notice of the clearance height. FRA 
continues to believe that noting the increased amount of clearance on 
the Form FRA 6180-49a that is maintained in the cab of the locomotive 
will benefit safety. The Form FRA 6180-49a provides a routinely used, 
centralized location for the railroad to record important information 
about the locomotive. As a result, the information is made easily 
accessible to train crew members and to FRA inspectors inside the 
locomotive cab. The stenciling will provide additional notification to 
train crew members and FRA inspectors who are on the ground during the 
movement of the locomotive.
Section 229.125 Headlights and Auxiliary Lights
    To incorporate an existing waiver, this section permits a 
locomotive to remain in the lead position until the next calendar day 
inspection after an en route failure of one incandescent PAR 56, 74 
Volt, 350 Watt lamp, if certain safety conditions are satisfied. FRA is 
also extending the existing auxiliary intensity requirements at 7.5 
degrees and 20 degrees to the headlight to clarify the criteria by 
which equivalence of new design head-light lamps will be evaluated to 
achieve the same safety benefit.
    When one of two lamps in a headlight utilizing PAR-56, 350-watt, 74 
volt lamps is inoperative, the center beam illumination for that 
headlight often drops below 200,000 candela due to manufacturing 
tolerances. FRA issued a waiver that allowed a locomotive equipped with 
these lamps to continue in service as a lead unit until the next 
calendar day inspection, when one of the two lamps becomes inoperative. 
Alternatively, when locomotives are handled under the general movement 
for repair provision of Sec.  229.9, they are required to be repaired 
or switched to a trailing position at the next forward location where 
either could be accomplished. Paragraph (a)(2)(i) of this section, 
incorporates the waiver into the regulation. Conditions listed in 
paragraphs (a)(2)(i)(A), (B), and (C) ensure that neither locomotive 
conspicuity at grade crossings, nor the illumination of the right of 
way will be compromised.
Section 229.133 Interim Locomotive Conspicuity Measures--Auxiliary 
External Lights
    To update the regulations related to locomotive conspicuity, FRA is 
removing the ditch light and crossing light requirements contained in 
Sec.  229.133 that have been superseded by similar requirements in 
Sec.  229.125. Section 229.133 currently contains interim locomotive 
conspicuity measures that were incorporated into the regulations in 
1993 while the final provisions related to locomotive auxiliary lights 
were being developed. See 58 FR 6899; 60 FR 44457; and 61 FR 8881. The 
requirements related to ditch lights and crossing lights in Sec.  
229.133 were later superseded by similar requirements in Sec.  229.125, 
published in 1996, and revised in 2003 and 2004. See 68 FR 49713; and 
69 FR 12532. In 1996, locomotives equipped with ditch lights or 
crossing lights that were in compliance with the requirements of Sec.  
229.133 were temporarily deemed to be in compliance with Sec.  229.125 
(i.e., grandfathered into the new regulation). However, that provision 
expired on March 6, 2000. As a result, ditch lights and crossing lights 
that comply with Sec.  229.133 have not satisfied the requirements of 
Sec.  229.125 for more than 10 years. No substantive changes to the 
auxiliary external light requirements were proposed in this section.
Section 229.140 Alerters
    This section requires locomotives that operate over 25 mph to be 
equipped with an alerter and requires the alerters to perform certain 
functions. Today, a majority of locomotives are equipped with alerters. 
As an appurtenance to the locomotive, the alerters have been required 
to function as intended, if installed in the locomotive cab. The 
requirements contained in this final rule will increase the number of 
locomotives equipped with an alerter, and provide specific standards to 
ensure that the alerters are used and maintained in a manner that 
increases safety.
    EMD and AAR submitted comments related to paragraph (a) stating 
that the implementation period for this section should be 1 year, 
rather than the 90 days that FRA proposed in the NPRM. FRA agrees that 
it is reasonable to provide up to 1 year for the railroads to comply, 
because the manufacturers need sufficient time to complete work on 
existing orders that were made before the rule became effective and 
would not comply with the rule. Accordingly, FRA is establishing an 
implementation period of 1 year in paragraph (a)(1).
    During Working Group discussions, all parties agreed that an 
alerter would be considered non-compliant if it failed to reset in 
response to at least three of the commands listed in paragraphs (b)(1) 
through (6) of this section, in addition to the manual reset. It is 
important that locomotives equipped with an alerter adhere to minimum 
performance standards to ensure that the alerter serves its intended 
safety function. Utilizing several different reset options for the 
warning timing cycle increases the effectiveness of the alerter, as it 
will require differentiated cognitive actions by the operator. This 
will help prevent the operator from repeating the same reset many times 
as a reflex, without having full awareness of the action.
    BLET and UTU submitted comments stating that alerter requirements 
for locomotives that operate at speeds less than 25 MPH would improve 
safety. FRA believes that tailoring the alerter

[[Page 21330]]

standard to a minimum operational speed will permit operational 
flexibility while maintaining safety. Many freight railroads only 
operate over small territories. They generally move freight equipment 
between two industries or interchange traffic with other, larger 
railroads. For these operations, the advantages of and the ability to 
move at higher speeds are non-existent. Moreover, movements at these 
lower speeds greatly reduce the risk of injury to the public and damage 
to equipment. For these reasons, there is a reduced safety need for 
requiring alerters on locomotives conducting these shorter, low speed 
movements. In addition, as an appurtenance to the locomotive, an 
alerter must operate as intended when present on a locomotive. Section 
20701 of Title 49 of the United States Code prohibits the use of a 
locomotive unless the entire locomotive and its appurtenances are in 
proper condition and safe to operate in the service to which they are 
placed. Therefore, if a locomotive that operates at speeds less than 25 
MPH is equipped with an alerter, the alerter will be required to 
function. Under this authority, FRA has issued many violations against 
railroads for operating locomotives equipped with a non-functioning 
alerter.
    Paragraph (f) will ensure that the locomotive alerter on the 
controlling locomotive is always tested prior to being used as the 
controlling locomotive. The test is required during the trip that the 
locomotive is used as a controlling locomotive. This requirement allows 
the crew to know the alerter functions as intended each time a 
locomotive becomes the controlling locomotive.

B. Part 229 Subpart E--Locomotive Electronics

    Comments on the proposed part 229 subpart E were received from the 
AAR, GE, MTA, and CATRON/CHRQ. AAR noted that the requirements of Sec.  
229.20 would more comprehensively satisfy the discussion of electronic 
record keeping in Sec.  229.313(e). FRA agrees, and has revised Sec.  
229.213(e) to reference the requirements of Sec.  229.20. FRA has 
further modified Sec.  229.20 in this final rule to clarify the issue 
of record accessibility raised by MTA raised in conjunction with Sec.  
229.313(e) that was proposed in the NPRM.
    AAR also noted that the locomotive electronics section imposes very 
technical obligations on railroads and that railroads will not possess 
the technical expertise to carry out these obligations but would have 
to rely on the suppliers of the equipment FRA believes that AAR and the 
railroads are being much too modest regarding their technical 
capabilities, and points to the AAR's own ``Manual of Recommended 
Standards and Practices'' as an example of the outstanding technical 
capabilities of the railroads. FRA does appreciate that there may be 
areas where the railroads' expertise may not fully align with that of 
their suppliers, and has modified the language in various portions 
subpart E to reflect this reality.
    Both GE and MTA commented that the definition of ``product'' as 
proposed in the regulatory text of Sec.  229.305 was overly broad, and 
might be subject to misinterpretation as it could be interpreted to 
cover locomotive functionality not directly required for the operation 
of the locomotive, such as prime mover fuel injection, ventilation 
louver, and fan control. While FRA believes that the intent not to 
include such functionality is clear in the preamble to the NPRM and the 
preamble to this final rule, FRA has modified the definition of 
``product'' to more narrowly focus on the locomotive functionality 
which is covered by this part. The final rule definition of ``product'' 
in Sec.  229.305 clarifies that a product, for the purposes of this 
subpart, is related to train movement functions and interfaces between 
man and machine, and it specifically excludes signal and train control 
functions. The preamble language has also been modified to further 
clarify applicability.
    GE, in its comments to the NPRM, requested additional guidance 
related to the meaning of the terms ``interfaced,'' ``comingled,'' 
``integrated,'' ``loosely coupled,'' and ``primary train control 
systems'' as used in part 229. FRA has added additional clarification 
in the preamble to this final rule these terms that are consistent with 
the RSAC working group discussions as well as Part 236 Subpart I. 
Specifically, FRA has:
    1. Changed Sec.  229.301(b) to delete the term ``interfaces'' and 
modified the preamble discussion accordingly.
    2. Modified the definition of ``new or next generation locomotive 
control systems'' to include systems under development identified to 
FRA within six months of date of publication of the final rule, and 
implemented within 42 months after the date of publication of the final 
rule.
    3. Modified the definition of ``product'' contained in Sec.  
229.305, as discussed earlier.
    4. Provided a clearer definition of what is meant by ``comingle.'' 
Comingle is now defined in terms of coupling and cohesion, with new 
definitions for tightly coupled, loosely coupled, and cohesion added to 
Sec.  229.305
    In its comments, GE recommended the addition of ANSI/GEIA-STD-0010 
as a recognized standard in terms of providing appropriate risk 
analysis processes for incorporation into verification and validation 
standards in proposed Appendix F. FRA agrees and has added ANSI/GEIA 
STD 0010 to the list of appropriate risk analysis procedures. CATRON/
HCRQ also noted in their comments that ANSI/HFS 100-1988 referenced in 
Appendix F has been superseded by ANSI 100-2007 and that ANSI 100-2007 
accommodates additional new technology (LCD and luminescent displays). 
FRA agrees and has changed the reference to identify ANSI/HFS 100-2007. 
CATRON/HCRQ also noted that ``Railway Applications Specification and 
Demonstration of Reliability Availability, Maintainability and Safety 
(RAMS); Safety (RAMS) (ii) EN50128 (May 2001), Railway Applications: 
Software for Railway Control and Protection Systems'' has been adopted 
by the IEC as ``Railway Applications Specification and Demonstration of 
Reliability Availability, Maintainability and Safety (RAMS) IEC 
62279:2002 (May 2001), Railway Applications: Software for Railway 
Control and Protection Systems;'' FRA agrees and has retained the 
applicable CENLEC numbers and added the appropriate IEC numbers where 
applicable.
    CATRON/HCRQ also made a large number of other recommendations 
regarding the wording of the language in the preamble, the rule text, 
and Appendix F to add clarity and accuracy. Generally, FRA agreed with 
the proposed changes, and they have been incorporated in the final 
rule.
    FRA, however, does not agree with some of the recommendations made 
by CATRON/HCRQ in their comments. CATRON/HCRQ recommended removing the 
requirement for conducting sensitivity analysis, stating the ``* * * 
[s]ensitivity analysis places an undue burden on suppliers. It is 
costly to perform in terms of the software tool and the effort 
required. It does not comply with the Executive Order of January 18, 
2011 which targets Improving Regulation and Regulatory Review.'' FRA 
believes that the sensitivity analysis is necessary to determine which 
elements/factors have the greatest impact on the safety of a system if 
assumptions are incorrect. Sensitivity analysis answers the question. 
``[I]f these variables deviate from expectations, what will the effect 
be (on the business, model, system, or whatever is being analyzed)?'' 
In more

[[Page 21331]]

general terms, uncertainty and sensitivity analysis investigate the 
robustness of a design. Due to the importance of understanding the 
potential impact on system safety if design assumptions are incorrect, 
FRA declines to change the requirement for conducting a sensitivity 
analysis. Without conducting such an analysis, FRA believes that it 
would be difficult to assert with any degree of confidence that a 
presumed risk metric and risk mitigation is appropriate. FRA believes 
that the use of a sensitivity analysis is consistent with Section 5 of 
E.O. 13563, issued on January 18, 2011, which requires that ``each 
agency shall ensure the objectivity of any scientific and technological 
information and processes used to support the agency's regulatory 
actions.'' The revised section-by-section analysis for Subpart E 
reflecting the received comments follows:
Section 229.301 Purpose and Scope
    The purpose of this subpart is to promote the safe design, 
operation, and maintenance of safety-critical electronic locomotive 
control systems, subsystems, and components. Safety-critical electronic 
systems identified in proposed paragraph (a) would include, but would 
not be limited to: directional control, graduated throttle or speed 
control, graduated locomotive independent brake application and 
release, train brake application and release, emergency air brake 
application and release, fuel shut-off and fire suppression, alerters, 
wheel slip/slide applications, audible and visual warnings, remote 
control locomotive systems, remote control transmitters, pacing 
systems, and speed control systems.
    In paragraph (b), FRA emphasizes that when a new or proposed 
locomotive control system function interfaces or comingles with a 
safety critical train control system covered by 49 CFR 236 Subpart H or 
I, the locomotive control system functionality would be required to be 
addressed in the train control systems Product Safety Plan or the 
Positive Train Control Safety Plan, as appropriate. FRA recognizes that 
advances in technology may further eliminate the traditional 
distinctions between locomotive control and train control 
functionalities. Indeed, technology advances may provide for 
opportunities for increased or improved functionalities in train 
control systems that run concurrent with locomotive control. Train 
control and locomotive control, however, remain two fundamentally 
different operations with different objectives. FRA does not intend to 
restrict the adoption of new locomotive control functions and 
technologies by imposing regulations on locomotive control systems 
intended to address safety issues associated with train control.
Section 229.303 Applicability
    A safety analysis would be required for new electronic equipment 
that is deployed for locomotives. However, FRA does not intend to 
impose retroactive safety analysis requirements for existing equipment. 
FRA recognizes that railroads and vendors may have already invested 
large sums of time, effort, and money in the development of new 
products that were envisioned prior to this proposed rule. Accordingly, 
the requirements of this subpart are not retroactive and do not apply 
to existing equipment that is currently in use, nor does it apply to 
new products that are actively under development. For that reason, FRA 
provides a grace period in paragraphs (a) and (b) to allow the 
completion of existing new developments. This provides sufficient time 
for railroads and vendors to realize profits on their investment in new 
technologies made prior to the adoption of this rule. Any system that 
has not been placed in use by the end of the grace period would be 
required to comply with the safety analysis requirements. Vendors are 
required to identify these projects to FRA within 6 months after the 
effective date of this rule. FRA believes this will avoid 
misunderstandings concerning which systems receive the grace period. 
FRA will consider any systems not identified to FRA within the 6-month 
window to be a new product start that would require a safety analysis.
    In paragraph (c), FRA makes clear that the exemption is limited in 
scope. Products that result in degradation of safety or a material 
increase in safety-critical functionality are not exempt. Products with 
slightly different specifications that are used to allow the gradual 
enhancement of the product's capabilities do not require a full safety 
analysis as specified in Appendix F (or equivalent), but do require a 
formal verification and validation to the extent that the changes 
involve safety-critical functions.
Section 229.305 Definitions
    Generally, this section standardizes similar definitions between 49 
CFR part 236 subpart H and I, and this part. Although 49 CFR part 236 
subpart H and I addresses train control systems, and this subpart 
addresses locomotive control systems, both reflect the adoption of a 
risk-based engineering design and review process. The definition 
section, however, does introduce several new definitions applicable to 
locomotive control systems.
    ``Loosely coupled'' means an attribute of systems, specifically 
referring to an approach to designing interfaces across systems, 
subsystems, or components to reduce the interdependencies between 
them--in particular, reducing the risk that changes within one system, 
subsystem, or component will create unanticipated changes within other 
system, subsystem, or component systems. Loosely coupled systems reduce 
this risk by enforcing standards for behavior at the interfaces of 
between systems, subsystems, or components while providing a great deal 
of freedom to modify activity within the systems, subsystems, or 
components. What happens within any one system, subsystem, or component 
matters little to the other systems, subsystems, or components as long 
as each system, subsystem, or component meets the specifications for 
deliverables at the interface of the systems, subsystems, or 
components. This is the opposite of ``tightly coupled''.
    ``New or next-generation locomotive control system'' refers to 
locomotive control products using technologies or combinations of 
technologies not in use on the effective date of this regulation, 
products that are under development as of October 9, 2012, and are 
placed in service prior to October 9, 2015, or without established 
histories of safe practice. Traditional, non-microprocessor systems, as 
well as microprocessor and software based locomotive control systems, 
are currently in use. These systems have used existing technologies, 
existing architectures, or combinations of these to implement their 
functionality. Development of a safety analysis to accomplish the 
requirements of this part would require reverse engineering these 
products. Reverse engineering a product is both time consuming and 
expensive. Requiring the performance of a safety analysis on existing 
products would present a large economic burden on both the railroads 
and the original equipment manufacturers (OEM). The economic burden 
would likely be significantly less for new combinations of technology 
and architectures that either implement existing functionality, or 
implement new functionality. These types of systems lack a proven 
service history and the safety analysis would be accomplished in the 
normal course of system design to mitigate the lack of a proven service 
history. The fundamental differences make it necessary to clearly

[[Page 21332]]

distinguish between the two classes of locomotive control systems 
products.
    ``Product'' means any safety critical locomotive control system 
processor-based system, subsystem, or component whose functions are 
directly related to safe movement and stopping of the train as well as 
the associated man-machine interfaces, regardless of the location of 
the control system, subsystem, or component. It specifically excludes 
safety critical processor based signal and train control systems. The 
definition identifies the covered systems that would require a safety 
analysis. Generally, locomotive manufacturers consider their product to 
be the entire locomotive. This includes systems and subsystems. In this 
situation, the manufacturers' extensive knowledge of the product allows 
them to conduct a safety analysis on the safety critical elements, 
including locomotive control systems. Similarly, major suppliers to 
locomotive manufacturers are also familiar with their own products. 
They too can clearly identify the safety critical elements and conduct 
the safety analysis accordingly. However, the same is not necessarily 
true for suppliers without extensive railroad domain knowledge. These 
suppliers may not understand that their product requires a safety 
analysis, or may lack experience to recognize that the subsystems or 
components of the product are subject to the safety analysis of this 
part. Accordingly, the definition of ``product'' indentifies the 
covered systems requiring a safety analysis. The definition of 
``product'' also clarifies the location of the functionality. As 
advanced technologies like a remote control locomotive demonstrates the 
system, subsystem, or components responsible for the safe movement and 
stopping of the train need not be physically located on the locomotive.
    The definition of ``Safety Analysis'' refers to a formal set of 
documentation that describes in detail all of the safety aspects of the 
product, including but not limited to procedures for its development, 
installation, implementation, operation, maintenance, repair, 
inspection, testing, and modification, as well as analyses supporting 
its safety claims. A Safety Analysis (SA) is similar to the Product 
Safety Plan (PSP) required by 49 CFR part 236 subpart H or the Positive 
Train Control Safety Plan (PTCSP) required by 49 CFR part 236 subpart I 
for signal and train control systems. There is, however, a fundamental 
difference between the PSP or PTCSP safety analysis, and the SA 
contained in this subpart. The products covered by a PSP and PTCSP 
require formal FRA approval prior to the product being placed in use, 
and products covered by a SA do not. This difference is rooted in 
fundamental differences between functionality of signal and train 
control and locomotive control. Although developers of an SA and a PSP 
or PTCSP may merge functions to operate together on a common platform, 
different safety analyses would be required. In order to ensure that 
there is no confusion between the safety analyses required by 49 CFR 
part 236 subparts H or I, and the safety analysis required in this 
subpart, a different definition is provided for the SA in this part.
    The definition of ``Safety-critical,'' as applied to a function, a 
system, or any portion thereof, means an aspect of the locomotive 
electronic control system that requires correct performance to provide 
for the safety of personnel, equipment, environment, or any combination 
of the three; or the incorrect performance of which could cause a 
hazardous condition, or allow a hazardous condition which was intended 
to be prevented by the function or system to exist. This definition is 
substantially similar to that found in 49 CFR part 236 Subparts H and 
I. FRA recognizes that functionality differs between locomotive control 
systems and signal and train control systems, and further recognizes 
that the failure modes, the probabilities of failure, and the specific 
consequences of a failure differ. Despite the differences between 
locomotive control systems and signal and train control systems, the 
result of a safety critical failure is the same, creation of a 
hazardous condition that could affect the safety of the personnel, 
equipment, or the environment. The same is also true for systems 
designed to prevent adverse hazards in locomotive control systems, 
signal and train control systems, or both. The failure of these types 
of systems would either create a new hazard, or allow a system intended 
to prevent a hazard to occur, regardless of domain.
    ``Tightly coupled'' is an attribute of systems, referring to an 
approach to designing interfaces across systems, subsystems, or 
components to maximize the interdependencies between them--in 
particular, increasing the risk that changes within one system, 
subsystem, or component will create unanticipated changes within other 
system, subsystem, or component. Tightly coupled systems offer the 
potential for improved operational efficiencies compared to loosely 
coupled systems because of reduced message and parameter creation, 
transmission, translation and interpretation overhead and sharing of 
critical systems, subsystems, and components. However tightly coupled 
systems tend to exhibit the following characteristics, which are often 
seen as disadvantages:
    1. A change in one system, subsystem, or component usually forces a 
ripple effect of changes in other systems, subsystems, or components
    2. Assembly of system, subsystem, or component might require more 
effort and/or time due to the increased inter- system, subsystem, or 
component dependencies.
    3. A particular system, subsystem, or component might be harder to 
reuse and/or test because dependent system, subsystem, or component 
must be included.
    Cohesion is a measure of how strongly-related or focused are the 
responsibilities of a system, subsystem, or component. There are a 
number of different degrees of cohesion, of which the most desirable 
are communicational, sequential cohesion, and functional cohesion. 
Communicational cohesion is when system, subsystem, or components are 
grouped because they operate on the same data. Sequential cohesion is 
when parts of a system, subsystem, or component are grouped because the 
output from one system, subsystem, or component is the input to another 
part. It is analogous to an assembly line. Functional cohesion is when 
systems, subsystems, or components are grouped because they all 
contribute to a single well-defined task. While functional cohesion is 
considered the most desirable type of cohesion for a system, subsystem, 
or component, it may not be achievable. There are cases where 
communicational cohesion is the highest level of cohesion that can be 
attained under the circumstances. Low cohesion implies that a system, 
subsystem, or component performs tasks which are not very related to 
each other and hence can create problems as the system, subsystem, or 
component becomes large.
    Comingle can be, therefore, expressed in terms the nature of the 
coupling and cohesion between the relevant systems, subsystems, or 
components. Comingle refers to the act of creating systems, subsystems, 
or components where the systems, subsystems, or components are tightly 
coupled and where the resulting systems, subsystems, or components 
exhibit a low degree of cohesion.
Section 229.307 Safety Analysis
    The SA serves as the principal safety documentation for a safety-
critical locomotive control system product. Engineering best practice 
today

