Positive Train Control (PTC) Analyses
The regulatory requirements to establish the standards for development and use of processor-based signal and train control systems are described in 49 CFR Part 236, Subpart H. This subpart, adopted on March 7, 2005, along with amendments to 49 CFR Parts 209 and 234, prescribes minimum, performance-based safety standards for safety-critical products. These regulations require railroads to ensure that the development, installation, implementation, inspection, testing, operation, maintenance, repair and modification of those products will achieve and maintain an acceptable level of safety. A major part of these requirements is the analyses for validation and verification.
Validation means the process of determining whether a product’s design requirements fulfill its intended design objectives during its development and life cycle. The goal of the validation process is to determine “whether the correct product was built.” Analyses weigh heavily in this process. Besides the risk and hazard analyses that FRA requires for validation purposes, other analyses of communication throughput, capacity limits, tracking accuracy requirements, and computer and electronics performance are parts of the validation process.
Verification means the process of determining whether the results of a given phase of the development cycle fulfill the validated requirements established at the start of that phase. The goal of the verification process is to determine “whether the product was built correctly.” This process involves extensive physical testing in the laboratory, in the field, and in revenue service.
Validation involves a variety of analyses to verify that the requirements would indeed provide the end results the developer is seeking, i.e., prevention of train-to-train, train-to-vehicle, and train-to-worker collisions and of over-speed derailments. A Railroad Safety Program Plan (RSPP) and a Product Safety Plan (PSP) must be submitted to FRA for approval before a PTC system may be operated in revenue service. The RSPP serves as the principal safety document for a railroad for all safety-critical products to be deployed on that railroad. The RSPP must establish the minimum PSP requirements that will ensure that the PTC system to be deployed complies with the regulatory requirements and undergoes the analyses necessary for such a safety-critical system. Along with extensive documentation that describes the product and its operation, the types of analyses expected to be contained in the PSP are:
- A hazard log consisting of a comprehensive description of all safety-relevant hazards to be addressed during the life cycle of the product
- A human factors analysis including an analysis of the Human Machine Interface (HMI)
- A risk assessment that evaluates the potential hazards and risks to the fullest extent possible to verify that the PTC system is equal to or better than the previous condition, referred to as the base case. Under special circumstances, and considering the severity of potential incidents, an abbreviated risk assessment may be used, but for most PTC systems a full risk assessment is required. Risk assessments must identify the total cost, including fatalities, injuries, property damage and societal costs.
- To support the risk assessment, the following analyses are expected to be included in the overall risk evaluation:
  - Failure Mode & Effects Analyses
  - Preliminary Hazard Analyses
  - Functional Fault Tree
  - Fault Tree Analyses
  - Subsystem Hazard Analyses
  - Operation & Support Hazard Analyses
  - Hazard Mitigation Analysis
PTC developers should review 49 CFR Part 236, Subpart H for details of the documentation and analyses required for the approval of a PTC system.