(a) The railroad's PTCSP shall contain the following elements:
(1) A hazard log consisting of a comprehensive description of all safety-relevant hazards of the PTC system, specific to implementation on the railroad, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence);
(2) A description of the safety assurance concepts that are to be used for system development, including an explanation of the design principles and assumptions;
(3) A risk assessment of the as-built PTC system;
(4) A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used;
(5) A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in appendix C to part 236 of this chapter directly, using other safety criteria, or not at all;
(6) A complete description of the railroad's training plan for railroad and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system;
(7) A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and to establish that safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with, or explain deviations from, the equipment manufacturer's recommendations;
(8) A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety-functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change;
(9) A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated;
(10) A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed;
(11) A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see § 299.213);
(12) A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCSP shall describe how that risk will be mitigated;
(13) A complete description of how the PTC system will enforce authorities and signal indications;
(14) A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with § 236.1005 of this chapter;
(15) The documents and information required under § 299.211;
(16) A summary of the process for the product supplier or vendor to promptly and thoroughly report any safety-relevant failures or previously unidentified hazards to the railroad, including when another user of the product experiences a safety-relevant failure or discovers a previously unidentified hazard;
(17) Documentation establishing—by design, data, or other analysis—that the PTC system meets the fail-safe operation criteria under paragraph (b)(4)(v) of appendix C to part 236 of this chapter; and
(18) An analysis establishing that the PTC system will be operated at a level of safety comparable to that achieved over the 5-year period prior to the submission of the railroad's PTCSP by other train control systems that perform PTC functions, and which have been utilized on high-speed rail systems with similar technical and operational characteristics in the United States or in foreign service.
(b) As the railroad's PTC system may be considered a standalone system pursuant to § 236.1015(e)(3) of this chapter, the following requirements apply:
(1) The PTC system shall reliably execute the functions required by § 236.1005 of this chapter and be demonstrated to do so to FRA's satisfaction; and
(2) The railroad's PTCSP shall establish, with a high degree of confidence, that the system will not introduce any hazards that have not been sufficiently mitigated.
(c) When determining whether the PTCSP fulfills the requirements under this section, the Associate Administrator may consider all available evidence concerning the reliability of the proposed system.
(d) When reviewing the issue of potential data errors (for example, errors arising from data supplied by other business systems needed to execute the braking algorithm, survey data needed for location determination, or mandatory directives issued through the computer-aided dispatching system), the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as one in which the residual risk after mitigation is substantial, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.
(e) The railroad must comply with the applicable requirements under § 236.1021 of this chapter prior to modifying a safety-critical element of an FRA-certified PTC system.
(f) If a PTCSP applies to a PTC system designed to replace an existing certified PTC system, the PTCSP will be approved provided that the PTCSP establishes with a high degree of confidence that the new PTC system will provide a level of safety not less than the level of safety provided by the system to be replaced.