[[Page 21333]]

recognizes that elimination of all risk is impossible. It recognizes 
that the traditional design philosophy that eliminates all risk (risk 
avoidance) adversely affects a product's cost and performance. 
Consequently, designers have adopted a philosophy of risk management. 
Under this philosophy, designers consider both the consequences of a 
failure and the probability of a failure. Designers then select the 
appropriate risk mitigation technique. The risk mitigation philosophy 
reduces cost and improves performance compared to risk avoidance.
    Fundamental to the execution of the risk management philosophy is 
the development and documentation of a SA that closely examines the 
relationship between consequences of a failure, probability of 
occurrence, failure modes, and their mitigation strategies. Paragraph 
(a) of this section clearly recognizes this, and would address this 
need by requiring the development of the SA documentation. It also 
recognizes that some developers of SAs may have little experience in 
risk-based design. Appendix F offers one approach. There are a number 
of equally effective or better approaches. FRA encourages railroads and 
OEMs to select an approach best suited to their business model. FRA 
would consider as acceptable any approach that would be equal to, or 
more effective than, the one outlined in Appendix F.
    Paragraph (b) along with paragraph (a) of this section, further 
establish a regulatory mandate for risk management design. Railroads 
that elect to allow a locomotive control system to be placed in use on 
its property are required to ensure that an appropriate SA is completed 
first.
    Generally, only a single SA would be required for a product. 
Therefore, FRA would recognize as acceptable any appropriate SA done 
under the auspices of one railroad, or a consortium of railroads. FRA 
also recognizes that railroads may lack the necessary product 
familiarity or technical expertise to prepare the SA. FRA anticipates 
that vendors will accomplish the bulk of preparing the SA in the course 
of the product development.
    FRA also recognizes that product vendors may develop a product 
prior to its procurement by a railroad. In this situation, FRA would 
provide review and comment as requested by the vendor. This review by 
FRA would not represent an endorsement of the product. FRA expects that 
the vendor would work with a railroad, or a consortium of railroads, 
for final review and approval of the SA. FRA also wishes to make clear 
that the SA would only be required for new or next generation 
locomotive control systems, as defined in Sec.  229.305, or for 
substantive changes to an existing product. The latter would include: 
The addition or deletion of safety critical functionality to the 
product; significant paradigm shifts in the underlying systems' 
architecture or implementation technologies; or, significant departures 
from widely accepted and service proven industry best past practices. 
The half-life of microprocessor-based hardware is relatively short, and 
the associated software is subject to change as technical issues are 
discovered with existing functionality. FRA anticipates that there will 
be maintenance-related changes of software, as well as replacement of 
functionally identical hardware components as exiting hardware 
undergoes repair or reaches the end of its useful service life. These 
changes, which potentially may be extensive, do not change the safety 
critical functionality, the underlying implementation paradigm shift, 
or mark a significant departure from current industry practice. FRA 
emphasizes that these non-safety critical products would not require a 
SA.
    The railroads and vendors have generally demonstrated, with a high 
degree of confidence, that existing systems can safely operate. In 
response to potential liability issues, railroads have shown they 
carefully examine the safety of a product prior to placing it in use. 
FRA fully expects that the railroads would continue to apply the same 
due diligence to new or next generation systems as they review the SA 
for these more complex products. Paragraph (b) is intended to limit 
FRA's review of the SAs. This, of course, would not restrict FRA review 
where it appears that due diligence has not been exercised, there are 
indications of fraud or malfeasance, or the underlying technology or 
architecture represent significant departures from existing practice.
    In paragraph (b), FRA requires that the SA establish with a high 
degree of confidence that safety-critical functions of the product will 
operate in a fail-safe manner in the operating environment in which it 
will be used. FRA anticipates that the railroad and vendor community 
would exercise due diligence in the design and review process prior to 
placing the product in use. Due diligence would typically be 
demonstrated by the completion, review and internal approval of the SA. 
The railroad will be required to determine that this standard has been 
met, prior to a product change, or placing a new or next generation 
product in use.
    Paragraph (b) also requires that the railroads identify appropriate 
procedures to immediately repair safety-critical functions when they 
fail. If the procedures are not followed, it would result in a 
violation for failing to comply with the SA.
Section 229.309 Safety Critical Changes and Failures
    Safety critical microprocessors, like any electronics available 
today, are subject to significant change. It is necessary for railroads 
to ensure that safe system operations continue in the event of planned 
changes to the software or hardware maintenance of hardware and 
software configurations. Failure to maintain hardware and software 
configurations increases the probability that unintended consequences 
will occur during system operation. These unintended consequences do 
not necessarily reveal themselves on initial installation and 
operation, but may occur much later.
    Not all railroads may experience the same software or hardware 
faults. The SA developer's software and hardware development, 
configuration management, and fault tracking play an important role in 
ensuring system safety. Without an effective configuration management 
and fault reporting system, it is difficult, if not impossible to 
evaluate the associated risks. The number of failures experienced by 
one railroad may not exceed the number of failures identified in the 
SA, but the aggregate from multiple railroads may. The vendor is best 
positioned to aggregate identified faults, and is best able to 
determine that the design and failure assumptions exceed those 
predicted by the safety analysis. An ongoing relationship between a 
railroad and its vendor is, therefore, essential to ensure that 
problems encountered by the railroad are promptly reported to the 
vendor for correction, and that problems encountered and reported by 
other railroads to the vendor are shared with other railroads. 
Furthermore, changes to the system developed by the vendor must be 
promptly provided to all railroads in order to eliminate the reported 
hazard. A formal, contractual relationship would provide the best 
vehicle for ensuring this relationship. This section clearly identifies 
the responsibility of railroads, and car owners, to establish such a 
relationship for both reporting hazards.
    In order to accomplish their responsibilities, FRA expects that 
each railroad would have a configuration tracking system that will 
allow for the identification and reporting of hardware

[[Page 21334]]

and software issues, as well as promptly implementing changes to the 
safety critical systems provided by the vendor, regardless of the 
original reporting source of the problem. This section requires 
railroads to identify, and create such a system if they have not 
already done so.
    Paragraph (b) requires immediate notification to a railroad of real 
or potential safety hazards identified by the private car suppliers and 
private car owners. This allows affected railroads to take appropriate 
actions to ensure the safety of rail operations.
    In paragraph (c), the private car owner's configuration/revision 
control measures should be accepted by the railroad that would be using 
the car and implementing the system. The private car owner may have 
placed safety critical equipment on his car that is unfamiliar to the 
railroad using that car, and the necessary contractual relationship 
that would be required in paragraph (a)(3) of this section may not 
exist because the equipment in question is not part of the railroad's 
inventory. The private car owners are expected to communicate these 
issues with the host railroads. This requirement is intended to ensure 
that the safety-functional and safety-critical hazard mitigation 
processes are not compromised by unknown changes to software or 
hardware. Reporting responsibilities, as well as the configuration 
management, and tracking responsibilities also extend to private car 
owners.
Section 229.311 Review of SAs
    In paragraph (a), FRA requires railroads to notify FRA before 
covered locomotive electronic products are placed in use. As discussed 
above, FRA anticipates that review of the SA and amendments would be 
the exception, rather than the normal practice. However, FRA believes 
it is appropriate to have the opportunity to review products and 
product changes to ensure safety. FRA requires that it have the 
opportunity to have products and product changes identified to it, and 
the opportunity to elect a review. FRA also realizes that development 
of these products represents a significant financial investment, and 
that the railroad would like to utilize the products as soon as 
possible in order to recover its investment.
    Paragraph (b) reflects the expectation that FRA will decide whether 
to review an SA within 60 days after receipt of the requested 
information. Based on the information provided to FRA, the Associate 
Administrator for Safety will evaluate the need and scope of any 
review. Within 60 days of receipt of the notification required in 
paragraph (a), FRA will either decline to review or request to review. 
If FRA has not notified the railroad of its intent to review or audit 
the SA within the 60 day period, the railroad may assume that FRA does 
not intend to review or audit, and place the product in use. FRA 
reserves the right to conduct a review at a later date. Examples of 
causes for a review or audit prior to placing the product in use would 
include: Products with unique architectural concepts; products that use 
design or safety assurance concepts considered outside existing 
accepted practices; and, products that appear to comingle the 
locomotive control function with a safety-critical train control 
processing function. FRA may convene technical consultations, as 
necessary, to discuss issues related to the design and planned 
development of the product. Causes for an audit of the SA after a 
product is placed in service would include, but are not limited to, 
such circumstances as a credible allegation of error or fraud, SA 
assumptions determined to be invalid as a result of in-service 
experience, one or more unsafe events calling into question the safety 
analysis, or changes to the product.
    If FRA elects not to review a product's SA, railroads would be able 
to put the product immediately in use after notification that FRA 
elects not to review. In the event that FRA would elect to review, FRA 
would attempt to complete the review within 120 days. FRA's ability to 
complete the review within 120 days will depend upon various factors, 
such as the complexity of the new product or product change, its 
deviation from current practice, the functionality, the architecture, 
the extent of interfaces with other systems, and the number of 
technical consultations required. Products reviewed by FRA under these 
circumstances may not be placed in use until FRA's review is complete.
Section 229.313 Product Testing Results and Records
    This section requires that records of product testing conducted in 
accordance with this subpart be maintained. To effectively evaluate the 
degree to which the SA reflects real, as opposed to predicted 
performance, it is necessary to keep accurate records of performance 
for the product. In addition to collecting these records, it is also 
essential for regular comparison of the real performance results with 
the predicted performance. Thus, in this section, FRA requires such 
records to be maintained. Where the real performance, as measured by 
the collected data, exceeds the predicted performance of the SA, FRA 
requires no action. If the real performance is worse than the predicted 
performance, this section requires that the railroad take immediate 
action to improve performance to satisfy the predicted standard. Prompt 
and effective action would be required to bring the non-compliant 
system into compliance.
    FRA encourages, but does not require a railroad to proactively 
evaluate their systems, and take corrective action prior to the system 
becoming non-compliant with the predicted performance standard. If an 
unpredicted hazard would occur, the system would be required to be 
immediately evaluated, and the appropriate corrective action would need 
to be taken. FRA would not expect a railroad to defer any corrective 
action.
    This section establishes a requirement for a railroad to keep 
detailed records to evaluate the system. However, the railroad may 
elect to have the system supplier keep these records. There would be 
many advantages to the later approach, primarily that the vendor would 
receive an aggregate of the technical issues, making them better 
positioned to analyze the system performance. Although a railroad may 
delegate recordkeeping, the railroad would retain the responsibility 
for keeping records of performance on their property. The railroads 
would be responsible for ensuring the safe operation of systems on 
their property, and would be required to have access to the performance 
data if they are to carry out their responsibilities under this 
proposed section.
    This section also requires detailed handling requirements for 
required records. Paragraph (a) requires specific content in the 
record. FRA will accept paper records or electronic records. Electronic 
recordkeeping is encouraged, as it reduces storage costs, simplifies 
collection of information, and allows data mining of the collected 
information. However, to ensure that the electronic records provide all 
required information, approval by the Associate Administrator for 
Safety is required.
    Signatures on paper records are required to uniquely identify the 
person certifying the information contained in the record in such a 
manner that would enable detection of a forgery. Paragraph (a) ensures 
that an electronic signature could be attributable to single individual 
as reliably as paper records. It will be possible to meet the storage 
requirement in several different ways. Physical paper records will be 
expected to be kept at the physical location of the supervising 
official. Electronic records

[[Page 21335]]

will be permitted to be either stored locally, or remotely. FRA has no 
preference as long as the records are promptly accessible for FRA 
review.
    Paragraph (b) specifies the required retention period for the 
records. FRA recognizes that retaining records involves a cost to 
railroads, and appreciates their desire to minimize both the number, 
and the required retention period. To this end, FRA has identified two 
different categories of records, and proposes differing retention 
periods for each. The first category involves records associated with 
installation or modification of a system and would contain data 
required for evaluating the product's performance and compliance to the 
safety case conditions throughout the life of the product. FRA will 
consider the life of the product to begin when the product is first 
placed in use and end with the permanent withdrawal of the product from 
service. In the event of permanent transfer of the product to another 
railroad, the receiving railroad would become responsible for 
maintaining the records. This responsibility will continue until the 
product is completely withdrawn from rail service. The second category 
of records addresses periodic testing and will have a retention period 
of at least one year, or the periodicity of the subsequent test, 
whichever is greater. Results obtained by subsequent tests will 
supersede the earlier test. The earlier test results will be moot for 
evaluating the current condition.
    Regrettably, in some cases, the use of electronic records may not 
meet the minimum standards required by FRA. Consequently, FRA 
establishes procedural requirements related to withdrawing 
authorization to use electronic records in paragraph (c). If FRA finds 
it necessary to withdraw an authorization, FRA will explain the reason 
in writing.
Section 229.315 Operation Maintenance Manual
    This section requires that each railroad have a manual covering the 
requirements for the installation, periodic maintenance and testing, 
modification, and repair of its safety critical locomotive control 
systems. This manual can be kept in paper or electronic form. It is 
recommended that electronic copies of the manual be maintained in the 
same manner as other electronic records kept for this part and that it 
be included in the railroad's configuration management plan (with the 
master copy and dated amendments carefully maintained so that the 
status of instructions to the field as of any given date can be readily 
determined).
    Paragraph (a) requires that the manual be available to both persons 
required to perform such tasks and to FRA. Paragraph (b) requires that 
plans necessary for proper maintenance and testing of products be 
correct, legible, and available where such systems are deployed or 
maintained. The paragraph also requires that the manual identify the 
current version of software installed, revisions, and revision dates. 
Paragraph (c) requires that the manual identify the hardware, software, 
and firmware revisions in accordance with the configuration management 
requirement. Paragraph (d) requires the identification, replacement, 
handling, and repair of safety critical components in accordance with 
the configuration management requirements. Finally, paragraph (e) 
requires the manual be ready for use prior to deployment of the 
product, and that it be available for FRA review.
Section 229.317 Training and Qualification Program
    This section provides specific parameters for training railroad 
employees and contractor employees to ensure they have the necessary 
knowledge and skills to complete their duties related to safety-
critical products. Paragraph (a) requires the training to be formally 
conducted and documented based on educational best practices. 
Paragraphs (b) and (c) require the employer to identify employees that 
will be performing inspection, testing, maintenance, repairing, 
dispatching, and operating tasks related to the safety critical 
locomotive systems, and develop a written task analysis for the 
performance of duties. The employer is required to identify additional 
knowledge and skills above those required for basic job performance 
necessary to perform each task. Work situations often present 
unexpected challenges, and employees who understand the context within 
which the job is to be done would be better able to respond with 
actions that preserve safety. Further, the specific requirements of the 
job would be better understood, and requirements that are better 
understood are more likely to be adhered to. Well-informed employees 
would be less likely to conduct ad hoc trouble shooting; and therefore, 
should be of greater value in assisting with trouble shooting.
    AAR submitted comments stating that it seems unnecessary to publish 
training requirements that specifically address locomotive electronics, 
and claiming that requiring a formal task analysis is overly 
burdensome. Training for personnel that works with locomotive 
electronics is technical and specialized. As such, FRA continues to 
believe that the training requirements for locomotive electronics 
should be addressed specifically in Sec. Sec.  229.17 and 229.19. FRA 
also believes that a formal task analysis as part of training is vital 
to preparing personnel to operate locomotive electronics safely. AAR 
failed to explain why requiring a formal task analysis will be overly 
burdensome and they failed to suggest any alternative training. 
Accordingly, in this final rule, FRA retains the proposed training 
requirements.
    Paragraph (d) requires the employer to develop a training 
curriculum that includes either classroom, hands-on, or other formally-
structured training designed to impart the knowledge and skills 
necessary to perform each task.
    Paragraph (e) adds a requirement that all persons subject to 
training requirements and their direct supervisors must successfully 
complete the training curriculum and pass an examination for the tasks 
for which they are responsible. Generally, giving appropriate training 
to each of these employees prior to task assignment will be required. 
The exception would be when an employee, who has not received the 
appropriate training, is conducting the task under the direct, on-site 
supervision of a qualified person.
    Paragraph (f) requires periodic refresher training. This periodic 
training must include classroom, hands-on, computer-based training, or 
other formally structured training. The intent is for personnel to 
maintain the knowledge and skills required to perform their assigned 
task safely.
    Paragraph (g) adds a requirement to compare and evaluate the 
effectiveness of training. The evaluation would first determine whether 
the training program materials and curriculum are imparting the 
specific skills, knowledge, and abilities to accomplish the stated 
goals of the training program; and second, determine whether the stated 
goals of the training program reflect the correct, and current, 
products and operations.
    Paragraph (h) requires the railroad to maintain records that 
designate qualified persons. Records retention is required until 
recording new qualifications, or for at least one year after such 
person(s) leave applicable service. The records are required to be 
available for FRA inspection and copying.

[[Page 21336]]

Section 229.319 Operating Personnel Training
    This section contains minimum training requirements for locomotive 
engineers and other operating personnel who interact with safety 
critical locomotive control systems. ``Other operating personnel'' 
refers to onboard train and engine crew members (i.e., conductors, 
brakemen, and assistant engineers).
    Paragraph (a) requires training program to cover familiarization 
with the onboard equipment and the functioning of that equipment as 
part of, and its relationship to, other onboard systems under that 
person's control. The training program must cover all notifications by 
the system (i.e., onboard displays) and actions or responses to such 
notifications required by onboard personnel. The training is also 
required to address how each action or response ensures proper 
operation of the system and safe operation of the train.
    During system operations emergent conditions could arise which 
would affect the safe operation of the system. This section also 
requires operating personnel to be informed as soon as practical after 
discovery of the condition, and any special actions required for safe 
train operations.
    For certified locomotive engineers and conductors, paragraph (b) 
requires that the training requirements of this section be integrated 
into the training requirements of parts 240 and 242. Although this 
requirement only addresses engineers, in the event of certification of 
other operating personnel, the expectation is that these requirements 
would be included in their training requirements.

