49 C.F.R. Appendix B to Part 236—Risk Assessment Criteria


Title 49 - Transportation


PART 236—RULES, STANDARDS, AND INSTRUCTIONS GOVERNING THE INSTALLATION, INSPECTION, MAINTENANCE, AND REPAIR OF SIGNAL AND TRAIN CONTROL SYSTEMS, DEVICES, AND APPLIANCES
Subpart H—Standards for Processor-Based Signal and Train Control Systems


Appendix B to Part 236—Risk Assessment Criteria

The safety-critical performance of each product for which risk assessment is required under this part must be assessed in accordance with the following criteria or other criteria if demonstrated to the Associate Administrator for Safety to be equally suitable:

(a) How are risk metrics to be expressed? The risk metric for the proposed product must describe with a high degree of confidence the accumulated risk of a train system that operates over a life-cycle of 25 years or greater. Each risk metric for the proposed product must be expressed with an upper bound, as estimated with a sensitivity analysis, and the risk value selected must be demonstrated to have a high degree of confidence.

(b) How does the risk assessment handle interaction risks for interconnected subsystems/components? The safety-critical assessment of each product must include all of its interconnected subsystems and components and, where applicable, the interaction between such subsystems.

(c) How is the previous condition computed? Each subsystem or component of the previous condition must be analyzed with a Mean Time to Hazardous Event (MTTHE) as specified subject to a high degree of confidence.

(d) What major risk characteristics must be included when relevant to assessment? Each risk calculation must consider the total signaling and train control system and method of operation, as subjected to a list of hazards to be mitigated by the signaling and train control system. The methodology requirements must include the following major characteristics, when they are relevant to the product being considered:

(1) Track plan infrastructure;

(2) Total number of trains and movement density;

(3) Train movement operational rules, as enforced by the dispatcher and train crew behaviors;

(4) Wayside subsystems and components; and

(5) Onboard subsystems and components.

(e) What other relevant parameters must be determined for the subsystems and components? The failure modes of each subsystem or component, or both, must be determined for the integrated hardware/software (where applicable) as a function of the Mean Time to Failure (MTTF) failure restoration rates, and the integrated hardware/software coverage of all processor-based subsystems or components, or both. Train operating and movement rules, along with components that are layered in order to enhance safety-critical behavior, must also be considered.

(f) How are processor-based subsystems/components assessed? (1) An MTTHE value must be calculated for each processor-based subsystem or component, or both, indicating the safety-critical behavior of the integrated hardware/software subsystem or component, or both. The human factor impact must be included in the assessment, whenever applicable, to provide an integrated MTTHE value. The MTTHE calculation must consider the rates of failures caused by permanent, transient, and intermittent faults accounting for the fault coverage of the integrated hardware/software subsystem or component, phased-interval maintenance, and restoration of the detected failures.

(2) MTTHE compliance verification and validation must be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The compliance process must be demonstrated to be compliant and consistent with the MTTHE metric and demonstrated to have a high degree of confidence.

(g) How are non-processor-based subsystems/components assessed? (1) The safety-critical behavior of all non-processor-based components, which are part of a processor-based system or subsystem, must be quantified with an MTTHE metric. The MTTHE assessment methodology must consider failures caused by permanent, transient, and intermittent faults, phase-interval maintenance and restoration of failures and the effect of fault coverage of each non-processor-based subsystem or component.

(2) MTTHE compliance verification and validation must be based on the assessment of the design for verification and validation process, historical performance data, analytical methods and experimental safety-critical performance testing performed on the subsystem or component. The non-processor-based quantification compliance must be demonstrated to have a high degree of confidence.

(h) What assumptions must be documented? (1) The railroad shall document any assumptions regarding the reliability or availability of mechanical, electric, or electronic components. Such assumptions must include MTTF projections, as well as Mean Time to Repair (MTTR) projections, unless the risk assessment specifically explains why these assumptions are not relevant to the risk assessment. The railroad shall document these assumptions in such a form as to permit later automated comparisons with in-service experience (e.g., a spreadsheet).

(2) The railroad shall document any assumptions regarding human performance. The documentation shall be in such a form as to facilitate later comparisons with in-service experience.

(3) The railroad shall document any assumptions regarding software defects. These assumptions shall be in a form which permits the railroad to project the likelihood of detecting an in-service software defect. These assumptions shall be documented in such a form as to permit later automated comparisons with in-service experience.

(4) The railroad shall document all of the identified safety-critical fault paths. The documentation shall be in such a form as to facilitate later comparisons with in-service faults.
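Added example, not part of the regulation or of any railroad's own methodology: a simplified Python model of what paragraphs (a), (f)(1) and (h) ask for, namely an MTTHE derived from permanent, transient and intermittent fault rates and their fault coverage, a sensitivity analysis that yields the risk upper bound, the accumulated risk over a 25-year life cycle, and an automated comparison of the documented assumptions with in-service experience. The uncovered-fault hazard model, the multiplier ranges and the sample rates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

HOURS_PER_YEAR = 8766.0  # 365.25 days * 24 h

@dataclass(frozen=True)
class FaultClass:
    """One documented assumption for a fault class (permanent, transient, intermittent)."""
    name: str
    rate_per_hour: float  # assumed fault arrival rate, 1/h
    coverage: float       # fraction of faults detected and safely restored, 0..1

# Constructed sample assumptions for one processor-based subsystem (not real data).
SAMPLE = (
    FaultClass("permanent", 1e-5, 0.99),
    FaultClass("transient", 1e-3, 0.9999),
    FaultClass("intermittent", 1e-4, 0.999),
)

def hazard_rate(faults, factors=None):
    """Assumed model: hazardous-event rate = sum of uncovered fault rates.
    factors maps name -> (rate multiplier, uncovered-fraction multiplier) for
    sensitivity runs. Maintenance phasing and restoration time are not modelled."""
    total = 0.0
    for f in faults:
        rf, uf = (factors or {}).get(f.name, (1.0, 1.0))
        total += f.rate_per_hour * rf * (1.0 - f.coverage) * uf
    return total

def mtthe_hours(faults, factors=None):
    rate = hazard_rate(faults, factors)
    return float("inf") if rate == 0.0 else 1.0 / rate

def mtthe_lower_bound(faults, rate_mults=(1.0, 2.0), uncovered_mults=(1.0, 2.0)):
    """Sensitivity analysis: every combination of multipliers across fault classes;
    the lowest MTTHE found is the risk upper bound paragraph (a) calls for."""
    choices = list(product(rate_mults, uncovered_mults))
    worst = float("inf")
    for combo in product(choices, repeat=len(faults)):
        factors = {f.name: c for f, c in zip(faults, combo)}
        worst = min(worst, mtthe_hours(faults, factors))
    return worst

def expected_hazardous_events(mtthe, life_cycle_years=25):
    """Accumulated risk over the life cycle (25 years or greater, paragraph (a))."""
    return life_cycle_years * HOURS_PER_YEAR / mtthe

def worse_than_assumed(faults, observed_rates):
    """Paragraph (h) comparison: fault classes whose in-service rate exceeds the assumption."""
    return [f.name for f in faults if observed_rates.get(f.name, 0.0) > f.rate_per_hour]
```

With the sample assumptions the nominal MTTHE is about 3.3 million hours, and the sensitivity bound (every rate and uncovered fraction doubled at once) drops it to about 833,000 hours; the gap between the two is what the "high degree of confidence" language is asking the assessor to justify.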

[70 FR 11105, Mar. 7, 2005]
