The regulatory requirements that establish the standards for the development and use of processor-based signal and train control systems are described in 49 CFR Part 236 Subpart H. This subpart, adopted on March 7, 2005 along with amendments to 49 CFR Parts 209 and 234, prescribes minimum, performance-based safety standards for safety-critical products, including requirements to ensure that the development, installation, implementation, inspection, testing, operation, maintenance, repair and modification of those products will achieve and maintain an acceptable level of safety. A major part of these requirements is the set of analyses performed for validation and verification.
Validation means the process of determining whether a product’s design requirements fulfill its intended design objectives during its development and life cycle. The goal of the validation process is to determine “whether the correct product was built.” Analyses weigh heavily in this process. Besides the risk and hazard analyses that FRA requires for validation, analyses of communication throughput, capacity limits, tracking accuracy requirements, and computer and electronics performance are also part of the validation process.
Verification means the process of determining whether the results of a given phase of the development cycle fulfill the validated requirements established at the start of that phase. The goal of the verification process is to determine “whether the product was built correctly.” This process relies heavily on physical testing in the laboratory, in the field, and in revenue service.
Validation involves a variety of analyses to verify that the requirements would indeed provide the end results the developer is seeking, i.e. preventing train-to-train, train-to-vehicle, and train-to-worker collisions and over-speed derailments. A Railroad Safety Program Plan (RSPP) and a Product Safety Plan (PSP) are required to be submitted to FRA for approval before a PTC system may be operated in revenue service. The RSPP serves as the principal safety document for a railroad for all safety-critical products to be deployed on that railroad. The RSPP must establish the minimum PSP requirements that will ensure that the PTC system to be deployed complies with the regulatory requirements and undergoes the analyses necessary for such a safety-critical system. Along with a number of documents that describe the product and its operation, the types of analyses expected to be contained in the PSP are:
- A hazard log consisting of a comprehensive description of all safety-relevant hazards to be addressed during the life cycle of the product
- A human factors analysis including an analysis of Human Machine Interface (HMI)
- A risk assessment that evaluates the potential hazards and risks to the fullest extent possible to verify that the PTC system is equal to or better than the previous condition, referred to as the base case. Under special circumstances an abbreviated risk assessment may be used, but for most PTC systems a full risk assessment is required. The severity of incidents is to be considered, and the consequences must identify the total cost, including fatalities, injuries, property damage and societal costs.
- To support the risk assessment, these analyses are expected to be included in the overall risk evaluation:
  - Failure Mode & Effects Analyses
  - Preliminary Hazard Analyses
  - Functional Fault Tree
  - Fault Tree Analyses
  - Subsystem Hazard Analyses
  - Operation & Support Hazard Analyses
  - Hazard Mitigation Analysis
PTC developers should review 49 CFR Part 236, Subpart H for details of the documentation and analyses required for approval of a PTC system.