Appendix F--Recommended Practices for Design and Safety Analysis

    Appendix F provides an optional set of criteria for performing risk 
management design of locomotive control systems. FRA recognizes that 
not all safety risks associated with human error can be eliminated by 
design, no matter how well trained and skilled the designers, 
implementers, and operators. The intention of the appendix is to 
provide one set of safety guidelines distilled from proven design 
considerations. There are numerous other approaches to risk management-
based design. The basic principles of this appendix capture the lessons 
learned from the research, design, and implementation of similar 
technology in other modes of transportation and other industries. The 
overriding goal of this appendix is to minimize the potential for 
design-induced error by ensuring that systems are suitable for 
operators, and their tasks and environment.
    FRA believes that new locomotive systems will be in service for a 
long period. Over time, there will be modifications from the original 
design. FRA is concerned that subsequent modifications to a product 
might not conform to the product's original design philosophy. The 
original designers of products could likely be unavailable after 
several years of operation of the product. FRA believes mitigating this 
is most successful by fully explaining and documenting the original 
design decisions and their rationale. Further, FRA feels that 
assumption of long product life cycles during the design and analysis 
phase will force product designers and users to consider long-term 
effects of operation. Such a criterion would not be applicable if, for 
instance, the railroad limited the product's term of proposed use.
    Translation of these guidelines into processes helps ensure the 
safe performance of the product and minimizes failures that would have 
the potential to affect the safety of railroad operations. The 
identification of fault paths are essential to establishing failure 
modes and appropriate mitigations. Failing to identify a fault path can 
have the effect of making a system seem safer on paper than it actually 
is. When an unidentified fault path is discovered in service which 
leads to a previously unidentified safety-relevant hazard, the 
threshold in the safety analysis is automatically exceeded, and both 
the designer and the railroad must take mitigating measures. The 
frequency of such discoveries relates to the quality of the safety 
analysis efforts. Safety analyses of poor quality are more likely to 
lead to in-service discovery of unidentified fault paths. Some of those 
paths might lead to potential serious consequences, while others might 
have less serious consequences.
    Given technology, cost, and other constraints, there are 
limitations regarding the level of safety obtainable. FRA recognizes 
this. However, FRA also believes that there are well-established and 
proven design and analysis techniques that can successfully mitigate 
these design restrictions. The use of proven safety considerations and 
concepts is necessary for the development of products. Only by forcing 
conscious decisions by the designer on risk mitigation techniques 
adopted, and justifying those choices (and their decision that a 
mitigation technique is not applicable) does the designer fully 
consider the implications of those choices. FRA notes that in normal 
operation, the product design should preclude human errors that cause a 
safety hazard. In addition to documenting design decisions, describing 
system requirements within the context of the concept of operations 
further mitigates against the loss of individual designers. In summary, 
the recommended approach ensures retention of a body of corporate 
knowledge regarding the product, and influences on the safety of the 
design. It also promotes full disclosure of safety risks to minimize or 
eliminate elements of risk where practical.

C. Amendments to Part 238

Section 238.105 Train Electronic Hardware and Software Safety
    This section incorporates existing waivers and addresses certain 
operational realities. Since the implementation of the Passenger 
Equipment Safety Standards, FRA has granted two waivers from the 
requirements of Sec.  238.105(d) (FRA-2004-19396 and FRA-2008-0139). 
The first waiver is for 26 EMU bi-level passenger cars operated by 
Northeastern Illinois Regional Commuter Railroad Corporation (METRA). 
The second waiver is for 14 new EMU bi-level passenger cars to be 
operated by Northern Indiana Commuter Transportation District. There 
are over 1,000 EMU passenger cars (M-7) being operated by Long Island 
Railroad & Metro-North Commuter Railroad (MNCW) for the past five years 
that FRA has discovered will need a waiver to be in compliance with 
Sec.  238.105(d). The MNCW has placed an order for additional 300 plus 
options, EMU passenger cars (M-8) that will also need a waiver from the 
requirements of existing Sec.  238.105(d).
    The portion of the requirements that these cars' brake systems 
cannot satisfy is the requirement for a full service brake in the event 
of hardware/software failure of the brake system or access to direct 
manual control of the primary braking system, both service and 
emergency braking. The braking system on these cars does not have the 
full service function but does default to emergency brake application 
in the event of hardware/software failure of the brake system, and the 
operator has the ability to apply the brake system at an emergency rate 
from the conductor's valve located in the cab. A slight change to the 
language in Sec.  238.105, that will permit a service or emergency 
braking, rather than requiring the capability to execute both a service 
and emergency brake, will alleviate the need for these waivers and 
would not reduce the braking rate of the equipment or the

[[Page 21337]]

stop distances. Accordingly, the language in Sec.  238.105(d)(1)(ii) in 
this final rule has been modified to permit either a ``service or 
emergency braking.''
Section 238.309 Periodic Brake Equipment Maintenance
    For convenience and clarity, FRA is consolidating locomotive air 
brake maintenance for conventional locomotives into part 229. 
Currently, because conventional locomotives are used in passenger 
service, certain air brake maintenance requirements are included in the 
Passenger Equipment Safety Standards contained in this section. Placing 
all of the requirements for conventional locomotives in part 229 will 
make the standards easier to follow and avoid confusion.
    The brake maintenance requirements that are included in this final 
rule in part 229 extend the intervals at which required brake 
maintenance is performed for several types of brake systems for non-
conventional locomotives. The length of the intervals reflects the 
results of studies and performance evaluations related to a series of 
waivers starting in 1981 and continuing to present day. Overall, the 
type of brake maintenance required for passenger equipment will remain 
the same.

VII. Regulatory Impact and Notices

A. Executive Orders 12866 and 13563 and DOT Regulatory Policies and 
Procedures

    This final rule has been evaluated in accordance with existing 
policies and procedures, and determined to be non-significant under 
both Executive Orders 12866 and 13563, and DOT policies and procedures 
(44 FR 11034; February 26, 1979). FRA has prepared and placed in the 
docket a regulatory impact analysis addressing the economic impact of 
this final rule. Document inspection and copying facilities are 
available at Room W12-140 on the Ground level of the West Building, 
1200 New Jersey Avenue SE., Washington, DC 20590.
    As part of the regulatory impact analysis, FRA has assessed 
quantitative measurements of cost and benefit streams expected from the 
adoption of this final rule. This analysis includes qualitative 
discussions and quantitative measurements of costs and benefits in this 
rulemaking. The primary costs or burdens in this final rule are from 
the alerter and revised minimum (i.e., cold weather) cab temperature 
requirements. There is also a cost associated with certain daily 
inspections required when periodic inspections are conducted less 
frequently. Although the final rule includes requirements for new 
locomotives to have air conditioning units and cab securement there are 
no additional costs for these requirements since they are current 
industry practice. Safety benefits will accrue from fewer train 
accidents. Cost savings will result from fewer waivers and waiver 
renewals, a reduction in downtime for locomotives due to the changes to 
headlight and brake requirements, and an increased interval between 
periodic inspection of certain micro-processor based locomotives. This 
last benefit consists of cost savings from a reduction of employee time 
for the periodic inspections and saving from reduced locomotive down-
time. For the twenty year period the estimated quantified costs have a 
Present Value (PV) 7% of $27.7 million. For this period the estimated 
quantified benefits have a PV, 7% of $385 million.

B. Regulatory Flexibility Act and Executive Order 13272

    FRA developed this final rule in accordance with Executive Order 
13272 (``Proper Consideration of Small Entities in Agency Rulemaking'') 
and DOT's procedures and policies to promote compliance with the 
Regulatory Flexibility Act (5 U.S.C. 601 et seq.) to ensure potential 
impacts of rules on small entities are properly considered.
    The Regulatory Flexibility Act requires an agency to review 
regulations to assess their impact on small entities. An agency must 
conduct a regulatory flexibility analysis unless it determines and 
certifies that a rule is not expected to have a significant impact on a 
substantial number of small entities.
    As discussed earlier, FRA has initiated this rulemaking in its 
efforts to update and reevaluate current regulations. Therefore, FRA is 
revising the Locomotive Safety Standards to update, consolidate and 
clarify existing rules, incorporate existing industry and engineering 
best practices, and incorporate former waivers into the regulation. FRA 
believes this final rule will modernize and improve its safety 
regulatory program related to locomotives. Pursuant to the Regulatory 
Flexibility Act (5 U.S.C. 605(b)), FRA certifies that this final rule 
will not have a significant economic impact on a substantial number of 
small entities. Although a substantial number of small railroads will 
be affected by this final rule, none will be significantly impacted. 
FRA invited all interested parties to submit data and information 
regarding the potential economic impact that will result from the 
adoption of the final rule.
1. Description of Regulated Entities and Impacts
    The ``universe'' of the entities to be considered generally 
includes only those small entities that are reasonably expected to be 
directly regulated by this action. For this rulemaking, the types of 
small entities that are potentially affected by this rulemaking are: 
(a) small railroads and (b) governmental jurisdictions of small 
communities.
    ``Small entity'' is defined in 5 U.S.C. 601 as having the same 
meaning as ``small business concern'' under Section 3 of the Small 
Business Act. This includes any small business concern that is 
independently owned and operated, and is not dominant in its field of 
operation. Section 601(4) includes nonprofit enterprises that are 
independently owned and operated, and are not dominant in their field 
of operations within the definition of ``small entities.'' 
Additionally, 5 U.S.C. 601(5) defines ``small entities'' as governments 
of cities, counties, towns, townships, villages, school districts, or 
special districts with populations less than 50,000.
    The U.S. Small Business Administration (SBA) stipulates ``size 
standards'' for small entities. It provides that the largest for-profit 
railroad business firm may be (and still classify as a ``small 
entity'') 1,500 employees for ``line-haul operating'' railroads, and 
500 employees for ``shortline operating'' railroads.
    Federal agencies may adopt their own size standards for small 
entities in consultation with SBA and in conjunction with public 
comment. Pursuant to the authority provided to it by SBA, FRA has 
published a final policy, which formally establishes small entities as 
railroads that meet the line haulage revenue requirements of a Class 
III railroad. Currently, the revenue requirements are $20 million or 
less in annual operating revenue, adjusted annually for inflation. The 
$20 million limit (adjusted annually for inflation) is based on the 
Surface Transportation Board's threshold of a Class III railroad 
carrier, which is adjusted by applying the railroad revenue deflator 
adjustment. The same dollar limit on revenues is established to 
determine whether a railroad shipper or contractor is a small entity. 
Governments of cities, counties, towns, townships, villages, school 
districts, or special districts with populations less than 50,000 are 
also considered small entities under FRA's policy. FRA is using this 
definition for this rulemaking.

[[Page 21338]]

2. Small Entities
a. Railroads
    There are approximately 702 \1\ small railroads meeting the 
definition of ``small entity'' as described above. FRA estimates that 
all of these small entities could potentially be impacted by one or 
more of the requirements in this final rule. Note, however, that 
approximately fifty of these railroads are subsidiaries of large short 
line holding companies with the technical multidisciplinary expertise 
and resources comparable to larger railroads. It is important to note 
that many of the changes or additions in this rulemaking will not 
impact all or many small railroads. The nature of some of the changes 
will dictate that the impacts primarily fall on large railroads that 
purchase new and/or electronically advanced locomotives. Small 
railroads generally do not purchase new locomotives, they tend to buy 
used locomotives from larger railroads. Also, some of the final rule's 
requirements, i.e., requirements for alerters, cab door securement and 
air conditioning units, will be a burden to very few, if any, small 
railroads. The most burdensome requirement for small railroads will be 
the revisions to cab cold weather temperature requirements since older 
locomotives are less likely to meet the revised standards and small 
railroads tend to own older locomotives. However, even this burden not 
significant. FRA has estimated the total burden for the cold weather 
requirements is less than $900,000 (PV, 7%) over the 20 year analysis.
---------------------------------------------------------------------------

    \1\ For 2010 there were 754 total railroads reporting to the 
FRA. Total small railroads potentially impacted by this rulemaking 
would equal 754-26 (commuter railroads)--2 (intercity railroads)--7 
(Class I railroads)--12 (Class II railroads)--5 (Steam railroads) = 
702.
---------------------------------------------------------------------------

    It is also important to note that this final rule only applies to 
non-steam locomotives. There are some small railroads that own one or 
more steam locomotives which these changes will not impact. There are a 
few small railroads that own all or almost all steam locomotives. Most 
of these entities are either museum railroads or tourist railroads. For 
these entities, this final rule's regulations will have no impact. FRA 
estimates that there are about five small railroads that only own steam 
locomotives.
b. Governmental Jurisdictions of Small Communities
    Small entities that are classified as governmental jurisdictions 
will also be affected by the requirements in this rulemaking. As stated 
above, and defined by SBA, this term refers to governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts with populations of less than 50,000. FRA does not expect 
this group of entities to be impacted. The final rule will apply to 
governmental jurisdictions or transit authorities that provide commuter 
rail service--none of which is small as defined above (i.e., no entity 
serves a locality with a population less than 50,000). These entities 
also receive Federal transportation funds. Intercity rail service 
providers Amtrak and the Alaska Railroad Corporation will also be 
subject to this rule, but they are not small entities and likewise 
receive Federal transportation funds. While other railroads are subject 
to this final rule by the application of Sec.  238.3, FRA is not aware 
of any railroad subject to this rule that is a small entity that will 
be impacted by this rule.
3. Economic Impacts on Small Entities (railroads)
    This certification is not intended to be a stand-alone document. In 
order to get a better understanding of the total costs for the railroad 
industry, which forms the base for these estimates or more cost detail 
on any specific requirement, a review of FRA's RIA is recommended. FRA 
has placed a copy of the RIA in the docket for this rulemaking.
    Based on information currently available, FRA estimates that the 
average small railroad will spend approximately $1,000 over 20 years to 
comply with this final rule. This is because most of the regulatory 
changes in the Locomotive Safety Standards final rule are oriented 
towards new and remanufactured locomotives. Most small railroads do not 
purchase new or remanufactured locomotives. Therefore, the impact for 
most, if not all small railroads will be minimal.
4. Significant Economic Impact Criteria
    Previously, FRA sampled small railroads and found that revenue 
averaged approximately $4.7 million (not discounted) in 2006. One 
percent of average annual revenue per small railroad is $47,000. FRA 
estimates that the average small railroad will spend approximately 
$1,000 over twenty years to comply with the requirements in this final 
rule. Based on this, FRA concludes that the expected burden of this 
final rule will not have a significant impact on the competitive 
position of small entities, or on the small entity segment of the 
railroad industry as a whole.
5. Substantial Number Criteria
    This final rule will likely burden all small railroads that are not 
exempt from its scope or application. Therefore, as noted above this 
rule will impact a substantial number of small railroads.
6. Certification
    Pursuant to the Regulatory Flexibility Act (5 U.S.C. 605(b)), FRA 
certifies that this final rule is not expected to have a significant 
economic impact on a substantial number of small entities. Although a 
substantial number of small railroads will be affected by this final 
rule, none of these entities will be significantly impacted.

C. Paperwork Reduction Act

    The information collection requirements in this final rule have 
been submitted for approval to the Office of Management and Budget 
(OMB) under the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. 
The sections that contain the new and current information collection 
requirements and the estimated time to fulfill each requirement are as 
follows:

----------------------------------------------------------------------------------------------------------------
                                      Respondent         Total annual      Average time per      Total annual
           CFR Section                 universe            responses           response          burden hours
----------------------------------------------------------------------------------------------------------------
229.9--Movement of Non-Complying  44 Railroads......  21,000 tags.......  1 minute..........  350 hours.
 Locomotives.
229.15--Remote Control
 Locomotives (RCL)--(New
 Requirements)
    --Tagging at Control Stand    44 Railroads......  3,000 tags........  2 minutes.........  100 hours.
     Throttle.
    --Testing and Repair of       44 Railroads......  200 testing/repair  5 minutes.........  17 hours.
     Operational Control Unit                          records.
     (OCU) on RCL--Records.

[[Page 21339]]

 
229.17--Accident Reports........  44 Railroads......  1 report..........  15 minutes........  .25 hour.
229.20--Electronic Recordkeeping
    --Electronic Record of        44 Railroads......  21,000              1 second..........  6 hours.
     Inspections and Maintenance                       notifications.
     and Automatic Notification
     to Railroad that Locomotive
     is Due for Inspection (New
     Requirement).
229.21--Daily Inspection........  754 Railroads.....  6,890,000 records.  16 or 18 min......  1,911,780 hours.
    --MU Locomotives: Written     754 Railroads.....  250 reports.......  13 minutes........  54 hours.
     Reports.
Form FRA F 6180.49A Locomotive    754 Railroads.....  4,000 forms.......  2 minutes.........  133 hours.
 Inspection/Repair Record.
229.23/229.27/229.31--Periodic    754 Railroads.....  9,500 insp./tests/  8 hours...........  76,000 hours.
 Inspection Annual. Biennial/                          forms.
 Main Reservoir Tests--FRA F
 6180.49A.
229.23/229.27/229.29/229.31--     754 Railroads.....  9,500 records.....  2 minutes.........  317 hours.
 Periodic Inspection/Annual
 Biennial Tests/Main Res. Tests--
 Secondary Records on Form FRA F
 6180.49A.
    --List of Defects and         754 Railroads.....  4,000 lists +       2 minutes.........  266 hours.
     Repairs on Each Locomotive                        4,000 copies.
     and Copy to Employees
     Performing Insp. (New
     Requirement).
    --Document to Employees       754 Railroads.....  9,500 documents...  2 minutes.........  317 hours.
     Performing Inspections of
     All Tests Since Last
     Periodic Inspection (New
     Requirement).
229.33--Out-of Use Credit.......  754 Railroads.....  500 notations.....  5 minutes.........  42 hours.
229.25(1)--Test: Every Periodic   754 Railroads.....  200 amendments....  15 minutes........  50 hours.
 Insp.--Written Copies of
 Instruction.
229.25(2)--Duty Verification      754 Railroads.....  4,025 records.....  90 minutes........  6,038 hours.
 Readout Rec.
229.25(3)--Pre-Maintenance Test-- 754 Railroads.....  700 notations.....  30 minutes........  350 hours.
 Failures.
229.135(A.)--Removal From         754 Railroads.....  1,000 tags........  1 minute..........  17 hours.
 Service.
229.135(B.)--Preserving Accident  754 Railroads.....  10,000 reports....  15 minutes........  2,500 hours.
 Data.
229.27--Annual Tests............  754 Railroads.....  700 test records..  90 minutes........  1,050 hours.
229.29--Air Brake System
 Maintenance and Testing (New
 Requirement).
    --Air Flow Meter Testing--    754 Railroads.....  88,000 tests/       15 seconds........  367 hours.
     Record.                                           records.
229.46--Brakes General
    --Tagging Isolation Switch    754 Railroads.....  2,100 tags........  2 minutes.........  70 hours.
     of Locomotive That May Only
     Be Used in Trailing
     Position (New Requirement).
229.85--Danger Markings on All    754 Railroads.....  1,000 decals......  1 minute..........  17 hours.
 Doors, Cover Plates, or
 Barriers.
229.123--Pilots, Snowplows, End   754 Railroads.....  20 stencilling....  2 minutes.........  1 hour.
 Plates--Markings--Stencilling
 (New Requirement).
    --Notation on Form FRA F      754 Railroads.....  20 notations......  2 minutes.........  1 hour.
     6180.49A for Pilot,
     Snowplows, or End Plate
     Clearance Above Six Inches
     (New Requirement).
229.135--Event Recorders
    229.135(b)(5)--Equipment      754 Railroads.....  1,000 Certified     2 hours...........  2,000 hours.
     Requirements--Remanufacture                       Memory Modules.
     d Locomotives with
     Certified Crashworthy
     Memory Module.
229.140--Alerters--Visual         600 Locomotives...  74,880,000 visual   4 seconds.........  83,200 hours.
 Indication to Locomotive                              indications.
 Operator before Alarm Sounds on
 New Locomotives (New
 Requirement).
NEW REQUIREMENTS--SUBPART E--
 LOCOMOTIVE ELECTRONICS

[[Page 21340]]

 
229.303--Requests to FRA for      754 Railroads.....  20 requests.......  8 hours...........  160 hours.
 Approval of On-Track Testing of
 Products Outside a Test
 Facility.
    --Identification to FRA of    754 Railroads/3     20 products.......  2 hours...........  40 hours.
     Products Under Development.   Manufacturers.
229.307--Safety Analysis by RR    754 Railroads.....  300 analyses......  240 hours.........  72,000 hours.
 of Each Product Developed.
229.309--Notification to FRA of   754 Railroads.....  10 notification...  16 hours..........  160 hours.
 Safety-Critical Change in
 Product.
    Report to Railroad by         3 Manufacturers...  10 reports........  8 hours...........  80 hours.
     Product Suppliers/Private
     Equipment Owners of
     Previously Unidentified
     Hazards of a Product.
229.311--Review of Safety
 Analyses (SA)
    --Notification to FRA of      754 Railroads.....  300 notifications.  2 hours...........  600 hours.
     Railroad Intent to Place
     Product In Service.
    --RR Documents That           754 Railroads.....  300 documents.....  2 hours...........  600 hours.
     Demonstrate Product Meets
     Safety Requirements of the
     SA for the Life-Cycle of
     Product.
    --RR Database of All Safety   754 Railroads.....  300 databases.....  4 hours...........  1,200 hours.
     Relevant Hazards
     Encountered with Product
     Placed in Service.
    --Written Reports to FRA If   754 Railroads.....  10 reports........  2 hours...........  20 hours.
     Frequency of Safety-
     Relevant Hazards Exceeds
     Threshold.
    --Final Reports to FRA on     754 Railroads.....  10 reports........  4 hours...........  40 hours.
     Countermeasures to Reduce
     Frequency of Safety-
     Relevant Hazard(s).
229.313--Product Testing          754 Railroads.....  120,000 records...  5 minutes.........  10,000 hours.
 Results--Records.
229.315--Operations and           754 Railroads.....  300 manuals.......  40 hours..........  12,000 hours.
 Maintenance Manual--All Product
 Documents.
    --Configuration Management    754 Railroads.....  300 plans.........  8 hours...........  2,400 hours.
     Control Plans.
    --Identification of Safety-   754 Railroads.....  60,000 components.  5 minutes.........  5,000 hours.
     Critical Components.
229.317--Product Training and     754 Railroads.....  300 programs......  40 hours..........  12,000 hours.
 Qualifications Program.
    --Product Training of         754 Railroads.....  10,000 trained      30 minutes........  5,000 hours.
     Individuals.                                      employees.
    --Refresher Training........  754 Railroads.....  1,000 trained       20 minutes........  333 hours.
                                                       employees.
    --RR Regular and Periodic     754 Railroads.....  300 evaluations...  4 hours...........  1,200 hours.
     Evaluation of Effectiveness
     of Training Program.
    --Records of Qualified        754 Railroads.....  10,000 records....  10 minutes........  1,667 hours.
     Individuals.
Appendix F--Guidance for          754 Railroads/3     1 assessment......  4,000 hours.......  4,000 hours.
 Verification and Validation of    Manufacturers.
 Product--Third Party Assessment.
    --Reviewer Final Report.....  754 Railroads/3     1 report..........  80 hours..........  80 hours.
                                   Manufacturers.
----------------------------------------------------------------------------------------------------------------

    All estimates include the time for reviewing instructions; 
searching existing data sources; gathering or maintaining the needed 
data; and reviewing the information. Pursuant to 44 U.S.C. 
3506(c)(2)(B), FRA solicits comments concerning: whether these 
information collection requirements are necessary for the proper 
performance of the functions of FRA, including whether the information 
has practical utility; the accuracy of FRA's estimates of the burden of 
the information collection requirements; the quality, utility, and 
clarity of the information to be collected; and whether the burden of 
collection of information on those who are to respond, including 
through the use of automated collection techniques or other forms of 
information technology, may be minimized. For information or a copy of 
the paperwork package submitted to OMB, contact Mr. Robert Brogan, 
Office of Safety, Information Clearance Officer, at 202-493-6292, or 
Ms. Kimberly Toone, Office of Information Technology, at 202-493-6139.
    Organizations and individuals desiring to submit comments on the 
collection of information requirements should direct them to Mr. Robert 
Brogan or Ms. Kimberly Toone, Federal

[[Page 21341]]

Railroad Administration, 1200 New Jersey Avenue SE., 3rd Floor, 
Washington, DC 20590. Comments may also be submitted via email to Mr. 
Brogan or Ms. Toone at the following address: Robert.Brogan@dot.gov; 
Kimberly.Toone@dot.gov.
    OMB is required to make a decision concerning the collection of 
information requirements contained in this proposed rule between 30 and 
60 days after publication of this document in the Federal Register. 
Therefore, a comment to OMB is best assured of having its full effect 
if OMB receives it within 30 days of publication. The final rule will 
respond to any OMB or public comments on the information collection 
requirements contained in this proposal.
    FRA cannot impose a penalty on persons for violating information 
collection requirements which do not display a current OMB control 
number, if required. FRA intends to obtain current OMB control numbers 
for any new information collection requirements resulting from this 
rulemaking action prior to the effective date of the final rule. The 
OMB control number, when assigned, will be announced by separate notice 
in the Federal Register.

D. Federalism Implications

    FRA has analyzed this rule in accordance with the principles and 
criteria contained in Executive Order 13132, issued on August 4, 1999, 
which directs Federal agencies to exercise great care in establishing 
policies that have federalism implications. See 64 FR 43255. This final 
rule will not have a substantial effect on the States, on the 
relationship between the national government and the States, or on the 
distribution of power and responsibilities among various levels of 
government. This final rule will not have federalism implications that 
impose any direct compliance costs on State and local governments.
    FRA notes that the RSAC, which endorsed and recommended the 
majority of this final rule to FRA, has as permanent members, two 
organizations representing State and local interests: AASHTO and the 
Association of State Rail Safety Managers (ASRSM). Both of these State 
organizations concurred with the RSAC recommendation endorsing this 
final rule. The RSAC regularly provides recommendations to the FRA 
Administrator for solutions to regulatory issues that reflect 
significant input from its State members. To date, FRA has received no 
indication of concerns about the Federalism implications of this 
rulemaking from these representatives or of any other representatives 
of State government. Consequently, FRA concludes that this proposed 
rule has no federalism implications, other than the preemption of state 
laws covering the subject matter of this final rule, which occurs by 
operation of law as discussed below.
    This final rule could have preemptive effect by operation of law 
under certain provisions of the Federal railroad safety statutes, 
specifically, the former Federal Railroad Safety Act of 1970 (former 
FRSA), repealed and recodified at 49 U.S.C. 20106, and the former 
Locomotive Boiler Inspection Act at 45 U.S.C. 22-34, repealed and 
recodified at 49 U.S.C. 20701-20703. The former FRSA provides that 
States may not adopt or continue in effect any law, regulation, or 
order related to railroad safety or security that covers the subject 
matter of a regulation prescribed or order issued by the Secretary of 
Transportation (with respect to railroad safety matters) or the 
Secretary of Homeland Security (with respect to railroad security 
matters), except when the State law, regulation, or order qualifies 
under the ``local safety or security hazard'' exception to section 
20106. Moreover, the former LIA has been interpreted by the Supreme 
Court as preempting the field concerning locomotive safety. See Kurns 
v. Railroad Friction Products Corp., 565 U.S. -------- (2012); Kurns v. 
Railroad Friction Products Corp., 132 S.CT. 1262; and Napier v. 
Atlantic Coast Line R.R., 272 U.S. 605 (1926).

E. Environmental Impact

    FRA has evaluated this final rule in accordance with its 
``Procedures for Considering Environmental Impacts'' (FRA's Procedures) 
(64 FR 28545, May 26, 1999) as required by the National Environmental 
Policy Act (42 U.S.C. 4321 et seq.), other environmental statutes, 
Executive Orders, and related regulatory requirements. FRA has 
determined that this final rule is not a major FRA action (requiring 
the preparation of an environmental impact statement or environmental 
assessment) because it is categorically excluded from detailed 
environmental review pursuant to section 4(c)(20) of FRA's Procedures. 
64 FR 28547, May 26, 1999. Section 4(c)(20) reads as follows: (c) 
Actions categorically excluded. Certain classes of FRA actions have 
been determined to be categorically excluded from the requirements of 
these Procedures as they do not individually or cumulatively have a 
significant effect on the human environment. Promulgation of railroad 
safety rules and policy statements that do not result in significantly 
increased emissions or air or water pollutants or noise or increased 
traffic congestion in any mode of transportation are excluded.
    In accordance with section 4(c) and (e) of FRA's Procedures, the 
agency has further concluded that no extraordinary circumstances exist 
with respect to this final rule that might trigger the need for a more 
detailed environmental review. As a result, FRA finds that this final 
rule is not a major Federal action significantly affecting the quality 
of the human environment.

F. Unfunded Mandates Reform Act of 1995

    Pursuant to Section 201 of the Unfunded Mandates Reform Act of 1995 
(Pub. L. 104-4, 2 U.S.C. 1531), each Federal agency ``shall, unless 
otherwise prohibited by law, assess the effects of Federal regulatory 
actions on State, local, and tribal governments, and the private sector 
(other than to the extent that such regulations incorporate 
requirements specifically set forth in law).'' Section 202 of the Act 
(2 U.S.C. 1532) further requires that ``before promulgating any general 
notice of proposed rulemaking that is likely to result in the 
promulgation of any rule that includes any Federal mandate that may 
result in expenditure by State, local, and tribal governments, in the 
aggregate, or by the private sector, of $100,000,000 or more (adjusted 
annually for inflation) in any 1 year, and before promulgating any 
final rule for which a general notice of proposed rulemaking was 
published, the agency shall prepare a written statement'' detailing the 
effect on State, local, and tribal governments and the private sector. 
For the year 2010, this monetary amount of $100,000,000 has been 
adjusted to $140,800,000 to account for inflation. This final rule 
would not result in the expenditure of more than $140,800,000 by the 
public sector in any one year, and thus preparation of such a statement 
is not required.

G. Privacy Act

    Anyone is able to search the electronic form of any comment or 
petition received into any of FRA's dockets by the name of the 
individual submitting the comment or petition (or signing the comment 
or petition, if submitted on behalf of an association, business, labor 
union, etc.). Please visit https://www.regulations.gov/#!privacyNotice. 
You may also review DOT's complete Privacy Act Statement in the Federal 
Register published on April 11, 2000 (65 FR 19477-19478), or you may 
visit https://www.dot.gov/privacy.html.

[[Page 21342]]

List of Subjects

49 CFR Part 229

    Locomotive headlights, Locomotives, Railroad safety, Remote control 
locomotives.

49 CFR Part 238

    Passenger equipment, Penalties, Railroad safety, Reporting and 
recordkeeping requirements.

The Final Rule

    For the reasons discussed in the preamble, FRA amends parts 229 and 
238 of chapter II, subtitle B of Title 49, Code of Federal Regulations, 
as follows:

PART 229--[AMENDED]

0
1. The authority citation for part 229 continues to read as follows:

    Authority:  49 U.S.C. 20102-03, 20107, 20133, 20137-38, 20143, 
20701-03, 21301-02, 21304; 28 U.S.C. 2401, note; and 49 CFR 1.49.

0
2. Section 229.5 is amended by adding in alphabetical order the 
following definitions to read as follows:


Sec.  229.5  Definitions.

* * * * *
    Alerter means a device or system installed in the locomotive cab to 
promote continuous, active locomotive engineer attentiveness by 
monitoring select locomotive engineer-induced control activities. If 
fluctuation of a monitored locomotive engineer-induced control activity 
is not detected within a predetermined time, a sequence of audible and 
visual alarms is activated so as to progressively prompt a response by 
the locomotive engineer. Failure by the locomotive engineer to 
institute a change of state in a monitored control, or acknowledge the 
alerter alarm activity through a manual reset provision, results in a 
penalty brake application that brings the locomotive or train to a 
stop.
* * * * *
    Assignment Address means a unique identifier of the RCL that 
insures that only the OCU's linked to a specific RCL can command that 
RCL.
* * * * *
    Controlling locomotive means a locomotive from where the operator 
controls the traction and braking functions of the locomotive or 
locomotive consist, normally the lead locomotive.
* * * * *
    Locomotive Control Unit (LCU) means a system onboard an RCL that 
communicates via a radio link which receives, processes, and confirms 
commands from the OCU, which directs the locomotive to execute them.
* * * * *
    Operator Control Unit (OCU) means a mobile unit that communicates 
via a radio link the commands for movement (direction, speed, braking) 
or for operations (bell, horn, sand) to an RCL.
* * * * *
    Qualified mechanical inspector means a person who has received 
instruction and training that includes ``hands-on'' experience (under 
appropriate supervision or apprenticeship) in one or more of the 
following functions: troubleshooting, inspection, testing, maintenance 
or repair of the specific locomotive equipment for which the person is 
assigned responsibility. This person shall also possess a current 
understanding of what is required to properly repair and maintain the 
locomotive equipment for which the person is assigned responsibility. 
Further, the qualified mechanical inspector shall be a person whose 
primary responsibility includes work generally consistent with the 
functions listed in this definition.
* * * * *
    Remote Control Locomotive (RCL) means a remote control locomotive 
that, through use of a radio link can be operated by a person not 
physically within the confines of the locomotive cab. For purposes of 
this part, the term RCL does not refer to a locomotive or group of 
locomotives remotely controlled from the lead locomotive of a train, as 
in a distributed power arrangement.
    Remote Control Operator (RCO) means a person who utilizes an OCU in 
connection with operations involving a RCL with or without cars.
    Remote Control Pullback Protection means a function of a RCL that 
enforces speeds and stops in the direction of pulling movement.
* * * * *

0
3. Section 229.7 is revised to read as follows:


Sec.  229.7  Prohibited acts and penalties.

    (a) Federal Rail Safety Laws (49 U.S.C. 20701-20703) make it 
unlawful for any carrier to use or permit to be used on its line any 
locomotive unless the entire locomotive and its appurtenances--
    (1) Are in proper condition and safe to operate in the service to 
which they are put, without unnecessary peril to life or limb; and
    (2) Have been inspected and tested as required by this part.
    (b) Any person (including but not limited to a railroad; any 
manager, supervisor, official, or other employee or agent of a 
railroad; any owner, manufacturer, lessor, or lessee of railroad 
equipment, track, or facilities; any employee of such owner, 
manufacturer, lessor, lessee, or independent contractor) who violates 
any requirement of this part or of the Federal Rail Safety Laws or 
causes the violation of any such requirement is subject to a civil 
penalty of at least $650, but not more than $25,000 per violation, 
except that: Penalties may be assessed against individuals only for 
willful violations, and, where a grossly negligent violation or a 
pattern of repeated violations has created an imminent hazard of death 
or injury to persons, or has caused death or injury, a penalty not to 
exceed $100,000 per violation may be assessed. Each day a violation 
continues shall constitute a separate offense. Appendix B of this part 
contains a statement of agency civil penalty policy.
    (c) Any person who knowingly and willfully falsifies a record or 
report required by this part is subject to criminal penalties under 49 
U.S.C. 21311.

0
4. Section 229.15 is added to read as follows:


Sec.  229.15  Remote Control Locomotives.

    (a) Design and operation. (1) Each locomotive equipped with a 
locomotive control unit (LCU) shall respond only to the operator 
control units (OCUs) assigned to that receiver.
    (2) If one or more OCUs are assigned to a LCU, the LCU shall 
respond only to the OCU that is in primary command. If a subsequent OCU 
is assigned to a LCU, the previous assignment will be automatically 
cancelled.
    (3) If more than one OCU is assigned to a LCU, the secondary OCUs' 
man down feature, bell, horn, and emergency brake application functions 
shall remain active. The remote control system shall be designed so 
that if the signal from the OCU to the RCL is interrupted for a set 
period not to exceed five seconds, the remote control system shall 
cause:
    (i) A full service application of the locomotive and train brakes; 
and
    (ii) The elimination of locomotive tractive effort.
    (4) Each OCU shall be designed to control only one RCL at a time. 
OCU's having the capability to control more than one RCL shall have a 
means to lock in one RCL ``assignment address'' to prevent simultaneous 
control over more than one locomotive.
    (5) If an OCU is equipped with an ``on'' and ``off'' switch, when 
the switch is moved from the ``on'' to the ``off''

[[Page 21343]]

position, the remote control system shall cause:
    (i) A full service application of the locomotive train brakes; and
    (ii) The elimination of locomotive tractive effort.
    (6) Each RCL shall have a distinct and unambiguous audible or 
visual warning device that indicates to nearby personnel that the 
locomotive is under active remote control operation.
    (7) When the main reservoir pressure drops below 90 psi while the 
RCL is moving, the RCL shall initiate a full service application of the 
locomotive and train brakes, and eliminate locomotive tractive effort.
    (8) When the air valves and the electrical selector switch on the 
RCL are moved from manual to remote control mode or from remote control 
to manual mode, an emergency application of the locomotive and train 
brakes shall be initiated.
    (9) Operating control handles located in the RCL cab shall be 
removed, pinned in place, protected electronically, or otherwise 
rendered inoperable as necessary to prevent movement caused by the 
RCL's cab controls while the RCL is being operated by remote control.
    (10) The RCL system (both the OCU and LCU), shall be designed to 
perform a self diagnostic test of the electronic components of the 
system. The system shall be designed to immediately effect a full 
service application of the locomotive and train brakes and the 
elimination of locomotive tractive effort in the event a failure is 
detected.
    (11) Each RCL shall be tagged at the locomotive control stand 
throttle indicating the locomotive is being used in a remote control 
mode. The tag shall be removed when the locomotive is placed back in 
manual mode.
    (12) Each OCU shall have the following controls and switches and 
shall be capable of performing the following functions:
    (i) Directional control;
    (ii) Throttle or speed control;
    (iii) Locomotive independent air brake application and release;
    (iv) Automatic train air brake application and release control;
    (v) Audible warning device control (horn);
    (vi) Audible bell control, if equipped;
    (vii) Sand control (unless automatic);
    (viii) Bi-directional headlight control;
    (ix) Emergency air brake application switch;
    (x) Generator field switch or equivalent to eliminate tractive 
effort to the locomotive;
    (xi) Audio/visual indication of wheel slip, only if an audio/visual 
indication is not provided by the RCL;
    (xii) Audio indication of movement of the RCL; and
    (xiv) Require at least two separate actions by the RCO to begin 
movement of the RCL.
    (13) Each OCU shall be equipped with the following features:
    (i) A harness with a breakaway safety feature;
    (ii) An operator alertness device that requires manual resetting or 
its equivalent. The alertness device shall incorporate a timing 
sequence not to exceed 60 seconds. Failure to reset the switch within 
the timing sequence shall cause a service application of the locomotive 
and train brakes, and the elimination of locomotive tractive effort; 
and,
    (iii) A tilt feature that, when tilted to a predetermined angle, 
shall cause:
    (A) An emergency application of the locomotive and train brakes, 
and the elimination of locomotive tractive effort; and
    (B) If the OCU is equipped with a tilt bypass system that permits 
the tilt protection feature to be temporarily disabled, this bypass 
feature shall deactivate within 60 seconds on the primary OCU and 
within 60 seconds for all secondary OCUs, unless reactivated by the 
RCO.
    (14) Each OCU shall be equipped with one of the following control 
systems:
    (i) An automatic speed control system with a maximum 15 mph speed 
limiter; or
    (ii) A graduated throttle and brake. A graduated throttle and brake 
control system built after September 6, 2012, shall be equipped with a 
speed limiter to a maximum of 15 mph.
    (15) RCL systems built after September 6, 2012, shall be equipped 
to automatically notify the railroad in the event the RCO becomes 
incapacitated or OCU tilt feature is activated.
    (16) RCL systems built prior to September 6, 2012, not equipped 
with automatic notification of operator incapacitated feature may not 
be utilized in one-person operation. (b) Inspection, testing, and 
repair.
    (1) Each time an OCU is linked to a RCL, and at the start of each 
shift, a railroad shall test:
    (i) The air brakes and the OCU's safety features, including the 
tilt switch and alerter device; and
    (ii) The man down/tilt feature automatic notification.
    (2) An OCU shall not continue in use with any defective safety 
feature identified in paragraph (b)(1) of this section.
    (3) A defective OCU shall be tracked under its own identification 
number assigned by the railroad. Records of repairs shall be maintained 
by the railroad and made available to FRA upon request.
    (4) Each time an RCL is placed in service and at the start of each 
shift locomotives that utilize a positive train stop system shall 
perform a conditioning run over tracks that the positive train stop 
system is being utilized on to ensure that the system functions as 
intended.

0
5. Section 229.19 is revised to read as follows:


Sec.  229.19  Prior waivers.

    Waivers from any requirement of this part, issued prior to June 8, 
2012, shall terminate on the date specified in the letter granting the 
waiver. If no date is specified, then the waiver shall automatically 
terminate on June 8, 2017.

0
6. Section 229.20 is added to read as follows:


Sec.  229.20  Electronic recordkeeping.

    (a) For purposes of compliance with the recordkeeping requirements 
of this part, except for the daily inspection record maintained on the 
locomotive required by Sec.  229.21, the cab copy of Form FRA F 6180-
49-A required by Sec.  229.23, the fragmented air brake maintenance 
record required by Sec.  229.27, and records required under Sec.  
229.9, a railroad may create, maintain, and transfer any of the records 
required by this part through electronic transmission, storage, and 
retrieval provided that all of the requirements contained in this 
section are met.
    (b) Design requirements. Any electronic record system used to 
create, maintain, or transfer a record required to be maintained by 
this part shall meet the following design requirements:
    (1) The electronic record system shall be designed such that the 
integrity of each record is maintained through appropriate levels of 
security such as recognition of an electronic signature, or other 
means, which uniquely identify the initiating person as the author of 
that record. No two persons shall have the same electronic identity;
    (2) The electronic system shall ensure that each record cannot be 
modified, or replaced, once the record is transmitted;
    (3) Any amendment to a record shall be electronically stored apart 
from the record which it amends. Each amendment to a record shall 
uniquely identify the person making the amendment;
    (4) The electronic system shall provide for the maintenance of 
inspection records as originally submitted without corruption or loss 
of data; and

[[Page 21344]]

    (5) Policies and procedures shall be in place to prevent persons 
from altering electronic records, or otherwise interfering with the 
electronic system.
    (c) Operational requirements. Any electronic record system used to 
create, maintain, or transfer a record required to be maintained by 
this part shall meet the following operating requirements:
    (1) The electronic storage of any record required by this part 
shall be initiated by the person performing the activity to which the 
record pertains within 24 hours following the completion of the 
activity; and
    (2) For each locomotive for which records of inspection or 
maintenance required by this part are maintained electronically, the 
electronic record system shall automatically notify the railroad each 
time the locomotive is due for an inspection, or maintenance that the 
electronic system is tracking. The automatic notification tracking 
requirement does not apply to daily inspections.
    (d) Accessibility and availability requirements. Any electronic 
record system used to create, maintain, or transfer a record required 
to be maintained by this part shall meet the following access and 
availability requirements:
    (1) Except as provided in Sec.  229.313(c)(2), the carrier shall 
provide FRA with all electronic records maintained for compliance with 
this part for any specific locomotives at any mechanical department 
terminal upon request;
    (2) Paper copies of electronic records and amendments to those 
records that may be necessary to document compliance with this part, 
shall be provided to FRA for inspection and copying upon request https://web2.westlaw.com/find/default.wl?DB=1000547&DocName=49CFRS213%2E305&FindType=L&AP=&mt=Westlaw&fn=_top&sv=Split&vr=2.0&rs=. Paper copies shall be provided to FRA no 
later than 15 days from the date the request is made; and,
    (3) Inspection records required by this part shall be available to 
persons who performed the inspection and to persons performing 
subsequent inspections on the same locomotive.

0
7. Section 229.23 is revised to read as follows:


Sec.  229.23  Periodic inspection: general.

    (a) Each locomotive shall be inspected at each periodic inspection 
to determine whether it complies with this part. Except as provided in 
Sec.  229.9, all non-complying conditions shall be repaired before the 
locomotive is used. Except as provided in Sec.  229.33 and paragraph 
(b) of this section, the interval between any two periodic inspections 
may not exceed 92 days. Periodic inspections shall only be made where 
adequate facilities are available. At each periodic inspection, a 
locomotive shall be positioned so that a person may safely inspect the 
entire underneath portion of the locomotive.
    (b) For each locomotive equipped with advanced microprocessor-based 
on-board electronic condition monitoring controls:
    (1) The interval between periodic inspections shall not exceed 184 
days; and
    (2) At least once each 31 days, the daily inspection required by 
Sec.  229.21, shall be performed by a qualified mechanical inspector as 
defined in Sec.  229.5. A record of the inspection that contains the 
name of the person performing the inspection and the date that it was 
performed shall be maintained in the locomotive cab until the next 
periodic inspection is performed.
    (c) Each new locomotive shall receive an initial periodic 
inspection before it is used.
    (d) At the initial periodic inspection, the date and place of the 
last tests performed that are the equivalent of the tests required by 
Sec. Sec.  229.27, 229.29, and 229.31 shall be entered on Form FRA F 
6180-49A. These dates shall determine when the tests first become due 
under Sec. Sec.  229.27, 229.29, and 229.31. Out of use credit may be 
carried over from Form FRA F 6180-49 and entered on Form FRA F 6180-
49A.
    (e) Each periodic inspection shall be recorded on Form FRA F 6180-
49A. The form shall be signed by the person conducting the inspection 
and certified by that person's supervisor that the work was done. The 
form shall be displayed under a transparent cover in a conspicuous 
place in the cab of each locomotive. A railroad maintaining and 
transferring records as provided for in Sec.  229.20 shall print the 
name of the person who performed the inspections, repairs, or certified 
work on the Form FRA F 6180-49A that is displayed in the cab of each 
locomotive.
    (f) At the first periodic inspection in each calendar year, the 
carrier shall remove from each locomotive Form FRA F 6180-49A covering 
the previous calendar year. If a locomotive does not receive its first 
periodic inspection in a calendar year before April 2, or July 3 if 
it's a locomotive equipped with advanced microprocessor-based on-board 
electronic condition monitoring controls, because it is out of use, the 
form shall be promptly replaced. The Form FRA F 6180-49A covering the 
preceding year for each locomotive, in or out of use, shall be signed 
by the railroad official responsible for the locomotive and filed as 
required in Sec.  229.23(f). The date and place of the last periodic 
inspection and the date and place of the last tests performed under 
Sec. Sec.  229.27, 229.29, and 229.31 shall be transferred to the 
replacement Form FRA F 6180-49A.
    (g) The railroad mechanical officer who is in charge of a 
locomotive shall maintain in his office a secondary record of the 
information reported on Form FRA F 6180-49A. The secondary record shall 
be retained until Form FRA F 6180-49A has been removed from the 
locomotive and filed in the railroad office of the mechanical officer 
in charge of the locomotive. If the Form FRA F 6180-49A removed from 
the locomotive is not clearly legible, the secondary record shall be 
retained until the Form FRA F 6180-49A for the succeeding year is 
filed. The Form F 6180-49A removed from a locomotive shall be retained 
until the Form FRA F 6180-49A for the succeeding year is filed.
    (h) The railroad shall maintain, and provide employees performing 
inspections under this section with, a list of the defects and repairs 
made on each locomotive over the last ninety-two days;
    (i) The railroad shall provide employees performing inspections 
under this section with a document containing all tests conducted since 
the last periodic inspection, and procedures needed to perform the 
inspection.

0
8. Section 229.25 is amended by revising paragraphs (d) and (e) and 
adding paragraph (f) to read as follows:


Sec.  229.25  Tests: Every periodic inspection.

* * * * *
    (d) Event recorder. A microprocessor-based self-monitoring event 
recorder, if installed, is exempt from periodic inspection under 
paragraphs (d)(1) through (5) of this section and shall be inspected 
annually as required by Sec.  229.27(c). Other types of event 
recorders, if installed, shall be inspected, maintained, and tested in 
accordance with instructions of the manufacturer, supplier, or owner 
thereof and in accordance with the following criteria:
    (1) A written or electronic copy of the instructions in use shall 
be kept at the point where the work is performed and a hard-copy 
version, written in the English language, shall be made available upon 
request to FRA.
    (2) The event recorder shall be tested before any maintenance work 
is performed on it. At a minimum, the

[[Page 21345]]

event recorder test shall include cycling, as practicable, all required 
recording elements and determining the full range of each element by 
reading out recorded data.
    (3) If the pre-maintenance test reveals that the device is not 
recording all the specified data and that all recordings are within the 
designed recording elements, this fact shall be noted, and maintenance 
and testing shall be performed as necessary until a subsequent test is 
successful.
    (4) When a successful test is accomplished, a copy of the data-
verification results shall be maintained in any medium with the 
maintenance records for the locomotive until the next one is filed.
    (5) A railroad's event recorder periodic maintenance shall be 
considered effective if 90 percent of the recorders on locomotives 
inbound for periodic inspection in any given calendar month are still 
fully functional; maintenance practices and test intervals shall be 
adjusted as necessary to yield effective periodic maintenance.
    (e) Remote control locomotive. Remote control locomotive system 
components that interface with the mechanical devices of the locomotive 
shall be tested including, but not limited to, air pressure monitoring 
devices, pressure switches, and speed sensors.
    (f) Alerters. The alerter shall be tested, and all automatic timing 
resets shall function as intended.

0
9. Section 229.27 is revised to read as follows:


Sec.  229.27  Annual tests.

    (a) All testing under this section shall be performed at intervals 
that do not exceed 368 calendar days.
    (b) Load meters that indicate current (amperage) being applied to 
traction motors shall be tested. Each device used by the engineer to 
aid in the control or braking of the train or locomotive that provides 
an indication of air pressure electronically shall be tested by 
comparison with a test gauge or self-test designed for this purpose. An 
error greater than five percent or greater than three pounds per square 
inch shall be corrected. The date and place of the test shall be 
recorded on Form FRA F 6180-49A, and the person conducting the test and 
that person's supervisor shall sign the form.
    (c) A microprocessor-based event recorder with a self-monitoring 
feature equipped to verify that all data elements required by this part 
are recorded, requires further maintenance and testing only if either 
of the following conditions exist:
    (1) The self-monitoring feature displays an indication of a 
failure. If a failure is displayed, further maintenance and testing 
must be performed until a subsequent test is successful. When a 
successful test is accomplished, a record, in any medium, shall be made 
of that fact and of any maintenance work necessary to achieve the 
successful result. This record shall be available at the location where 
the locomotive is maintained until a record of a subsequent successful 
test is filed; or,
    (2) A download of the event recorder, taken within the preceding 30 
days and reviewed for the previous 48 hours of locomotive operation, 
reveals a failure to record a regularly recurring data element or 
reveals that any required data element is not representative of the 
actual operations of the locomotive during this time period. If the 
review is not successful, further maintenance and testing shall be 
performed until a subsequent test is successful. When a successful test 
is accomplished, a record, in any medium, shall be made of that fact 
and of any maintenance work necessary to achieve the successful result. 
This record shall be kept at the location where the locomotive is 
maintained until a record of a subsequent successful test is filed. The 
download shall be taken from information stored in the certified 
crashworthy crash hardened event recorder memory module if the 
locomotive is so equipped.

0
10. Section 229.29 is revised to read as follows:


Sec.  229.29  Air brake system calibration, maintenance, and testing.

    (a) A locomotive's air brake system shall receive the calibration, 
maintenance, and testing as prescribed in this section. The level of 
maintenance and testing and the intervals for receiving such 
maintenance and testing of locomotives with various types of air brake 
systems shall be conducted in accordance with paragraphs (d) through 
(f) of this section. Records of the maintenance and testing required in 
this section shall be maintained in accordance with paragraph (g) of 
this section.
    (b) Except for DMU or MU locomotives covered under Sec.  238.309 of 
this chapter, the air flow method (AFM) indicator shall be calibrated 
in accordance with Sec.  232.205(c)(1)(iii) at intervals not to exceed 
92 days, and records shall be maintained as prescribed paragraph (g)(1) 
of this section.
    (c) Except for DMU or MU locomotives covered under Sec.  238.309 of 
this chapter, the extent of air brake system maintenance and testing 
that is required on a locomotive shall be in accordance with the 
following levels:
    (1) Level one: Locomotives shall have the filtering devices or dirt 
collectors located in the main reservoir supply line to the air brake 
system cleaned, repaired, or replaced.
    (2) Level two: Locomotives shall have the following components 
cleaned, repaired, and tested: brake cylinder relay valve portions; 
main reservoir safety valves; brake pipe vent valve portions; and, feed 
and reducing valve portions in the air brake system (including related 
dirt collectors and filters).
    (3) Level three: Locomotives shall have the components identified 
in this paragraph removed from the locomotive and disassembled, cleaned 
and lubricated (if necessary), and tested. In addition, all parts of 
such components that can deteriorate within the inspection interval as 
defined in paragraphs (d) through (f) of this section shall be replaced 
and tested. The components include: all pneumatic components of the 
locomotive equipment's brake system that contain moving parts, and are 
sealed against air leaks; all valves and valve portions; electric-
pneumatic master controllers in the air brake system; and all air brake 
related filters and dirt collectors.
    (d) Except for MU locomotives covered under Sec.  238.309 of this 
chapter, all locomotives shall receive level one air brake maintenance 
and testing as described in this section at intervals that do not 
exceed 368 days.
    (e) Locomotives equipped with an air brake system not specifically 
identified in paragraphs (f)(1) through (3) of this section shall 
receive level two air brake maintenance and testing as described in 
this section at intervals that do not exceed 368 days and level three 
air brake maintenance and testing at intervals that do not exceed 736 
days.
    (f) Level two and level three air brake maintenance and testing 
shall be performed on each locomotive identified in this paragraph at 
the following intervals:
    (1) At intervals that do not exceed 1,104 days for a locomotive 
equipped with a 26-L or equivalent brake system;
    (2) At intervals that do not exceed 1,472 days for locomotives 
equipped with an air dryer and a 26-L or equivalent brake system and 
for locomotives not equipped with an air compressor and that are semi-
permanently coupled and dedicated to locomotives with an air dryer; or
    (3) At intervals that do not exceed 1,840 days for locomotives 
equipped

[[Page 21346]]

with CCB-1, CCB-2, CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 3102D2, 
EPIC 2, KB-HS1, or Fastbrake brake systems.
    (g) Records of the air brake system maintenance and testing 
required by this section shall be generated and maintained in 
accordance with the following:
    (1) The date of AFM indicator calibration shall be recorded and 
certified in the remarks section of Form F6180-49A.
    (2) The date and place of the cleaning, repairing and testing 
required by this section shall be recorded on Form FRA F 6180-49A, and 
the work shall be certified. A record of the parts of the air brake 
system that are cleaned, repaired, and tested shall be kept in the 
railroad's files or in the cab of the locomotive.
    (3) At its option, a railroad may fragment the work required by 
this section. In that event, a separate record shall be maintained 
under a transparent cover in the cab. The air record shall include: the 
locomotive number; a list of the air brake components; and the date and 
place of the inspection and testing of each component. The signature of 
the person performing the work and the signature of that person's 
supervisor shall be included for each component. A duplicate record 
shall be maintained in the railroad's files.

0
11. Section 229.46 is revised to read as follows:


Sec.  229.46  Brakes: general.

    (a) Before each trip, the railroad shall know the following:
    (1) The locomotive brakes and devices for regulating pressures, 
including but not limited to the automatic and independent brake 
control systems, operate as intended; and
    (2) The water and oil have been drained from the air brake system 
of all locomotives in the consist.
    (b) A locomotive with an inoperative or ineffective automatic or 
independent brake control system will be considered to be operating as 
intended for purposes of paragraph (a) of this section, if all of the 
following conditions are met:
    (1) The locomotive is in a trailing position and is not the 
controlling locomotive in a distributed power train consist;
    (2) The railroad has previously determined, in conjunction with the 
locomotive and/or airbrake manufacturer, that placing such a locomotive 
in trailing position adequately isolates the non-functional valves so 
as to allow safe operation of the brake systems from the controlling 
locomotive;
    (3) If deactivation of the circuit breaker for the air brake system 
is required, it shall be specified in the railroad's operating rules;
    (4) A tag shall immediately be placed on the isolation switch of 
the locomotive giving the date and location and stating that the unit 
may only be used in a trailing position and may not be used as a lead 
or controlling locomotive;
    (5) The tag required in paragraph (b)(4) of this section remains 
attached to the isolation switch of the locomotive until repairs are 
made; and
    (6) The inoperative or ineffective brake control system is repaired 
prior to or at the next periodic inspection.

0
12. Section 229.61 is revised to read as follows:


Sec.  229.61  Draft system.

    (a) A coupler may not have any of the following conditions:
    (1) A distance between the guard arm and the knuckle nose of more 
than 5 5/16 inches on D&E couplers.
    (2) A crack or break in the side wall or pin bearing bosses outside 
of the shaded areas shown in Figure 1 or in the pulling face of the 
knuckle.
[GRAPHIC] [TIFF OMITTED] TR09AP12.000

    (3) A coupler assembly without anti-creep protection.
    (4) Free slack in the coupler or drawbar not absorbed by friction 
devices or draft gears that exceeds one-half inches.
    (5) A broken or cracked coupler carrier.
    (6) A broken or cracked yoke.
    (7) A broken draft gear.
    (b) A device shall be provided under the lower end of all drawbar 
pins and articulated connection pins to prevent the pin from falling 
out of place in case of breakage.

0
13. Section 229.85 is revised to read as follows:


Sec.  229.85   High voltage markings: doors, cover plates, or barriers.

    All doors, cover plates, or barriers providing direct access to 
high voltage equipment shall be marked ``Danger-High Voltage'' or with 
the word ``Danger'' and the normal voltage carried by the parts so 
protected.

0
14. Section 229.114 is added to read as follows:


Sec.  229.114  Steam generator inspections and tests.

    (a) Periodic steam generator inspection. Except as provided in 
Sec.  229.33, each steam generator shall be inspected and tested in 
accordance with paragraph (d) of this section at intervals not to 
exceed 92 days, unless the steam generator is isolated in accordance 
with paragraph (b) of this section. All non-complying conditions shall 
be repaired or the steam generator shall be isolated as prescribed in 
paragraph (b) of this section before the locomotive is used.
    (b) Isolation of a steam generator. A steam generator will be 
considered isolated if the water suction pipe to the water pump and the 
leads to the main switch (steam generator switch) are disconnected, and 
the train line shut-off-valve is wired closed or a blind gasket is 
applied. Before an isolated steam generator is returned to use, it 
shall be inspected and tested pursuant to paragraph (d) of this 
section.
    (c) Forms. Each periodic steam generator inspection and test shall 
be recorded on Form FRA F 6180-49A required by paragraph Sec.  229.23. 
When Form FRA F 6180-49A for the locomotive is replaced, data for the 
steam generator inspections shall be transferred to the new Form FRA 
F6180-49A.
    (d) Tests and requirements. Each periodic steam generator 
inspection and test shall include the following tests and requirements:
    (1) All electrical devices and visible insulation shall be 
inspected.
    (2) All automatic controls, alarms, and protective devices shall be 
inspected and tested.
    (3) Steam pressure gauges shall be tested by comparison with a 
dead-weight tester or a test gauge designed for this purpose. The 
siphons to the steam gauges shall be removed and their connections 
examined to determine that they are open.
    (4) Safety valves shall be set and tested under steam after the 
steam pressure gauge is tested.
    (e) Annual steam generator tests. Each steam generator that is not 
isolated in accordance with paragraph (b) of this section, shall be 
subjected to a hydrostatic pressure at least 25 percent above the 
working pressure and the visual return water-flow indicator shall be 
removed and inspected. The testing under this paragraph shall be 
performed at intervals that do not exceed 368 calendar days.

0
15. Section 229.119 is amended by revising paragraphs (d) and (e) and

[[Page 21347]]

adding paragraphs (g) through (i) to read as follows:


Sec.  229.119  Cabs, floors, and passageways.

* * * * *
    (d) Any occupied locomotive cab shall be provided with proper 
ventilation and with a heating arrangement that maintains a temperature 
of at least 60 degrees Fahrenheit 6 inches above the center of each 
seat in the cab compartment.
    (e) Similar locomotives with open-end platforms coupled in multiple 
control and used in road service shall have a means of safe passage 
between them; no passageway is required through the nose of car body 
locomotives. There shall be a continuous barrier across the full width 
of the end of a locomotive or a continuous barrier between locomotives.
* * * * *
    (g) Each locomotive or remanufactured locomotive placed in service 
for the first time on or after June 8, 2012, shall be equipped with an 
air conditioning unit in the locomotive cab compartment.
    (h) Each air conditioning unit in the locomotive cab on a 
locomotive identified in paragraph (g) of this section shall be 
inspected and maintained to ensure that it operates properly and meets 
or exceeds the manufacturer's minimum operating specifications during 
the periodic inspection required for the locomotive pursuant to Sec.  
229.23 of this part.
    (i) Each locomotive or remanufactured locomotive ordered on or 
after June 8, 2012, or placed in service for the first time on or after 
December 10, 2012, shall be equipped with a securement device on each 
exterior locomotive cab door that is capable of securing the door from 
inside of the cab.

0
16. Section 229.123 is revised to read as follows:


Sec.  229.123  Pilots, snowplows, end plates.

    (a) Each lead locomotive shall be equipped with a pilot, snowplow, 
or end plate that extends across both rails. The minimum clearance 
above the rail of the pilot, snowplow or end plate shall be 3 inches. 
Except as provided in paragraph (b) of this section, the maximum 
clearance shall be 6 inches. When the locomotive is equipped with a 
combination of the equipment listed in this paragraph, each extending 
across both rails, only the lowest piece of that equipment must satisfy 
clearance requirements of this section.
    (b) To provide clearance for passing over retarders, locomotives 
utilized in hump yard or switching service at hump yard locations may 
have pilot, snowplow, or end plate maximum height of 9 inches.
    (1) Each locomotive equipped with a pilot, snowplow, or end plate 
with clearance above 6 inches shall be prominently stenciled at each 
end of the locomotive with the words ``9-inch Maximum End Plate Height, 
Yard or Trail Service Only.''
    (2) When operated in switching service in a leading position, 
locomotives with a pilot, snowplow, or end plate clearance above 6 
inches shall be limited to 10 miles per hour over grade crossings.
    (3) Train crews shall be notified in writing of the restrictions on 
the locomotive, by label or stencil in the cab, or by written operating 
instruction given to the crew and maintained in the cab of the 
locomotive.
    (4) Pilot, snowplow, or end plate clearance above 6 inches shall be 
noted in the remarks section of Form FRA 6180-49a.
    (5) Locomotives with a pilot, snowplow, or end plate clearance 
above 6 inches shall not be placed in the lead position when being 
moved under section Sec.  229.9.
    17. Section 229.125 is amended by revising paragraphs (a) and 
(d)(2) and (3) to read as follows:


Sec.  229.125  Headlights and auxiliary lights.

    (a) Each lead locomotive used in road service shall illuminate its 
headlight while the locomotive is in use. When illuminated, the 
headlight shall produce a peak intensity of at least 200,000 candela 
and produce at least 3,000 candela at an angle of 7.5 degrees and at 
least 400 candela at an angle of 20 degrees from the centerline of the 
locomotive when the light is aimed parallel to the tracks. If a 
locomotive or locomotive consist in road service is regularly required 
to run backward for any portion of its trip other than to pick up a 
detached portion of its train or to make terminal movements, it shall 
also have on its rear a headlight that meets the intensity requirements 
above. Each headlight shall be aimed to illuminate a person at least 
800 feet ahead and in front of the headlight. For purposes of this 
section, a headlight shall be comprised of either one or two lamps.
    (1) If a locomotive is equipped with a single-lamp headlight, the 
single lamp shall produce a peak intensity of at least 200,000 candela 
and shall produce at least 3,000 candela at an angle of 7.5 degrees and 
at least 400 candela at an angle of 20 degrees from the centerline of 
the locomotive when the light is aimed parallel to the tracks. The 
following operative lamps meet the standard set forth in this 
paragraph: a single incandescent PAR-56, 200-watt, 30-volt lamp; a 
single halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 
350-watt, 75-volt lamp, or a single lamp meeting the intensity 
requirements given above.
    (2) If a locomotive is equipped with a dual-lamp headlight, a peak 
intensity of at least 200,000 candela and at least 3,000 candela at an 
angle of 7.5 degrees and at least 400 candela at an angle of 20 degrees 
from the centerline of the locomotive when the light is aimed parallel 
to the tracks shall be produced by the headlight based either on a 
single lamp capable of individually producing the required peak 
intensity or on the candela produced by the headlight with both lamps 
illuminated. If both lamps are needed to produce the required peak 
intensity, then both lamps in the headlight shall be operational. The 
following operative lamps meet the standard set forth in this paragraph 
(a)(2): A single incandescent PAR-56, 200-watt, 30-volt lamp; a single 
halogen PAR-56, 200-watt, 30-volt lamp; a single halogen PAR-56, 350-
watt, 75-volt lamp; two incandescent PAR-56, 350-watt, 75-volt lamps; 
or lamp(s) meeting the intensity requirements given above.
    (i) A locomotive equipped with the two incandescent PAR-56, 350-
watt, 75 volt lamps which has an en route failure of one lamp in the 
headlight fixture, may continue in service as a lead locomotive until 
its next daily inspection required by Sec.  229.21 only if:
    (A) Auxiliary lights burn steadily;
    (B) Auxiliary lights are aimed horizontally parallel to the 
longitudinal centerline of the locomotive or aimed to cross no less 
than 400 feet in front of the locomotive.
    (C) Second headlight lamp and both auxiliary lights continue to 
operate.
    (ii) [Reserved].
* * * * *
    (d) * * *
    (2) Each auxiliary light shall produce a peak intensity of at least 
200,000 candela or shall produce at least 3,000 candela at an angle of 
7.5 degrees and at least 400 candela at an angle of 20 degrees from the 
centerline of the locomotive when the light is aimed parallel to the 
tracks. Any of the following operative lamps meet the standard set 
forth in this paragraph: an incandescent PAR-56, 200-watt, 30-volt 
lamp; a halogen PAR-56, 200-watt, 30-volt lamp; a halogen PAR-56, 350-
watt, 75-volt lamp; an incandescent PAR-56, 350-watt, 75-volt lamp; or 
a single lamp having equivalent intensities at the specified angles.
    (3) The auxiliary lights shall be aimed horizontally within 15 
degrees of the

[[Page 21348]]

longitudinal centerline of the locomotive.
* * * * *

0
18. Section 229.133 is amended by revising paragraphs (b)(1) and (2) 
and (c)(1) and (2) to read as follows:


Sec.  229.133  Interim locomotive conspicuity measures--auxiliary 
external lights.

* * * * *
    (b) * * *
    (1) Strobe lights. (i) Strobe lights shall consist of two white 
stroboscopic lights, each with ``effective intensity,'' as defined by 
the Illuminating Engineering Society's Guide for Calculating the 
Effective Intensity of Flashing Signal Lights (November 1964), of at 
least 500 candela.
    (ii) The flash rate of strobe lights shall be at least 40 flashes 
per minute and at most 180 flashes per minute.
    (iii) Strobe lights shall be placed at the front of the locomotive, 
at least 48 inches apart, and at least 36 inches above the top of the 
rail.
    (2) Oscillating light. (i) An oscillating light shall consist of:
    (A) One steadily burning white light producing at least 200,000 
candela in a moving beam that depicts a circle or a horizontal figure 
``8'' to the front, about the longitudinal centerline of the 
locomotive; or
    (B) Two or more white lights producing at least 200,000 candela 
each, at one location on the front of the locomotive, that flash 
alternately with beams within five degrees horizontally to either side 
of the longitudinal centerline of the locomotive.
    (ii) An oscillating light may incorporate a device that 
automatically extinguishes the white light if display of a light of 
another color is required to protect the safety of railroad operations.
* * * * *
    (c)(1) Any lead locomotive equipped with oscillating lights as 
described in paragraph (b)(2) of this section that were ordered for 
installation on that locomotive prior to January 1, 1996, is considered 
in compliance with Sec.  229.125(d)(1) through (3).
    (2) Any lead locomotive equipped with strobe lights as described in 
paragraph (b)(1) and operated at speeds no greater than 40 miles per 
hour, is considered in compliance with Sec.  229.125(d)(1) through (3) 
until the locomotive is retired or rebuilt, whichever comes first.
* * * * *

0
19. Section 229.140 is added to read as follows:


Sec.  229.140  Alerters.

    (a) Except for locomotives covered by part 238 of this chapter, 
each of the following locomotives shall be equipped with a functioning 
alerter as described in paragraphs (b) through (d) of this section:
    (1) A locomotive that is placed in service for the first time on or 
after June 10, 2013, when used as a controlling locomotive and operated 
at speeds in excess of 25 mph.
    (2) All controlling locomotives operated at speeds in excess of 25 
mph on or after January 1, 2017.
    (b) The alerter on locomotives subject to paragraph (a) of this 
section shall be equipped with a manual reset and the alerter warning 
timing cycle shall automatically reset as the result of any of the 
following operations, and at least three of the following automatic 
resets shall be functional at any given time:
    (1) Movement of the throttle handle;
    (2) Movement of the dynamic brake control handle;
    (3) Movement of the operator's horn activation handle;
    (4) Movement of the operator's bell activation switch;
    (5) Movement of the automatic brake valve handle; or
    (6) Bailing the independent brake by depressing the independent 
brake valve handle.
    (c) All alerters shall provide an audio alarm upon expiration of 
the timing cycle interval. An alerter on a locomotive that is placed in 
service for the first time on or after June 10, 2013, shall display a 
visual indication to the operator at least five seconds prior to an 
audio alarm. The visual indication on an alerter so equipped shall be 
visible to the operator from their normal position in the cab.
    (d) Alerter warning timing cycle interval shall be within 10 
seconds of the calculated setting utilizing the formula (timing cycle 
specified in seconds = 2400 / track speed specified in miles per hour).
    (e) Any locomotive that is equipped with an alerter shall have the 
alerter functioning and operating as intended when the locomotive is 
used as a controlling locomotive.
    (f) A controlling locomotive equipped with an alerter shall be 
tested prior to departure from each initial terminal, or prior to being 
coupled as the lead locomotive in a locomotive consist by allowing the 
warning timing cycle to expire that results in an application of the 
locomotive brakes at a penalty rate.
0
20. Part 229 is amended by adding subpart E to read as follows:
Subpart E--Locomotive Electronics
Sec.
229.301 Purpose and scope.
229.303 Applicability.
229.305 Definitions.
229.307 Safety analysis.
229.309 Safety-critical changes and failures.
229.311 Review of SAs.
229.313 Product testing results and records.
229.315 Operations and maintenance manual.
229.317 Training and qualification program.
229.319 Operating Personnel Training.

Subpart E--Locomotive Electronics


Sec.  229.301  Purpose and scope.

    (a) The purpose of this subpart is to promote the safe design, 
operation, and maintenance of safety-critical, as defined in Sec.  
229.305, electronic locomotive control systems, subsystems, and 
components.
    (b) Locomotive control systems or their functions that comingle 
with safety critical processor based signal and train control systems 
are regulated under part 236 subparts H and I of this chapter.


Sec.  229.303  Applicability.

    (a) The requirements of this subpart apply to all safety-critical 
electronic locomotive control systems, subsystems, and components 
(i.e., ``products'' as defined in Sec.  229.305), except for the 
following:
    (1) Products that are in service prior to June 8, 2012.
    (2) Products that are under development as of October 9, 2012, and 
are placed in service prior to October 9, 2017.
    (3) Products that comingle locomotive control systems with safety 
critical processor based signal and train control systems;
    (4) Products that are used during on-track testing within a test 
facility; and
    (5) Products that are used during on-track testing outside a test 
facility, if approved by FRA. To obtain FRA approval of on-track 
testing outside of a test facility, a railroad shall submit a request 
to FRA that provides:
    (i) Adequate information regarding the function and history of the 
product that it intends to use;
    (ii) The proposed tests;
    (iii) The date, time and location of the tests; and
    (iv) The potential safety consequences that will result from 
operating the product for purposes of testing.
    (b) Railroads and vendors shall identify all products that are 
under development to FRA by October 9, 2012.
    (c) The exceptions provided in paragraph (a) of this section do not 
apply to products or product changes that result in degradation of 
safety, or a material increase in safety-critical functionality.

[[Page 21349]]

Sec.  229.305  Definitions.

    As used in this subpart--
    Cohesion is a measure of how strongly-related or focused the 
responsibilities of a system, subsystem, or component are.
    Comingle refers to the act of creating systems, subsystems, or 
components where the systems, subsystems, or components are tightly 
coupled and with low cohesion.
    Component means an electronic element, device, or appliance 
(including hardware or software) that is part of a system or subsystem.
    Configuration management control plan means a plan designed to 
ensure that the proper and intended product configuration, including 
the electronic hardware components and software version, is documented 
and maintained through the life-cycle of the products in use.
    Executive software means software common to all installations of a 
given electronic product. It generally is used to schedule the 
execution of the site-specific application programs, run timers, read 
inputs, drive outputs, perform self-diagnostics, access and check 
memory, and monitor the execution of the application software to detect 
unsolicited changes in outputs.
    Initialization refers to the startup process when it is determined 
that a product has all required data input and the product is prepared 
to function as intended.
    Loosely coupled means an attribute of systems, referring to an 
approach to designing interfaces across systems, subsystems, or 
components to reduce the interdependencies between them--in particular, 
reducing the risk that changes within one system, subsystem, or 
component will create unanticipated changes within other system, 
subsystem, or component.
    Materials handling refers to explicit instructions for handling 
safety-critical components established to comply with procedures 
specified by the railroad.
    New or next-generation locomotive control system means a locomotive 
control system using technologies or combinations of technologies that 
are not in use in revenue service, products that are under development 
as of October 9, 2012, are placed into service prior to October 9, 
2015, or products without established histories of safe practice.
    Product means any safety critical electronic locomotive control 
system, subsystem, or component, not including safety critical 
processor based signal and train control systems, whose functions are 
directly related to safe movement and stopping of the train as well as 
the associated man-machine interfaces irrespective of the location of 
the control system, subsystem, or component.
    Revision control means a chain of custody regimen designed to 
positively identify safety-critical components and spare equipment 
availability, including repair/replacement tracking.
    Safety Analysis refers to a formal set of documentation which 
describes in detail all of the safety aspects of the product, including 
but not limited to procedures for its development, installation, 
implementation, operation, maintenance, repair, inspection, testing, 
and modification, as well as analyses supporting its safety claims.
    Safety-critical, as applied to a function, a system, or any portion 
thereof, means the correct performance of which is essential to safety 
of personnel or equipment, or both; or the incorrect performance of 
which could cause a hazardous condition, or allow a hazardous condition 
which was intended to be prevented by the function or system to exist.
    Subsystem means a defined portion of a system.
    System refers to any electronic locomotive control system and 
includes all subsystems and components thereof, as the context 
requires.
    Test facility means a track that is not part of the general 
railroad system of transportation and is being used exclusively for the 
purpose of testing equipment and has all of its public grade crossings 
protected.
    Tightly Coupled means an attribute of systems, referring to an 
approach to designing interfaces across systems, subsystems, or 
components to maximize the interdependencies between them. In 
particular, increasing the risk that changes within one system, 
subsystem, or component will create unanticipated changes within other 
system, subsystem, or component.


Sec.  229.307  Safety analysis.

    (a) A railroad shall develop a Safety Analysis (SA) for each 
product subject to this subpart prior to the initial use of such 
product on their railroad.
    (b) The SA shall:
    (1) establish and document the minimum requirements that will 
govern the development and implementation of all products subject to 
this subpart, and be based on good engineering practice and should be 
consistent with the guidance contained in Appendix F of this part in 
order to establish that a product's safety-critical functions will 
operate with a high degree of confidence in a fail-safe manner;
    (2) Include procedures for immediate repair of safety-critical 
functions; and
    (3) Be made available to FRA upon request.
    (c) Each railroad shall comply with the SA requirements and 
procedures related to the development, implementation, and repair of a 
product subject to this subpart.


Sec.  229.309  Safety-critical changes and failures.

    (a) Whenever a planned safety-critical design change is made to a 
product that is in use by a railroad and subject to this subpart, the 
railroad shall:
    (1) Notify FRA's Associate Administrator for Safety of the design 
changes made by the product supplier;
    (2) Ensure that the SA is updated as required;
    (3) Conduct all safety-critical changes in a manner that allows the 
change to be audited;
    (4) Specify all contractual arrangements with suppliers and private 
equipment owners for notification of any and all electronic safety-
critical changes as well as safety-critical failures in the suppliers 
and private equipment owners' system, subsystem, or components, and the 
reasons for that change or failure from the suppliers or equipment 
owners, whether or not the railroad has experienced a failure of that 
safety critical system, sub-system, or component;
    (5) Specify the railroad's procedures for action upon receipt of 
notification of a safety-critical change or failure of an electronic 
system, sub-system, or component, and until the upgrade or revision has 
been installed; and
    (6) Identify all configuration/revision control measures designed 
to ensure that safety-functional requirements and safety-critical 
hazard mitigation processes are not compromised as a result of any such 
change, and that any such change can be audited.
    (b) Product suppliers and private equipment owners shall report any 
safety-critical changes and previously unidentified hazards to each 
railroad using the product or equipment.
    (c) Private equipment owners shall establish configuration/revision 
control measures for control of safety-critical changes and 
identification of previously unidentified hazards.


Sec.  229.311  Review of SAs.

    (a) Prior to the initial planned use of a product subject to this 
subpart, a railroad shall inform the Associate Administrator for 
Safety/Chief Safety Officer, FRA, 1200 New Jersey Avenue SE., Mail Stop 
25, Washington, DC 20590 of the intent to place this product

[[Page 21350]]

in service. The notification shall provide a description of the 
product, and identify the location where the complete SA documentation 
described in Sec.  229.307, the testing records contained in Sec.  
229.313, and the training and qualification program described in Sec.  
229.319 is maintained.
    (b) FRA may review or audit the SA within 60 days of receipt of the 
notification or anytime after the product is placed in use. If FRA has 
not notified the railroad of its intent to review or audit the SA 
within the 60-day period, the railroad may assume that FRA does not 
intend to review or audit, and place the product in use. FRA reserves 
the right, however, to conduct a review or audit at a later date.
    (c) A railroad shall maintain and make available to FRA upon 
request all railroad or vendor documentation used to demonstrate that 
the product meets the safety requirements of the SA for the life-cycle 
of the product.
    (d) After a product is placed in service, the railroad shall 
maintain a database of all safety-relevant hazards encountered with the 
product. The database shall include all hazards identified in the SA 
and those that had not been previously identified in the SA. If the 
frequency of the safety-relevant hazards exceeds the threshold set 
forth in the SA, then the railroad shall:
    (1) Report the inconsistency by mail, facsimile, email, or hand 
delivery to the Director, Office of Safety Assurance and Compliance, 
FRA, 1200 New Jersey Ave. SE., Mail Stop 25, Washington, DC 20590, 
within 15 days of discovery;
    (2) Take immediate countermeasures to reduce the frequency of the 
safety-relevant hazard(s) below the threshold set forth in the SA; and
    (3) Provide a final report to FRA's Director, Office of Safety 
Assurance and Compliance, on the results of the analysis and 
countermeasures taken to reduce the frequency of the safety-relevant 
hazard(s) below the calculated probability of failure threshold set 
forth in the SA when the problem is resolved. For hazards not 
identified in the SA the threshold shall be exceeded at one occurrence.


Sec.  229.313  Product testing results and records.

    (a) Results of product testing conducted by a railroad as required 
by this subpart shall be recorded on preprinted forms provided by the 
railroad, or stored electronically. Electronic recordkeeping or 
automated tracking systems, subject to the provisions contained in 
paragraph (e) of this section, may be utilized to store and maintain 
any testing or training record required by this subpart. Results of 
product testing conducted by a vendor or private equipment owner in 
support of a SA shall be provided to the railroad as part of the SA.
    (b) The testing records shall contain all of the following:
    (1) The name of the railroad;
    (2) The location and date that the test was conducted;
    (3) The equipment tested;
    (4) The results of tests;
    (5) The repairs or replacement of equipment;
    (6) Any preventative adjustments made; and
    (7) The condition in which the equipment is left.
    (c) Each record shall be:
    (1) Signed by the employee conducting the test, or electronically 
coded, or identified by the automated test equipment number;
    (2) Filed in the office of a supervisory official having 
jurisdiction, unless otherwise noted; and
    (3) Available for inspection and copying by FRA.
    (d) The results of the testing conducted in accordance with this 
subpart shall be retained as follows:
    (1) The results of tests that pertain to installation or 
modification of a product shall be retained for the life-cycle of the 
product tested and may be kept in any office designated by the 
railroad;
    (2) The results of periodic tests required for the maintenance or 
repair of the product tested shall be retained until the next record is 
filed and in no case less than one year; and
    (3) The results of all other tests and training shall be retained 
until the next record is filed and in no case less than one year.
    (e) Electronic or automated tracking systems used to meet the 
requirements contained in paragraph (a) of this section shall be 
capable of being reviewed and monitored by FRA at any time to ensure 
the integrity of the system. FRA's Associate Administrator for Safety 
may prohibit or revoke a railroad's authority to utilize an electronic 
or automated tracking system in lieu of preprinted forms if FRA finds 
that the electronic or automated tracking system is not properly 
secured, is inaccessible to FRA, or railroad employees requiring access 
to discharge their assigned duties, or fails to adequately track and 
monitor the equipment. The Associate Administrator for Safety will 
provide the affected railroad with a written statement of the basis for 
the decision prohibiting or revoking the railroad from utilizing an 
electronic or automated tracking system.


Sec.  229.315  Operations and maintenance manual.

    (a) The railroad shall maintain all documents pertaining to the 
installation, maintenance, repair, modification, inspection, and 
testing of a product subject to this part in one Operations and 
Maintenance Manual (OMM).
    (1) The OMM shall be legible and shall be readily available to 
persons who conduct the installation, maintenance, repair, 
modification, inspection, and testing, and for inspection by FRA.
    (2) At a minimum, the OMM shall contain all product vendor 
operation and maintenance guidance.
    (b) The OMM shall contain the plans and detailed information 
necessary for the proper maintenance, repair, inspection, and testing 
of products subject to this subpart. The plans shall identify all 
software versions, revisions, and revision dates.
    (c) Hardware, software, and firmware revisions shall be documented 
in the OMM according to the railroad's configuration management control 
plan.
    (d) Safety-critical components, including spare products, shall be 
positively identified, handled, replaced, and repaired in accordance 
with the procedures specified in the railroad's configuration 
management control plan.
    (e) A railroad shall determine that the requirements of this 
section have been met prior to placing a product subject to this 
subpart in use on their property.


Sec.  229.317  Training and qualification program.

    (a) A railroad shall establish and implement training and 
qualification program for products subject to this subpart prior to the 
product being placed in use. These programs shall meet the requirements 
set forth in this section and in Sec.  229.319.
    (b) The program shall provide training for the individuals 
identified in this paragraph to ensure that they possess the necessary 
knowledge and skills to effectively complete their duties related to 
the product. These include:
    (1) Individuals whose duties include installing, maintaining, 
repairing, modifying, inspecting, and testing safety-critical elements 
of the product;
    (2) Individuals who operate trains or serve as a train or engine 
crew member subject to instruction and testing under part 217 of this 
chapter;
    (3) Roadway and maintenance-of-way workers whose duties require 
them to know and understand how the product affects their safety and 
how to avoid interfering with its proper functioning; and

[[Page 21351]]

    (4) Direct supervisors of the individuals identified in paragraphs 
(b)(1) through (3) of this section.
    (c) When developing the training and qualification program required 
in this section, a railroad shall conduct a formal task analysis. The 
task analysis shall:
    (1) Identify the specific goals of the program for each target 
population (craft, experience level, scope of work, etc.), task(s), and 
desired success rate;
    (2) Identify the installation, maintenance, repair, modification, 
inspection, testing, and operating tasks that will be performed on the 
railroad's products, including but not limited to the development of 
failure scenarios and the actions expected under such scenarios;
    (3) Develop written procedures for the performance of the tasks 
identified; and
    (4) Identify any additional knowledge, skills, and abilities above 
those required for basic job performance necessary to perform each 
task.
    (d) Based on the task analysis, a railroad shall develop a training 
curriculum that includes formally structured training designed to 
impart the knowledge, skills, and abilities identified as necessary to 
perform each task.
    (e) All individuals identified in paragraph (b) of this section 
shall successfully complete a training curriculum and pass an 
examination that covers the product and appropriate rules and tasks for 
which they are responsible (however, such persons may perform such 
tasks under the direct onsite supervision of a qualified person prior 
to completing such training and passing the examination).
    (f) A railroad shall conduct periodic refresher training at 
intervals to be formally specified in the program, except with respect 
to basic skills for which proficiency is known to remain high as a 
result of frequent repetition of the task.
    (g) A railroad shall conduct regular and periodic evaluations of 
the effectiveness of the training program, verifying the adequacy of 
the training material and its validity with respect to the railroad's 
products and operations.
    (h) A railroad shall maintain records that designate individuals 
who are qualified under this section until new designations are 
recorded or for at least one year after such persons leave applicable 
service. These records shall be maintained in a designated location and 
be available for inspection and replication by FRA.


Sec.  229.319  Operating Personnel Training.

    (a) The training required under Sec.  229.317 for any locomotive 
engineer or other person who participates in the operation of a train 
using an onboard electronic locomotive control system shall address all 
of the following elements and shall be specified in the training 
program.
    (1) Familiarization with the electronic control system equipment 
onboard the locomotive and the functioning of that equipment as part of 
the system and in relation to other onboard systems under that person's 
control;
    (2) Any actions required of the operating personnel to enable or 
enter data into the system and the role of that function in the safe 
operation of the train;
    (3) Sequencing of interventions by the system, including 
notification, enforcement, penalty initiation and post penalty 
application procedures as applicable;
    (4) Railroad operating rules applicable to control systems, 
including provisions for movement and protection of any unequipped 
trains, or trains with failed or cut-out controls;
    (5) Means to detect deviations from proper functioning of onboard 
electronic control system equipment and instructions explaining the 
proper response to be taken regarding control of the train and 
notification of designated railroad personnel; and
    (6) Information needed to prevent unintentional interference with 
the proper functioning of onboard electronic control equipment.
    (b) The training required under this subpart for a locomotive 
engineer and conductor, together with required records, shall be 
integrated into the program of training required by parts 240 and 242 
of this chapter.

0
21. Appendix B is amended by:
0
a. Adding an entry under subpart A for 229.15;
0
b. Revising the entries under subpart B for 229.23 and 229.25 and under 
subpart C for 229.105;
0
c. Adding an entry under subpart C for 229.114;
0
d. Adding in the entry under subpart C for 229.119 entries for 
paragraphs (g), (h), and (i);
0
e. Adding an entry under subpart C for 229.140;
0
f. Moving the entry for 229.141 into numerical order under subpart C; 
and
0
g. Adding an entry for subpart E.
    The additions and revisions read as follows:

Appendix B to Part 229--Schedule of Civil Penalties \(1)\

------------------------------------------------------------------------
                                                               Willful
                 Section                      Violation       violation
------------------------------------------------------------------------
                           Subpart A--General
 
                              * * * * * * *
229.15 Remote control locomotives.......              2,500        5,000
 
                              * * * * * * *
                     Subpart B--Inspection and tests
 
                              * * * * * * *
229.23 Periodic inspection General:
    (a)(1) Inspection overdue...........              2,500        5,000
    (a)(2) Inspection performed                       2,500        5,000
     improperly or at a location where
     the underneath portion cannot be
     safely inspected...................
    (b)(1) Inspection overdue...........              2,500        5,000
    (b)(2) Inspection overdue...........              2,500        5,000
    (c) Inspection overdue..............              2,500        5,000
    (e):
        (1) Form missing................              1,000        2,000
        (2) Form not properly displayed.              1,000        2,000
        (3) Form improperly executed....              1,000        2,000
    (f) Replace Form FRA F 6180.49A by    .................  ...........
     April 2 or July 3..................
    (g) Secondary record of the                       1,000        2,000
     information reported Form FRA F
     6180.49A...........................

[[Page 21352]]

 
 
                              * * * * * * *
229.25 Tests: every periodic inspection:
    (a) through (d)(4) and (e) and (f)                2,500        5,000
     Tests..............................
    (d)(5) Ineffective maintenance......              8,000       16,000
 
                              * * * * * * *
229.105 Steam generator number..........              1,000        1,500
 
                              * * * * * * *
229.114 Steam generator inspections and               2,500        5,000
 tests..................................
 
                              * * * * * * *
229.119 Cabs, floors, and passageways:
 
                              * * * * * * *
    (g) Failure to equip................              2,500        5,000
    (h) Failure to maintain.............              2,500        5,000
    (i) Failure to equip................              2,500        5,000
 
                              * * * * * * *
229.140 Alerters........................              2,500        5,000
 
                              * * * * * * *
                    Subpart E--Locomotive Electronics
229.307 Safety analysis:
    (a) Failure to establish and                      5,000       10,000
     maintain a safety analysis.........
    (b) Failure to provide safety                     2,500        5,000
     analysis upon request..............
    (c) Failure to comply with safety          5,000-10,000       15,000
     analysis...........................
229.309 Safety-critical changes and
 failure:
    (a)(1) Failure to notify FRA........              1,000        2,000
    (a)(2) Failure to update safety                   3,500        7,000
     analysis...........................
    (a)(4) Failure to notify                         10,000       15,000
     manufacturer.......................
    (b) Failure to notify railroad......             10,000       15,000
    (c) Failure to establish and                      3,500        7,000
     maintain program...................
229.311 Review of SAs:
    (a) Failure to notify FRA...........              1,000        2,000
    (b) Failure to report...............              1,000        2,000
    (c) Failure to correct safety              5,000-10,000       15,000
     hazards............................
    (d) Failure to final report.........              1,000        2,000
229.313 Product testing results and
 records:
    (a) Failure to maintain records and               5,000       10,000
     database...........................
    (b) Incomplete testing records......              3,500        7,000
    (c) Improper signature..............              3,500        7,000
229.315 Operations and maintenance
 manual:
    (a) Failure to implement and                      5,000       10,000
     maintain manual....................
    (c) Failure to document revisions...              5,000       10,000
    (d) Failure to follow plan..........       5,000-10,000       15,000
229.317 Training and qualification
 program:
    (a) Failure to establish and                      5,000       10,000
     implement program..................
    (b) Failure to conduct training.....              2,500        5,000
    (g) Failure to evaluate program.....              2,500        5,000
    (h) Failure to maintain records.....              1,500        3,000
229.319 Operating personnel training....              2,500        5,000
------------------------------------------------------------------------
\1\ A penalty may be assessed against an individual only for a willful
  violation. Generally, when two or more violations of these regulations
  are discovered with respect to a single locomotive that is used by a
  railroad, the appropriate penalties set forth above are aggregated up
  to a maximum of $16,000 per day. However, a failure to perform, with
  respect to a particular locomotive, any of the inspections and tests
  required under subpart B of this part will be treated as a violation
  separate and distinct from, and in addition to, any substantive
  violative conditions found on that locomotive. Moreover, the
  Administrator reserves the right to assess a penalty of up to $100,000
  for any violation where circumstances warrant. See 49 CFR part 209,
  appendix A.
Failure to observe any condition for movement set forth in Sec.   229.9
  will deprive the railroad of the benefit of the movement-for-repair
  provision and make the railroad and any responsible individuals liable
  for penalty under the particular regulatory section(s) concerning the
  substantive defect(s) present on the locomotive at the time of
  movement. Failure to comply with Sec.   229.19 will result in the
  lapse of any affected waiver.


0
22. Part 229 is amended by adding Appendix F to read as follows:

Appendix F to Part 229--Recommended Practices for Design and Safety 
Analysis

    The purpose of this appendix is to provide recommended criteria 
for design and safety analysis that will maximize the safety of 
electronic locomotive control systems and mitigate potential 
negative safety effects. It seeks to promote full disclosure of 
potential safety risks to facilitate minimizing or eliminating 
elements of risk where practicable. It discuses critical elements of 
good engineering practice that the designer should consider when 
developing safety critical electronic locomotive control systems

[[Page 21353]]

to accomplish this objective. The criteria and processes specified 
this appendix is intended to minimize the probability of failure to 
an acceptable level within the limitations of the available 
engineering science, cost, and other constraints. Railroads 
procuring safety critical electronic locomotive controls are 
encouraged to ensure that their vendor addresses each of the 
elements of this appendix in the design of the product being 
procured. FRA uses the criteria and processes set forth in this 
appendix (or other technically equivalent criteria and processes 
that may be recommended by industry) when evaluating analyses, 
assumptions, and conclusions provided in the SA documents.

Definitions

    In addition to the definitions contained in Sec.  229.305, the 
following definitions are applicable to this Appendix:
    Hazard means an existing or potential condition that can result 
in an accident.
    High degree of confidence, as applied to the highest level of 
aggregation, means there exists credible safety analysis supporting 
the conclusion that the risks associated with the product have been 
adequately mitigated.
    Human factors refers to a body of knowledge about human 
limitations, human abilities, and other human characteristics, such 
as behavior and motivation, that shall be considered in product 
design.
    Human-machine interface (HMI) means the interrelated set of 
controls and displays that allows humans to interact with the 
machine.
    Risk means the expected probability of occurrence for an 
individual accident event (probability) multiplied by the severity 
of the expected consequences associated with the accident 
(severity).
    Risk assessment means the process of determining, either 
quantitatively or qualitatively, the measure of risk associated with 
use of the product under all intended operating conditions.
    System Safety Precedence means the order of precedence in which 
methods used to eliminate or control identified hazards within a 
system are implemented.
    Validation means the process of determining whether a product's 
design requirements fulfill its intended design objectives during 
its development and life-cycle. The goal of the validation process 
is to determine ``whether the correct product was built.''
    Verification means the process of determining whether the 
results of a given phase of the development cycle fulfill the 
validated requirements established at the start of that phase. The 
goal of the verification process is to determine ``whether the 
product was built correctly.''

Safety Assessments--Recommended Contents

    The safety-critical assessment of each product should include 
all of its interconnected subsystems and components and, where 
applicable, the interaction between such subsystems. FRA recommends 
that such assessments contain the following:
    (a) A complete description of the product, including a list of 
all product components and their physical relationship in the 
subsystem or system;
    (b) A description of the railroad operation or categories of 
operations on which the product is designed to be used;
    (c) An operational concepts document, including a complete 
description of the product functionality and information flows; as 
well as identifying which functions are intended to enhance or 
preserve safety and the manner in which the product architecture 
implements these functions;
    (d) A safety requirements document, including a list with 
complete descriptions of all functions, which the product performs 
to enhance or preserve safety, and that describes the manner in 
which product architecture satisfies safety requirements;
    (e) A hazard log consisting of a comprehensive description of 
all safety relevant hazards addressed during the life cycle of the 
product, including maximum threshold limits for each hazard (for 
unidentified hazards, the threshold shall be exceeded at one 
occurrence);
    (f) A risk assessment and analysis.
    (1) The risk metric for the proposed product should describe 
with a high degree of confidence the accumulated risk of a 
locomotive control system that operates over the intended product 
life. Each risk metric for the proposed product should be expressed 
with an upper bound, as estimated with a sensitivity analysis, and 
the risk value selected is demonstrated to have a high degree of 
confidence.
    (2) Each risk calculation should consider the totality of the 
locomotive control system and its method of operation. The failure 
modes of each subsystem or component, or both, should be determined 
for the integrated hardware/software (where applicable) as a 
function of the Mean Time to Hazardous Events (MTTHE), failure 
restoration rates, and the integrated hardware/software coverage of 
all processor based subsystems or components, or both. Train 
operating and movement rules, along with components that are layered 
in order to enhance safety-critical behavior, should also be 
considered.
    (3) An MTTHE value should be calculated for each subsystem or 
component, or both, indicating the safety-critical behavior of the 
integrated hardware/software subsystem or component, or both. The 
human factor impact should be included in the assessment, whenever 
applicable, to provide an integrated MTTHE value. The MTTHE 
calculation should consider the rates of failures caused by 
permanent, transient, and intermittent faults accounting for the 
fault coverage of the integrated hardware/software subsystem or 
component, phased-interval maintenance, and restoration of the 
detected failures.
    (4) The analysis should clearly document:
    (i) Any assumptions regarding the reliability or availability of 
mechanical, electric, or electronic components. Such assumptions 
include MTTF projections, as well as Mean Time To Repair (MTTR) 
projections, unless the risk assessment specifically explains why 
these assumptions are not relevant. The analysis should document 
these assumptions in such a form as to permit later comparisons with 
in-service experience (e.g., a spreadsheet). The analysis should 
also document any assumptions regarding human performance. The 
documentation should be in a form that facilitates later comparisons 
with in-service experience.
    (ii) Any assumptions regarding software defects. These 
assumptions should be in a form which permits the railroad to 
project the likelihood of detecting an in-service software defect 
and later comparisons with in-service experience.
    (iii) All of the identified safety-critical fault paths leading 
to a mishap as predicted by the SA. The documentation should be in a 
form that facilitates later comparisons with in-service faults.
    (4) MTTHE compliance verification and validation should be based 
on the assessment of the design for verification and validation 
process, historical performance data, analytical methods and 
experimental safety critical performance testing performed on the 
subsystem or component. The compliance process shall be demonstrated 
to be compliant and consistent with the MTTHE metric and 
demonstrated to have a high degree of confidence.
    (5) The safety-critical behavior of all non-processor based 
components, which are part of a processor-based system or subsystem, 
should be quantified with an MTTHE metric. The MTTHE assessment 
methodology should consider failures caused by permanent, transient, 
and intermittent faults, phase interval maintenance and restoration 
of failures and the effect of fault coverage of each non-processor-
based subsystem or component. The MTTHE compliance verification and 
validation should be based on the assessment of the design for 
verification and validation process, historical performance data, 
analytical methods and experimental safety critical performance 
testing performed on the subsystem or component. The non-processor 
based quantification compliance should also be demonstrated to have 
a high degree of confidence.
    (g) A hazard mitigation analysis, including a complete and 
comprehensive description of all hazards to be addressed in the 
system design and development, mitigation techniques used, and 
system safety precedence followed;
    (h) A complete description of the safety assessment and 
verification and validation processes applied to the product and the 
results of these processes;
    (i) A complete description of the safety assurance concepts used 
in the product design, including an explanation of the design 
principles and assumptions; the designer should address each of the 
following safety considerations when designing and demonstrating the 
safety of products covered by this part. In the event that any of 
these principles are not followed, the analysis should describe both 
the reason(s) for departure and the alternative(s) utilized to 
mitigate or eliminate the hazards associated with the design 
principle not followed.
    (1) Normal operation. The system (including all hardware and 
software) should demonstrate safe operation with no hardware 
failures under normal anticipated operating conditions with proper 
inputs and within the

[[Page 21354]]

expected range of environmental conditions. All safety-critical 
functions should be performed properly under these normal 
conditions. Absence of specific operator actions or procedures will 
not prevent the system from operating safely. Hazards categorized as 
unacceptable should be eliminated by design. Best effort should also 
be made by the designer to eliminate hazards that are undesirable. 
Those undesirable hazards that cannot be eliminated must be 
mitigated to an acceptable level.
    (2) Systematic failure. It should be shown how the product is 
designed to mitigate or eliminate unsafe systematic failures--those 
conditions which can be attributed to human error that could occur 
at various stages throughout product development. This includes 
unsafe errors in the software due to human error in the software 
specification, design or coding phase, or both; human errors that 
could impact hardware design; unsafe conditions that could occur 
because of an improperly designed human-machine interface; 
installation and maintenance errors; and errors associated with 
making modifications.
    (3) Random failure. The product should be shown to operate 
safely under conditions of random hardware failure. This includes 
single as well as multiple hardware failures, particularly in 
instances where one or more failures could occur, remain undetected 
(latent) and react in combination with a subsequent failure at a 
later time to cause an unsafe operating situation. In instances 
involving a latent failure, a subsequent failure is similar to there 
being a single failure. In the event of a transient failure, and if 
so designed, the system should restart itself if it is safe to do 
so. Frequency of attempted restarts should be considered in the 
hazard analysis. There should be no single point failures in the 
product that can result in hazards categorized as unacceptable or 
undesirable. Occurrence of credible single point failures that can 
result in hazards shall be detected and the product shall be 
detected and the product should achieve a known state that 
eliminates the possibility of false activation of any physical 
appliance. If one non-self-revealing failure combined with a second 
failure can cause a hazard that is categorized as unacceptable or 
undesirable, then the second failure should be detected and the 
product must achieve a known safe state that eliminates the 
possibility of false activation.
    (4) Common Mode failure. Another concern of multiple failures 
involves common mode failure in which two or more subsystems or 
components intended to compensate one another to perform the same 
function all fail by the same mode and result in unsafe conditions. 
This is of particular concern in instances in which two or more 
elements (hardware or software, or both) are used in combination to 
ensure safety. If a common mode failure exists, then any analysis 
cannot rely on the assumption that failures are independent. 
Examples include: the use of redundancy in which two or more 
elements perform a given function in parallel and when one (hardware 
or software) element checks/monitors another element (of hardware or 
software) to help ensure its safe operation. Common mode failure 
relates to independence, which shall be ensured in these instances. 
When dealing with the effects of hardware failure, the designer 
should address the effects of the failure not only on other 
hardware, but also on the execution of the software, since hardware 
failures can greatly affect how the software operates.
    (5) External influences. The product should operate safely when 
subjected to different external influences, including:
    (i) Electrical influences such as power supply anomalies/
transients, abnormal/improper input conditions (e.g., outside of 
normal range inputs relative to amplitude and frequency, unusual 
combinations of inputs) including those related to a human operator, 
and others such as electromagnetic interference or electrostatic 
discharges, or both;
    (ii) Mechanical influences such as vibration and shock; and 
climatic conditions such as temperature and humidity.
    (6) Modifications. Safety must be ensured following 
modifications to the hardware or software, or both. All or some of 
the concerns previously identified may be applicable depending upon 
the nature and extent of the modifications.
    (7) Software. Software faults should not cause hazards 
categorized as unacceptable or undesirable.
    (8) Closed Loop Principle. The product design should require 
positive action to be taken in a prescribed manner to either begin 
product operation or continue product operation.
    (j) A human factors analysis, including a complete description 
of all human-machine interfaces, a complete description of all 
functions performed by humans in connection with the product to 
enhance or preserve safety, and an analysis of the physical 
ergonomics of the product on the operators and the safe operation of 
the system;
    (k) A complete description of the specific training of railroad 
and contractor employees and supervisors necessary to ensure the 
safe and proper installation, implementation, operation, 
maintenance, repair, inspection, testing, and modification of the 
product;
    (l) A complete description of the specific procedures and test 
equipment necessary to ensure the safe and proper installation, 
implementation, operation, maintenance, repair, inspection, test, 
and modification of the product. These procedures, including 
calibration requirements, should be consistent with or explain 
deviations from the equipment manufacturer's recommendations;
    (m) A complete description of the necessary security measures 
for the product over its life-cycle;
    (n) A complete description of each warning to be placed in the 
Operations and Maintenance Manual and of all warning labels required 
to be placed on equipment as necessary to ensure safety;
    (o) A complete description of all initial implementation testing 
procedures necessary to establish that safety-functional 
requirements are met and safety-critical hazards are appropriately 
mitigated;
    (p) A complete description of all post-implementation testing 
(validation) and monitoring procedures, including the intervals 
necessary to establish that safety-functional requirements, safety-
critical hazard mitigation processes, and safety-critical tolerances 
are not compromised over time, through use, or after maintenance 
(repair, replacement, adjustment) is performed; and
    (q) A complete description of each record necessary to ensure 
the safety of the system that is associated with periodic 
maintenance, inspections, tests, repairs, replacements, adjustments, 
and the system's resulting conditions, including records of 
component failures resulting in safety relevant hazards;
    (r) A complete description of any safety-critical assumptions 
regarding availability of the product, and a complete description of 
all backup methods of operation; and
    (s) The configuration/revision control measures designed to 
ensure that safety-functional requirements and safety-critical 
hazard mitigation processes are not compromised as a result of any 
change. Changes classified as maintenance require validation.

Guidance Regarding the Application of Human Factors in the Design of 
Products

    The product design should sufficiently incorporate human factors 
engineering that is appropriate to the complexity of the product; 
the gender, educational, mental, and physical capabilities of the 
intended operators and maintainers; the degree of required human 
interaction with the component; and the environment in which the 
product will be used. HMI design criteria minimize negative safety 
effects by causing designers to consider human factors in the 
development of HMIs. As used in this discussion, ``designer'' means 
anyone who specifies requirements for--or designs a system or 
subsystem, or both, for--a product subject to this part, and 
``operator'' means any human who is intended to receive information 
from, provide information to, or perform repairs or maintenance on a 
safety critical locomotive control product subject to this part.
    I. FRA recommends that system designers should:
    (a) Design systems that anticipate possible user errors and 
include capabilities to catch errors before they propagate through 
the system;
    (b) Conduct cognitive task analyses prior to designing the 
system to better understand the information processing requirements 
of operators when making critical decisions;
    (c) Present information that accurately represents or predicts 
system states; and
    (d) Ensure that electronics equipment radio frequency emissions 
are compliant with appropriate Federal Communications Commission 
(FCC) regulations. The FCC rules and regulations are codified in 
Title 47 of the Code of Federal Regulations (CFR). The following 
documentation is applicable to obtaining FCC Equipment 
Authorization:
    (1) OET Bulletin Number 61 (October, 1992 Supersedes May, 1987 
issue) FCC Equipment Authorization Program for Radio Frequency 
Devices. This document provides an overview of the equipment 
authorization

[[Page 21355]]

program to control radio interference from radio transmitters and 
certain other electronic products and how to obtain an equipment 
authorization.
    (2) OET Bulletin 63: (October 1993) Understanding The FCC Part 
15 Regulations for Low Power, Non-Licensed Transmitters. This 
document provides a basic understanding of the FCC regulations for 
low power, unlicensed transmitters, and includes answers to some 
commonly-asked questions. This edition of the bulletin does not 
contain information concerning personal communication services (PCS) 
transmitters operating under Part 15, Subpart D of the rules.
    (3) Title 47 Code of Federal Regulations Parts 0 to 19. The FCC 
rules and regulations governing PCS transmitters may be found in 47 
CFR, Parts 0 to 19.
    (4) OET Bulletin 62 (December 1993) Understanding The FCC 
Regulations for Computers and other Digital Devices. This document 
has been prepared to provide a basic understanding of the FCC 
regulations for digital (computing) devices, and includes answers to 
some commonly-asked questions.
    II. Human factors issues designers should consider with regard 
to the general functioning of a system include:
    (a) Reduced situational awareness and over-reliance. HMI design 
shall give an operator active functions to perform, feedback on the 
results of the operator's actions, and information on the automatic 
functions of the system as well as its performance. The operator 
shall be ``in-the loop.'' Designers should consider at minimum the 
following methods of maintaining an active role for human operators:
    (1) The system should require an operator to initiate action to 
operate the train and require an operator to remain ``in-the-loop'' 
for at least 30 minutes at a time;
    (2) The system should provide timely feedback to an operator 
regarding the system's automated actions, the reasons for such 
actions, and the effects of the operator's manual actions on the 
system;
    (3) The system should warn operators in advance when they 
require an operator to take action;
    (4) HMI design should equalize an operator's workload; and
    (5) HMI design should not distract from the operator's safety 
related duties.
    (b) Expectation of predictability and consistency in product 
behavior and communications. HMI design should accommodate an 
operator's expectation of logical and consistent relationships 
between actions and results. Similar objects should behave 
consistently when an operator performs the same action upon them. 
End users have a limited memory and ability to process information. 
Therefore, HMI design should also minimize an operator's information 
processing load.
    (1) To minimize information processing load, the designer 
should:
    (i) Present integrated information that directly supports the 
variety and types of decisions that an operator makes;
    (ii) Provide information in a format or representation that 
minimizes the time required to understand and act; and
    (iii) Conduct utility tests of decision aids to establish clear 
benefits such as processing time saved or improved quality of 
decisions.
    (2) To minimize short-term memory load, the designer should 
integrate data or information from multiple sources into a single 
format or representation (``chunking'') and design so that three or 
fewer ``chunks'' of information need to be remembered at any one 
time. To minimize long-term memory load, the designer should design 
to support recognition memory, design memory aids to minimize the 
amount of information that should be recalled from unaided memory 
when making critical decisions, and promote active processing of the 
information.
    (3) When creating displays and controls, the designer shall 
consider user ergonomics and should:
    (i) Locate displays as close as possible to the controls that 
affect them;
    (ii) Locate displays and controls based on an operator's 
position;
    (iii) Arrange controls to minimize the need for the operator to 
change position;
    (iv) Arrange controls according to their expected order of use;
    (v) Group similar controls together;
    (vi) Design for high stimulus-response compatibility (geometric 
and conceptual);
    (vii) Design safety-critical controls to require more than one 
positive action to activate (e.g., auto stick shift requires two 
movements to go into reverse);
    (viii) Design controls to allow easy recovery from error; and
    (ix) Design display and controls to reflect specific gender and 
physical limitations of the intended operators.
    (4) Detailed locomotive ergonomics human machine interface 
guidance may be found in ``Human Factors Guidelines for Locomotive 
Cabs'' (FRA/ORD-98/03 or DOT-VNTSC-FRA-98-8).
    (5) The designer should also address information management. To 
that end, HMI design should:
    (i) Display information in a manner which emphasizes its 
relative importance;
    (ii) Comply with the ANSI/HFS 100-2007, or more recent standard;
    (iii) Utilize a display luminance that has a difference of at 
least 35cd/m2 between the foreground and background (the displays 
should be capable of a minimum contrast 3:1 with 7:1 preferred, and 
controls should be provided to adjust the brightness level and 
contrast level);
    (iv) Display only the information necessary to the user;
    (v) Where text is needed, use short, simple sentences or phrases 
with wording that an operator will understand and appropriate to the 
educational and cognitive capabilities of the intended operator;
    (vi) Use complete words where possible; where abbreviations are 
necessary, choose a commonly accepted abbreviation or consistent 
method and select commonly used terms and words that the operator 
will understand;
    (vii) Adopt a consistent format for all display screens by 
placing each design element in a consistent and specified location;
    (viii) Display critical information in the center of the 
operator's field of view by placing items that need to be found 
quickly in the upper left hand corner and items which are not time-
critical in the lower right hand corner of the field of view;
    (ix) Group items that belong together;
    (x) Design all visual displays to meet human performance 
criteria under monochrome conditions and add color only if it will 
help the user in performing a task, and use color coding as a 
redundant coding technique;
    (xi) Limit the number of colors over a group of displays to no 
more than seven;
    (xii) Design warnings to match the level of risk or danger with 
the alerting nature of the signal; and
    (xiii) With respect to information entry, avoid full QWERTY 
keyboards for data entry.
    (6) With respect to problem management, the HMI designer should 
ensure that the HMI design:
    (i) enhances an operator's situation awareness;
    (ii) supports response selection and scheduling; and
    (iii) supports contingency planning.
    (7) Designers should comply with FCC requirements for Maximum 
Permissible Exposure limits for field strength and power density for 
the transmitters operating at frequencies of 300 kHz to 100 GHz and 
specific absorption rate (SAR) limits for devices operating within 
close proximity to the body. The Commission's requirements are 
detailed in Parts 1 and 2 of the FCC's Rules and Regulations (47 CFR 
1.1307(b), 1.1310, 2.1091, 2.1093). The FCC has a number of 
bulletins and supplements that offer guidelines and suggestions for 
evaluating compliance. These documents are not intended to establish 
mandatory procedures; other methods and procedures may be acceptable 
if based on sound engineering practice.
    (i) OET Bulletin No. 65 (Edition 97-01, August 1997), 
``Evaluating Compliance With FCC Guidelines For Human Exposure To 
Radio frequency Electromagnetic Fields'';
    (ii) OET Bulletin No 65 Supplement A, (Edition 97-01, August 
1997), OET Bulletin No 65 Supplement B (Edition 97-01, August 1997); 
and
    (iii) OET Bulletin No 65 Supplement C (Edition 01-01, June 
2001). This bulletin provides assistance in determining whether 
proposed or existing transmitting facilities, operations, or devices 
comply with limits for human exposure to radio frequency RF fields 
adopted by the FCC.

Guidance for Verification and Validation of Products

    The goal of this assessment is to provide an evaluation of the 
product manufacturer's utilization of safety design practices during 
the product's development and testing phases, as required by the 
applicable railroad's requirements, the requirements of this part, 
and any other previously agreed-upon controlling documents or 
standards. The standards employed for verification or validation, or 
both, of products shall be sufficient to support achievement of the 
applicable requirements of this part.
    (a) The latest version of the following standards have been 
recognized by FRA as

[[Page 21356]]

providing appropriate risk analysis processes for incorporation into 
verification and validation standards.
    (1) U.S. Department of Defense Military Standard (MIL-STD) 882C, 
``System Safety Program Requirements'' (January 19, 1993);
    (2) The most recent CENLE/IEC Standards as follows:
    (i) EN50126:/IEC 62278, Railway Applications: Communications, 
Signaling, and Processing Systems Specification and Demonstration of 
Reliability, Availability, Maintainability and Safety (RAMS);
    (ii) EN50128/IEC 62279, Railway Applications: Communications, 
Signaling, and Processing Systems Software for Railway Control and 
Protection Systems;
    (iii) EN50129, Railway Applications: Communications, Signaling, 
and Processing Systems-Safety Related Electronic Systems for 
Signaling; and
    (iv) EN50155, Railway Applications: Electronic Equipment Used in 
Rolling Stock.
    (3) ATCS Specification 140, Recommended Practices for Safety and 
Systems Assurance.
    (4) ATCS Specification 130, Software Quality Assurance.
    (5) Safety of High Speed Ground Transportation Systems. 
Analytical Methodology for Safety Validation of Computer Controlled 
Subsystems. Volume II: Development of a Safety Validation 
Methodology. Final Report September 1995. Author: Jonathan F. 
Luedeke, Battelle. DOT/FRA/ORD-95/10.2.
    (6) IEC 61508 (International Electro-technical Commission), 
Functional Safety of Electrical/Electronic/Programmable/Electronic 
Safety (E/E/P/ES) Related Systems, Parts 1-7 as follows:
    (i) IEC 61508-1 (1998-12) Part 1: General requirements and IEC 
61508-1 Corr. (1999-05) Corrigendum 1-Part 1: General Requirements;
    (ii) IEC 61508-2 (2000-05) Part 2: Requirements for electrical/
electronic/programmable electronic safety-related systems;
    (iii) IEC 61508-3 (1998-12) Part 3: Software requirements and 
IEC 61508-3 Corr.1(1999-04) Corrigendum 1-Part3: Software 
requirements;
    (iv) IEC 61508-4 (1998-12) Part 4: Definitions and abbreviations 
and IEC 61508-4 Corr.1(1999-04) Corrigendum 1-Part 4: Definitions 
and abbreviations;
    (v) IEC 61508-5 (1998-12) Part 5: Examples of methods for the 
determination of safety integrity levels and IEC 61508-5 Corr.1 
(1999-04) Corrigendum 1 Part 5: Examples of methods for 
determination of safety integrity levels;
    (vi) 1IEC 61508-6 (2000-04) Part 6: Guidelines on the 
applications of IEC 61508-2 and -3; and,
    (vii) IEC 61508-7 (2000-03) Part 7: Overview of techniques and 
measures.
    (7) ANSI/GEIA-STD-0010: Standard Best Practices for System 
Safety Program Development and Execution
    (b) When using unpublished standards, including proprietary 
standards, the standards should be available for inspection and 
replication by the railroad and FRA and should be available for 
public examination.
    (c) Third party assessments. The railroad, the supplier, or FRA 
may conclude it is necessary for a third party assessment of the 
system. A third party assessor should be ``independent''. An 
``independent third party'' means a technically competent entity 
responsible to and compensated by the railroad (or an association on 
behalf of one or more railroads) that is independent of the supplier 
of the product. An entity that is owned or controlled by the 
supplier, that is under common ownership or control with the 
supplier, or that is otherwise involved in the development of the 
product would not be considered ``independent''.
    (1) The reviewer should not engage in design efforts, in order 
to preserve the reviewer's independence and maintain the supplier's 
proprietary right to the product. The supplier should provide the 
reviewer access to any, and all, documentation that the reviewer 
requests and attendance at any design review or walk through that 
the reviewer determines as necessary to complete and accomplish the 
third party assessment. Representatives from FRA or the railroad 
might accompany the reviewer.
    (2) Third party reviews can occur at a preliminary level, a 
functional level, or implementation level. At the preliminary level, 
the reviewer should evaluate with respect to safety and comment on 
the adequacy of the processes, which the supplier applies to the 
design, and development of the product. At a minimum, the reviewer 
should compare the supplier processes with industry best practices 
to determine if the vendor methodology is acceptable and employ any 
other such tests or comparisons if they have been agreed to 
previously with the railroad or FRA. Based on these analyses, the 
reviewer shall identify and document any significant safety 
vulnerabilities that are not adequately mitigated by the supplier's 
(or user's) processes. At the functional level, the reviewer 
evaluates the adequacy, and comprehensiveness, of the safety 
analysis, and any other documents pertinent to the product being 
assessed for completeness, correctness, and compliance with 
applicable standards. This includes, but is not limited to the 
Preliminary Hazard Analysis (PHA), the Hazard Log (HL), all Fault 
Tree Analyses (FTA), all Failure Mode and Effects Criticality 
Analysis (FMECA), and other hazard analyses. At the implementation 
level, the reviewer randomly selects various safety-critical 
software modules for audit to verify whether the system process and 
design requirements were followed. The number of modules audited 
shall be determined as a representative number sufficient to provide 
confidence that all un-audited modules were developed in similar 
manner as the audited module. During this phase the reviewer would 
also evaluate and comment on the adequacy of the plan for 
installation and test of the product for revenue service.
    (d) Reviewer Report. Upon completion of an assessment, the 
reviewer prepares a final report of the assessment. The report 
should contain the following information:
    (1) The reviewer's evaluation of the adequacy of the risk 
analysis, including the supplier's MTTHE and risk estimates for the 
product, and the supplier's confidence interval in these estimates;
    (2) Product vulnerabilities which the reviewer felt were not 
adequately mitigated, including the method by which the railroad 
would assure product safety in the event of a hardware or software 
failure (i.e., how does the railroad or vendor assure that all 
potentially hazardous failure modes are identified?) and the method 
by which the railroad or vendor addresses comprehensiveness of the 
product design for the requirements of the operations it will govern 
(i.e., how does the railroad and/or vendor assure that all 
potentially hazardous operating circumstances are identified? Who 
records any deficiencies identified in the design process? Who 
tracks the correction of these deficiencies and confirms that they 
are corrected?);
    (3) A clear statement of position for all parties involved for 
each product vulnerability cited by the reviewer;
    (4) Identification of any documentation or information sought by 
the reviewer that was denied, incomplete, or inadequate;
    (5) A listing of each design procedure or process which was not 
properly followed;
    (6) Identification of the software verification and validation 
procedures for the product's safety-critical applications, and the 
reviewer's evaluation of the adequacy of these procedures;
    (7) Methods employed by the product manufacturer to develop 
safety-critical software, such as use of structured language, code 
checks, modularity, or other similar generally acceptable 
techniques; and
    (8) Methods by which the supplier or railroad addresses 
comprehensiveness of the product design which considers the safety 
elements.

PART 238 [AMENDED]

0
23. The authority citation for part 238 continues to read as follows:

    Authority:  49 U.S.C. 20103, 20107, 20133, 20141, 20302-20303, 
20306, 20701-20702, 21301-21302, 21304; 28 U.S.C. 2461, note; and 49 
CFR 1.49.

0
24. Section 238.105 is amended by revising paragraph (d)(1) to read as 
follows:


Sec.  238.105  Train electronic hardware and software safety.

* * * * *
    (d) * * *
    (1) Hardware and software that controls or monitors a train's 
primary braking system shall either:
    (i) Fail safely by initiating a full service or emergency brake 
application in the event of a hardware or software failure that could 
impair the ability of the engineer to apply or release the brakes; or
    (ii) Provide the engineer access to direct manual control of the 
primary braking system (service or emergency braking).
* * * * *

[[Page 21357]]


0
25. Section 238.309 is amended by revising paragraphs (b), (c), and (e) 
to read as follows:


Sec.  238.309  Periodic brake equipment maintenance.

* * * * *
    (b) DMU and MU locomotives. The brake equipment and brake cylinders 
of each DMU or MU locomotive shall be cleaned, repaired, and tested, 
and the filtering devices or dirt collectors located in the main 
reservoir supply line to the air brake system cleaned, repaired, or 
replaced at intervals in accordance with the following schedule:
    (1) Every 736 days if the DMU or MU locomotive is part of a fleet 
that is not 100 percent equipped with air dryers;
    (2) Every 1,104 days if the DMU or MU locomotive is part of a fleet 
that is 100 percent equipped with air dryers and is equipped with PS-
68, 26-C, 26-L, PS-90, CS-1, RT-2, RT-5A, GRB-1, CS-2, or 26-R brake 
systems. (This listing of brake system types is intended to subsume all 
brake systems using 26 type, ABD, or ABDW control valves and PS68, PS-
90, 26B-1, 26C, 26CE, 26-B1, 30CDW, or 30ECDW engineer's brake 
valves.);
    (3) Every 1,840 days if the DMU or MU locomotive is part of a fleet 
that is 100 percent equipped with air dryers and is equipped with KB-
HL1, KB-HS1, or KBCT1; and,
    (4) Every 736 days for all other DMU or MU locomotives.
    (c) Conventional locomotives. The brake equipment of each 
conventional locomotive shall be cleaned, repaired, and tested in 
accordance with the schedule provided in Sec.  229.29 of this chapter.
* * * * *
    (e) Cab cars. The brake equipment of each cab car shall be cleaned, 
repaired, and tested at intervals in accordance with the following 
schedule:
    (1) Every 1,840 days for locomotives equipped with CCB-1, CCB-2, 
CCB-26, EPIC 1 (formerly EPIC 3102), EPIC 3102D2, EPIC 2, KB-HS1, or 
Fastbrake brake systems.
    (2) Every 1,476 days for that portion of the cab car brake system 
using brake valves that are identical to the passenger coach 26-C brake 
system;
    (3) Every 1,104 days for that portion of the cab car brake system 
using brake valves that are identical to the locomotive 26-L brake 
system; and
    (4) Every 736 days for all other types of cab car brake valves.
* * * * *

    Issued in Washington, DC, on March 28, 2012.
Joseph C. Szabo,
Administrator.
[FR Doc. 2012-7995 Filed 4-6-12; 8:45 am]
BILLING CODE 4910-06-P