
DCTA Positive Train Control Safety Plan (PTCSP)

Denton County Transportation Authority
Positive Train Control Safety Plan (PTCSP)
Volume I – Main Body
Revision 1.1
April 2, 2020
Per FRA Docket FRA-2010-0074
This document is the PTC Safety Plan (PTCSP) for the Denton County Transportation
Authority (DCTA) PTC system. This Plan is submitted to the Federal Railroad
Administration (FRA) for FRA approval pursuant to 49 CFR Part 236, Subpart I,
§236.1015, as mandated by the Rail Safety Improvement Act of 2008 (RSIA 08) for
PTC system certification.
Volume I – Main Body
E-ATC PTC Safety Plan (PTCSP)
Denton County Transportation Authority
Revision 1.1
Revision History
Date | Revision | Description | Author
August 15, 2017 | 0.1 | Initial Document Revision – Release for Review | RSC
December 16, 2019 | 0.2 | Pre-FRA Submittal Version for Review | RSC
April 1, 2020 | 1.0 | Review comments implemented – Initial FRA Submittal Version | RSC
April 2, 2020 | 1.1 | Revised to align with FRA SIR public submission criteria | RSC
Table of Contents
Revision History ............................................................................................................ ii
Table of Contents ......................................................................................................... iii
Table of Figures............................................................................................................ xi
List of Tables ............................................................................................................... xii
Executive Summary ...................................................................................................... 1
1 Introduction ............................................................................................................ 4
1.1 Scope ................................................................................................................. 4
1.2 DCTA System Overview .................................................................................... 4
1.3 Document Overview ........................................................................................... 8
1.4 PTCSP Drafts Previously Shared with FRA ..................................................... 28
1.5 Update of this PTCSP ...................................................................................... 28
1.6 Acronyms and Definitions ................................................................................ 28
2 Applicable Documents ........................................................................................ 34
3 Confirmation of FRA Type Designation for DCTA PTC System [49 CFR §236.1015(e)(2)] .................................................................................................... 37
3.1 Reliably Execute PTC System Functions of 49 CFR §236.1005 ...................... 37
3.2 Sufficient Documentation to Fulfill 49 CFR Part 236 Appendix C Safety Assurance Principles ....................................................................................... 37
3.3 Justification of Non-vital Classification of the Office Segment and the Communication Segment ................................................................................. 37
3.3.1 Basic Architecture of E-ATC System ......................................................... 38
3.3.2 Non-Vitality of Office Segment and Communication Segment ................... 39
4 Type Approval Reference [49 CFR §236.1015(b)] ............................................. 41
4.1 Type Approval Referenced and Utilized in This PTCSP .................................. 41
4.2 PTC Product Vendors List (PTCPVL) [49 CFR §236.1015(b)(1)] .................... 41
4.3 PTC System Vendor Quality Control System [49 CFR §236.1015(b)(2)] ......... 41
4.4 Applicable Licensing Information [49 CFR §236.1015(b)(3)] ........................... 42
5 PTCDP Reference and Identification of Any Variances [49 CFR §236.1015(c)] ............................................................................................................................... 43
5.1 PTCDP and Type Approval References [49 CFR §236.1015(c)(1)] ................. 43
5.2 Any Variances from PTCDP (Type Approved) [49 CFR §236.1015(c)(2)(i)] .... 43
5.3 PTCDP (Type Approved) [49 CFR §236.1015(c)(3)] ....................................... 44
6 DCTA PTC System Implementation [49 CFR §236.1005(a)] [49 CFR §236.1015(d)] ........................................................................................................ 45
6.1 Information Required for PTCDP Under 49 CFR §236.1013(a) ....................... 45
6.1.1 Incorporate PTCDP by Reference ............................................................. 45
6.1.2 E-ATC System Safety Integration Descriptions ......................................... 45
6.2 DCTA Application of E-ATC ............................................................................. 45
6.3 DCTA E-ATC Office Segment .......................................................................... 50
6.3.1 Office Segment Overview .......................................................................... 50
6.3.2 TSR, WZ, and MD Function ....................................................................... 50
6.4 E-ATC Communication Segment ..................................................................... 51
6.5 E-ATC Wayside Segment ................................................................................ 52
6.5.1 Wayside Segment Overview ...................................................................... 52
6.5.2 Local Control Mode .................................................................................... 53
6.5.3 Highway Grade Crossings ......................................................................... 54
6.5.3.1 Highway Grade Crossings Overview .................................................... 54
6.5.3.2 Highway Grade Crossings within a Control Point ................................. 54
6.5.3.3 Highway Grade Crossings Adjacent to Platforms ................................. 54
6.5.4 Enforcement of Permanent Speed Restrictions (PSRs) ............................ 55
6.5.5 Enforcement of TSR, WZ, and MD Based Speed Reductions ................... 55
6.5.5.1 Train Release at Level Crossing and WZ Limit .................................... 55
6.5.6 Effects of TSR Function on Local Control Mode ........................................ 56
6.6 E-ATC Onboard Segment ................................................................................ 57
6.6.1 E-ATC Onboard Segment Overview .......................................................... 57
6.6.2 Code Rates and Associated Speed Commands ........................................ 57
6.6.3 Operating Modes ....................................................................................... 57
6.7 E-ATC Interoperability ...................................................................................... 58
6.7.1 Failure Modes ............................................................................................ 58
6.7.1.1 Office Segment or Communication Segment Failure ........................... 58
6.7.1.2 Wayside Segment Failure .................................................................... 59
6.7.1.3 Onboard Segment Failure .................................................................... 59
7 Final Human Factors Analysis [49 CFR §236.1013(a)(5)] [49 CFR §236.1015(d)] ............................................................................................................................... 60
7.1 PTC Human Factors Analysis of EDU ............................................................. 60
7.2 PTC Dispatch Human Factors Analysis ........................................................... 60
8 Safety Assessment and Application of 49 CFR Part 236, Appendix C [49 CFR §236.1015(d)(5)] [49 CFR §236.1015(e)(2)(ii)] [49 CFR Part 236, Appendix C]. 61
8.1 Safety Program Scope for E-ATC .................................................................... 61
8.2 E-ATC System Safety Assessment Process .................................................... 62
8.3 Hazard Analyses and Mitigation ....................................................................... 62
8.4 Safety Critical Items List (SCIL) ....................................................................... 63
8.5 Safety Assurance Concepts ............................................................................. 63
8.6 Risk Assessment ............................................................................................. 63
8.7 Verification and Validation of E-ATC ................................................................ 64
8.8 Safety Requirements Compliance [49 CFR Part 236 Appendix C] .................. 64
9 Safety Critical Items List (SCIL) or Hazard Log [49 CFR §236.1015(d)(1)] ...... 65
9.1 Safety Critical Items List Description ................................................................ 65
9.2 SCIL Role in the E-ATC Safety Assessment.................................................... 65
9.3 E-ATC SCIL ..................................................................................................... 66
9.4 Conclusions Drawn from SCIL Analysis ........................................................... 66
9.5 Maintenance of the SCIL.................................................................................. 66
10 Safety Assurance Concepts [49 CFR §236.1015(d)(2)] [49 CFR Part 236 Appendix C(b)(4)] ................................................................................................. 67
11 Risk Assessment [49 CFR §236.1015(d)(3)] [49 CFR Part 236 Appendix B (as revised)] [49 CFR Part 236 Appendix C] ............................................................ 69
11.1 Risk Assessment Approach ............................................................................. 69
11.1.1 Risk Assessment Objectives...................................................................... 69
11.1.2 Risk Assessment Methodology .................................................................. 70
11.2 Appendix C Compliance Analysis .................................................................... 70
11.3 Railroad CTC Dispatch Systems Impact Assessment ..................................... 71
11.4 Communication Segment Impact Assessment................................................. 72
11.5 Residual Risk Assessment............................................................................... 72
11.6 MTTHE Calculation .......................................................................................... 72
12 Hazard Mitigation Analysis [49 CFR §236.1015(d)(4)] ....................................... 74
12.1 System Preliminary Hazard Analysis (PHA)..................................................... 75
12.1.1 Methodology of the PHA ............................................................................ 76
12.1.2 Results from PHA ...................................................................................... 76
12.2 System Hazard Analysis (SHA) ....................................................................... 76
12.2.1 System Hazard Analysis Methodology ...................................................... 77
12.2.2 Results from System Hazard Analysis ....................................................... 77
12.3 Operating & Support Hazard Analysis (O&SHA).............................................. 78
12.3.1 O&SHA Methodology ................................................................................. 78
12.3.2 Results from O&SHA ................................................................................. 78
12.4 System Functional Fault Tree (FFT) ................................................................ 79
12.5 Segment (Subsystem) Fault Tree Analysis (FTA) ............................................ 79
12.6 Failure Modes and Effects Analysis (FMEA) .................................................... 79
13 Verification and Validation Processes [49 CFR §236.1015(d)(5)] .................... 80
13.1 Verification and Validation of E-ATC ................................................................ 81
13.2 PTC System Verification and Validation Processes ......................................... 82
13.3 Testing E-ATC ................................................................................................. 84
13.3.1 Stage 1 - Segment Testing ........................................................................ 84
13.3.2 Stage 2 - Laboratory Integration Testing ................................................... 85
13.3.3 Stage 3 - Field Testing of E-ATC ............................................................... 85
13.3.4 Stage 4 - Failure Testing ........................................................................... 86
13.4 Revenue Service Demonstration ..................................................................... 86
13.5 Interoperability Testing ..................................................................................... 86
14 DCTA Training Plan [49 CFR §236.1015(d)(6)] [49 CFR §236.1041] [49 CFR §236.1043] [49 CFR §236.1045] [49 CFR §236.1047(a),(b) & (d)] [49 CFR §236.1049]............................................................................................................. 87
14.1 Train Dispatcher Training ................................................................................. 88
14.2 Train Operator Training .................................................................................... 88
14.3 Signal Personnel Training ................................................................................ 88
14.4 Mechanical Personnel Training ........................................................................ 88
14.5 First Line Supervisor Training .......................................................................... 88
14.6 MOW/Roadway Worker Personnel Training .................................................... 88
14.7 Training Records.............................................................................................. 89
14.8 Refresher Training ........................................................................................... 89
14.9 Operating Rules for PTC .................................................................................. 89
14.9.1 Books of Rules........................................................................................... 89
14.9.2 PTC Operating Instructions and Crew Record-Keeping ............................ 89
15 Procedures, Test Equipment and Operations & Maintenance Manual [49 CFR §236.1015(d)(7)] [49 CFR §236.1039 (all)] ........................................................... 92
15.1 Maintenance Procedures and Process ............................................................ 92
15.1.1 DCTA-Specific Procedures and Test Equipment ....................................... 92
15.1.2 Controlling and Tracking Component/Product Modifications ..................... 95
15.2 PTC Operations and Maintenance Manuals .................................................... 95
16 Warnings and Warning Labels [49 CFR §236.1015(d)(8)] ................................. 98
16.1 Warnings in Vendor Manuals ........................................................................... 98
16.2 Warning Labels ................................................................................................ 98
17 Configuration Management and Revision Control Measures, DCTA [49 CFR §236.1015(d)(9)] [49 CFR §236.1023(c)(2)] ......................................................... 99
17.1 Configuration Management Acronyms, Terminologies and Definitions ............ 99
17.2 Configuration Management Integration with Vendors .................................... 100
17.3 DCTA System Configuration Management .................................................... 100
17.4 DCTA Revision Control Measures ................................................................. 101
17.5 Vendor Configuration Management and Revision Control Measures ............ 101
18 Initial Implementation Testing Procedures [49 CFR §236.1015(d)(10)] ......... 102
18.1 DCTA Informational Filing and Testing Waivers ............................................ 102
18.2 Pre-Certification Field Deployment ................................................................ 103
18.3 Post-Certification Segment Definition ............................................................ 103
19 Post-Implementation Testing (Validation) and Monitoring Procedures [49 CFR §236.1015(d)(11)]................................................................................................ 104
19.1 Post Implementation Testing and Monitoring Activities .................................. 104
20 Records [49 CFR §236.1015(d)(12)] [49 CFR §236.1023(e)] [49 CFR §236.1037] ............................................................................................................................. 106
20.1 Record Management ..................................................................................... 106
20.2 Record Description ........................................................................................ 107
20.3 Data Retention Management ......................................................................... 107
20.3.1 Type Approval, PTCDP and PTCSP........................................................ 108
20.3.2 Supporting Safety Documentation for PTCDP/PTCSP ............................ 108
20.3.3 Operations & Maintenance Manual.......................................................... 109
20.3.4 Training Records ..................................................................................... 109
20.3.5 Inspection & Test Records ....................................................................... 109
20.3.6 Hazard Log (SCIL) ................................................................................... 110
20.3.7 Product Vendor List ................................................................................. 110
21 Safety Analysis of Work Zone Incursion Protection from Human Error [49 CFR §236.1015(d)(13)] ....................................................................................... 111
21.1 Functional Description ................................................................................... 111
21.2 Identification and Mitigation of Human Errors ................................................ 111
21.3 DCTA Operating Rules Related to E-ATC Protection Against Work Zone Incursion ........................................................................................................ 111
22 Alternative Arrangements for Rail At-Grade Diamond Crossings [49 CFR §236.1005(a)(1)(i)] [49 CFR §236.1015(d)(14)] .................................................. 113
23 Authority and Signal Enforcement Exceptions Not in PTCDP [49 CFR §236.1005(e)(4)] [49 CFR §236.1015(d)(15)] ..................................................... 114
24 Compliance with Stated MTEA [49 CFR §236.1015(d)(16)] [49 CFR §236.1019(f)] ....................................................................................................... 115
25 Deviation in Operational Requirements for Enroute Failures [49 CFR §236.1015(d)(17)] [49 CFR §236.1029(c)] .......................................................... 116
25.1 E-ATC Failures Enroute ................................................................................. 116
26 Enforcement of Hazard Detectors [49 CFR §236.1005(a)(4)(v)] [49 CFR §236.1005(c)(1)] [49 CFR §236.1005(c)(2)] [49 CFR §236.1015(d)(18)] ........... 117
26.1 Function Description for Additional Non-Integrated Hazard Detectors on DCTA ............................................................................................................ 117
27 Emergency and Planned Maintenance Re-Routing Management Plan [49 CFR §236.1005(g-k)] [49 CFR §236.1015(d)(19)] [49 CFR §236.1029] ..................... 118
28 High Speed Service Requirements [49 CFR §236.1005(c)(3)] [49 CFR §236.1007] [49 CFR §236.1015(d)(20)] .............................................................. 119
29 Communication and Security Requirements [49 CFR §236.1015(d)(20)] [49 CFR §236.1033] .................................................................................................. 120
29.1 Communications Restoration Plan ................................................................. 120
29.2 Wireless Messaging Security and Encryption ................................................ 120
29.3 Communication Security Provisions in E-ATC ............................................... 120
29.3.1 Wayside to Wayside Data Exchange ....................................................... 121
29.3.2 Wayside to CTC Servers Communications .............................................. 122
29.3.3 Communication Between CTC Servers ................................................... 122
29.3.4 CTC Servers to Dispatch Workstations ................................................... 122
30 Identification of Potential Data Errors and their Mitigation [49 CFR §236.1015(h)] ...................................................................................................... 123
30.1 Sources of Potential Data Errors.................................................................... 123
30.2 Mitigations for Potential Data Error Hazards .................................................. 123
31 Third Party Assessment [49 CFR §236.1017] .................................................. 124
32 PTC Data Maintained in Locomotive Event Recorder [49 CFR §236.1005(d)] ............................................................................................................................. 125
33 Process for Reporting Errors and Malfunctions [49 CFR §236.1023] ........... 127
33.1 PTCPVL [49 CFR §236.1023(a)] ................................................................... 127
33.2 Failure Notification and Recording Process ................................................... 127
34 PTC System Exclusions [49 CFR §236.1027] .................................................. 128
34.1 Office E-ATC Added Functions ...................................................................... 128
34.2 Implementation of Office E-ATC Functions .................................................... 128
34.3 Summary of E-ATC CTC Automation ............................................................ 128
35 Novel Technology Employed in Highway Crossing Protection for PTC [49 CFR §234.275(c)] ................................................................................................ 129
36 List of Appendices ............................................................................................. 130
37 Redaction Matrix ................................................................................................ 131
Table of Figures
Figure 1-1: DCTA Passenger Service Territory ............................................................... 7
Figure 3-1: DCTA E-ATC Architecture .......................................................................... 38
Figure 6-1: Overview of DCTA E-ATC System .............................................................. 49
Figure 12-1: Organization of Hazard Mitigation Analysis............................................... 75
Figure 13-1: DCTA Certification and V&V Flowchart ..................................................... 81
Figure 21-1: Work Zone Workflow ............................................................................... 112
Figure 29-1: Basic RP2000 Interaction........................................................................ 121
List of Tables
Table 1-1: 49 CFR Part 236, Subpart I Cross-Reference from Regulation to PTCSP ..... 9
Table 1-2: Abbreviations and Acronyms........................................................................ 28
Table 1-3: Definitions of Safety Terms .......................................................................... 32
Table 6-1: E-ATC Primary Functions............................................................................. 46
Table 11-1: Mean Time to Hazardous Event ................................................................. 73
Table 13-1: Test Documents ......................................................................................... 84
Table 15-1: Master Operations & Maintenance Manual List.......................................... 95
Table 17-1: CM Acronyms, Terminologies and Definitions............................................ 99
Table 20-1: Retained Documents ................................................................................ 107
Table 24-1: DCTA Corridor MTEA’s ............................................................................ 115
Table 25-1: Location(s) for Failed Onboard PTC System Replacement...................... 116
Table 36-1: List of Appendices .................................................................................... 130
Executive Summary
This document is the Denton County Transportation Authority (DCTA) Positive Train
Control Safety Plan (PTCSP) for the DCTA service territory. This information is supplied
under FRA docket FRA-2010-0074. This PTCSP provides the appropriate information
and safety analysis to gain System Certification for DCTA’s implementation of the
Enhanced Automatic Train Control (E-ATC) as a vital overlay PTC system as defined in
49 Code of Federal Regulations (CFR) §236.1015(e)(2).
This PTCSP describes the Safety Assurance Concepts employed and the results of all
Safety Assurance activities in connection with the E-ATC implementation. The outcome
is a PTC system that is certifiable as safe by the Federal Railroad Administration (FRA).
The underlying system is a vital cab signaling system operated through centralized
supervisory control using a Centralized Traffic Control (CTC) Dispatching System.
The Alstom E-ATC System (E-ATC) is used as the core technology and functionality for
the DCTA PTC implementation. The PTC system has been developed in compliance
with requirements and standards defined in response to Rail Safety Improvement Act of
2008 (RSIA08) [3].
The common operating description for E-ATC is provided in the DCTA PTCDP [13],
which has received a Type Approval from the FRA. The DCTA implementation of E-ATC
is compliant with the description of the system in the PTCDP.
The E-ATC System is based on 40 Hz cab signaling with color-light wayside signals.
Electro Code track circuits between interlockings provide train detection as well as
convey aspect information between locations. Within interlockings, DC track circuits are
used for train detection.
The onboard component of the train control system is installed on commuter rail cars
operating on the commuter corridor. The E-ATC System provides protection against
train-to-train collisions and switch protection as well as enforcement of zero speed prior
to reaching a Stop Signal. Service-proven track circuits, supplemented by a vital
wayside signal system and onboard logic, are the foundations of the E-ATC System.
The system includes functionality to enforce all permanent speed restrictions
(PSR), temporary speed restrictions (TSR), and mandatory directives (MD), as well as
CTC inputs to the vital wayside signal system for TSR and MD enforcement, including
Roadway Worker and grade crossing malfunction protection.
DCTA has been actively engaged with the rail industry, and with FRA, in reading and
interpreting the FRA regulations and in compiling the documentation those regulations
require for implementation of PTC. DCTA has participated in meetings with the FRA to
create a structure for this PTCSP similar to that used by the Class 1 Railroads in their
PTCSP FRA filings.
Throughout implementation of E-ATC, DCTA has generated specific actions and
compiled critical evidence to be used to address the requirements of 49 CFR Part 236
Subpart I for PTC.
In documenting the body of evidence to support the safety plan, DCTA has:
• Referenced applicable industry and safety standards and regulations
• Provided FRA required regulatory submittals
• Described the DCTA rail environment and application of its PTC system to its
  territories
• Identified hazards, defined hazard mitigations and performed or sponsored
  creation of various hazard and safety analyses to justify implementation of E-ATC
  as a vital overlay
• Performed a risk assessment identifying the residual risk remaining with E-ATC;
  documented that it satisfies the level required for a vital overlay PTC system
• Identified processes and procedures employed to perform functional, safety
  verification, and validation of the implemented PTC system over its useful life
  cycle
• Provided results of all verification and validation activities performed
• Identified the means by which DCTA is addressing special operational scenarios
  (e.g., Work Zones)
• Identified how DCTA is maintaining proper configurations, managing safety
  related records, as well as changes to PTC system components
• Provided the planning, curriculum, management of, and results of a PTC Training
  program
In order to gain System Certification, 49 CFR §236.1015(e)(2)(i) requires that all PTC
systems reliably prevent train-to-train collisions, overspeed derailments, incursions into
work zones, and movements of a train through a misaligned switch. In addition, the
regulation also requires that a vital overlay PTC system integrate all authorities and
indications of a wayside or cab signal system and provide appropriate warnings and
enforcements for protection of derails or switches entering the main line, highway grade
crossing malfunctions, after arrival mandatory directives, moveable bridges, integrated
hazard detectors, and maximum train speed in areas without broken rail protection. Vital
overlay PTC systems must show that the PTC system fulfills the safety assurance
principles set forth in 49 CFR Part 236 Appendix C.
The E-ATC wayside signal system and onboard equipment are designed and built on
well-defined and proven fail-safe principles. Any unsafe switch movement or route
request, whether caused by Dispatcher error or by the CTC server, is prevented by the
vital wayside logic. The hardware and software are designed and installed based on the
FRA guidelines per 49 CFR Part 236. Any failures within the safety-critical circuits are
self-detected. No single point failure results in unsafe train operation. Safety assurance
concepts according to Institute of Electrical and Electronics Engineers (IEEE) 1483-2000 [2] are used in hardware and software design.
A Risk Assessment [A1] was performed, providing an aggregate assessment of the
residual risk of the E-ATC system and demonstrating that the system has met the
applicable requirements of 49 CFR Part 236, Subpart I. As the E-ATC system is a vital
overlay system, compliance with 49 CFR Part 236, Appendix C is demonstrated within
the Risk Assessment.
This PTCSP and the results of system testing further show that the E-ATC system
implemented by DCTA meets the requirements of 49 CFR §236.1005. DCTA’s
extensive testing program of E-ATC, and deployment and operation of the system in the
Revenue Service Demonstration (RSD) phase, provide further evidence that the E-ATC
system has been designed in compliance with 49 CFR §236.1005 and does reliably
execute the functions described herein.
1 Introduction
This PTC Safety Plan (PTCSP) is submitted by Denton County Transportation Authority
(DCTA) pursuant to 49 CFR §236.1015 to meet the PTCSP requirements specified in
Subpart I of 49 CFR Part 236 [6]. The DCTA system is classified according to FRA
definitions as a “Vital Overlay” PTC system, employing fail-safe design throughout to
achieve the FRA-required level of safety.
DCTA understands that PTC system certification using the E-ATC architecture is
dependent on fulfilling all FRA requirements found in 49 CFR §236.1015. The
accompanying safety analysis in this PTCSP provides the quantitative and qualitative
analysis required to show that the DCTA PTC system, evaluated as a whole, can
receive System Certification as a vital overlay PTC.
1.1 Scope
This PTCSP provides the analysis necessary to show that the PTC system, as a whole,
is a vital overlay system. The scope of the safety assessment concentrates on the
installed elements of PTC and their interfaces to existing railroad systems and
operations. The elements that make up the proposed PTC system consist of four
segments:
1. Office Segment – Non-vital (justification provided in Section 3.3)
2. Communication Segment – Non-Vital (justification provided in Section 3.3)
3. Onboard Segment – Vital
4. Wayside Segment – Vital
E-ATC is a wayside-centric, vital overlay system that operates through wayside speed code transmissions to the vehicle, and the assimilation and processing of that data by the Onboard Segment. The vital Onboard Segment continuously accepts, validates, and processes operating data obtained from onboard peripheral devices and from the Wayside (Signaling) Segment through traditional track codes impressed on the rails. The data elements are validated and combined in such a way as to eliminate single points of failure at the system level and to reduce the overall probability of unsafe failure to an acceptable level. Because the safety-critical speed codes reach the train through the rails rather than through the non-vital Communication Segment, this wayside-centric approach minimizes the effect of communications data errors, data conflicts, data latency and malicious data communications actions on safe operation.
1.2 DCTA System Overview
Denton County Transportation Authority (DCTA) is a coordinated county transportation
authority created by House Bill 3323, under Chapter 460 of the Texas Transportation
Code, approved by the 77th Texas Legislature and signed into law by the Governor in
2001. Since being formed in 2002 and funded in 2003, DCTA has worked to establish
bus and rail service and to meet the transportation needs of Denton County.
With that authorization, the citizens adopted the authority’s Service Plan which details
the new transit entity’s future priorities to enhance mobility, provide transportation
alternatives and develop solutions to growing congestion and air quality issues. These
service priorities included five layers of transportation service:
• Bus service,
• ADA paratransit,
• Van pool service,
• A University shuttle system, and
• A Regional rail system.
The DCTA regional rail system, known as the A-train, began service in June 2011 and operates between Carrollton, TX and Denton, TX. The DCTA A-train operates on the 21.3-mile rail corridor and provides service Monday through Friday between the hours of 4:27 a.m. and 11:47 p.m., and on Saturday between the hours of 7:40 a.m. and 12:25 a.m. Trains operate at approximately 20-minute frequency during peak periods and approximately hourly during off-peak periods, using Stadler GTW cars.
DCTA contracts with a third party to provide maintenance for the rolling stock and right-of-way, dispatching services for the commuter system, and operation of the commuter rail service. The rolling stock is maintained at the DCTA maintenance facility located in Lewisville, Texas.
The DCTA rail line, known as the A-train, is a regional rail commuter line providing a
commuter rail link between the cities of Denton at the north end and Carrollton at the
south end of the rail line. The A-train is fed both from DCTA bus lines at each station, as
well as the Dallas Area Rapid Transit (DART) light rail transit (LRT) system and DART
buses at the Trinity Mills station. The A-train commuter line has a daily ridership of
1,900 passengers. Annual ridership on DCTA averages approximately 550,000
passengers.
The northern terminus of the DCTA line is the Downtown Denton Station located at mile
post (MP) 721.53. The line runs generally southeast passing the Denton Regional
Medical Center at the MedPark Station, the Highland Village/Lewisville Lake Station, the
Old Town Station, and the Hebron Station before ending at the Trinity Mills Station at
MP 742.5 in Carrollton, TX, where passengers can transfer to the DART LRT Green
Line. From the north the railroad starts at the bumping posts at Denton (MP 721.53) and
ends at Ismaili Center Circle crossing (MP 742.83) for a total of 21.3 miles. There is a
total of six regular station stops. Stations include basic passenger amenities such as
boarding platforms, canopies, windscreens, access for the physically challenged,
passenger information, ticketing, walkways and bicycle facilities, bus and auto drop-off
areas, as well as general parking.
The trip from Downtown Denton Station to Trinity Mills Station takes approximately 32
minutes. Currently, the route is single-track, requiring northbound and southbound trains
to pass at passing siding locations. A station map of the DCTA A-train route is shown in
Figure 1-1.
DART directly owns the DCTA mainline and maintains trackage rights agreements with
freight railroads for operation on the line. The single tenant railroad on the DCTA
mainline is the Dallas, Garland and Northeastern Railroad (DGNO).
The DCTA mainline operates over a section of a line known as the MKT. The MKT
(previously part of the Union Pacific Railroad), originates in downtown Dallas, passes to
the south of Love Field Airport and then continues north through Farmers Branch,
Carrollton, Lewisville and terminates in Denton. DART ownership of this line begins
south of MP 742.6, the southern terminus of the DCTA line (south of the Trinity Mills
Station) and ends at MP 721.53 in downtown Denton. This is an important resource to
local freight service customers. Freight service is provided by the DGNO to various
customers, currently a total of five (5), in the Lewisville area.
As permitted by 49 CFR §236.1006(b)(4), DGNO locomotives will not be equipped with an onboard PTC apparatus. DGNO is temporally separated from commuter passenger operation, operates fewer than four trains per day (two trains per day, or a single train conducting a "turn" operation), and operates on less than 20 miles of PTC track (a maximum of 9.6 miles). The shared track area is that between MP 733.2, Control Point (CP) North Lake, and MP 742.8 (CP Mill).
Figure 1-1: DCTA Passenger Service Territory
1.3 Document Overview
This section provides an overview of this DCTA PTC Safety Plan for the implementation
of a PTC system in accordance with the mandate of RSIA08 [3], and the requirements
of the final regulations in 49 CFR Part 236, Subpart I.
This document consists of 37 main sections and 10 appendices containing documents
that are referenced by the PTCSP sections and support the safety case and analysis.
The appendices provide reference material required by the regulations in order to fully
demonstrate the PTC system’s compliance with the FRA regulations.
This PTCSP:
1. Directly follows the structure of 49 CFR Part 236, Subpart I, §236.1015(d),
beginning with PTCSP Section 8;
2. Incorporates by reference the Type Approved E-ATC PTCDP under FRA-granted
Type Approval: FRA-TA-2013-01-A [13];
3. Provides specific responses to all regulatory requirements for a PTCSP.
Because the correlation between this PTCSP document and the clauses in 49 CFR Part
236, Subpart I, is not always one-to-one, a cross-reference between the applicable
Subpart I requirement and the relevant PTCSP section, subsection, or appendix is
provided in Table 1-1, below.
Table 1-1: 49 CFR Part 236, Subpart I Cross-Reference from Regulation to PTCSP

Each entry in Table 1-1 gives the 49 CFR regulatory reference, a summary of the regulatory requirement, the description of the regulatory requirement, and the PTCSP section reference(s) that address it.

Regulation: §236.1001(c)(2)
Summary: Subpart does not exempt the railroad (RR) from Subparts A through H compliance unless provided for in an approved PTCSP
Requirement: … subpart does not exempt a railroad from compliance with … subparts A through H … or parts 233, 234, and 235 …, unless the applicable PTCSP, as defined under §236.1003 and approved by FRA under §236.1015, provides for such an exception per §236.1013.
PTCSP reference: PTCDP [13]

Regulation: §236.1005(a)(1)
Summary: PTC system prevents hazards
Requirement: Demonstrate that the PTC system will reliably and functionally prevent the stated hazards.
PTCSP reference: §§3, 8–13

Regulation: §236.1005(a)(1)(i)
Summary: Alternative arrangements to prevent train-to-train collisions
Requirement: Specify any alternative arrangement described in §236.1005(a)(1)(i) (rail-to-rail at-grade crossings) that provides an equivalent level of safety with regard to train-to-train collisions, if applicable.
PTCSP reference: §22

Regulation: §236.1005(a)(2)
Summary: Include safety-critical integration of authorities and indications from wayside or cab signal systems
Requirement: Include safety-critical integration of all authorities and indications of a wayside or cab signal system, or other similar appliance, method, device, or system of equivalent safety, in a manner by which the PTC system shall provide associated warning and enforcement to the extent, and except as, described and justified in the FRA approved PTCDP or PTCSP, as applicable.
PTCSP reference: §§3 & 6; §11; PTCDP [13] in Appendix B

Regulation: §236.1005(a)(4)(i)
Summary: Derail or switch protecting access to the main line
Requirement: A derail or switch protecting access to the main line required by §236.1007, or otherwise provided for in the applicable PTCSP, is not in its derailing or protecting position, respectively.
PTCSP reference: §§3 & 6

Regulation: §236.1005(a)(4)(v)
Summary: Hazard detector detects an unsafe condition
Requirement: A hazard detector integrated into the PTC system that is required by paragraph (c) of this section, or otherwise provided for in the applicable PTCSP, detects an unsafe condition or transmits an alarm.
PTCSP reference: §26

Regulation: §236.1005(c)(1)
Summary: Hazard detector integrated into a signal or train control system
Requirement: Describes the appropriate and timely enforcement of warnings from integrated hazard detectors.
PTCSP reference: §26

Regulation: §236.1005(c)(2)
Summary: Additional non-integrated hazard detectors
Requirement: Specifies actions to be taken by the system and crewmembers based on the receipt and presentation to the locomotive engineer and Train Crew of warnings generated as the result of any additional non-integrated hazard detectors.
PTCSP reference: §26

Regulation: §236.1005(c)(3)
Summary: Hazard analysis for any new service conducted over 90 miles per hour (MPH)
Requirement: Describes the hazard analysis for operations over 90 miles an hour, to include hazards based on specific routes, the basis for decisions concerning hazard detectors, and the manner in which such hazard detectors will be interfaced with the PTC system.
PTCSP reference: §28 (DCTA has no operations over 90 MPH)

Regulation: §236.1005(d)(1)(i), (ii)
Summary: Event recorder operation
Requirement: (Concerning the items of locomotive data to be archived to the FRA Event Recorder or an equivalent crash-hardened memory module, regardless of its configuration.) The lead locomotive operating PTC must be equipped with an operative event recorder that shall record safety-critical train control data routed to the locomotive engineer's display with which the engineer is required to comply, specifically including text messages conveying mandatory directives and maximum authorized speed.
PTCSP reference: §32

Regulation: §236.1005(d)(1)(iii)
Summary: Event recorders: how information will be displayed, examples, retention
Requirement: Include examples of how the captured data will be displayed during playback along with the format, content, and data retention duration requirements specified in the PTCSP submitted and approved pursuant to this paragraph.
PTCSP reference: §32

Regulation: §236.1005(e)(3)
Summary: Switch position detection
Requirement: A PTC system required by this subpart shall be designed, installed, and maintained to perform the switch position detection and enforcement described in paragraphs (e)(1) and (e)(2) of this section, except as provided for and justified in the applicable, FRA approved PTCDP or PTCSP.
PTCSP reference: §6; PTCDP [13]

Regulation: §236.1005(e)(4)
Summary: Exceptions to the switch protection
Requirement: Circuits or electronic equivalent shall be arranged so that any movement authorities less restrictive than those prescribed in paragraphs (e)(1) and (e)(2) of this section can only be provided when each switch, movable-point frog, or derail in the route governed is in proper position, and shall be in accordance with subparts A through G of Part 236, unless it is otherwise provided in a PTCSP approved under Subpart I.
PTCSP reference: §23

Regulation: §236.1005(g)–(k)
Summary: Emergency and planned maintenance rerouting plan
Requirement: Describes requirements for rerouting of trains based on PTC territory and the operation under planned maintenance or emergency conditions.
PTCSP reference: §27

Regulation: §236.1006(a)
Summary: Each train operating on PTC track shall be controlled by an equipped locomotive in accordance with the PTCSP
Requirement: Each train operating on a PTC track segment equipped with a PTC system shall be controlled by a locomotive equipped with an onboard PTC apparatus that is operative and functioning in accordance with the applicable PTCSP.
PTCSP reference: §§3 & 25

Regulation: §236.1007
Summary: Additional requirements for high speed service
Requirement: Operations conducted for passenger trains at greater than 90 MPH.
PTCSP reference: §28 (DCTA has no operations over 90 MPH)

Regulation: §236.1009(d)(1)
Summary: Reference to PTCDP
Requirement: A PTC System Certification for a PTC system may be obtained by submitting an acceptable PTCSP. If the PTC system is the subject of a Type Approval, the safety case elements contained in the PTCDP may be incorporated by reference into the PTCSP, subject to finalization of the human factors analysis contained in the PTCDP.
PTCSP reference: §5

Regulation: §236.1009(d)(2)
Summary: PTCSP document overview
Requirement: Each requirement under §236.1015 shall be supported by information and analysis to establish that the requirements of this subpart have been met.
PTCSP reference: §1.3

Regulation: §236.1015(a)
Summary: Must file PTCSP
Requirement: Before placing a PTC system … in service, the host railroad must submit to FRA a PTCSP and receive a PTC System Certification.
PTCSP reference: §1

Regulation: §236.1015(b)
Summary: PTCSP may utilize Type Approval
Requirement: Type Approval reference.
PTCSP reference: §§4.1 & 5.1

Regulation: §236.1015(b)(1)
Summary: PTCPVL
Requirement: Maintains a continually updated PTCPVL pursuant to §236.1023.
PTCSP reference: §§4 & 33.1

Regulation: §236.1015(b)(2)
Summary: Shows supplier has appropriate safety measures
Requirement: Demonstrate that the supplier has a Quality Control System.
PTCSP reference: §4

Regulation: §236.1015(b)(3)
Summary: Provides applicable licensing information
Requirement: Applicable licensing information.
PTCSP reference: §4

Regulation: §236.1015(c)(1)
Summary: Include PTCDP or Type Approval
Requirement: PTCDP or Type Approval incorporation.
PTCSP reference: §5

Regulation: §236.1015(c)(2)(i)
Summary: Document any variances from the PTCDP
Requirement: Variances in operating conditions from the description in the PTCDP.
PTCSP reference: §5

Regulation: §236.1015(c)(2)(ii)
Summary: … or attest that there are none
Requirement: Attestation of no variances in operating conditions from the PTCDP.
PTCSP reference: §5

Regulation: §236.1015(c)(3)
Summary: Attest that the system was built in accordance with the PTCDP and achieves the level of safety
Requirement: Attest that the system was otherwise built in accordance with the applicable PTCDP and PTCSP and achieves the level of safety represented therein.
PTCSP reference: §5

Regulation: §236.1015(d)
Summary: Include the same information as in the PTCDP; must include the final human factors analysis
Requirement: A PTCSP shall include the same information required for a PTCDP under §236.1013(a). If a PTCDP has been filed and approved prior to filing of the PTCSP, the PTCSP may incorporate the PTCDP by reference, with the exception that a final human factors analysis shall be provided.
PTCSP reference: §§6 & 7

Regulation: §236.1015(d)(1)
Summary: Hazard log
Requirement: A hazard log (HL) consisting of a comprehensive description of all safety-relevant hazards not previously addressed by the vendor to be addressed during the life cycle of the PTC system, including maximum threshold limits for each hazard (for unidentified hazards, the threshold shall be exceeded at one occurrence). For the DCTA PTC system, the Safety Critical Items List (SCIL) is the same as a Hazard Log.
PTCSP reference: §9

Regulation: §236.1015(d)(2)
Summary: Safety Assurance Concepts (SAC)
Requirement: A description of the safety assurance concepts used in the product design, including an explanation of the design principles and assumptions.
PTCSP reference: §10

Regulation: §236.1015(d)(3)
Summary: Risk assessment
Requirement: A risk assessment of the as-built PTC system described.
PTCSP reference: §11

Regulation: §236.1015(d)(4)
Summary: Hazard mitigation analysis
Requirement: A hazard mitigation analysis, including a complete and comprehensive description of each hazard and the mitigation techniques used.
PTCSP reference: §12

Regulation: §236.1015(d)(5)
Summary: V&V description
Requirement: A complete description of the safety assessment and Verification and Validation processes applied to the PTC system, their results, and whether these processes address the safety principles described in Appendix C to this part directly, using other safety criteria, or not at all.
PTCSP reference: §13

Regulation: §236.1015(d)(6)
Summary: Training plan
Requirement: A complete description of the railroad's training plan for railroad and contractor employees and supervisors necessary to ensure safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system.
PTCSP reference: §14

Regulation: §236.1015(d)(7)
Summary: Test procedures for equipment installation, repair, operations, etc.
Requirement: A complete description of the specific procedures and test equipment necessary to ensure the safe and proper installation, implementation, operation, maintenance, repair, inspection, testing, and modification of the PTC system on the railroad and establish that safety-critical hazards are appropriately mitigated. These procedures, including calibration requirements, shall be consistent with or explain deviations from the equipment manufacturer's recommendations.
PTCSP reference: §15

Regulation: §236.1015(d)(8)
Summary: Additional warnings
Requirement: A complete description of each warning to be placed in the Operations and Maintenance Manual identified in §236.919, and of all warning labels required to be placed on equipment as necessary to ensure safety.
PTCSP reference: §16

Regulation: §236.1015(d)(9)
Summary: Configuration control
Requirement: A complete description of the configuration or revision control measures designed to ensure that the railroad or its contractor does not adversely affect the safety functional requirements and that safety-critical hazard mitigation processes are not compromised as a result of any such change.
PTCSP reference: §17

Regulation: §236.1015(d)(10)
Summary: Initial implementation procedures
Requirement: A complete description of all initial implementation testing procedures necessary to establish that safety-functional requirements are met and safety-critical hazards are appropriately mitigated.
PTCSP reference: §18

Regulation: §236.1015(d)(11)
Summary: Post-implementation procedures
Requirement: A complete description of all post-implementation testing (validation) and monitoring procedures, including the intervals necessary to establish that safety-related functional requirements, safety-critical hazard mitigation processes, and safety-critical tolerances are not compromised over time, through use, or after maintenance (adjustment, repair, or replacement) is performed.
PTCSP reference: §19

Regulation: §236.1015(d)(12)
Summary: Description of records to ensure system safety
Requirement: A complete description of each record necessary to ensure the safety of the system that is associated with periodic maintenance, inspections, tests, adjustments, repairs, or replacements, and the system's resulting conditions, including records of component failures resulting in safety-relevant hazards (see §236.1037).
PTCSP reference: §20

Regulation: §236.1015(d)(13)
Summary: Safety analysis
Requirement: A safety analysis to determine whether, when the system is in operation, any risk remains of an unintended incursion into a roadway work zone due to human error. If the analysis reveals any such risk, the PTCDP and PTCSP shall describe how that risk will be mitigated.
PTCSP reference: §21

Regulation: §236.1015(d)(14)
Summary: Description of alternative arrangements made under §236.1005(a)(1)(i)
Requirement: A more detailed description of any alternative arrangements as already provided under §236.1005(a)(1)(i).
PTCSP reference: §22

Regulation: §236.1015(d)(15)
Summary: PTC enforcement of authorities
Requirement: A complete description of how the PTC system will enforce authorities and signal indications, unless already completely provided for in the PTCDP.
PTCSP reference: §23

Regulation: §236.1015(d)(16)
Summary: How the system complies with §236.1019(f)
Requirement: A description of how the PTCSP complies with §236.1019(f), if applicable.
PTCSP reference: §24

Regulation: §236.1015(d)(17)
Summary: Deviation of operating procedures for en route failures
Requirement: A description of any deviation in operational requirements for en route failures as specified under §236.1029(c), if applicable and unless already completely provided for in the PTCDP.
PTCSP reference: §25

Regulation: §236.1015(d)(18)
Summary: Enforcement of integrated hazard detectors
Requirement: A complete description of how the PTC system will appropriately and timely enforce all integrated hazard detectors in accordance with §236.1005(c).
PTCSP reference: §26

Regulation: §236.1015(d)(19)
Summary: Emergency rerouting plan
Requirement: An emergency and planned maintenance temporary rerouting plan indicating how operations on the subject PTC system will take advantage of the benefits provided under §236.1005(g)–(k).
PTCSP reference: §27

Regulation: §236.1015(d)(20)
Summary: High Speed Rail and Communications Security documents
Requirement: The documents and information required under §236.1007 and §236.1033.
PTCSP reference: §§28 & 29

Regulation: §236.1015(d)(21)
Summary: Locations for repair of failed PTC apparatus; location of repair to be specified for a PTC-failed locomotive apparatus; movements over 500 miles to repair to be specified
Requirement: A list of each location where a locomotive with a failed onboard PTC apparatus will regularly be exchanged or repaired pursuant to §236.1029(b)(6), and a list of each movement that could take place pursuant to §236.1029(b)(6) if the movement potentially could exceed 500 miles.
PTCSP reference: §25

Regulation: §236.1015(e)(2)(i)
Summary: Reliably execute the functions in §236.1005
Requirement: Reliably perform the functions stated in §236.1005 when employing a vital overlay PTC system.
PTCSP reference: §3

Regulation: §236.1015(e)(2)(ii)
Summary: Sufficient documentation to demonstrate that the as-built system fulfills the SACs
Requirement: Compliance required with Appendix C; the risk assessment may be abbreviated as defined in Subpart H.
PTCSP reference: §§8, 10 & 11

Regulation: §236.1015(f)
Summary: Adequate data regarding safety impacts of proposed changes
Requirement: The FRA may consider reliability and availability data in determining if the PTCSP adequately complies with §236.1015(d). In any case where the PTCSP lacks adequate data regarding safety impacts of the proposed changes, the Associate Administrator may request the necessary data from the applicant. If the requested data is not provided, the Associate Administrator may find that potential hazards could or will arise.
PTCSP reference: §13

Regulation: §236.1015(g)
Summary: PTC system replacing an existing PTC system provides the same level of safety as the old version
Requirement: When replacing an existing certified PTC system, the PTCSP establishes with a high degree of confidence that the new system will provide a level of safety not less than the level of safety provided by the system to be replaced.
PTCSP reference: N/A

Regulation: §236.1015(h)
Summary: Potential data error identification and mitigation
Requirement: Potential data errors: the PTCSP must include a careful identification of each of the risks and a discussion of each applicable mitigation. In an appropriate case, such as a case in which the residual risk after mitigation is substantial or the underlying method of operation will be significantly altered, the Associate Administrator may require submission of a quantitative risk assessment addressing these potential errors.
PTCSP reference: §30

Regulation: §236.1017(a)
Summary: Supported by independent third-party assessment
Requirement: The PTCSP must be supported by an independent third-party assessment when the Associate Administrator concludes that it is necessary.
PTCSP reference: §31

Regulation: §236.1019(f)
Summary: MTEA: the railroad must certify that no changes have been made to the previously approved PTCIP
Requirement: Main Line Track Exceptions: No PTCSP filed after the approval of a PTCIP with an MTEA shall be approved by FRA unless it attests that no changes, except for those included in an FRA approved request for amendment (RFA), have been made to the information in the PTCIP and MTEA required by paragraph (b) or (c) of this section.
PTCSP reference: §24

Regulation: §236.1021(a)(1)
Summary: No changes as defined by this section to a PTCSP shall be made unless the conditions of the section are met
Requirement: No changes, as defined by this section, to a PTC system, PTCIP, PTCDP, or PTCSP shall be made unless the railroad files a request for amendment ("RFA") and, per §236.1021(a)(2), the RFA is approved by the Associate Administrator.
PTCSP reference: §1.5

Regulation: §236.1023(a)
Summary: PTCPVL
Requirement: The PTC Product Vendor List (PTCPVL) catalogs all vendors and suppliers of the E-ATC system.
PTCSP reference: §§4 & 33

Regulation: §236.1023(b)(1)
Summary: All contractual relationships with hardware and software vendors
Requirement: Specify all contractual arrangements with hardware and software suppliers or vendors for immediate notification between the parties of any and all safety-critical software failures, upgrades, patches, or revisions, as well as any hardware repairs, replacements, or modifications for their PTC system, subsystems, or components.
PTCSP reference: §33

Regulation: §236.1023(c)(1)
Summary: Procedures for actions when notified of a safety-critical failure
Requirement: Specify the railroad's process and procedures for action upon receipt of notification of a safety-critical failure, as well as upon receipt of a safety-critical upgrade, patch, revision, repair, replacement, or modification.
PTCSP reference: §33

Regulation: §236.1023(c)(2)
Summary: Configuration management to ensure safety is not compromised as a result of a change
Requirement: Identify configuration/revision control measures that are designed to ensure that the safety-functional requirements and the safety-critical hazard mitigation processes are not compromised because of any change and that such a change can be audited.
PTCSP reference: §17

Regulation: §236.1023(e)
Summary: After placing the system in service, the railroad shall maintain a database of all safety-relevant hazards
Requirement: After PTC is in service, a database of safety-relevant hazards occurring in the system is to be maintained. If the occurrence of a hazard exceeds a threshold limit, reporting shall be performed as per this regulation.
PTCSP reference: §20

Regulation: §236.1023(e)(3)
Summary: Take prompt countermeasures to reduce the number of safety-relevant hazards
Requirement: … take prompt countermeasures to reduce or eliminate the frequency of the safety-relevant hazards below the threshold identified in the PTCSP.
PTCSP reference: §20

Regulation: §236.1023(j)
Summary: When a safety-critical PTC system fails to perform, the railroad shall take appropriate action
Requirement: When any safety-critical PTC system, subsystem, or component fails to perform its intended function, the cause shall be determined and the faulty product adjusted, repaired, or replaced without undue delay. Until corrective action is completed, a railroad shall take appropriate action to ensure safety and reliability as specified within its PTCSP.
PTCSP reference: §§20 & 33

Regulation: §236.1027
Summary: System exclusions
Requirement: Any office automation system that performs safety-critical functions or directly controls the movements of a train in a PTC system is subject to the requirements of Subpart I.
PTCSP reference: §34

Regulation: §236.1029(a)
Summary: Specify actions to ensure proper logging and correction of failures
Requirement: Any failures in PTC equipment must be identified, logged, corrected, and normal service restored without undue delay. Actions to accomplish this are to be specified in the PTCSP.
PTCSP reference: §§20 & 25

Regulation: §236.1029(b)
Summary: En route failures
Requirement: When any safety-critical PTC system component fails to perform its intended function … a railroad shall take appropriate action as specified in its PTCSP. In general. * * * Until repair of such essential components is completed, a railroad shall take appropriate action as specified in its PTCSP.
PTCSP reference: §25

Regulation: §236.1029(c)
Summary: Exception for alternative system failure procedure
Requirement: Deviation of operational procedures for en route failures.
PTCSP reference: §25

Regulation: §236.1031
Summary: Previously approved PTC systems
Requirement: Previous approval or recognition of a train control system that may be credited towards the safety case.
PTCSP reference: N/A

Regulation: §236.1033(e)(2)
Summary: Security information to protect data
Requirement: All wireless PTC communications must be protected by cryptographic means to assure message integrity and authentication as described in the PTCSP.
PTCSP reference: §29

Regulation: §236.1033(f)
Summary: Service restoration and mitigation plan
Requirement: Each railroad, or its vendor or supplier, shall have a prioritized service restoration and mitigation plan for scheduled and unscheduled interruptions of service. This plan shall be included in the PTCDP or PTCSP as required by §§236.1013 or 236.1015, as applicable.
§§25, 27 & 29
§236.1037
Records Retention
Identified PTC-related records shall be maintained by the §20
railroad as per regulation at designated location(s) on the
railroad. Occurrence of hazards and incidents must be
reported and corrective action taken.
§236.1039
Operations and
Maintenance
Manual
All documents specified in the PTCDP and PTCSP
§§15 & 20
related to operations and maintenance shall be located in
one manual readily available to personnel required to
perform such tasks.
PTCSP Section 1
April 2, 2020
Page 25
Volume I – Main Body
E-ATC PTC Safety Plan (PTCSP)
Denton County Transportation Authority
Revision 1.1
Table 1-1
49 CFR Regulatory
Reference
Summary of
Regulatory
Requirement
Description of Regulatory Requirement
PTCSP
Section
References
§236.1041(a)
Training and
Qualification
Program
Training program for PTC personnel and competencies
§14
§236.1043(a)
Training Structure
and Delivery
The Employer shall, at a minimum … identify the specific
goals of the training program …
§14
§236.1043
Task Analysis and
Basic
Requirements
Training structure and training records
§§14 & 20
§236.1045
Training Specific to
Office control
Personnel
Any person responsible for issuing or communicating
mandatory directives in territory where PTC systems are
or will be in use shall be trained in the following areas, as
applicable … Instructions concerning the interface
between the computer-aided dispatching system and the
train control system …
§14
§236.1047
Training for
Training for locomotive engineers and Conductors
operating personnel
§14
§236.1049
Training Specific to
Roadway Workers
Training requirements specific to Roadway Workers
§14
Appendix B
Risk Assessment
Criteria
The risk metric for the proposed product must describe
… risk … over the designated life cycle of the product.
§11;
Appendix [A1]
PTCSP Section 1
April 2, 2020
Page 26
Volume I – Main Body
E-ATC PTC Safety Plan (PTCSP)
Denton County Transportation Authority
Revision 1.1
Table 1-1
49 CFR Regulatory
Reference
Summary of
Regulatory
Requirement
Description of Regulatory Requirement
PTCSP
Section
References
Appendix C
Safety Assurance
Criteria and
Processes
Safety principals must be followed or explained in
PTCSP
§11;
Appendix [A1]
Appendix C(b)(4)
SACs
The product design must include one or more of the
following Safety Assurance Concepts as described in
IEEE–1483 standard …
§10;
Appendix [A1]
Appendix C(b)(5)
Human factors
engineering
The product design must sufficiently incorporate human
factors engineering that is appropriate to the complexity
of the product …
§§7 & 11
PTCSP Section 1
April 2, 2020
Page 27
1.4 PTCSP Drafts Previously Shared with FRA
As of the current revision, no draft of this DCTA PTCSP has been shared with FRA.
1.5 Update of this PTCSP
Any update to this PTCSP will be done in accordance with 49 CFR §236.1021(a).
1.6 Acronyms and Definitions
This section is included to capture common acronyms, abbreviations and terms required
to interpret the PTC Safety Plan. Table 1-2, below, contains a list of abbreviations and
acronyms used in this document. Table 1-2 is followed by Table 1-3, which addresses
safety related definitions used herein.
Table 1-2: Abbreviations and Acronyms
Abbreviation / Acronym | Definition
AAR | Association of American Railroads
ADA | Americans with Disabilities Act
AREMA | American Railway Engineering and Maintenance-of-Way Association
ATC | Automatic Train Control
CDU | Crew Display Unit
CFR | Code of Federal Regulations
CM | Configuration Management
CMCB | Configuration Management Control Board
CMDB | Configuration Management Database
CMP | Configuration Management Plan
CP | Control Point
CSS | Cab Signaling System
CTC | Centralized Traffic Control
DART | Dallas Area Rapid Transit
DCTA | Denton County Transportation Authority
DGNO | Dallas, Garland and Northeastern Railroad
DMU | Diesel Multiple Unit
DTMF | Dual Tone Multi Frequency
E-ATC | Enhanced Automatic Train Control
EC | Electrocode
EDU | Engineer's Display Unit
ELIXS | ElectroLogIXS
EOB | End of Block
FFT | Functional Fault Tree
FMEA | Failure Mode and Effects Analysis
FOIA | Freedom of Information Act
FRA | Federal Railroad Administration
FTA | Fault Tree Analysis
GCOR | General Code of Operating Rules
GTW | Gelenktriebwagen (English translation: articulated railcar)
GUI | Graphical User Interface
HFA | Human Factors Analysis
HGCWS | Highway Grade Crossing Warning Subsystem
HL | Hazard Log
HMI | Human Machine Interface
Hz | Hertz
I/O | Input / Output
ID | Identification
IEEE | Institute of Electrical and Electronics Engineers
LCP | Local Control Point
LED | Light Emitting Diode
LRT | Light Rail Transit
MAS | Maximum Authorized Speed
MD | Mandatory Directive
MOW | Maintenance of Way
MP | Mile Post
MPH | Miles Per Hour
MTBF | Mean Time Between Failures
MTEA | Main Line Track Exclusion Addendum
MTTHE | Mean Time To Hazardous Event
NCP | No Code Proceed
O&SHA | Operating and Support Hazard Analysis
OBC | Onboard Computer
OCG | Office Communication Gateway
OMF | Operations and Maintenance Facility
OMM | Operating and Maintenance Manual
OS | Overspeed; Over-switch
PHA | Preliminary Hazard Analysis
PSR | Permanent Speed Restriction
PTC | Positive Train Control
PTCDP | Positive Train Control Development Plan
PTCIP | Positive Train Control Implementation Plan
PTCPVL | PTC Product Vendors List
QA | Quality Assurance
RA | Risk Assessment
RFA | Request for Amendment
ROW | Right-of-Way
RR | Railroad
RSD | Revenue Service Demonstration
RSIA08 | Rail Safety Improvement Act of 2008
RWIC | Roadway Worker In-Charge
SAC | Safety Assurance Concept
SCIL | Safety Critical Items List
SHA | System Hazard Analysis
SIR | Secure Information Repository
TAV | Type Approval Variance
TCC | Rio Grande and Pacific Train Control Center
TCCP | Timed Code Change Point
TCG | Track Code Generator
TSR | Temporary Speed Restriction
TTP | Time To Penalty
TX | Texas; Transmit
U.S.C. | United States Code
UCII | Ultra Cab II
V&V | Verification and Validation
VHLC | Vital Harmon Logic Controller
VLC | Vital Logic Controller
WZ | Work Zone
XP4 | ElectroLogIXS Crossing Predictor configuration
Table 1-3, below, contains a list of definitions for safety terminology used within this
document.
Table 1-3: Definitions of Safety Terms
Term | Definition
Closed Loop Principle | System design adhering to the closed loop principle requires that all conditions necessary for the existence of any permissive state or action be verified to be present before the permissive state or action can be initiated. Likewise, the requisite conditions shall be verified to be continuously present for the permissive state or action to be maintained. This is in contrast to allowing a permissive state or action to be initiated or maintained in the absence of detected failures. In addition, closed loop design requires that failure to perform a logical operation, or absence of a logical input, output or decision, shall not cause an unsafe condition, i.e. system safety does not depend upon the occurrence of an action or logical decision.
Fail-Safe | A design philosophy applied to safety-critical systems such that the results of hardware failures or the effect of software error either shall prohibit the system from assuming or maintaining an unsafe state or shall cause the system to assume a state known to be safe. (IEEE-1483 [2])
Host Railroad | A railroad that has effective operating control over a segment of track.
Interoperability | The ability of a controlling locomotive to communicate with and respond to the PTC railroad's positive train control system, including uninterrupted movements over property boundaries.
Safety-Critical | Safety-critical, as applied to a function, a system, or any portion thereof, means the correct performance of which is essential to safety of personnel or equipment, or both; or the incorrect performance of which could cause a hazardous condition, or allow a hazardous condition which was intended to be prevented by the function or system to exist. (49 CFR Part 236, Subpart H [5])
Safety-Critical | A term applied to a system or function, the correct performance of which is critical to safety of personnel and/or equipment; also, a term applied to a system or function, the incorrect performance of which may result in an unacceptable risk of a hazard. (IEEE-1483 [2])
Safety Validation | A structured and managed set of activities, including analysis and test, which show that the system, as specified and implemented, performs the intended functions and that those functions result in overall safe operation. Validation answers the question, "Did we build the right system?" (IEEE-1483 [2])
Safety Verification | A structured and managed set of activities, including analysis and test, which show that the system, including its subsystems, interfaces and components, as designed and implemented, meets the allocated system safety goals and requirements. Verification answers the question, "Did we build the system right?" (IEEE-1483 [2])
Tenant Railroad | A railroad, other than a host railroad, operating on track upon which a PTC system is required.
Timed Code Change Point (TCCP) | A time delay after a train enters a block before a downgrade of the cab signal code rate occurs.
Vital Function | A function in a safety-critical system that is required to be implemented in a fail-safe manner. Note: Vital functions are a subset of safety-critical functions. (IEEE-1483 [2])
2 Applicable Documents
The documents listed in this section either are referenced specifically from within this
PTCSP or are listed as general resources to provide more information regarding a
particular system safety subject. These referenced documents are not considered part
of this PTCSP. Documents that form an integral part of this PTCSP are contained within
the appendices listed in Section 36.
Documentation on this list may be obtained from the standards body where appropriate,
or from the publisher of the document.
Note: For undated references, the most current edition applies.
[1] MIL-STD-882C, System Safety Program Requirements, 19 January 1993 with Notice 1, 19 January 1996.
[2] IEEE Standard 1483-2000, “Standard for the Verification of Vital Functions in Processor-based Systems Used in Rail Transit Control”.
[3] Congress of the United States. Rail Safety Improvement Act of 2008. Public Law 110–432. October 16, 2008.
[4] Federal Railroad Administration, US Department of Transportation. 49 CFR Parts 228, 235, 236A thru 236G, Federal Railroad Administration, Rules, Standards, and Instructions for Railroad Systems.
[5] Federal Railroad Administration, US Department of Transportation. 49 CFR Part 236 Subpart H, Standards for Development and Use of Processor-Based Signal and Train Control Systems; Final Rule, Docket Number FRA-2001-10160, 7 March 2005.
[6] Federal Railroad Administration, US Department of Transportation. 49 CFR Parts 229, 234, 235, 236.
[7] 49 CFR §234.211, “Grade Crossing Signal System Safety,” Subpart D, “Maintenance, Inspection, and Testing Maintenance Standards”, “Security of Warning System Apparatus”, 5 December 2005.
[8] 49 CFR §229.135, “Railroad Locomotive Safety Standards,” “Event Recorders”, 15 January 2010.
[9] IEEE STD 1362-1998, “IEEE Guide for Information Technology—System Definition—Concept of Operations (ConOps) Document Description”, IEEE Computer Society/Software & Systems Engineering Standards Committee, 22 December 1998.
[10] AREMA C&S Manual Section 16, “Vital Circuit and Software Design”.
[11] AREMA C&S Manual Section 17, “Quality Principles”.
[12] AAR Standard S-61213, “Railroad Use of 802.11”.
[13] E-ATC PTCDP Rev 1.2 as Type Approved by FRA on 3/11/16, FRA-TA-2013-01A.
[14] DCTA PTCIP, Rev 9.0, January 30, 2019.
[15] IEEE Standard 829-2008, “Standard for Software Test Documentation”.
[16] NUREG-0492 Fault Tree Handbook, January 1981.
[17] GCOR, General Code of Operating Rules, 7th edition, effective date 01 April 2015.
[18] EN 50159:2010, “Railway applications – Communication, signaling and processing systems – Safety related communication in transmission systems”.
The project-specific reference documents listed below are available to FRA on request by contacting the DCTA Director of Commuter Rail.
[R1] DCTA Timetable #5, February 3, 2019.
[R2] DCTA General Order #1, February 3, 2019.
[R3] DCTA Roadway Worker Protection (RWP), Roadway Maintenance Machines and On-Track Safety Rules.
[R4] DCTA Configuration Management Plan.
[R5] DCTA Communications Restoration Plan.
[R6] DCTA Functional Design Description, 083511-040, Rev 07, March 26, 2018.
[R7] Complete Set of O&M Manuals.
[R8] E-ATC Practice 001 - Failure Notification and Recording.
[R9] ElectroLogIXS Safety Assurance Concepts (SAC), 082806-123, Rev A12, 05 April 2019.
[R10] UltraCab II System Safety Concepts, 083423-025, Rev A02, 2019 April 08.
[R11] UCII DCTA Product Safety Case, 083511-015, Rev A01, 2018 November 14.
[R12] Carborne (UCI & UCII) Platform Generic Operation and Support Hazard Analysis
(O&SHA), 083423-021, Rev A07, 2016 July 20.
[R13] Global ElectroLogIXS Platform, Functional Fault Tree - Level 1, 082806-124, Rev
A19, 06/06/2013.
[R14] DCTA UCII FTA. (Fault Tree Analysis), 083511-012, Rev A01, 2018 April 08.
[R15] DCTA E-ATC UCII Validation Report, 083511-708, Rev A, 16 Nov 2018.
[R16] ElectroLogIXS Validation Test Report 082806-887, Rev A01, 04/14/2016.
[R17] Alstom Project Configuration Management Plan, ENG-P-0059, Rev. F.
[R18] Alstom Configuration Management Plan Addendum for UltraCab (UCII) Product
Line, Alstom document: 083423-091, Rev B, 04/27/2018.
[R19] Test Request per 49 CFR §236.1035.
[R20] DCTA DMU Acceleration and Braking Qualification Test Report.
[R21] DCTA E-ATC Dynamic Test Report.
[R22] DCTA E-ATC Failure Test Report.
[R23] DCTA PTC Type Approval Variance Request, Revision 2.0, March 2, 2017.
[R24] DCTA Event Recorder Interface Description.
3 Confirmation of FRA Type Designation for DCTA PTC System [49 CFR §236.1015(e)(2)]
E-ATC has been specified and implemented as a Vital Overlay PTC system on DCTA,
as defined by 49 CFR §236.1015(e). This PTCSP demonstrates that E-ATC meets the
FRA criteria set forth for a Vital Overlay PTC system:
1. This PTCSP shows that E-ATC reliably executes the requirements for PTC
systems set forth in 49 CFR §236.1005.
2. This PTCSP, when combined with the PTCDP [13], demonstrates that E-ATC
has sufficient documentation to fulfill the safety assurance criteria and processes
set forth in 49 CFR Part 236, Appendix C.
3. This PTCSP contains a risk assessment (RA) of the as-built E-ATC system, as
required by 49 CFR §236.1015(d)(3).
3.1 Reliably Execute PTC System Functions of 49 CFR §236.1005
This PTCSP contains the operating, conceptual, design, implementation, verification
and validation (V&V) evidence that DCTA’s implementation of E-ATC meets the
functional requirements of 49 CFR Part 236, Subpart I, §236.1005(a) and the additional
PTC safety criteria as required by 49 CFR Part 236, Subpart I. Table 1-1 provides a
cross-reference between regulatory requirements and this PTCSP.
3.2 Sufficient Documentation to Fulfill 49 CFR Part 236 Appendix C Safety Assurance Principles
DCTA’s Safety Plan for E-ATC includes analysis and documentation to explain and
demonstrate that:
1. The safety principles of Appendix C, paragraph (b) were addressed, or are not
relevant; and
2. A verification and validation process pursuant to Appendix C, paragraph (c) was
employed.
The required documentation is provided in Sections 8 through 13 of this PTCSP and in
the appendices and reference documents called out in these sections.
3.3 Justification of Non-vital Classification of the Office Segment and the Communication Segment
DCTA asserts that all office functions, communications paths and networks used for
PTC purposes are inherently non-vital, and that the E-ATC PTC system compensates
for this condition by providing a vital signaling system with safety-critical conflict
resolution, that prevents implementation of overlapping and inconsistent authorities.
3.3.1 Basic Architecture of E-ATC System
A simplified representation of the basic architecture of DCTA’s E-ATC system is shown
in Figure 3-1, below.
Figure 3-1: DCTA E-ATC Architecture
Core functionality is provided by the Vital Signal System. Each Control Point (CP) in the
Wayside Segment contains an ElectroLogIXS vital controller performing the following
tasks:
• Occupancy determination through vital track circuits
• Safe train separation in accordance with railroad signaling principles
• Route locking
• Track code generation to cascade speed and signal status between adjacent wayside controllers
• Cab code generation to communicate cab signal information to the carborne controller
• Switch control
More detailed information on Wayside Segment functionality is provided in Section 6.5.
Vital control of the Onboard Segment is provided by Ultra Cab II (UCII) equipment,
providing the following functionality:
• Train speed determination
• Cab code determination
• Aspect display
• Enforcement alerts
• Speed limit enforcement through vital penalty brake application
More detailed information on Onboard Segment functionality is provided in Section 6.6.
The Office Segment consists of CTC technology. The core system logic and
communications processing software is hosted on the servers, while the user interface
for Dispatchers is presented on the CTC Machines.
The Office Segment provides the following non-vital functionality:
• Timetabling/scheduling of routes
• Visualization of track layout, aligned routes, train position and switch/signaling status
• Application of Temporary Speed Restrictions
• Application of Mandatory Directives
More detailed information on Office Segment functionality is provided in Section 6.3.
DCTA utilizes a communication network operating over fiber optic cable to support its
daily operations. The communications infrastructure provides data services to all DCTA
wayside locations. More detailed information on Communication Segment functionality
is provided in Section 6.4. Communications security provisions are detailed in Section
29 of this PTCSP.
Note that data exchange between locations within the wayside signaling system is not
considered part of the Communication Segment. Wayside to Wayside data exchange is
part of the vital signaling system and is described further in Section 29.3.1.
3.3.2 Non-Vitality of Office Segment and Communication Segment
A core concept of DCTA’s E-ATC architecture is that Office Segment messages to the
wayside vital processor are not direct controls but requests. In all cases, the Office/CTC
system issues a non-vital request that is transmitted by the Communication Segment to
the wayside. Each request is checked by the vital ElectroLogIXS controller before it is
implemented. No message from the dispatching system can cause the vital wayside
controller to present an unsafe condition. As shown in Sections 8 - 13 of this PTCSP,
the vital Wayside Segment prevents the issuance of overlapping and inconsistent
authorities in a safety-critical manner. If an unsafe request were to be received from the
CTC system, then the vital wayside processor will reject the request, fail to comply with
the dispatching command, and provide a message to the Dispatcher that the request
was not implemented.
Temporary Speed Restrictions (TSRs) and Mandatory Directives (MDs) are issued by
the Dispatcher through the Office Segment and sent to the wayside equipment through
the Communication Segment. The vital wayside processor checks each request for
validity and whether it can be implemented safely. Once implemented, the wayside
equipment sends confirmation back to the Dispatcher and vitally enforces and maintains
the restriction until it is removed by the Dispatcher. Should a restriction fail to apply, the
wayside returns an alert to the Dispatcher.
Two actions are required to release a TSR or MD: First, the Dispatcher issues the
release request. In response, the wayside equipment returns an “acknowledge receipt”
message to the Dispatcher, but does not yet release the restriction. The Dispatcher
must respond with a second release request. Only upon successful receipt of the
second release request will the wayside release the restriction.
To ensure that the Wayside Segment always has valid and current restriction
information, a TSR heartbeat is provided. A status message is sent from the office to
each wayside control point (CP) every 18 seconds, and the wayside replies back to the
office with a status message. If there is a mismatch, an error message will be displayed
to the Dispatcher.
Section 11 of this PTCSP and the associated Risk Assessment [A1] provide further
details to substantiate the non-vitality of the Office and Communication Segments of E-ATC.
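The request-check, two-step release and heartbeat behaviour described in this section, together with the closed-loop and fail-safe definitions of Table 1-3, as an added simulation. This is example code written for this page, not code from the DCTA PTCSP or from the E-ATC, ElectroLogIXS or CTC products. The message type and field names, the territory-bounds validity rule, the time field on the status message and the two-missed-beats allowance for an overdue heartbeat are assumptions made for illustration; the page describes none of those details.

```python
"""Added example, not part of the DCTA PTCSP or of the E-ATC product: a
simulation of the office-to-wayside request handling described in
Section 3.3.2. Message names, field layout, the territory/validity rule
and the heartbeat-overdue threshold are assumptions for illustration; the
page does not describe the real ElectroLogIXS/CTC message formats."""
from dataclasses import dataclass, field
from typing import Optional

HEARTBEAT_PERIOD_S = 18        # office-to-CP status interval stated in Section 3.3.2
MISSED_BEATS_BEFORE_ALERT = 2  # assumption: the page gives no timeout figure


@dataclass
class Restriction:
    rid: str
    start_mp: float
    end_mp: float
    mph: int
    release_pending: bool = False  # first release request seen, second not yet


@dataclass
class WaysideCP:
    """Vital-controller behaviour in the closed-loop sense of Table 1-3: an
    office message is a request, it is checked before anything changes, and
    any request that cannot be verified leaves the more restrictive state in
    place and tells the dispatcher why."""
    name: str
    min_mp: float
    max_mp: float
    restrictions: dict = field(default_factory=dict)
    last_heartbeat: Optional[float] = None

    def handle(self, msg: dict) -> dict:
        handlers = {"apply_tsr": self._apply,
                    "release_tsr": self._release,
                    "status": self._status}
        handler = handlers.get(msg.get("type"))
        if handler is None:
            return {"result": "rejected", "reason": f"unknown request {msg.get('type')!r}"}
        return handler(msg)

    def _apply(self, msg: dict) -> dict:
        try:
            rid = str(msg["id"])
            start, end, mph = float(msg["start_mp"]), float(msg["end_mp"]), int(msg["mph"])
        except (KeyError, TypeError, ValueError) as exc:
            return {"result": "rejected", "reason": f"malformed apply request: {exc}"}
        # Assumed validity rule: limits inside this CP's territory, ordered, speed positive.
        if not (self.min_mp <= start < end <= self.max_mp) or mph <= 0:
            return {"result": "rejected", "reason": f"{rid}: limits not safely applicable here"}
        self.restrictions[rid] = Restriction(rid, start, end, mph)
        return {"result": "applied", "id": rid}   # confirmation back to the dispatcher

    def _release(self, msg: dict) -> dict:
        r = self.restrictions.get(msg.get("id"))
        if r is None:
            return {"result": "rejected", "reason": f"no active restriction {msg.get('id')!r}"}
        if not r.release_pending:
            r.release_pending = True               # first request: acknowledge, keep enforcing
            return {"result": "acknowledge_receipt", "id": r.rid}
        del self.restrictions[r.rid]               # second request: release
        return {"result": "released", "id": r.rid}

    def _status(self, msg: dict) -> dict:
        """Heartbeat: compare the office's list of active restrictions with ours."""
        self.last_heartbeat = msg.get("time", self.last_heartbeat)
        office = set(map(str, msg.get("active_ids", [])))
        wayside = set(self.restrictions)
        reply = {"result": "status", "cp": self.name, "active_ids": sorted(wayside)}
        if office != wayside:                       # dispatcher gets an error message
            reply["mismatch"] = {"office_only": sorted(office - wayside),
                                 "wayside_only": sorted(wayside - office)}
        return reply

    def heartbeat_overdue(self, now: float) -> bool:
        """True when no status message has arrived within the assumed allowance."""
        if self.last_heartbeat is None:
            return True
        return now - self.last_heartbeat > HEARTBEAT_PERIOD_S * MISSED_BEATS_BEFORE_ALERT

    def enforced_speed(self, mp: float, mas: int) -> int:
        """Most restrictive of MAS and every restriction covering mp; a restriction
        awaiting its second release request is still enforced."""
        covering = [r.mph for r in self.restrictions.values() if r.start_mp <= mp <= r.end_mp]
        return min([mas, *covering])


if __name__ == "__main__":
    cp = WaysideCP("CP Example", min_mp=10.0, max_mp=20.0)   # constructed territory
    print(cp.handle({"type": "apply_tsr", "id": "TSR-1", "start_mp": 12, "end_mp": 14, "mph": 25}))
    print(cp.handle({"type": "release_tsr", "id": "TSR-1"}))   # acknowledge only
    print(cp.enforced_speed(13.0, mas=60))                     # still 25: not yet released
    print(cp.handle({"type": "release_tsr", "id": "TSR-1"}))   # released on the second request
    print(cp.enforced_speed(13.0, mas=60))                     # back to the MAS of 60
```

The point of the simulation is the direction of trust: nothing the office sends is acted on until the wayside has checked it, a single release request leaves the restriction enforced, and a disagreement between the office's and the wayside's view of the active restrictions is surfaced on the next heartbeat rather than silently resolved in favour of the office.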
4 Type Approval Reference [49 CFR §236.1015(b)]
This section identifies the type approval that has been issued to E-ATC, and establishes
that DCTA has met the requirements of 49 CFR §236.1015(b) to reference and utilize
this type approval in this PTCSP by:
1. Maintaining a continually updated PTC Product Vendors List pursuant to 49 CFR
§236.1023;
2. Showing that the supplier from which they are procuring the PTC system has
established and can maintain a quality control system for PTC system design
and manufacturing acceptable to the Associate Administrator. The quality control
system must include the process for the product supplier or vendor to promptly
and thoroughly report any safety-relevant failure and previously unidentified
hazards to each railroad using the product; and
3. Providing the applicable licensing information.
4.1 Type Approval Referenced and Utilized in This PTCSP
The referenced type approval, FRA-TA-2013-01-A, has been issued by the Associate Administrator for the E-ATC system and is utilized in this PTCSP in accordance with 49 CFR Part 236, Subpart I.
4.2 PTC Product Vendors List (PTCPVL) [49 CFR §236.1015(b)(1)]
DCTA maintains a continually updated PTCPVL pursuant to 49 CFR §236.1023 as
required by 49 CFR §236.1015(b)(1). The PTCPVL is further described in Section 33.1
of this PTCSP and is provided complete in Appendix [A8] of this PTCSP.
4.3 PTC System Vendor Quality Control System [49 CFR §236.1015(b)(2)]
DCTA has reviewed vendors’ quality assurance (QA) plans and has determined that
they meet its requirements and are ISO 9001 compliant. In addition, DCTA and its
vendors have established and agreed upon a Failure Notification and Reporting
Process, which is described further in Section 33 of this PTCSP. Based on DCTA’s
review of vendors’ QA plans and the agreed-upon Failure Notification and Reporting
Process, DCTA confirms that:
1. The suppliers from whom DCTA is procuring its PTC system have established
and maintain a quality control system for PTC system design and manufacturing
acceptable to the Associate Administrator, and
2. The quality control system includes the process used by the suppliers to promptly
and thoroughly report any safety-relevant failure and previously unidentified
hazards to each railroad that uses the product.
4.4 Applicable Licensing Information [49 CFR §236.1015(b)(3)]
DCTA does not hold licenses for PTC hardware and software from its vendors. None
are required for operation and maintenance of the E-ATC system.
5 PTCDP Reference and Identification of Any Variances [49 CFR §236.1015(c)]
As required by 49 CFR §236.1015(c), this section:
• Includes by reference the FRA-approved PTCDP and the FRA-issued Type Approval FRA-TA-2013-01 [13];
• Documents each variance, including the significance of each variance, between the DCTA PTC system and its applicable operating conditions (as described in this PTCSP) and those described in the PTCDP, and attests that there are no other such variances; or
• Attests that there are no variances between the PTC system and its applicable operating conditions as described in the applicable PTCDP and those described in this PTCSP; and
• Attests that the DCTA PTC system is otherwise built in accordance with the referenced PTCDP and this PTCSP and achieves the level of safety represented herein.
5.1 PTCDP and Type Approval References [49 CFR §236.1015(c)(1)]
E-ATC provides the core technology and functionality for the DCTA PTC system. The E-ATC PTCDP [13] is hereby incorporated in this PTCSP by reference per 49 CFR Part 236, Subpart I, §236.1015(d). The required final human factors analysis is provided in Section 7 of this PTCSP.
5.2 Any Variances from PTCDP (Type Approved) [49 CFR §236.1015(c)(2)(i)]
This PTCSP is being submitted for System Certification in accord with the E-ATC PTCDP Revision 1.2 and its associated Type Approval [13]. Variances to the type-approved PTCDP were specifically and rigorously documented in a standalone Type Approval Variance Request (TAV) analysis [R23] that was approved by the FRA on June 29, 2017 (refer to docket FRA-2010-0074-0022).
The FRA’s review of the TAV identified the functions listed below as variances, for
which DCTA must ensure each is specifically and rigorously documented in the PTCSP,
including the significance of each variance between the PTC system and its applicable
operating conditions.
1. Implementation of a standalone temporary speed restriction (TSR) terminal.
2. Implementation of revised procedures for implementing TSRs, work zones (WZ),
and mandatory directives due to the standalone TSR terminal.
3. Implementation of vital remote links between neighboring locations for
transmission of tumble down logic in response to applying TSRs.
In accord with the language provided by the FRA, the TAV approval letter will be
maintained with a copy of the E-ATC PTCDP and the associated FRA-TA-2013-01 [13]
Type Approval documentation. All related documentation will be maintained under
configuration management on DCTA property and can be made available for FRA
inspection during normal business hours upon request.
DCTA attests that there are no other variances to the approved PTCDP.
5.3 PTCDP (Type Approved) [49 CFR §236.1015(c)(3)]
DCTA attests that the PTC System was built in accordance with this PTCSP and with
the referenced PTCDP (Type Approved), except as described in Section 5.2 above, and
achieves the level of safety represented herein.
6 DCTA PTC System Implementation [49 CFR §236.1005(a)] [49 CFR §236.1015(d)]
This section of the PTCSP includes a summary of the information required under 49
CFR §236.1013(a) and included in the PTCDP, as required by 49 CFR §236.1015(d).
The PTCDP associated with DCTA’s PTC system has been filed and type approved
prior to the filing of this PTCSP and is incorporated by reference. A final human factors
analysis, as required by 49 CFR §236.1015(d), is also included in Section 7 in this
PTCSP. The additional elements required by 49 CFR §236.1015(d)(1) through 49 CFR
§236.1015(d)(21) are provided in Section 8 through Section 35 of this PTCSP.
This section also provides a description of DCTA’s application of E-ATC to its operating
environment.
6.1 Information Required for PTCDP Under 49 CFR §236.1013(a)
6.1.1 Incorporate PTCDP by Reference
The E-ATC PTCDP has been filed and approved prior to filing this PTCSP, and is
incorporated in this PTCSP by reference per 49 CFR §236.1015(d).
6.1.2 E-ATC System Safety Integration Descriptions
The referenced PTCDP describes the manner in which the PTC system architecture
satisfies safety requirements. Further detail is provided in this section of the PTCSP.
6.2 DCTA Application of E-ATC
The DCTA E-ATC system consists of the existing wayside signal system supplemented
by a Cab Signaling System (CSS) with Enhanced Automatic Train Control (E-ATC) and
additional Central Office hardware and software. The existing wayside signal system in
conjunction with the additional E-ATC equipment will provide train separation and speed
limit enforcement functions including stop signal enforcement.
Additional Control Office hardware and software has been installed to apply and remove
Temporary Speed Restrictions (TSRs), including Work Zones (WZs) and Mandatory
Directives (MDs) for highway-rail crossings. The existing Local Control Panels (LCPs)
installed at CPs will continue to be used for controlling signals only for emergency and
maintenance operations, in the rare instances when it is absolutely necessary to perform
these tasks locally. When required, Local Control Mode will be initiated according to
Operating Rules and used in accordance with 49 CFR §236.1029.
The existing DCTA wayside signal system in conjunction with the additional E-ATC
equipment is fully compliant with 49 CFR Part 236, Subpart I.
Table 6-1 lists the primary E-ATC functions as described in the referenced PTCDP,
describes their functionality, and identifies their safety criticality and the primary
protections performed within the DCTA operating environment.
Table 6-1: E-ATC Primary Functions

No. | PTC System Functions (defined in 49 CFR §236.1005) | Safety Criticality | Primary Protections
1 | Prevent Train-to-Train Collisions: reliably and functionally prevent train-to-train collisions. | Safety Critical | Positive Stop Enforcement; Train Separation; Switch Alignment Verification
2 | Prevent Overspeed Derailments: reliably and functionally prevent overspeed derailments, including derailments related to railroad permanent speed restrictions, slow orders, and excessive speeds over switches and through turnouts. | Safety Critical | Overspeed Protection; Permanent Speed Restriction Enforcement; Temporary Speed Restriction Enforcement
3 | Prevent Work Zone Incursions: reliably and functionally prevent incursions into established work zone limits without first receiving appropriate authority and verification from the Dispatcher or Roadway Worker in charge. | Safety Critical | Positive Stop Enforcement; Temporary Speed Restriction Enforcement
4 | Prevent Movement through any switch in the improper position on a main track or on a siding where the allowable speed is in excess of 20 MPH: reliably and functionally prevent a train from advancement through a switch whose position is unknown or improperly aligned for the train’s route. | Safety Critical | Switch Alignment Verification
5 | Protect Derail or Switch Protecting Main Line: provide an appropriate warning or enforcement when a derail or switch protecting access to the main line required by 49 CFR §236.1007, or otherwise provided for in the PTCSP, is not in its derailing or protecting position, respectively. | Safety Critical | Switch Alignment Verification
6 | Protect Against Highway Rail Grade Crossing Malfunction: provide an appropriate warning or enforcement when a mandatory directive is issued associated with a highway-rail grade crossing warning system malfunction as required by 49 CFR §§234.105, 234.106, or 234.107. | Safety Critical | Positive Stop Enforcement; Temporary Speed Restriction Enforcement
7 | Protect After Arrival Mandatory Directive: provide an appropriate warning or enforcement when an after-arrival mandatory directive has been issued and the train or trains to be waited on has not yet passed the location of the receiving train. | N/A | N/A
8 | Protect Movable Bridges: provide an appropriate warning or enforcement when any movable bridge within the route ahead is not in a position to allow permissive indication for a train movement pursuant to 49 CFR §236.312. | N/A | N/A
9 | Integrate Hazard Detectors: provide an appropriate warning or enforcement for all hazard detectors integrated into a signal or train control system on or after October 16, 2008. | N/A | N/A
10 | Limit Passenger Train Speeds: limit the speed of passenger and freight trains to 59 miles per hour and 49 miles per hour, respectively, in areas without broken rail detection or equivalent safeguards. | Safety Critical | Positive Stop Enforcement; Temporary Speed Restriction; Overspeed Protection
DCTA operates eleven (11) GTW 2-6 Diesel Multiple Units (DMUs) manufactured by
Stadler Bussnang AG. Each of the GTW 2-6 DMUs has been equipped with onboard
E-ATC hardware.
Track code generators (TCG) and associated communications equipment have been
installed at each central instrument house containing automatic or absolute signal
control logic. Switch position data associated with the signal control logic will continue to
be monitored by the existing wayside signal system.
A TSR terminal and its associated communication equipment are located in the Rio
Grande & Pacific Dispatch Center in Fort Worth. A backup TSR (Hot Standby) and its
associated communication equipment are located in the DCTA Operations and
Maintenance Facility in Lewisville.
DCTA A-train service will normally be initiated with all wayside signal system and E-ATC
related items controlled and monitored via the Rio Grande & Pacific Dispatch Center.
The function of the TSR Terminal will be to issue TSR and MD application/removal
requests to all affected wayside signal system locations within the defined DCTA E-ATC
territory.
DCTA will utilize its existing fiber optic communications infrastructure to support E-ATC
operations.
The following subsections describe DCTA’s specific application of E-ATC in fulfillment of
the 49 CFR Part 236, Subpart I, §236.1015(d) requirement to include 49 CFR
§236.1013(a) information. The E-ATC System consists of an Office Segment, a Wayside
Segment, an Onboard Segment and a Communication Segment. An illustration of the
E-ATC System is depicted in Figure 6-1.
E-ATC is a system that increases the safety of the railroad by improving situational
awareness and safe train operations. E-ATC applies a full-service brake application to
pre-empt a DMU’s violation of its authority, non-compliance with speed limits, work zone
limits or signal indications, or operation through a misaligned switch.
Figure 6-1 provides a simplified overview of the interconnected system and the
segments of E-ATC that comprise the DCTA PTC System.
Figure 6-1: Overview of DCTA E-ATC System
[Figure: block diagram of the DCTA E-ATC segments. Office Systems: Dispatch System,
TSR Terminal. Onboard Systems: HMI (Engineer), Logic Control Rack (UCII), Brake
Interface, Axle Tachometer, Track Code Pickup Coils. Wayside Systems (two locations
shown, each with): Track Code Generator, ELIXS, VHLC or EC5. The segments are
joined by the Communications Network.]
6.3 DCTA E-ATC Office Segment
6.3.1 Office Segment Overview
The current Office Segment is based on CTC technology. The Wayside Segment
Control Points (CP) along the DCTA Corridor are managed by the Office Segment at
the primary Dispatch Center in the Rio Grande and Pacific Train Control Center (TCC)
and a backup Dispatch Center located in the DCTA Rail Operations and Maintenance
Facility (Rail OMF) in Lewisville, TX. Servers at the primary Dispatch Center
communicate directly with each CP. In the event that the CTC machines at the primary
Dispatch Center fail, the backup CTC machines can assume control.
A TSR Terminal and associated communication equipment will be installed at the
Dispatch Center in TCC. Redundant equipment will also be installed at the backup
Dispatch Center in the Rail OMF. The backup Dispatch Center will be provided with the
same equipment and capability as will be provided in the TCC. Servers supporting the
TSR Terminal will be located in the TCC and Rail OMF. DCTA A-train service will
normally be initiated with all existing wayside signal system and additional E-ATC
related items controlled and monitored via the TCC. Hereinafter, reference to TCC or
Rail OMF will mean reference to both facilities. The function of the TSR Terminal will be
to issue TSRs, WZs, and MDs and to communicate the appropriate speed limits to all
affected wayside locations within the defined DCTA E-ATC territory.
6.3.2 TSR, WZ, and MD Function
The TSR Function can be implemented on any contiguous set of track circuits. This
function is implemented by the TSR office system communicating with equipment
located at each CP, intermediate signal, and cut section. Dispatchers will use the TSR
Function to implement both zero speed and non-zero speed TSRs, WZs, and MDs. This
function will allow the Dispatcher to request and issue a TSR, WZ, or MD by icon and
pull-down menu item selection. The speed limit for the TSR, WZ, or MD will be based
on the available cab limits.
For a zero speed TSR the vehicle is stopped on the approach using the end of block
(EOB) code. The EOB code is transmitted until the TSR 0 speed limit value is removed.
For a WZ or a zero speed MD, the EOB code is transmitted until the Dispatcher issues
a train release. When the train release is received by the wayside, the EOB code is
replaced with an S&P code, thereby permitting the train driver to operate the vehicle at
the restricted speed limit once the vehicle has first come to a stop. In the case of a WZ,
the speed limit is updated to the applied WZ speed limit once the vehicle passes into
the WZ.
If the TSR office system fails and sends an invalid control, the wayside fails to process
the control and does not send back an indication that the control has been processed.
The TSR office system indicates that the field conditions for the requested TSR, WZ, or
MD are not in correspondence with the request controls.
The TSR Terminal displays that the requested TSR, WZ, or MD is being correctly
applied by the wayside while the field indications received from the wayside are in
correspondence with the requested controls being transmitted by the TSR office
system. The TSR office system displays the specific speed limits applied to the track
circuits involved in the TSR, WZ, or MD zone. The TSR office system does not display
that the TSR, WZ, or MD is correctly applied unless all indications are in
correspondence with all controls. The dispatcher has direct view of the TSR Terminal
monitor from his/her workstation.
There is a “select” step followed by an “execute” step for applying or releasing a TSR.
The “select” is performed by clicking on displayed icons and/or list items; the “execute”
is performed by clicking on a displayed “execute” icon. Once execute is selected for a
release command, the TSR office system changes the transmitted controls to the release
state. The TSR, WZ, or MD is displayed as correctly released once the indications are in
correspondence with the controls.
The TSR office system maintains a poll-response type communication link with the
added ElectroLogIXS at each wayside location. The TSR office system declares a
communication link with an ElectroLogIXS to be failed when the maximum permitted time
period between indication message receptions is exceeded. The TSR office system
provides a means for the dispatcher to identify timed-out links.
6.4 E-ATC Communication Segment
DCTA utilizes a communication network operating over fiber optic cable to support its
daily operations. The communications infrastructure provides data services to all DCTA
wayside locations. Two 185-foot antenna towers at Denton and Lewisville will provide
radio coverage for rail voice communications along the DCTA right-of-way (ROW) and
microwave radio data circuits to augment the fiber optic cable. Dedicated commercial
T-1 circuits will provide high-throughput connectivity between the tower locations and
the TCC. In addition, a designated commercial Disaster Recovery T-1 circuit will provide a
high-throughput connection between the Dispatch Centers. Data Circuits for the added
ElectroLogIXS unit at each Control Point, intermediate signal, and cut section location
will also be supported by the DCTA fiber optic infrastructure. The Dispatch Centers host
the Train Management and Dispatch System (TMDS) workstations and servers along
with the Code Line Controller Office Communication Gateway (OCG) Servers to support
CTC, information flow, and other daily operations. Network monitoring and management
will be performed using network management software.
6.5 E-ATC Wayside Segment
6.5.1 Wayside Segment Overview
The Wayside Segment of the E-ATC System will consist of a number of components
and functions, most of which are currently in use as part of the existing DCTA signaling
system, and some of which will be added to achieve PTC functionality. DCTA’s existing
wayside signal system employs the Vital Harmon Logic Controller (VHLC) for control
points, the Electrocode (EC) 5 at intermediate signal locations, and an ElectroLogIXS at
each of the two new cut sections. DCTA is adding an ElectroLogIXS to the control point
and intermediate locations to drive the cab signal generators and provide
communication to the TSR office system. There are nine Control Points along the
subject line, providing an average spacing between Control Points of approximately
2.6 miles.
A Local Control Panel (LCP) is provided at each Control Point. The entire line is vital
processor controlled and interconnected via EC5 rail codes. The added E-ATC system
generates cab signals, and the pre-existing wayside signal system drives light emitting
diode (LED) wayside signals based on occupancy of the train detection circuits and the
selected train route. The existing LED wayside signals reflect the appropriate aspect
based on track occupancy and train route.
The pre-existing wayside signal system consists of control points, automatic
intermediate signals, and cut sections. The pre-existing wayside signal system governs
routes over switches, sets traffic direction between Control Points, and provides for
remote control (i.e., from the CTC machine at the Dispatch Center) during normal
operations and local control (i.e., from an LCP) for emergency and maintenance
operations.
The pre-existing wayside signal system automatically displays route information through
LED wayside signals between Control Points based on track codes received from
adjacent automatic intermediate signals or CPs. EC5 track circuits are implemented
between CPs and provide train detection as well as convey aspect information between
locations. The added E-ATC system provides 40 Hertz (Hz) cab signal for all track
circuits.
The added E-ATC system automatically manages train separation by generating train
speed commands between Control Points based on the wayside signal aspects,
permanent speed restrictions, and applied TSRs, WZs, and MDs. Cab codes (cab
signals) corresponding to the required speed limit are transmitted into the rails for
communication to the train.
The E-ATC system generates a coded 40 Hz signal corresponding to the required
speed limit. For more detailed information on the cab signal characteristics, the Ultra
Cab II for DCTA Service Manual [M4] should be referenced. The pre-existing wayside
system is based on the Alstom EC5 and VHLC product lines. Color light signals are
LED type, which are compatible with the vital light-out detection function of the EC5 and
VHLC. Battery capacity is upgraded to accommodate the added E-ATC equipment,
follows American Railway Engineering and Maintenance-of-Way Association (AREMA)
recommended practices, and complies with FRA requirements. Vital processor logic
conforms to AREMA recommended practices. Switch operating layouts use a type M23
switch machine with battery backup.
6.5.2 Local Control Mode
As currently implemented in the DCTA wayside signal system, signal control may be
performed locally at the wayside equipment using the LCP’s Local Control Mode. Local
Control Mode is only used for emergency and maintenance operations in rare instances
when it is absolutely necessary to perform these tasks locally. Local Control Mode must
be initiated according to Operating Rules and must be used in accordance with 49 CFR
§236.1029. The signal maintainer or other properly trained DCTA employee must obtain
authorization from the Dispatcher before taking control of the signal. Once the
Dispatcher has given authorization to the signal maintainer, the signal maintainer will
switch the LCP to Local Control Mode. When in Local Control Mode, the Dispatcher no
longer has control over the signals. In other words, the Dispatcher has read-only
privileges while the LCP is in Local Control Mode. The signal maintainer will stay in the
vicinity of the LCP for the entire time that the LCP is in Local Control Mode.
Local Control Mode allows the signal maintainer to request signal changes and switch
movements at a CP to either Stop or Clear. The signal maintainer uses a toggle switch
on the LCP to request the signal status to display a Stop aspect. The Stop aspect
indication will be displayed on the LCP and sent back to the Central Office to be shown
on the Dispatcher’s display. The signal maintainer must verify that the Stop aspect is
displaying correctly, and must also contact the Dispatcher to verify that the Stop aspect
is displaying correctly in the Central Office. To clear the signal, the signal maintainer
uses the toggle switch associated with the signal to be cleared. However, the signal
maintainer must obtain authorization from the Dispatcher before performing this task.
After requesting the signal to Clear, the signal maintainer must verify that the Stop
aspect is no longer displayed and a Clear aspect is displayed instead. The signal
maintainer must also contact the Dispatcher to verify that a Clear aspect is displayed at
the Central Office. Once finished with changing the statuses of the signals, the signal
maintainer will place the LCP in Remote mode and give control of the CP back to the
Dispatcher.
6.5.3 Highway Grade Crossings
6.5.3.1 Highway Grade Crossings Overview
The DCTA rail line has forty-three (43) highway-rail at-grade crossings. All at-grade
highway crossings are equipped with flashing lights, bells, and crossing gate warning
devices.
Track circuit based predictor technology provides constant time warning by calculating
an approaching train’s time to crossing. Predictors are Alstom HXP.
6.5.3.2 Highway Grade Crossings within a Control Point
DCTA crossings are activated by motion detection regardless of home signal or
approach locked status. Crossing warning devices can be activated via dual tone multi
frequency (DTMF) radio where implemented.
6.5.3.3 Highway Grade Crossings Adjacent to Platforms
There are seven (7) nearside station stops on the DCTA rail line, where a commuter
train will normally stop at a station before crossing the road:
1. East Trinity Mills Rd (SR-190)
2. Hebron Pkwy
3. East Main St
4. College St
5. Colorado/Mayhill Rd
6. Brinker Rd
7. East Sycamore St
When the commuter train is ready to depart, the crossing is called by the driver via the
radio DTMF activator. By pushing the proper 4-digit number on the radio keypad, the
gates at these crossings will activate until train movement is detected. The train
operator must still visually ensure that the crossing is properly activated and the gates
must be down in the horizontal position at least five seconds prior to the train entering
the crossing. In the event that the train is delayed after sending the DTMF tones, the
operator must ensure that the gates have again been activated either by DTMF tones or
train movement and are in the horizontal position at least five seconds prior to the train
entering the crossing.
DTMF equipment is already installed on the DCTA Corridor. DTMF is not needed for
safe operations; rather, it allows for more efficient traffic control at grade crossings. The
ultimate safety of the PTC system is built into the vital wayside equipment. Therefore,
DTMF equipment is not part of the E-ATC System, but is described here to ensure that
all existing equipment is clearly documented.
6.5.4 Enforcement of Permanent Speed Restrictions (PSRs)
The Wayside Segment of the E-ATC System will be configured to communicate the
maximum authorized speeds that reflect Permanent Speed Restrictions (PSRs) for the
DCTA Corridor. The Wayside Segment generates and transmits, via the rail, the
applicable cab signal code rate, and the Onboard Segment detects the cab signal code
and displays the corresponding speed on the engineer’s display unit (EDU).
6.5.5 Enforcement of TSR, WZ, and MD Based Speed Reductions
As a means to reliably and functionally prevent incursions into established work zone
limits without first receiving appropriate authority and verification from the dispatcher or
Roadway Worker in charge, the E-ATC system provides enforcement of TSRs, WZs,
and MDs.
The available TSR/WZ speed limits are 0, 15, 25, 35, and 45 mph. The resolution (start
or stop) of a speed limit reduction due to a TSR/WZ is always located at a track circuit
boundary.
The available MD speed limits are 0 and 15 mph. The start of a speed limit reduction
due to an MD is at the nearest crossing island track circuit boundary location unless
there is insufficient braking distance between the island track circuit boundary and the
preceding track circuit boundary for a speed reduction from a higher speed limit than the
assigned MD speed limit.
When there is insufficient braking distance between the preceding track circuit boundary
and a track circuit boundary that is the start of a speed limit reduction due to a TSR/WZ
or MD, the speed limit at the preceding boundary is reduced as required to achieve the
speed reduction to the TSR/WZ or MD speed limit.
In the case of a speed reduction to the start of a WZ, the speed limit at the start of the
WZ is considered to be 0 mph, regardless of the actual speed limit applied within the
WZ, as the vehicle must be brought to a stop before entering the WZ.
A speed reduction definition does not traverse an over-switch (OS) track circuit. When a
speed limit reduction is required at the exit boundary of an interlocking, that same speed
limit is also applied at the entry boundary of that interlocking.
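To make the boundary-by-boundary rule above concrete, here is an added example (not DCTA’s, Alstom’s or the PTCDP’s logic) that pushes a TSR/WZ/MD reduction back through the preceding track circuits when a circuit is too short to brake in, treats a WZ start as 0 mph, and copies an interlocking’s exit limit to its entry boundary. The braking rate, circuit names and lengths are constructed, and it assumes that a reduced preceding limit is chosen from the TSR/WZ cab limits listed above.

```python
from dataclasses import dataclass

MPH_TO_FPS = 5280.0 / 3600.0
ASSUMED_DECEL_FPS2 = 2.0               # constructed braking rate; not a DCTA or UCII value
TSR_WZ_LIMITS = (0, 15, 25, 35, 45)    # available TSR/WZ cab limits (mph) from the text
MD_LIMITS = (0, 15)                    # available MD limits (mph) from the text


@dataclass
class TrackCircuit:
    name: str
    length_ft: float
    is_os: bool = False   # over-switch (OS) track circuit of an interlocking


def braking_distance_ft(v_from_mph, v_to_mph, decel=ASSUMED_DECEL_FPS2):
    """Distance needed to slow from v_from to v_to at a constant rate (constructed model)."""
    v1, v2 = v_from_mph * MPH_TO_FPS, v_to_mph * MPH_TO_FPS
    return (v1 * v1 - v2 * v2) / (2.0 * decel)


def approach_limits(circuits, limits, start_idx, restriction_mph, kind):
    """Return the per-circuit limits after a restriction starting at the entry
    boundary of circuits[start_idx] is applied.

    limits[i] is the limit in effect from the entry boundary of circuit i; the
    train must reach limits[i + 1] by the exit boundary, within length_ft.
    kind is "TSR", "WZ" or "MD"; a WZ start counts as 0 mph on the approach
    regardless of the limit applied inside the WZ.
    """
    allowed = MD_LIMITS if kind == "MD" else TSR_WZ_LIMITS
    if restriction_mph not in allowed:
        raise ValueError(f"{restriction_mph} mph is not an available {kind} limit")
    if len(limits) != len(circuits):
        raise ValueError("one limit per track circuit expected")
    new = list(limits)
    new[start_idx] = 0 if kind == "WZ" else min(new[start_idx], restriction_mph)
    for i in range(start_idx - 1, -1, -1):
        required = new[i + 1]   # limit the train must be at by the exit boundary
        if circuits[i].is_os:
            # a reduction never traverses an OS circuit: the exit-boundary limit is
            # applied at the entry boundary too, and the check continues before it
            new[i] = min(new[i], required)
            continue
        if braking_distance_ft(new[i], required) <= circuits[i].length_ft:
            continue            # enough room to brake within this circuit
        # too short: lower the entry limit to the highest available cab limit from
        # which the train can still reach `required` by the exit boundary (assumed
        # to be chosen from the TSR/WZ set)
        new[i] = max(v for v in TSR_WZ_LIMITS
                     if v <= new[i] and braking_distance_ft(v, required) <= circuits[i].length_ft)
    return new


def demo():
    """Two constructed layouts: a short circuit ahead of a WZ, and a 0 mph MD at a
    crossing island reached through an interlocking. Returns both limit lists."""
    wz_line = [TrackCircuit("1T", 2000), TrackCircuit("2T", 500), TrackCircuit("3T", 1500)]
    wz = approach_limits(wz_line, [45, 45, 45], start_idx=2, restriction_mph=25, kind="WZ")
    md_line = [TrackCircuit("4T", 2000), TrackCircuit("OS", 300, is_os=True),
               TrackCircuit("5T", 800), TrackCircuit("XING island", 200)]
    md = approach_limits(md_line, [45, 45, 45, 45], start_idx=3, restriction_mph=0, kind="MD")
    return wz, md


if __name__ == "__main__":
    print(demo())   # ([45, 25, 0], [45, 35, 35, 0])
```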
6.5.5.1 Train Release at Level Crossing and WZ Limit
The TSR office system provides the dispatcher with a means to release a train to travel,
at a restricted speed, past the 0 mph speed limit at a WZ entry boundary and a level
crossing island track circuit boundary.
The dispatcher requests a train release by selecting the associated identification (ID) of
the WZ or MD in the list of active WZs or MDs. The TSR office system accepts a train
release request provided the associated ID of the WZ or MD is in the list of active WZs
or MDs.
When the TSR office system accepts a train release request for a WZ entry boundary or
a crossing island track circuit boundary, the TSR office system:
• Displays the release status to the dispatcher, and
• Includes the associated train release control bit in the control message to the
required ELIXS until the indication message from the ELIXS indicates that the
train release control bit has been latched.
When the ELIXS receives the train release request, the ELIXS:
• Latches the train release, and
• Includes the associated train release request received indication in the indication
message transmission to the TSR office system, and
• Starts transmitting the S&P code and continues to transmit the S&P code in the
track circuit while there is a latched train release request for every crossing in the
track circuit that has an applied 0 mph MD speed limit.
The ELIXS unlatches the train release for every crossing in a track circuit that has an
applied 0 mph MD speed limit and sends the updated train release status to the TSR
office system when the train is detected entering the next track circuit.
The ELIXS unlatches the train release for a WZ and sends the updated train release
status to the TSR office when the train is detected entering the first track circuit past the
WZ boundary.
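The control/indication exchange of Section 6.3.2 (execute, correspondence display, link time-out) and the train-release latching just described, as an added simulation that is not part of the PTCSP or of the Alstom products; the crossing IDs, message fields and time-out value are constructed.

```python
from dataclasses import dataclass, field

MAX_INDICATION_GAP_S = 10.0   # assumed poll-response time-out; not DCTA's configured value


@dataclass
class ElixsSim:
    """Constructed model of the added ELIXS serving one track circuit."""
    crossings: frozenset                       # crossing ids within this track circuit
    md_zero: set = field(default_factory=set)  # crossings with an applied 0 mph MD
    latched: set = field(default_factory=set)  # latched train releases

    def process_control(self, control):
        """Return the indication for a control, or None if the control is invalid."""
        try:
            md_zero, release = set(control["md_zero"]), set(control["release"])
        except (KeyError, TypeError):
            return None
        if not (md_zero <= self.crossings and release <= self.crossings):
            return None   # invalid control: not processed, no indication sent back
        self.md_zero = md_zero
        # latch a release only for a crossing that currently has a 0 mph MD
        self.latched = (self.latched | release) & self.md_zero
        return self.indication()

    def indication(self):
        if not self.md_zero:
            code = "NORMAL"
        elif self.md_zero <= self.latched:
            code = "S&P"   # every 0 mph MD crossing in the circuit has a latched release
        else:
            code = "EOB"   # stop on approach until the dispatcher issues a release
        return {"md_zero": set(self.md_zero),
                "release_latched": set(self.latched), "code": code}

    def train_entered_next_circuit(self):
        self.latched.clear()   # train detected entering the next circuit: latches drop
        return self.indication()


@dataclass
class TsrOffice:
    """Constructed model of the TSR office system's control/indication handling."""
    md_zero: set = field(default_factory=set)            # executed 0 mph MD controls
    release_requested: set = field(default_factory=set)  # accepted, not yet used by a train
    last_indication: "dict | None" = None
    last_rx_time: float = 0.0

    def execute_md(self, crossing, apply=True):
        # the 'execute' step that follows the dispatcher's icon/menu 'select'
        (self.md_zero.add if apply else self.md_zero.discard)(crossing)

    def request_release(self, crossing):
        """A release request is accepted only for an MD in the active list."""
        if crossing not in self.md_zero:
            return False
        self.release_requested.add(crossing)
        return True

    def control_message(self):
        latched = self.last_indication["release_latched"] if self.last_indication else set()
        # the release control bit is repeated until the indication shows it latched
        return {"md_zero": set(self.md_zero), "release": self.release_requested - latched}

    def receive(self, indication, now):
        prev = self.last_indication["release_latched"] if self.last_indication else set()
        # a release that was latched and is now unlatched has been used by a train
        self.release_requested -= prev - indication["release_latched"]
        self.last_indication, self.last_rx_time = indication, now

    def link_failed(self, now):
        return now - self.last_rx_time > MAX_INDICATION_GAP_S

    def md_status(self):
        """'APPLIED' only while every indication corresponds to every control."""
        if self.last_indication is None or self.last_indication["md_zero"] != self.md_zero:
            return "NOT IN CORRESPONDENCE"
        return "APPLIED"


def poll(office, elixs, now):
    """One poll-response cycle: office sends its controls, ELIXS answers with indications."""
    indication = elixs.process_control(office.control_message())
    if indication is not None:
        office.receive(indication, now)
    return indication


def run_scenario():
    """Walk one 0 mph MD through apply, release and train passage; return the cab codes."""
    office = TsrOffice()
    elixs = ElixsSim(crossings=frozenset({"XING-A", "XING-B"}))   # constructed ids
    codes = []
    office.execute_md("XING-A")
    codes.append(poll(office, elixs, now=0.0)["code"])   # EOB: 0 mph MD applied
    office.request_release("XING-A")
    codes.append(poll(office, elixs, now=1.0)["code"])   # S&P: release latched
    elixs.train_entered_next_circuit()
    codes.append(poll(office, elixs, now=2.0)["code"])   # EOB: latch dropped, no re-latch
    return codes
```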
6.5.6 Effects of TSR Function on Local Control Mode
Any TSRs that were put in place by the Dispatcher prior to the LCP being switched to
Local Control Mode will continue to be enforced, regardless of any actions performed at
the LCP while in Local Control Mode. The only exception is when the Local Control
Mode is used to set a signal to Stop. In this case, if a non-zero speed TSR is in place
for that signal, the Stop aspect implemented by the LCP will be enforced rather than the
non-zero speed TSR. Therefore, the more restrictive speed will always be applied to a
signal.
TSRs cannot be implemented at the LCP. TSRs may only be implemented from the
Office Segment by the Dispatcher.
6.6 E-ATC Onboard Segment
6.6.1 E-ATC Onboard Segment Overview
The Onboard Segment receives and interprets the cab signal codes generated by the
Wayside Segment. The Onboard Segment notifies the driver of the maximum speed at
which the train can be safely operated and enforces adherence to the associated speed
limit.
DMUs are bidirectional and have coils located under each cab end in front of each
leading wheel on the A End and B End. The coils detect coded cab signals that are
transmitted through the rails by the signaling system. Each train is equipped with Alstom
Ultra Cab II (UCII), which decodes the received cab signal to display and enforce the
maximum authorized speed associated with a particular block. Speed limits are
presented via an onboard display unit in MPH.
There are two types of speed enforcement: time to penalty (TTP) enforcement, and
Overspeed enforcement. The purpose of TTP enforcement is to ensure that the vehicle
decelerates to a reduced Speed Limit prior to reaching the point on the track where the
reduced Speed Limit takes effect. TTP enforcement provides for smooth braking to the
new Speed Limit when a valid Speed Limit reduction is received and the measured
speed is greater than the new Speed Limit. The purpose of overspeed enforcement is to
ensure that the vehicle’s speed does not exceed the Speed Limit for the section of track
currently occupied by the vehicle.
Maximum speed authorities and time-to-penalty are displayed on the display panel. If
the driver exceeds the authorized speed or runs out the TTP, a mandatory full service
stop is enforced by the onboard equipment.
The Onboard Segment also includes an event logging function and reporting system.
Onboard Segment equipment data sent to the vehicle’s event recorder is stored in a
Crash-Hardened Event Recorder. There is no data connection from the onboard to the
office.
6.6.2 Code Rates and Associated Speed Commands
Cab signal rates and associated speed commands can be found in the Ultra Cab II for
DCTA Service Manual [M4].
6.6.3 Operating Modes
The Onboard Segment contains the following operating modes relevant to PTC
operations.
• Trail
• Cab Active
• Self-Test
• Yard
• No Code Proceed and EOB Proceed
• Restricted
• Cut out
More detailed information on operating modes can be found in the Ultra Cab II for DCTA
Operator’s Manual [M7].
6.7 E-ATC Interoperability
Passenger service and freight service are temporally separated and are not permitted to
operate simultaneously in the corridor. Freight traffic of the Class II railroad will not be
equipped with E-ATC onboard equipment.
DCTA does not operate as a tenant on any host railroads and therefore has no
interoperability issues with host railroads.
6.7.1 Failure Modes
6.7.1.1 Office Segment or Communication Segment Failure
Any failure within the CTC server does not affect the safety of the railroad operation, as
the wayside signal system will maintain the safety. When all CTC machines are down,
or both of the communication links from the CTC servers to the wayside equipment are
out of service, the trains will come to a stop before each home signal. A Signal
Maintainer will be called, who takes over the Local Control Panel at the affected
wayside location, as described in Section 3.3.2.2 of the PTCDP [13]. The Signal
Maintainer will be in communication with the Dispatcher, and will perform his or her
functions according to GCOR Section 9.13. Upon visually confirming the wayside home
signal indication, the Maintainer will clear the home signal for the train to proceed to the
next home signal while maintaining safe train separation and route safety as determined
by the vital logic within the signal system.
The Local Control Panel cannot override any TSRs, including zero speed TSRs that are
already programmed by the Dispatcher prior to the identified failure. Since zero speed
TSRs cannot be overridden by the Local Control Panel, the Train Operator will verbally
communicate with the Maintainer and the Dispatcher to activate the onboard No Code
Proceed mode. Upon getting the permission from the Dispatcher, the Train Operator is
able to move the train, in accordance with 49 CFR §236.1029 with an enforced speed of
10 MPH, until it receives a valid speed code or leaves the PTC territory. While in this
mode, the Train Operator is responsible for maintaining a visual check for any unsafe
condition ahead and taking appropriate action. This procedure is in place now and will
continue after the PTC system is in revenue service under FRA regulation.
6.7.1.2 Wayside Segment Failure
Failure within an individual wayside controller prevents train movement between
affected CPs. In such a case, the Train Operator receives verbal authorization from the
Dispatcher to activate the onboard No Code Proceed mode as described earlier in
Section 6.7.1.1. All movements are handled in accordance with 49 CFR §236.1029 with
an enforced speed of 10 MPH. The operation continues as explained in Section 6.7.1.1
above.
6.7.1.3 Onboard Segment Failure
An Onboard Computer (OBC) failure will result in an irrevocable full service penalty
brake application. The Train Operator will call the Dispatcher to report the problem.
Upon getting the authorization, the Train Operator will cut out the OBC, which means
the PTC system on that DMU will be out of service. The Train Operator will restrict the
train speed to a maximum of 40 MPH for passenger service until the next wayside
signal location per FRA regulation.
Thereafter, the train movement is governed by the wayside signal system as defined in
49 CFR §236.1029 rules and railroad special instructions, which is not to exceed 59
MPH for passenger service and 49 MPH for freight service. The failed train will be taken
out of service at the next available maintenance location and will not be allowed to
return to service until the reported problem is addressed and recorded per FRA
requirements.
7 Final Human Factors Analysis [49 CFR §236.1013(a)(5)] [49 CFR
§236.1015(d)]
This section describes the Final Human Factors Analysis (HFA) as required by 49 CFR
§236.1015(d) that builds on the preliminary human factors analysis contained in the
referenced PTCDP in accordance with 49 CFR §236.1013(a)(5).
There are three types of Human Machine Interfaces (HMIs) in the DCTA PTC Train
Control System:
• Engineer’s Display Unit (EDU) – Used by the Train Crews on DMUs
• Centralized Traffic Control (CTC) machine – Used by the Dispatcher
• TSR Terminal – Used by the Dispatcher
The EDU is described in §7.1 and the office-based human factors analysis is discussed
in §7.2.
7.1 PTC Human Factors Analysis of EDU
The EDUs installed in the DCTA DMUs have been successfully deployed on multiple
railroads, including other E-ATC railroads that had preexisting ATC systems. In general,
railroad personnel are highly familiar with the display and input features and DCTA has
implemented training procedures to qualify and educate operators on their functionality.
An HFA, provided as Appendix [A7], demonstrates that the design of the onboard
interface to the E-ATC system sufficiently incorporates human factors engineering
appropriate to the complexity of the system. Incorporation of HMI design factors
minimizes negative safety effects and enhances the required human interaction with the
equipment.
7.2 PTC Dispatch Human Factors Analysis
A Human Factors Analysis for DCTA’s E-ATC dispatch system and TSR terminal is
provided in Appendix [A7]. The analysis concludes that the design(s) of the E-ATC
dispatch system and TSR terminal sufficiently incorporates human factors engineering
appropriate to the complexity of the system, and that incorporation of these design
factors minimizes negative safety effects and enhances the required human interaction
with the equipment.
8 Safety Assessment and Application of 49 CFR Part 236, Appendix
C [49 CFR §236.1015(d)(5)] [49 CFR §236.1015(e)(2)(ii)] [49 CFR
Part 236, Appendix C]
As required by 49 CFR §236.1015(d)(5), this section of the PTCSP provides a complete
description of the safety assessment and Verification and Validation processes applied
to DCTA’s PTC system, the results of those processes, and whether these processes
address the application of the safety principles described in 49 CFR Part 236, Appendix
C directly, using other safety criteria, or not at all.
This section describes a program that efficiently, effectively, and critically evaluated the
E-ATC system. Safety critical components, like those employed in E-ATC, require a
level of rigor and discipline that must be adhered to throughout the build process from
requirements to implementation and support. This section of the PTCSP provides an
overview of several means by which the DCTA PTC system was assessed.
The purpose of the system safety process, Verification and Validation, and compliance
with 49 CFR Part 236, Appendix C is to ensure that the development, functionality,
architecture, installation, implementation, inspection, testing, operation, maintenance,
repair, and modification of E-ATC achieves and maintains an acceptable level of safety.
8.1 Safety Program Scope for E-ATC
The safety program and the applied safety assessments for E-ATC concentrate on the
vital signal system, its interfaces to the existing railroad systems and operations, and
the changes made to the entire system for E-ATC implementation.
As shown in Figure 6-1, E-ATC consists of four segments: the Office Segment, the
Onboard Segment, the Wayside Segment, and the Communication Segment. Office
Segment and Communication Segment (collectively referred to as Dispatch System)
have no safety-critical requirements as described in Section 3.3 of this PTCSP. The
Dispatch System provides a supervisory function, and does not directly control
authorities and enforcement. Therefore, the core safety scope focuses primarily on the
wayside and Onboard Segments as shown within the black box in Figure 6-1. However,
compliance with 49 CFR Part 236, Appendix C is assessed for the entire system,
including Office and Communication Segments.
Additionally, the vital nature of the system was substantiated by the Verification and
Validation processes described in Section 13. Verification & Validation for E-ATC was a
comprehensive analysis and test of the system software and hardware to determine that
it performs its intended function, to ensure that it performs no unintended functions, and
to measure its quality and reliability.
8.2 E-ATC System Safety Assessment Process
The System Safety Assessment Process is the complete process applied during the life
cycle of E-ATC to establish safety objectives and to demonstrate compliance with 49
CFR Part 236, Subpart I, and other safety requirements. The safety assessment
process provided a methodology for assurance that all relevant failure conditions were
identified and that the combinations of those identified failures were considered.
The System Safety Assessment Process for E-ATC consists of the following major
components:
• Hazard Analysis and Mitigation
• Safety Critical Items List (SCIL)
• Safety Assurance Concepts
• Risk Assessment
• Verification and Validation
• Appendix C Safety Requirements Compliance
A brief overview for each of these processes is presented in this section and more
detailed descriptions are provided in Sections 9 – 13 of this PTCSP.
8.3 Hazard Analyses and Mitigation
A complete system hazard mitigation analysis was performed during the design and
implementation of E-ATC, identifying and assessing all hazards and the mitigation used
to minimize their frequency and risk. A top-down analysis method was used that
included the following analyses:
• A Preliminary Hazard Analysis (PHA), showing hazards resulting from the system
level implementation and their risk category. All such hazards are sufficiently
mitigated or eliminated, supporting the system safety architecture.
• A System Hazard Analysis (SHA), developing the causative faults from the PHA
into more detailed faults relating to one or more subsystems of the E-ATC
system. These are analyzed for the determination of subsystem mitigation needs.
• An Operating and Support Hazard Analysis (O&SHA), documenting hazards
associated with the operations and support functions during installation,
operation and maintenance, performing a risk assessment on the hazards, and
establishing mitigations to be employed.
A more detailed description of the Hazard Mitigation Analysis is provided in Section 12
of this PTCSP.
8.4 Safety Critical Items List (SCIL)
All hazards identified by PHA, SHA, and O&SHA are captured and tracked through to
their successful mitigation by the Safety Critical Items List (SCIL). Its purpose is to
capture all system hazards, identify associated risks, list mitigations, and document that
all required mitigations have been successfully implemented in the system and/or the
system’s operating environment.
The SCIL provides a single point of reference for all hazards that are identified
throughout the design and implementation cycle of the E-ATC System. A detailed
description of the SCIL is provided in Section 9 of this PTCSP.
8.5 Safety Assurance Concepts
49 CFR Part 236, Appendix C (b)(4) requires that the product design must include one
or more Safety Assurance Concepts (SACs) described in IEEE 1483 [2] to ensure
failures are detected and the product is placed in a safe state. Recognized SACs
include Checked Redundancy, Diversity & Self-Checking, N-Version Programming,
Numerical Assurance, and Intrinsically Fail-Safe Hardware design.
SACs were used in the design of the vital components of E-ATC, the ElectroLogIXS
wayside controller and the UCII onboard equipment. The ElectroLogIXS product utilized
Checked Redundancy, while UCII design employed Diversity & Self-Checking. A
detailed description of the SACs used during design of the vital system components is
provided in Section 10 of this PTCSP.
Use of SACs was not required for the design of the non-vital Office and Communication
Segments of E-ATC, as further discussed and justified in Section 11.2 of this PTCSP.
8.6 Risk Assessment
A Risk Assessment of the DCTA E-ATC system was performed with the objective of
assessing the level of safety of the system. This assessment is based on the
designation of E-ATC as a Vital Overlay PTC system.
The E-ATC system was assessed relative to the allocation of safety-critical functions
across the four defined segments of the system (Onboard, Office, Wayside and
Communication). The safety critical functions are implemented with a combination of
vital and non-vital components and subsystems, but all are assessed against the target
level of safety assurance considered vital (MTTHE ≥ 1E9 hours). In addition to the
quantitative assessment for mean time to hazardous event (MTTHE), a qualitative
assessment of these functions against Appendix C compliance was performed. The
MTTHE (in hours) is calculated as the inverse of the probability of a hazardous event
per hour (hazard rate, h) of a given system or subsystem element. The formula to
convert from hazard rate to MTTHE is MTTHE = 1/h.
The Risk Assessment is discussed further in Section 11 of this PTCSP and is included
as Appendix [A1].
8.7 Verification and Validation of E-ATC
Verification and Validation (V&V) of E-ATC is covered in detail in Section 13. V&V for
E-ATC required extensive planning and coordination among railroads and vendors and
served as a comprehensive analysis and test of the system software and hardware to
determine that it performs its intended function and to ensure that it does not perform
any unintended functions. Testing included failure mode testing.
8.8 Safety Requirements Compliance [49 CFR Part 236 Appendix C]
As defined in the Preamble to Part 236, Subpart I, 49 CFR Part 236, Appendix C
provides safety criteria and processes for the design of safe, fail-safe, or vital signaling
systems that must exclude any hazards associated with human errors.
E-ATC has been designed using well-established system safety engineering principles
as identified in 49 CFR Part 236 Appendix C and elsewhere [1] [2] [10] to assure that
the system performs safely under normal operating conditions and under failures, while
accounting for human factors impacts and external influences.
Each of the safety principles called out in 49 CFR Part 236, Appendix C has been
addressed further in the Risk Assessment [A1] as described in Section 11 of this
PTCSP.
9 Safety Critical Items List (SCIL) or Hazard Log [49 CFR
§236.1015(d)(1)]
This section describes the purpose of the E-ATC Safety Critical Items List (SCIL),
identifies how the SCIL fits into the overall safety assessment, describes how system
hazards are represented in the SCIL, describes how the SCIL is maintained, and
presents the conclusions drawn from the SCIL as required by 49 CFR §236.1015(d)(1).
9.1 Safety Critical Items List Description
The SCIL is a table used to track all hazards associated with E-ATC through to their
successful mitigation. Its purpose is to capture all system hazards, identify associated
risks, list mitigations, and document that all required mitigations have been successfully
implemented in the system and/or the system’s operating environment.
The SCIL provides a single point of reference for all hazards that are identified
throughout the design and implementation cycle of the E-ATC System. Source analysis
documents include the PHA, SHA, and O&SHA. The SCIL captures:
• System level hazards – hazards that impact the entire E-ATC system;
• Segment level hazards – hazards that impact one or more segments, but not all
segments within the system;
• Component hazards – hazards that impact a given component within a segment;
• Hazards related to the integration of E-ATC with the DCTA operating
environment.
9.2 SCIL Role in the E-ATC Safety Assessment
The SCIL is used as the central repository for all hazards identified over the life of the
system, regardless of the method used to initially identify the hazard. Potential hazards
are generally identified through the structured safety analysis process associated with
the development of the system functionality and are captured in one of the three main
hazard analyses:
1. Preliminary Hazard Analysis (PHA);
2. System Hazard Analysis (SHA);
3. Operation and Support Hazard Analysis (O&SHA).
Regardless of which method was used to identify the hazard, the SCIL is the tool to
track each hazard to its successful mitigation.
The SCIL can be thought of as a chronological history of a hazard. It starts with a
reference to the source of the hazard identification, continues to a description of
potential causes of the hazard, includes an initial assessment of the risk associated with
the hazard, identifies mitigations required to reduce the risk to acceptable levels, and
concludes with references to evidence indicating that the mitigations have been
successfully implemented.
9.3 E-ATC SCIL
The SCIL captures PTC system hazards, including hazards identified for system level
functionality, as well as Office, Onboard, and Communication Segment hazards. There
is a single Project SCIL that includes the complete set of hazards. The E-ATC SCIL
captures and tracks E-ATC hazards unique to DCTA. The SCIL also identifies the
railroad-specific mitigations.
The SCIL is provided in Appendix [A2] of this PTCSP. The Appendix provides details for
each hazard, includes a description of the columns of the SCIL, and provides a detailed
overview of the SCIL development and maintenance process. The SCIL accurately
represents the hazards and mitigations associated with DCTA’s implementation of
E-ATC.
9.4 Conclusions Drawn from SCIL Analysis
Based on the mitigations listed in the SCIL, requirements have been established for the
E-ATC system as well as supporting programs such as training, maintenance,
development of warning labels and other non-system mitigations as demonstrated in the
SCIL.
The SCIL submitted is the final version of the document after full implementation of
DCTA’s E-ATC system.
9.5 Maintenance of the SCIL
As the E-ATC system evolves over its life cycle, the need may arise to update the SCIL
as new hazards are identified or alternate mitigations are implemented. This periodic
maintenance of the SCIL is anticipated to be of limited occurrence and will generally
result from one of two primary activities: A new hazard or mitigation may be introduced
through enhancements made to the system, or be reported through the Failure
Notification and Recording Process [R8]. A new hazard and related mitigation may be
railroad-specific, or apply to several or all E-ATC railroads. The E-ATC SCIL will be
updated under either of these circumstances, and the Failure Notification and Recording
Process will provide the necessary coordination between Vendor and Railroads.
10 Safety Assurance Concepts [49 CFR §236.1015(d)(2)] [49 CFR Part
236 Appendix C(b)(4)]
This section describes the safety assurance concepts that are used in the product
design and provides an explanation of the design principles and assumptions as
required by 49 CFR §236.1015(d)(2) and 49 CFR Part 236, Appendix C (b)(4). 49 CFR
Part 236, Appendix C (b)(4) requires that the product design must include one or more
Safety Assurance Concepts (SACs) described in the IEEE 1483 standard [2] to ensure
failures are detected and the product is placed in a safe state. Note that other
requirements of Appendix C are addressed in Section 11 and elsewhere in this PTCSP.
The E-ATC wayside signal system and onboard equipment are designed and built on
well-defined and proven fail-safe principles as described below in this section. Any
human error by the Dispatcher or CTC server for moving the switch position or route in
an unsafe manner is prevented by the vital wayside logic controller. The hardware and
software are designed and installed based on the FRA guidelines per CFR 49 Part 236.
Any failures within the safety critical circuits are self-detectable. No single point failure
results in unsafe train operation.
Safety Assurance Concepts (SACs) are a formalization of the various techniques that
assure safety in the design of hardware and software for processor-based train control
systems such as E-ATC. The recognized SACs include Checked Redundancy, Diversity
& Self-Checking, N-Version Programming, Numerical Assurance, and Intrinsically
Fail-Safe Hardware design. System designs use one or more of these concepts to assure
that the component and its operation are based on design techniques that reduce the
risk from mis-operation to a negligible level.
The ElectroLogIXS product utilizes the Checked Redundancy safety concept to
implement functions identified as safety critical. The critical assumptions for safety
concepts are identified in IEEE 1483 [2]. In addition, the design separates safety-critical
and non-safety critical functions. The Alstom Safety Process and V&V Process ensure
the proper implementation of safety concepts.
The primary technical objective of Checked Redundancy is to achieve the required level
of safety. It does this by using redundant processors for all safety critical operations.
Inputs to and results from the redundant processors are cross-checked. The basic
software architecture requires that both processors must agree in order to produce a
valid permissive output. That is, either processor can assure that the system assumes
the restrictive (safe) state.
Checked Redundancy provides the framework within which the processors may execute
the necessary computational and logical operations.
Checked Redundancy is applied within a design environment that supports:
• The structured design of vital functions using high-level software design tools;
• Direct and efficient translation of the design into software executing on processor
hardware, by using specific compilers and other tools;
• Independence from the need to analyze the effects of all Class II hardware
failures for safety.
The use of Checked Redundancy provides a method for providing fail-safe execution of
vital functions in a processor-based system. The application of Checked Redundancy to
a specific set of functions in a system is only done for software designs that have been
developed according to an approved software development plan, including traceability
to requirements and extensive V&V steps and functional testing.
The UltraCab II system uses the Diversity with Self-Checking safety concept to
implement those functions identified as safety critical.
The concept of Diversity with Self-Checking uses a combination of Class II (non-vital,
but monitored for failure) hardware and closed-loop software such that each permissive
decision must be made by internally diverse program elements, operating on diverse
stored or dynamic data, such that diverse results correspond for an output to be
permissive. In addition, the hardware elements which generate a permissive result are
verified by the processor periodically performing self-checking tests on those elements.
A permissive output is allowed only if the logical sum of all diverse operations and
self-checking tests is consistently correct.
More detailed information is available in Safety Assurance Concepts documents for
Wayside and Onboard equipment, Reference [R9] (ElectroLogIXS Safety Assurance
Concepts) [R10] (UltraCab II System Safety Concepts).
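The two Safety Assurance Concepts described in this section, modelled as an added illustration that is not Alstom's or DCTA's code: a Checked Redundancy channel pair whose outputs must agree before a permissive result is released, and a Diversity with Self-Checking decision that requires diverse computations and an output self-test to concur. The route inputs, cab-code speed table and output names are constructed assumptions.

```python
"""Constructed model of Checked Redundancy (wayside) and Diversity with
Self-Checking (onboard). Every failure path falls back to the safe state."""
from typing import Callable, Tuple

RESTRICTIVE = "RESTRICTIVE"          # wayside safe state
PENALTY_BRAKE = "PENALTY_BRAKE"      # onboard safe state (full service brake application)

# ---------------- Checked Redundancy (wayside) ----------------
# Constructed field inputs: (track_occupied, switch_locked_normal, tsr_active)
Inputs = Tuple[bool, bool, bool]

def vital_logic(track_occupied: bool, switch_locked_normal: bool, tsr_active: bool) -> str:
    """Simplified route logic executed identically on each redundant processor."""
    if track_occupied or not switch_locked_normal:
        return RESTRICTIVE
    return "RESTRICTED_SPEED" if tsr_active else "CLEAR"      # constructed aspects

def checked_redundancy(inputs_a: Inputs, inputs_b: Inputs,
                       logic_a: Callable[..., str] = vital_logic,
                       logic_b: Callable[..., str] = vital_logic) -> str:
    """Two processors read the inputs independently. The inputs are cross-checked,
    the results are cross-checked, and both must agree for a permissive output.
    Any mismatch or channel fault lets either processor force the restrictive state."""
    if inputs_a != inputs_b:                       # input cross-check failed
        return RESTRICTIVE
    try:
        out_a, out_b = logic_a(*inputs_a), logic_b(*inputs_b)
    except Exception:                              # channel fault (simulated by raising)
        return RESTRICTIVE
    return out_a if out_a == out_b else RESTRICTIVE  # output cross-check

# ---------------- Diversity with Self-Checking (onboard) ----------------
# Diverse stored data: the enforced limit per cab code (MPH, constructed values),
# held once as a plain table and once as the bitwise complement of each entry.
CODE_LIMITS = {"NO_CODE": 10, "CODE_A": 25, "CODE_B": 40, "CODE_C": 59}
CODE_LIMITS_COMPLEMENT = {code: (~mph) & 0xFF for code, mph in CODE_LIMITS.items()}

def limit_direct(code: str, table=CODE_LIMITS) -> int:
    """Diverse program element 1: direct lookup."""
    return table[code]

def limit_via_complement(code: str, table=CODE_LIMITS_COMPLEMENT) -> int:
    """Diverse program element 2: recover the limit from the complemented copy."""
    return (~table[code]) & 0xFF

def diversity_self_checking(code: str, actual_speed_mph: int,
                            output_self_test: Callable[[], bool],
                            table=CODE_LIMITS,
                            complement=CODE_LIMITS_COMPLEMENT) -> str:
    """A permissive (no brake) decision requires that both diverse computations
    agree, that the speed is within the agreed limit, and that the periodic
    self-test of the output hardware passes. Any inconsistency is a penalty brake."""
    try:
        limit_a = limit_direct(code, table)
        limit_b = limit_via_complement(code, complement)
    except KeyError:                               # unknown or corrupted code
        return PENALTY_BRAKE
    if limit_a != limit_b or not output_self_test():
        return PENALTY_BRAKE
    return "PERMIT" if actual_speed_mph <= limit_a else PENALTY_BRAKE
```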
11 Risk Assessment [49 CFR §236.1015(d)(3)] [49 CFR Part 236
Appendix B (as revised)] [49 CFR Part 236 Appendix C]
This section of the PTCSP provides a discussion of the Risk Assessment (RA) of the
as-built PTC system described in the referenced PTCDP and this PTCSP as required
by 49 CFR §236.1015(d)(3). The Risk Assessment meets the requirements of Part 236
Appendix B (as revised) and is contained in Appendix [A1] of this PTCSP.
11.1 Risk Assessment Approach
The E-ATC system, as a Vital Overlay PTC system, is assessed relative to the
allocation of safety-critical functions across the four defined segments of the system
(Onboard, Wayside, Office and Communications).
The vitally implemented functions are assessed based on the quantitative MTTHE
allocated to the vendor-provided subsystems in the context of the complete system.
FRA Regulation 49 CFR Part 236, Appendix C compliance has been assessed from
available evidence against the safety principles listed in paragraph (b) of 49 CFR Part
236 Appendix C.
Where human input to safety-critical functions is integral to the operation of the system,
evidence is assessed to determine whether human errors are adequately mitigated by
the E-ATC system design.
External interfaces to E-ATC are addressed within the Risk Assessment to assess
whether these interfaces negatively impact the safety risk of the system. This
specifically includes:
• Onboard interfaces to speed sensors, braking system and EDU;
• Interface between Wayside Segment and Office Segment;
• Human interface of Office system.
11.1.1 Risk Assessment Objectives
The objectives of the RA methodology employed for the E-ATC are:
• Provide a clear and unambiguous view into the assessment of risks associated
with all safety-critical functions implemented by the DCTA E-ATC system;
• Provide a clear assessment of the compliance of all system components and
subsystems with 49 CFR Part 236, Appendix C for purposes of substantiating
Vital Overlay status;
• Assess whether any changes to dispatch system capability associated with E-ATC
system deployment have safety impacts through a qualitative analysis.
11.1.2 Risk Assessment Methodology
This section summarizes the risk assessment methodology applied, relative to three
categories:
1. Appendix C Compliance Assessment;
2. CTC System Impact Assessment;
3. Residual Risk Assessment.
Each of these components is described in additional detail under the dedicated
subsections that follow, and in the Risk Assessment Report in Appendix [A1].
11.2 Appendix C Compliance Analysis
From both the regulation and specific guidance provided by FRA, it is understood that
the Vital Overlay PTC system, as built, must fulfill the safety principles in 49 CFR Part
236 Appendix C, with the preamble to the Final Rule stating: “FRA cannot
overemphasize that vital overlay system designs must be fully designed to address the
factors contained in Appendix C.”
For each system segment of E-ATC, the following safety principles are addressed:
1. System safety under normal operating conditions;
2. System safety under failures;
3. Closed loop principle;
4. Safety assurance concepts;
5. Human factor engineering principle;
6. System safety under external influences;
7. System safety after modifications.
The Risk Assessment documents and analyzes the 49 CFR Part 236, Appendix C
principles applied within the E-ATC system, both within and between individual
components/subsystems. Within individual segments that are allocated safety-critical
functions, 49 CFR Part 236, Appendix C compliance is demonstrated. As part of
substantiating the designation of Vital Overlay PTC system, evidence is reviewable for
49 CFR Part 236, Appendix C compliance verification for all safety-critical functions.
The risk assessment concludes that each of the safety principles from Appendix C were
followed during development of the vital Onboard and Wayside Segments, and were
partially followed or found to be not relevant for the Office and Communication
Segments. The Risk Assessment further concludes that a validation and verification
process pursuant to paragraph (c) of Appendix C was followed during implementation of
the E-ATC system. Thus, the entire E-ATC system qualifies as compliant with Appendix
C requirements.
11.3 Railroad CTC Dispatch Systems Impact Assessment
While the DCTA CTC dispatch systems and related control office Management
Information Systems are not intended as primary E-ATC system components
themselves, these systems provide functions that interact with the vital Wayside and
Onboard Segments of the E-ATC system to support safety-critical functions. The Risk
Assessment includes a qualitative assessment of the Office Segment operation and the
safety impacts of system modifications [A1]. The Project System Hazard Analysis (SHA)
(Appendix [A4]) evaluated risks associated with TSR and MD implementation,
concluding that all risks are mitigated to an acceptable level.
The existing CTC Dispatching system for DCTA was expanded upon for E-ATC by
adding a separate TSR terminal to implement Temporary Speed Restriction (TSR) and
Mandatory Directive (MD) functionality. These functions were analyzed for their level of
safety provided by the E-ATC system.
TSR and MD requests are sent by the Dispatcher through the Office Segment to the
Wayside, using GCOR forms and procedures.
Dispatcher errors (failure to take action, incorrect action) are mitigated through office
design, procedures and training. Direct feedback, messages, and conflict checking
functions built into the office system alert Dispatchers to incipient errors. Separate oral
transmission over radio from the Dispatcher to the Train Crew or Roadway Worker in
Charge (RWIC) provides further opportunity for error checking.
Office system errors (incorrect data displayed, incorrect request sent) are mitigated
through communications security measures described in Section 29, and through
testing and configuration management control measures. Correctness of indications and
requests was verified during system testing, and DCTA’s Configuration Management
Plan will ensure that any changes are correctly implemented and tested.
Once implemented by the Wayside, TSRs and MDs are maintained and enforced vitally
by the Wayside Segment. Additionally, a TSR heartbeat function transmitted every 18
seconds is provided to confirm that Office and Wayside are in sync with respect to
TSRs and MDs.
As shown in the Risk Assessment, all safety-critical functions are performed by the vital
Wayside and Onboard Segments. The Office Segment does not perform any
safety-critical functions within the E-ATC system.
11.4 Communication Segment Impact Assessment
As described in Section 3.3 of this PTCSP, the Communication Segment of the E-ATC
system does not have any safety-critical requirements in that it is only a channel for
carrying messages between other segments, where the protection and security of those
messages is provided by the other segments themselves. Therefore, the Risk
Assessment of the Communication Segment is limited to citing the lack of safety
requirements for its execution of functions.
11.5 Residual Risk Assessment
Within the scope of the E-ATC PTC system, an assessment was conducted based on a
set of hazardous events that have been identified as applicable to railroad operations
under PTC.
Alstom, as the E-ATC system developer, has provided the hazard analyses that were
assessed and utilized for characterizing the system hazardous events and MTTHE
values. Vendor supplied hazard rates were used to validate that all safety requirements
from the analyses are satisfied. These hazard rates are supported by lower-level
quantitative analysis (Subsystem Analysis, Failure Mode and Effects Analysis, Fault
Tree Analysis, etc.) and this evidence is reviewable in references [R9] - [R15].
The hazards in the DCTA Project SHA [A4] were reviewed and found to be mitigated by
the functions of the vital Onboard and Wayside Segments, supported by
Dispatcher-Crew interaction and the confirming reactions of the Office Segment. All
hazards were
assessed using an industry-standard risk matrix in accordance with MIL-STD-882C [1].
As a conclusion, all hazards associated with the E-ATC system were determined to be
closed with an acceptable level of safety risk.
11.6 MTTHE Calculation
The DCTA E-ATC System MTTHE was developed by performing the following steps:
• Identify safety critical system functions (those that can result in a hazardous
event). Performed in the PHA and Functional Fault Tree Level 1;
• From the safety critical system functions, identify the safety critical subsystem
and interface functions. Performed in the Functional Fault Tree Levels 2 and 3;
• Through subsystem fault tree development, identify the specific failures (Basic
Events) that can contribute to a system function hazard. These include such
items as hardware failures, data corruption, etc. The subsystem Fault Tree
Analyses (FTAs) include hardware failure items such as the failure of one of the
processors;
• Assign probability of occurrence to the Basic Events. These may be derived from
analysis, hardware MTBF or probability theory. For the portion of events that are
not attributable to the DCTA System, the contribution probability is zero;
• Calculate the function specific probabilities of a hazard attributable to each of the
safety-critical system functions;
• For the specific DCTA E-ATC System Solution configuration and application,
combine the applicable hazard rates to calculate the MTTHE contribution to the
overall railroad MTTHE calculation.
The MTTHE (in hours) is calculated for subsystems as the inverse of the probability of
hazardous event per hour (hazard rate, h) of that subsystem.
As shown in the DCTA Project Safety Report [A6], the DCTA system is formed by three
main modules that execute the safety critical functions. Each location has its own
combination of these modules, with various quantities of each. The hazard rates given
in [A6] were retrieved from Alstom’s internal reports and FTAs. The exposure times
were defined based on common practices of the rail industry.
From a risk perspective, the evidence provided by Alstom supports the ability to calculate
an Unsafe Failure Rate assignment for each onboard and wayside component. The
product level subsystem MTTHE calculation is provided in Appendix [A6].
Table 11-1 below provides the hazard rates and MTTHEs for the E-ATC subsystems.
Table 11-1: Mean Time to Hazardous Event

E-ATC Subsystem                            Hazard Rate (per hour)   MTTHE (hours)
Ultra Cab II (UCII)                        < 1E-10                  > 1E10
Vital Logic Controller (VLC)               < 1E-10                  > 1E10
ElectroLogIXS Crossing Predictor (XP4)     < 1E-10                  > 1E10
The system MTTHE calculated in [A6] and included in Table 11-1 above was
determined to be >1E9 hours, confirming the classification of E-ATC as a vital system.
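The roll-up described in the steps above, as an added worked example that is not part of the PTCSP, of Appendix [A6] or of Alstom’s FTAs: a small Python fault-tree model that assigns rates to Basic Events, combines them through OR and AND gates, counts events outside the DCTA system boundary as zero, takes MTTHE as the inverse of the resulting hazard rate, and checks the result against the >1E9 hour vital-system criterion stated in this section. Every event name, rate, exposure window and module quantity in the example is a constructed placeholder, and the AND-gate coincidence formula is the standard rare-event approximation, not a figure taken from the vendor’s reports.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# PTCSP Section 11.6 criterion: a vital system's MTTHE must exceed 1E9 hours.
VITAL_MTTHE_THRESHOLD_H = 1e9


@dataclass
class BasicEvent:
    """Leaf of the fault tree: one specific failure with a rate per hour.

    Events not attributable to the DCTA system contribute a rate of zero
    (step 4 of the MTTHE procedure).
    """
    name: str
    rate_per_h: float
    attributable: bool = True

    def rate(self) -> float:
        return self.rate_per_h if self.attributable else 0.0


@dataclass
class Gate:
    """OR/AND gate over basic events or sub-gates.

    OR: independent causes, hazard rates add (rare-event approximation).
    AND: all n inputs must be failed at once.  With a common exposure window T
    (how long a latent failure can persist before detection) the coincidence
    rate is approximately n * prod(lambda_i) * T**(n-1), valid when lambda_i*T << 1.
    """
    kind: str
    inputs: List[Union["Gate", BasicEvent]]
    exposure_h: float = 0.0

    def rate(self) -> float:
        rates = [child.rate() for child in self.inputs]
        if self.kind == "OR":
            return sum(rates)
        if self.kind == "AND":
            if self.exposure_h <= 0:
                raise ValueError("AND gate needs a positive exposure window")
            n = len(rates)
            return n * math.prod(rates) * self.exposure_h ** (n - 1)
        raise ValueError(f"unknown gate kind {self.kind!r}")


def mtthe_hours(hazard_rate_per_h: float) -> float:
    """MTTHE (hours) is the inverse of the hazard rate h (events per hour)."""
    return math.inf if hazard_rate_per_h == 0 else 1.0 / hazard_rate_per_h


def location_hazard_rate(modules: Dict[str, Tuple[float, int]]) -> float:
    """Combine module hazard rates for one location.

    `modules` maps module name -> (hazard rate per hour, quantity installed).
    Independent modules form an implicit OR, so rates add, weighted by quantity.
    """
    return sum(rate * qty for rate, qty in modules.values())


def is_vital(mtthe_h: float) -> bool:
    return mtthe_h > VITAL_MTTHE_THRESHOLD_H


def example_module_tree() -> Gate:
    """Constructed fault tree for a hypothetical vital logic module.

    All rates and the exposure window are illustrative placeholders, not
    figures from the DCTA safety report or the vendor's FTAs.
    """
    dual_processor_undetected = Gate(
        "AND",
        [BasicEvent("processor A wrong output", 1e-5),
         BasicEvent("processor B same wrong output", 1e-5)],
        exposure_h=1.0 / 3600,  # constructed 1 s compare-before-output cycle
    )
    return Gate("OR", [
        dual_processor_undetected,
        BasicEvent("undetected vital message corruption (by analysis)", 1e-12),
        BasicEvent("vital output relay fails energized", 1e-12),
        # Outside the DCTA system boundary: counted as zero per step 4.
        BasicEvent("external power surge", 1e-8, attributable=False),
    ])


def example_location_mtthe() -> float:
    """Roll one module's rate up to a constructed location holding two of them."""
    module_rate = example_module_tree().rate()
    return mtthe_hours(location_hazard_rate({"hypothetical-vlc": (module_rate, 2)}))


if __name__ == "__main__":
    h = example_module_tree().rate()
    print(f"module hazard rate h = {h:.3e} /h, MTTHE = {mtthe_hours(h):.3e} h")
    loc = example_location_mtthe()
    print(f"location MTTHE = {loc:.3e} h, vital = {is_vital(loc)}")
```

The model makes two of the plan’s points concrete: an AND gate’s contribution collapses with a short exposure window, which is why the detection cycle of a checked-redundant design is a safety parameter and not just a performance one, and a location’s hazard rate grows with the number of modules installed, so the per-module MTTHE in Table 11-1 has to be read together with the module counts at each location when the railroad-level figure is formed.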
12 Hazard Mitigation Analysis [49 CFR §236.1015(d)(4)]
This section of the PTCSP describes the PTC system hazard mitigation analysis,
including a complete and comprehensive description of each hazard and the mitigation
techniques used to minimize its frequency and risk as required by 49 CFR
§236.1015(d)(4).
The organization of the Hazard Mitigation Analysis is shown in Figure 12-1. This figure
shows that a top-down analysis method was used for the DCTA E-ATC system.
A summary of the individual analyses referenced in this PTCSP is shown below. Each
of these is addressed in more detail in Sections 12.1 through 12.6.
a. Preliminary Hazard Analysis (PHA) - The PHA shows hazards resulting from the
system level implementation and their risk category. All such hazards are
sufficiently mitigated or eliminated, supporting the system safety architecture.
b. System Hazard Analysis (SHA) - The SHA develops the causative faults from the
PHA into more detailed faults relating to one or more subsystems of the E-ATC
system. These are analyzed for the determination of subsystem mitigation needs
as risk reduction in the system.
c. Operating and Support Hazard Analysis (O&SHA) - The purpose of the O&SHA
is to formally document hazards associated with the operations and support
functions during installation, operation and maintenance phases of the system to
identify safety critical functions, provide a brief expansion on the potential
sources of the hazards, perform a risk assessment on the hazards, and establish
mitigations to be employed.
d. Functional Fault Trees (FFTs) - The FFTs provide a graphical analysis using a
tree diagram to show what combinations of system failures can lead to a mishap
(accident). By mitigating or eliminating the causative faults in the system, it can
be asserted that the likelihood of mishaps is substantially reduced at the system
level.
e. Subsystem Fault Tree Analyses (FTAs) - The subsystem FTAs provide the same
data as the FFT but at a subsystem level, where the faults to be eliminated or
mitigated are part of specific equipment design. The FTAs confirm that failures
leading to unsafe hazards are either sufficiently mitigated or eliminated.
f. Failure Modes and Effects Analyses (FMEAs) - for fail-safe discrete equipment
and logic made of simple electronic or electromechanical parts; a comprehensive
fault analysis (Failure Modes and Effects Analysis) is performed to show that
there are no unsafe failure modes that can plausibly occur. This analysis is used
to verify that fail-safe hardware design is truly fail-safe.
The results of these safety verifications performed on the existing system and on the
E-ATC enhancements effectively substantiate the design as meeting the necessary safety
targets. The organization of the Hazard Mitigation Analysis is shown in Figure 12-1.
Figure 12-1: Organization of Hazard Mitigation Analysis
[Figure: flow diagram. Boxes, in order of appearance: E-ATC System Design and
Requirements; Begin Hazard Analysis; Preliminary Hazard Analysis; Operating and
Support Hazard Analysis; System Hazard Analysis; Functional Fault Trees; Fault Tree
Analyses; Failure Modes and Effects Analysis; SCIL. The diagram is divided into a
"System Level" band and a "Subsystem or Component Level" band.]
12.1 System Preliminary Hazard Analysis (PHA)
A Preliminary Hazard Analysis (PHA) was developed to identify system level hazards
associated with implementation and their causes from system faults and/or human
errors. The PHA submitted with this PTCSP includes preliminary hazards related to all
aspects of the E-ATC system, including hazards that could be introduced by CTC. The
PHA is included in this PTCSP as Appendix [A3].
12.1.1 Methodology of the PHA
The PHA is a tabular analysis that was developed by the system vendor (Alstom) per
the guidelines provided by MIL-STD-882C [1]. The PHA was developed by reviewing
the functional requirements and technical performance specifications of the system to
determine the top-level functional hazards and their contributing faults or operational
errors.
The PHA identifies the safety critical areas, assesses the inherent safety of the system,
provides an Initial Risk assessment of the hazards, and aids in the identification of
effective hazard controls and required actions. The PHA was conducted by analyzing
the system for all hazards that can directly cause mishaps (e.g., collision, derailment,
injury, or damage), per MIL-STD-882C.
The results from the PHA are used as an initial source to develop more detailed hazard
analyses. The Functional Fault Trees (FFTs) and the System Hazard Analysis (SHA)
break the system faults down into causative segment faults or component faults within
the E-ATC system. Human error faults from the PHA are further developed to
contributing causes in the Operations & Support Hazard Analysis (O&SHA).
Hazards identified by the PHA were added to the Safety Critical Items List (SCIL) to
ensure that they were tracked throughout the development process, and fully resolved.
The order of precedence for mitigations was as follows: Design to eliminate hazard;
design to reduce hazard; provide safety devices; provide warning devices; provide
special procedures. MIL-STD-882C classification was used to determine risk
acceptance.
12.1.2 Results from PHA
A total of 15 hazards were identified, 3 for the Onboard Segment, 8 for the Wayside
Segment, 3 for the Office Segment, and 1 for the Communication Segment. All
identified hazards were transferred to the SHA for resolution/mitigation and to the SCIL
for tracking purposes.
12.2 System Hazard Analysis (SHA)
A SHA is used to comprehensively identify faults associated with subsystem functions,
and functions of interfaces between subsystems that require fail-safe design to prevent,
detect, and/or protect against the occurrence of the terminal functional faults. To
perform the System Hazard Analysis, a top-down approach is used to identify the faults.
The System Hazard Analysis is contained in Appendix [A4] of this PTCSP.
12.2.1 System Hazard Analysis Methodology
The SHA is generated utilizing a top-down analysis approach to analyze the hazards
identified in the Preliminary Hazard Analysis. Techniques used to support the top-down
analysis include functional hazard analysis, interface hazard analysis and fault tree
analysis. The types of hazards expanded in the SHA are primarily those subsystem
functions that may cause serious injury and/or destruction of equipment. The boundary
hazards from the PHA are included and expanded to reflect hazards of subsystems, the
interfaces between subsystems, and interfaces between system and external
equipment.
Industry standard Hazard Severity Categories, Hazard Probability Levels, and
Acceptability Criteria in accordance with MIL-STD-882C were used in the analysis, as
detailed in Appendix [A4].
12.2.2 Results from System Hazard Analysis
The conclusions from performing the System Hazard Analysis can be summarized as
follows:
1. Penalty brake applications have a minor residual risk of passenger or crew injury
due to the unexpected braking. This risk was mitigated to residual risk of 3-D
(Marginal/Remote), deemed acceptable with review. DCTA has reviewed and
accepted this determination.
2. The remainder of the hazards were mitigated to a risk level of I-E
(Improbable/Catastrophic), also acceptable with review. DCTA has reviewed and
accepted this determination.
3. The primary hazards identified for PTC protection by the FRA regulation 49 CFR
§236.1005 are adequately mitigated by the E-ATC system without the need for
crew intervention.
4. Hazards related to TSRs and MDs were mitigated primarily through vital
condition checking and speed/stop enforcement by the Wayside and Onboard
Segments. However, mitigation also included Office Segment Design elements
(Request/Check/Execute sequence), Procedures (Read-back, etc.) and Training
of Dispatchers and Train Operators. For hazards pertaining to route stacking,
DCTA has taken steps to ensure dispatchers are properly trained [A7] and are
required to avoid route stacking.
All safety requirements from the SHA were transferred to the SCIL and tracked to
closure.
12.3 Operating & Support Hazard Analysis (O&SHA)
The overall goal of the Operating and Support Hazard Analysis (O&SHA), as generally
depicted by industry standards (e.g., MIL-STD-882C), is to capture hazards associated
with operational and support tasks performed by personnel for a given system and to
evaluate the adequacy of procedures put in place to direct the activity of executing the
tasks, to mitigate the identified hazards. Generally this entails a review of procedures
and tasks associated with system production, deployment, installation, assembly, test,
operation, maintenance, service, storage, transportation, modification, decommissioning
and disposal as well as considerations of the human interactions anticipated.
The DCTA Operation and Support Hazard Analysis (O&SHA) provides an analysis of
the hazards related to the procedural actions that are performed as part of the
application, operation, maintenance, training, use, or failure management of the E-ATC
system. Information from the O&SHA is used to develop safety resolution requirements,
identify the operation and support functions which must be implemented and provide
criteria for new or revised rules, procedures, or processes to mitigate unsafe impacts on
the system. The O&SHA is provided as Appendix [A5] of this PTCSP.
12.3.1 O&SHA Methodology
The DCTA E-ATC O&SHA analysis identifies all O&SHA related hazards, level of risk
and proposed mitigations as safety requirements. O&SHA references are carried
forward into the E-ATC SCIL, where mitigations of O&SHA identified hazards are
tracked and closed.
Industry standard Hazard Severity Categories, Hazard Probability Levels, and
Acceptability Criteria in accordance with MIL-STD-882C were used in the analysis, as
detailed in [A5].
12.3.2 Results from O&SHA
The conclusions from performing the O&SHA can be summarized as
follows:
1. Penalty brake applications have a minor residual risk of passenger or crew injury
due to the unexpected braking. This risk was mitigated to residual risk of 3-D
(Marginal/Remote), deemed acceptable with review. DCTA has reviewed and
accepted this determination.
2. The remainder of the hazards were mitigated to a risk level of I-E
(Improbable/Catastrophic), also acceptable with review. DCTA has reviewed and
accepted this determination.
3. Mitigations identified included requirements for installation, testing, training,
Operation and Maintenance manual documentation, and configuration control.
All safety requirements from the O&SHA were transferred to the SCIL and tracked to
closure.
12.4 System Functional Fault Tree (FFT)
The Functional Fault Trees (FFTs) for the E-ATC system are provided separately for the
UCII or Onboard Segment and for the ElectroLogIXS Wayside Segment. Both of these
segments are vitally implemented. The FFT provides an analysis of the boundary
hazards as identified in the PHA. It develops contributing factors of the boundary
hazards down to the applicable subsystem function and/or interface. The scope of the
FFT document includes the hazards identified by the PHA, the faults from allocation of
functions to subsystems, and faults from the interfaces between subsystems. The
Functional Fault Trees, reference documents [R13] and [R14], are available for review
at DCTA.
12.5 Segment (Subsystem) Fault Tree Analysis (FTA)
Subsystem Fault Tree Analyses for ElectroLogIXS and UCII components were
performed prior to the introduction of E-ATC. Implementation of E-ATC consisted of
application-specific configuration changes, and no modification of the underlying safety
architecture was made. Hence, Subsystem Fault Tree Analyses were not required to be
changed or updated. No FTA is included with the PTCSP submittal.
12.6 Failure Modes and Effects Analysis (FMEA)
Detailed Failure Modes and Effects Analyses for ElectroLogIXS and UCII were
performed prior to the introduction of E-ATC. Implementation of E-ATC consisted of
application-specific configuration changes, and no modification of the underlying safety
architecture was made. Hence, FMEAs were not required to be changed or updated. No
FMEA is included with the PTCSP submittal.
13 Verification and Validation Processes [49 CFR §236.1015(d)(5)]
As required by 49 CFR §236.1015(d)(5), this section of the PTCSP provides a complete
description of the Verification and Validation (V&V) processes applied to the DCTA E-ATC
system and the results of those processes.
The goal of the system safety process and compliance with 49 CFR Part 236, Appendix
C, as detailed in Section 8, along with Verification and Validation, is to ensure that the
development, functionality, architecture, installation, implementation, inspection, testing,
operation, maintenance, repair, and modification of E-ATC will achieve and maintain an
acceptable level of safety.
The V&V process leading to the certification of the DCTA E-ATC PTC system is shown
in Figure 13-1. This flow diagram shows how the components described in this section
are related to one another. The process shown in Figure 13-1 will provide a complete
set of test records, documenting the results of the V&V process and supporting the
safety case.
Figure 13-1: DCTA Certification and V&V Flowchart
[Figure: flowchart. Boxes, in order of appearance: DCTA PTC V&V PLAN; FIELD TEST
PLAN SUBMITTED TO FRA & APPROVED; UNIT and SEGMENT TESTING (FAT/SAT) BY
VENDORS; PTC SYSTEM LAB TESTING PLAN & PROCEDURES (LINN/LIEE); FIELD
TESTING PROCEDURES (FIT/FQT); LAB TEST RESULTS & REPORTS; FIELD TEST
RESULTS & REPORTS; two "RESULTS OK?" decision points with YES/NO branches;
REVENUE SERVICE DEMONSTRATION; SUBMIT FINAL PTCSP TO FRA; FRA
CERTIFICATION.]
13.1 Verification and Validation of E-ATC
Verification is defined in 49 CFR Part 236, Subpart H, as “the process of determining
whether the results of a given phase of the development cycle fulfill the validated
requirements established at the start of that phase. The goal of the verification process
is to determine ‘whether the product was built correctly.’”
Validation, as defined in 49 CFR Part 236, Subpart H, means, “The process of
determining whether a product's design requirements fulfill its intended design
objectives during its development and life-cycle. The goal of the validation process is to
determine ‘whether the correct product was built.’”
E-ATC safety verification is comprehensive; it included the identification of safety-critical
functions and the verification that the identified vital functions have been implemented in
a fail-safe manner as required by the system safety goals and applicable train control
system regulations.
Verification and Validation (V&V) for E-ATC was a comprehensive analysis and test of
the system software and hardware to determine that it performs its intended function, to
ensure that it performs no unintended functions, and to measure its quality and
reliability.
13.2 PTC System Verification and Validation Processes
The V&V process for E-ATC included the following activities:
• Vendor validation of E-ATC revisions to UltraCab II [R15] and ElectroLogIXS
software [R16];
• Segment testing, including vehicle brake rate verification;
• Field verification that each control line is correct and all vital locking functions are
provided;
• Verification that all controls and indication bits are correct between the office and
Wayside Segments;
• Vital Sim verification of all Vital Timers including TCCP;
• Vital Sim verification of all Permanent Speed Restrictions;
• Vital Sim verification of all TSR and MD restrictions with each speed code in all
applicable routes and directions;
• Field static verification of all Vital Timers including TCCP;
• Dynamic validation of all Permanent Speed Restrictions;
• Dynamic validation of TSR and MD restrictions with each speed code in all
applicable routes and directions;
• Dynamic validation of failure scenarios for each PTC segment;
• Vital Sim verification of each TSR and MD in each direction.
Test reports for these activities were provided to DCTA for review as each level of
testing was completed. DCTA review of the reports was performed to ensure testing
was complete and fully validated design assumptions.
Testing of the E-ATC system began with the development of a system level Test Plan.
The Test Plan was submitted and approved as an integral part of DCTA’s Test Request
per FRA §236.1035 [R19]. The Test Plan:
• Provides a methodology to iteratively integrate and test the components and
segments of E-ATC from the lab to the field environment;
• Defines a strategy that may be implemented by railroads deploying E-ATC to
verify the PTC system;
• Provides guidance for the managerial and technical effort necessary to support
the test program;
• Defines the level of testing deemed necessary to achieve the E-ATC program
goals and objectives;
• Requires a level of traceability from requirement to test case to result;
• Identifies the primary personnel, equipment, and facility resources required to
support the test program;
• Describes a high-level defect management process and the requisite categories
for managing defects.
The purpose of the testing effort was to validate and verify E-ATC, as defined in the
E-ATC Functional Design Description document [R6], in both a laboratory and a field
environment to assure E-ATC will achieve and maintain an acceptable level of safety.
Testing was performed not only to confirm that the system will perform in the desired
manner, but also to verify that it will not permit unsafe conditions. The testing process
involved data collection, performance evaluation, and component or system refinement
and was broken into several defined steps that required different inputs and outputs.
Each of the testing levels is further described in the following sections.
Test documents were uploaded to the FRA Secure Information Repository (SIR) site as
shown in Table 13-1 below:
Table 13-1: Test Documents

Ref No.  Document Title                                  SIR Site Upload Date  Description
[R19]    Test Request per 49 CFR §236.1035               03/12/2018            PSR Test Plan
                                                         03/14/2018            TSR Test Plan
                                                         03/22/2018            Work Zone Test Plan
                                                         03/29/2018            MD Test Plan
[R20]    DCTA DMU Acceleration and Braking               11/28/2018            Braking test results for DMUs, validating the
         Qualification Test Report                                             safe braking assumptions.
                                                                               Note: Included as part of the Operational
                                                                               Scenario Test Report
[R21]    DCTA E-ATC Dynamic Test Report                  11/16/2018            MBL-TCCP Test Report
                                                         11/16/2018            PSR Navigation Test Report
                                                         11/28/2018            Operational Scenario Test Report
[R22]    DCTA E-ATC Failure Test Report                  11/16/2018            Failure Test Report
13.3 Testing E-ATC
13.3.1 Stage 1 - Segment Testing
The first stage of testing included testing to prove that requirements of 49 CFR Part
236, Subparts A and C, were still met after modifications. This included testing of both
control points and crossings. Permanent speed restrictions were tested statically as part
of this stage as part of control line verification. Individual controls and indications
communicated to and from the office were verified at this stage. Additionally, vehicle
brake rates were verified through test or analysis.
The 49 CFR Part 236, Subpart A and C tests were performed to verify all vital timers,
including TCCP, and vital interlocking tests for approach, time, route, indication and
traffic locking. All tests were passed and were recorded on DCTA test forms, which are
retained onsite by the railroad and available for FRA review per 49 CFR §236.110.
Pre-testing of control lines to support underlying E-ATC functionality was performed
statically in the field. Also, field verification of each control and indication between the
office and the wayside was verified statically. These test results were recorded on
design drawings and retained by the test engineer.
As documented on the test forms referenced above, all necessary Stage 1 tests were
performed successfully, and all tests were passed.
Segment testing also included validation of vehicle brake rate assumptions used in
block design. DMUs were tested as part of the existing system’s implementation. Test
results provided in document [R20] confirmed that the brake rate assumptions used in
the block design are valid. Test results and analysis confirm that DCTA’s
implementation of E-ATC will always appropriately enforce per the requirements of 49
CFR §236.1005(a).
13.3.2 Stage 2 - Laboratory Integration Testing
The second level of testing phases was Laboratory Integration Testing. Laboratory
Integration testing was performed using Vital Sim software to verify that the Wayside
and Office Segment logic is fully integrated and provides appropriate speed commands
to enforce all E-ATC restrictions. Completion of Laboratory Integration Testing verified
that all wayside and office logic operates per the system design. All tests were
performed successfully, and all tests were passed.
Defects during laboratory integration testing were managed in a coordinated fashion
throughout the testing effort. As defects were identified and corrected, the test team
determined which tests needed to be executed again to verify correction of the defect.
Regression test plans were developed as required to retest and close discrepancies
during the lab testing. All tests were performed successfully, and all tests were passed.
13.3.3 Stage 3 - Field Testing of E-ATC
Field-testing is defined as all tests conducted on rail, and included E-ATC equipped
DMUs. Field tests began after the requirements of 49 CFR §236.1035 and the related
test waiver conditions imposed by the FRA were met [R19].
Field tests provided the formal testing of the E-ATC system outside of the laboratory
environment, in a field environment with the express intent of gaining FRA System
Certification. Field tests were conducted with well-documented and approved test
cases.
Field testing demonstrated the successful implementation of each restriction
dynamically using the combination of all PTC system segments. Speed restrictions were
applied by the Office Segment, carried to the field by the Communication Segment,
executed by the Wayside Segment and enforced by the Onboard Segment. These tests
verified dynamically that the required train speed at the proper track location was
carried out through the integration of all E-ATC system segments. The full test report is
provided in [R21].
13.3.4 Stage 4 - Failure Testing
Failure testing was performed to verify that the system performs properly in the event of
a failure and prevents the issuance of unsafe conditions. The following functions were
tested:
1. Ensure restriction cannot be applied that is greater than the maximum authorized
speed (MAS) for a given location;
2. Failure to implement TSR by wayside will trigger alarm at Office;
3. Failure to receive TSR Heartbeat Message by Office will trigger an alarm;
4. Failure of primary connection to office will cause a failover to backup connection;
5. Failure of wayside hardware will prevent train movements;
6. Carborne failure results in an irrevocable full service penalty brake.
All tests were completed successfully, and no discrepancies were encountered during
testing. Test procedures and results are provided in [R22].
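The fail-safe checks behind failure-test items 1 through 3 above, as an added illustration that is not part of the PTCSP, of [R22] or of the E-ATC Office Segment software: a constructed Python model of the Request/Check/Execute sequence for TSRs (Section 12.2.2) that refuses any restriction not below the maximum authorized speed, raises an office alarm when the wayside does not confirm implementation, and raises an alarm when the TSR heartbeat stops. The location names, speed values and heartbeat timeout are placeholders chosen for the example; the real values and the actual alarm behaviour are documented in [R22].

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed maximum authorized speed (MAS, mph) per location.  Illustrative
# values only; DCTA's actual speed table is not reproduced here.
MAS_MPH: Dict[str, int] = {"MP 10.0": 60, "MP 12.5": 40}

# Constructed heartbeat timeout; the real timing is documented in [R22].
HEARTBEAT_TIMEOUT_S = 30.0


@dataclass
class Tsr:
    location: str
    speed_mph: int
    acknowledged: bool = False  # set once the wayside reports it is enforcing


@dataclass
class OfficeTsrModel:
    """Toy model of the Office Segment's Request/Check/Execute handling of TSRs."""
    active: Dict[str, Tsr] = field(default_factory=dict)
    last_heartbeat_s: Dict[str, float] = field(default_factory=dict)

    def request_tsr(self, location: str, speed_mph: int) -> Optional[str]:
        """Check step.  Returns None on acceptance, or the rejection reason.

        A TSR must only restrict: a request at or above MAS, a non-positive
        speed, or an unknown location is refused before the Execute step
        (failure test item 1).
        """
        mas = MAS_MPH.get(location)
        if mas is None:
            return f"unknown location {location!r}"
        if not 0 < speed_mph < mas:
            return f"{speed_mph} mph is not below MAS {mas} mph at {location}"
        self.active[location] = Tsr(location, speed_mph)  # Execute step
        return None

    def wayside_ack(self, location: str) -> None:
        """Wayside confirms the restriction is in effect."""
        if location in self.active:
            self.active[location].acknowledged = True

    def heartbeat(self, location: str, now_s: float) -> None:
        """Periodic TSR heartbeat from the wayside for an active restriction."""
        self.last_heartbeat_s[location] = now_s

    def alarms(self, now_s: float) -> List[str]:
        """Items 2 and 3: alarm on an unacknowledged TSR or a missed heartbeat.

        Absence of evidence is treated as a failure: a TSR that has never sent a
        heartbeat alarms just like one whose heartbeat has gone stale.
        """
        out: List[str] = []
        for loc, tsr in self.active.items():
            if not tsr.acknowledged:
                out.append(f"TSR at {loc} not implemented by wayside")
            last = self.last_heartbeat_s.get(loc)
            if last is None or now_s - last > HEARTBEAT_TIMEOUT_S:
                out.append(f"TSR heartbeat lost for {loc}")
        return out


def run_failure_scenarios() -> Dict[str, bool]:
    """Constructed scenarios mirroring items 1-3; True means the model behaved safely."""
    results: Dict[str, bool] = {}

    # Item 1: a restriction above MAS must be refused; a valid one accepted.
    m = OfficeTsrModel()
    results["reject_above_mas"] = m.request_tsr("MP 12.5", 50) is not None
    results["reject_unknown_location"] = m.request_tsr("MP 99.9", 10) is not None
    results["accept_valid_tsr"] = m.request_tsr("MP 12.5", 25) is None

    # Item 2: wayside never acknowledges -> office alarm even with heartbeats.
    m.heartbeat("MP 12.5", now_s=0.0)
    results["alarm_not_implemented"] = any(
        "not implemented" in a for a in m.alarms(now_s=1.0))

    # Item 3: acknowledged, but heartbeat stops -> alarm once the timeout elapses.
    m.wayside_ack("MP 12.5")
    results["quiet_when_healthy"] = m.alarms(now_s=10.0) == []
    results["alarm_heartbeat_lost"] = any(
        "heartbeat lost" in a for a in m.alarms(now_s=45.0))
    return results


if __name__ == "__main__":
    for name, ok in run_failure_scenarios().items():
        print(f"{name:26s} {'PASS' if ok else 'FAIL'}")
```

The scenarios are written as checks on what the model refuses and on which alarms it raises, which is the same shape as the dynamic failure tests described in this section: each case injects one failure and the pass criterion is that the system does not permit an unsafe condition and does make the failure visible.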
13.4 Revenue Service Demonstration
After the successful completion and signoff of System Testing and upon receipt of
FRA’s approval, DCTA initiated Revenue Service Demonstration (RSD) operation. RSD
consisted of closely monitored revenue service trains with E-ATC active and enforcing.
Details on entry criteria, exit criteria, and the number of runs required during RSD are
found on DCTA’s FRA docket (FRA-2010-0074) and in the DCTA Revenue Service
Demonstration Application and FRA Approvals on the Docket as noted. RSD was
completed successfully on September 19, 2019.
13.5 Interoperability Testing
Passenger service and freight service are temporally separated and are not permitted to
operate simultaneously in the corridor. Freight traffic of the Class II railroad will not be
equipped with E-ATC onboard equipment.
DCTA does not operate as a tenant on any host railroads and therefore has no
interoperability issues with host railroads.
14 DCTA Training Plan [49 CFR §236.1015(d)(6)] [49 CFR §236.1041]
[49 CFR §236.1043] [49 CFR §236.1045] [49 CFR §236.1047(a),(b) &
(d)] [49 CFR §236.1049]
This section of the PTCSP provides a complete description of the DCTA training plan
for railroad and contractor employees, and supervisors necessary to ensure safe and
proper installation, implementation, operation, maintenance, repair, inspection, testing,
and modification of E-ATC as required by 49 CFR §236.1015(d)(6), 49 CFR, Subpart I,
§236.1041, 49 CFR, Subpart I, §236.1043, 49 CFR, Subpart I, §236.1045, 49 CFR
§236.1047(a), (b), & (d), and 49 CFR, Subpart I §236.1049.
DCTA has established and implemented training and qualification programs for all
railroad and contractor employees who will install, implement, operate, maintain, repair,
inspect, test or modify E-ATC, and their direct supervisors. Alstom has provided to
DCTA all required training, tools, test and diagnostic equipment for the operation,
installation, inspection, troubleshooting and maintenance of the Enhanced-Automatic
Train Control (E-ATC) System.
Since the following entities are responsible for E-ATC maintenance, training was
directed to the appropriate staff by function:
• The office system is maintained by DCTA
• The wayside is maintained by DCTA
• Onboard E-ATC on commuter DMUs is maintained by DCTA
Alstom has developed and provided E-ATC-related training for DCTA contractors,
Dispatchers, Train Crews, equipment maintenance staff, track and Signal Maintainers
and supervisory/management/technical staff as required.
Individual training sessions included familiarization, installation, operation, maintenance,
and troubleshooting for these E-ATC System Segments:
• Onboard
• Office
• Wayside
• Communication
Training consisted of detailed classroom presentations to aid DCTA personnel in their
jobs. Classroom training familiarized students with the contents of the O&M manuals
and provided instruction on the system equipment. Special emphasis was given to
equipment familiarization, installation, operation, maintenance and troubleshooting.
Hands-on activities were provided, as applicable to the system equipment. Students
were given verbal and written comprehension tests.
14.1 Train Dispatcher Training
This training included becoming familiar with the PTC system and the effect of the
computer-aided train dispatch on the PTC system. Specific areas were the issuance of
Mandatory Directives, Temporary Speed Restrictions, and similar commands that are
PTC-enforced. It also included getting familiar with processes used to mitigate
exceptions experienced with the system. Since there is familiarity with the forms,
training provided a quick reference sheet of the new features and one-on-one training
with the Dispatchers.
14.2 Train Operator Training
The training provided familiarization with the onboard equipment as well as other
operational aspects relating to rules and procedures for the safe operation of the train.
The training program complies with 49 CFR §236.1047.
14.3 Signal Personnel Training
This training includes familiarization with the E-ATC system and the methods used to
maintain the wayside signal portion of the system. It also includes the tools, procedures,
and guidelines used to maintain the Wayside system components and getting familiar
with troubleshooting processes.
14.4 Mechanical Personnel Training
This training includes familiarization with the E-ATC system and the methods used to
maintain the onboard portion of the system. It also includes the tools, procedures, and
guidelines used to maintain the onboard system components and getting familiar with
troubleshooting processes.
14.5 First Line Supervisor Training
This training includes familiarization with the E-ATC system and the methods used to
maintain the system. Front Line Supervisors attended the same training as the
personnel over whom they have supervisory responsibilities. Training details are
included in each craft’s training section as shown in the previous sections.
14.6 MOW/Roadway Worker Personnel Training
The training for Maintenance of Way (MOW) / Roadway Workers was required for
railroad and contract employees who provide protection for themselves or roadway work
groups, and their supervisors. The training provided familiarization with E-ATC, wayside
equipment, and an understanding of the protections provided to Roadway Worker
personnel. The training program complied with 49 CFR §236.1049.
14.7 Training Records
Training Records for train Dispatchers are maintained at the Rio Grande & Pacific
Dispatch Center in Fort Worth, TX. Training records for Commuter Train Operators and
Commuter Vehicle Mechanical Personnel are maintained by DCTA in its offices at
DCTA Rail Operations and Maintenance Facility (Rail OMF) in Lewisville, TX.
14.8 Refresher Training
Periodic refresher training and evaluation will be provided at the following intervals:
• Dispatcher – 1 year
• Train Operator – 3 years
• Signal Personnel – 3 years
• Mechanical Personnel – 3 years
• First Line Supervisor – 3 years
14.9 Operating Rules for PTC
14.9.1 Books of Rules
All required Rule Books are to be in possession of the Train Operator of a DCTA train,
roadway or maintenance worker, mechanic, or Dispatcher as appropriate, per company
policy. The rules applicable to the application of PTC are contained within DCTA
Timetable #5 and DCTA General Order #1.
• DCTA Timetable #5 [R1]
• GCOR Seventh Edition [17]
• DCTA General Order #1 [R2]
14.9.2 PTC Operating Instructions and Crew Record-Keeping
This section addresses operating instructions and crew record keeping for all train
operations on the DCTA Corridor.
Training/Qualification
All Train Crews operating where PTC is in effect are provided classroom training on the
system by a qualified instructor, and are also provided with a qualified PTC Train
Operator pilot while operating a DMU equipped with PTC during their qualification
period.
Job Safety Briefing
PTC qualified Train Crews are required to conduct a job safety briefing at the beginning
of each tour of duty regarding their PTC equipment and at any time PTC is initialized,
re-initialized or cut out enroute.
The job safety briefing includes, but is not limited to, the following:
• Verify that PTC safety devices have not been cut out. (Crew members must not
cut out, tamper with, or defeat a safety device without permission from the proper
authority);
• Review PTC requirements and functionality;
• Crew members must understand each other's knowledge and experience with
the PTC System.
Initializing PTC
If start-up fails, the Crew must contact the train Dispatcher and be governed by his/her
instructions. Where this occurs at the initial terminal, a DMU train will not be allowed to
depart.
Departure Test Reporting
Passenger Departure tests are performed by mechanical staff prior to departing the
initial terminal (DCTA Operations and Maintenance Facility) once each 24 hours per 49
CFR §236.587. Mechanical staff document departure tests onboard with a multi-use
form that is kept in the operating cab of the DMU. Mechanical staff report departure test
results to Dispatch, who in turn documents the results in a database. Daily Departure
test forms for DMUs are maintained at the DCTA Rail Operations and Maintenance
Facility (Rail OMF) in Lewisville, TX.
No-Code Proceed Reporting
The use of NCP requires the permission of Dispatch by rule. NCP operations require
the Operating Crew to report the onboard NCP counter numbers to Dispatch. The
onboard form that is utilized for Departure tests includes a line for NCP counter
numbers (beginning and ending). The initial (beginning) NCP counter numbers are
reported to Dispatch with the Daily Departure test results prior to entering equipped
territory. Dispatch maintains a record of the NCP numbers for each equipped vehicle. If
operating crews are authorized to utilize NCP, they report as required by rule and
document the updated “ending” NCP number using the onboard form. When
mechanical staff increment the NCP counter for maintenance/testing they report the
new NCP counter numbers to Dispatch at the time of testing.
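An added illustration of the reconciliation that the Dispatch NCP record makes possible (example code, not from the DCTA PTCSP or from Alstom): it checks one constructed day of counter reports against the reporting rules above, flagging a counter that decreases, an increase not explained by an authorized NCP use or a reported maintenance increment, and a use without recorded Dispatch permission. The record fields, report kinds and sample values are assumptions.

```python
"""Reconcile No-Code Proceed (NCP) counter reports for PTC-equipped DMUs.

Added illustration, not part of the DCTA PTCSP or any Alstom tool. The record
layout and the sample entries are constructed to mirror the reporting
procedure in the plan: the beginning count is reported with the daily
departure test, an ending count after any authorized NCP use, and maintenance
increments at the time of testing. Field names are assumptions.
"""
from dataclasses import dataclass

# Report kinds that legitimately explain an increase of the NCP counter.
EXPLAINED_INCREASE = {"ncp_use", "maintenance"}


@dataclass
class NcpReport:
    vehicle: str             # DMU initials/number (constructed)
    time: str                # HH:MM on the reporting day (constructed)
    kind: str                # "departure", "ncp_use", "maintenance" or "ending"
    count: int               # NCP counter value reported to Dispatch
    authorized: bool = True  # Dispatch permission recorded (relevant to ncp_use)


def reconcile(reports):
    """Return a list of discrepancy strings; empty when every report is consistent.

    Rules applied per vehicle, in time order:
      * the first report of the day must be the departure-test beginning count;
      * the counter must never decrease (a decrease suggests a reset or tampering);
      * every increase must be explained by an NCP use or a reported
        maintenance increment;
      * an NCP use without recorded Dispatch permission is flagged even when the
        counter itself is consistent.
    """
    issues = []
    by_vehicle = {}
    for r in sorted(reports, key=lambda r: r.time):
        by_vehicle.setdefault(r.vehicle, []).append(r)

    for vehicle, rs in by_vehicle.items():
        if rs[0].kind != "departure":
            issues.append(f"{vehicle}: no beginning NCP count reported with the departure test")
        prev = None
        for r in rs:
            if prev is not None:
                delta = r.count - prev.count
                if delta < 0:
                    issues.append(f"{vehicle} {r.time}: NCP counter decreased {prev.count}->{r.count}")
                elif delta > 0 and r.kind not in EXPLAINED_INCREASE:
                    issues.append(f"{vehicle} {r.time}: unexplained NCP counter increase {prev.count}->{r.count}")
            if r.kind == "ncp_use" and not r.authorized:
                issues.append(f"{vehicle} {r.time}: NCP use without recorded Dispatch permission")
            prev = r
    return issues


# Constructed sample day: 101 is fully accounted for; 102 ends higher than it
# began with no NCP use or maintenance reported; 103 used NCP without recorded
# permission; 104's counter went backwards.
SAMPLE_REPORTS = [
    NcpReport("DCTA 101", "05:30", "departure", 12),
    NcpReport("DCTA 101", "09:45", "ncp_use", 13),
    NcpReport("DCTA 101", "14:10", "maintenance", 14),
    NcpReport("DCTA 102", "05:35", "departure", 7),
    NcpReport("DCTA 102", "19:50", "ending", 8),
    NcpReport("DCTA 103", "05:40", "departure", 3),
    NcpReport("DCTA 103", "12:05", "ncp_use", 4, authorized=False),
    NcpReport("DCTA 104", "05:45", "departure", 20),
    NcpReport("DCTA 104", "18:30", "ending", 19),
]

if __name__ == "__main__":
    for issue in reconcile(SAMPLE_REPORTS):
        print(issue)
```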
Anomalies and Unusual Events Reporting
The Train Operator must report the following conditions and occurrences to the train
Dispatcher:
• Any PTC brake enforcement;
• Any overrun of an authority boundary;
• Any onboard PTC equipment failure;
• Any suspected PTC system failure, including failure to enforce required braking
applications and speed restrictions.
When making a report to the train Dispatcher, the Train Operator must include the
following information:
• DMU initials/number, AND
• Time and location of occurrence, AND
• Any unusual occurrence which may have contributed to the problem.
Anomalies or unusual events are entered into a database by Dispatch. Anomalies or
unusual events include any situation that is outside of normal operating conditions,
including:
• Enforcements of any type, including unintended;
• E-ATC system faults, failures to enforce, or unexpected actions;
• Display problems with the EDU;
• Use of the No Code Proceed for any reason;
• Use of MD for any highway crossing failure event;
• Any other unusual PTC event.
15 Procedures, Test Equipment and Operations & Maintenance
Manual [49 CFR §236.1015(d)(7)] [49 CFR §236.1039 (all)]
This section provides a complete description of the specific procedures and test
equipment used to ensure the safe and proper installation, implementation, operation,
maintenance, repair, inspection, testing, and modification of the PTC system on DCTA,
and establishes that safety-critical hazards are appropriately mitigated as required by 49
CFR §236.1015(d)(7) and 49 CFR Part 236, Appendix C(b)(7). These procedures,
including calibration requirements, are consistent with the equipment manufacturer’s
recommendations.
This section also ensures that documents specified in the PTCSP or PTCDP,
operations and maintenance manuals for hardware / software handling, and operations
and maintenance manuals for safety-critical components are properly documented and
stored as required by 49 CFR §236.1039.
15.1 Maintenance Procedures and Process
DCTA’s PTC maintenance process includes general policies for dealing with railroad
(and PTC) maintenance as well as specific procedures that implement the maintenance
policies for particular equipment or scenarios. DCTA has integrated the PTC process
and procedures into its overall structure and does not have a separate approach to PTC
service and maintenance documentation.
Operations and maintenance documentation is structured around system segments
(Wayside, Carborne, Office and Communications). Configuration Management of
documentation is controlled through DCTA’s Configuration Management Plan [R4].
The Operations and Maintenance Manual contains all test procedures and test
equipment instruction necessary to preserve safe E-ATC operation, covering:
• Preventive and periodic testing required to maintain equipment in safe working
order;
• Testing required following equipment repair or maintenance actions.
15.1.1 DCTA-Specific Procedures and Test Equipment
The following DCTA-specific procedures are performed, and the associated test
equipment used, in accordance with the equipment manufacturer’s recommendations:
1. Daily Departure Test for Onboard equipment
UCII Operator’s Manual, Section 3
This test is performed daily on DMUs before entering E-ATC territory, in
accordance with 49 CFR §236.587. Results are posted in the cab and filed in the
office, as required. The test is performed through the onboard Engineer’s Display
Unit (EDU); no test equipment is required.
2. Periodic Test for UCII
UCII Service Manual Section 3
This test is performed every 60 days in accordance with 49 CFR §236.588. It
includes the following:
o Visual Inspection
o System Isolation Test
o System Voltage Test
o NCP Counter Operation
o Cutout Operation
o Locate System Ground
o Wheel Diameter Calibration
o Set Date and Time
o Cab Signal Pickup Test
A test form is included in the Manual.
Special Test Equipment:
o Cab signal generator and test loop
3. Installation and Repair Procedures for UCII
UCII Service Manual, Section 5
This procedure covers troubleshooting, removal and installation of components,
and repair of wiring harness connectors. It includes test procedures to verify
proper operation after installation or repair.
4. Maintenance, Repair and Testing Procedures for the ElectroLogIXS
ElectroLogIXS System Operation and Maintenance Manual, Section 3
This includes the following tasks:
o Visual Inspection
o Maintenance Procedures using the CDU
    ▪ Track Circuit Adjustment
    ▪ Lamp Voltage Setup
    ▪ Lamp Test Mode
    ▪ Battery Alarm Values
    ▪ Office Port Protocol
o ElectroLogIXS Maintenance Procedures
    ▪ Fuse and Battery Replacement
    ▪ Voltage Check
    ▪ Module Removal and Installation
o Record Maintenance Activities
Special test equipment: PC Computer to access Graphical User Interface
5. Installation Procedures for ElectroLogIXS
ElectroLogIXS System Operation and Maintenance Manual, Section 2
This includes the following tasks:
o Initial Installation
o Mounting and Setup
o Filters
o Software Update
o EPROM Update
o Track Termination and Lightning Protection
o Communications
o Initial Setup
    ▪ Track Circuit Setup
    ▪ Lamp Voltage Setup
    ▪ Timers Setup
    ▪ Vital Configuration Setup
    ▪ Date/Time
    ▪ Port Setup
    ▪ Ground Fault Detector Setup
Special test equipment: PC Computer to access Graphical User Interface.
15.1.2 Controlling and Tracking Component/Product Modifications
DCTA and Alstom have an established system for control and tracking of all
safety-related products and their modifications. This system is described in Section 17
of this PTCSP. The management methods are adequate to fully control all changes to
PTC equipment, including the hardware, software and firmware of the components of
the PTC system. The configuration management system ensures all such changes are
documented and implemented consistently throughout the set of equipment deployed at
DCTA.
15.2 PTC Operations and Maintenance Manuals
FRA regulation [49 CFR §236.1039(a)] requires that a “master” Operations &
Maintenance manual exist for the PTC system installed by DCTA. This master manual
provides the overall structure and content for operation and maintenance of the PTC
system. Individual sections of the manual contain the specific procedures and
processes for maintaining and operating DCTA’s E-ATC system down to the component
level. This O&M Manual is shown in Table 15-1 below:
Table 15-1: Master Operations & Maintenance Manual List
No. | Document | Description
[M1] | DCTA Functional Design Description, 083511-040, Rev 07, March 26, 2018 | Defines system operation, system architecture, and system interfaces.
[M2] | ElectroLogIXS VLC and EC5, System Operation and Maintenance, Volume I, 100373010, Rev AW0, 03/03/2016 | This document provides the specific information related to installation, maintenance, troubleshooting, CDU program, Web GUI, Terminal Program, Retest Guide and specifications of the ElectroLogIXS VLC and EC5 system.
[M3] | ElectroLogIXS VLC and EC5, System Operation and Maintenance, Volume II, 100373010, Rev AW0, 03/03/2016 | This document provides the specific information related to installation, maintenance, troubleshooting, CDU program, Web GUI, Terminal Program, Retest Guide and specifications of the ElectroLogIXS VLC and EC5 system.
[M4] | Ultra Cab II for DCTA Service Manual, 100306-003, Rev AA2, 03/04/2019 | This document provides specific information related to Theory of Operation, Departure Tests, System Logs, Preventive Maintenance, Troubleshooting, Installation/Repair, Parts Catalog and System Wiring Diagrams of the Ultra Cab II system.
[M5] | ElectroLogIXS XP4, System Operation and Maintenance, Volume 1, 100323-010, Rev AV0, 01/18/2016 | This document provides specific information related to Installation, maintenance, Troubleshooting, CDU Program, Terminal Program, and a Retest Guide of the ElectroLogIXS XP4 system.
[M6] | ElectroLogIXS XP4, System Operation and Maintenance, Volume 2, 100323-010, Rev AV0, 01/18/2016 | This document provides specific information related to Installation, maintenance, Troubleshooting, CDU Program, Terminal Program, and a Retest Guide of the ElectroLogIXS XP4 system.
[M7] | Ultra Cab II for DCTA, Operator’s Manual, 100306-004, Rev AA1, 12/06/2018 | This document provides specific information related to General Operation, Component Overview, Departure Tests, Penalty Brake and System checks, Cab Mode Operation, Trail Mode Operation, Yard Mode Operation, Inactive/Neutral Mode Operation, No Code / EOB Proceed Mode Operation, Restricted Mode Operation and ATC Cutout Mode Operation of the Ultra Cab II system.
[M8] | Cab-X, Cab Signal Generator, Installation Manual, 100102-002, Rev AI0, 11/2015 | This document describes the Cab-X Cab Signal Generator installation information.
[M9] | Dispatching System and TSR Terminal User Manual, Rev 1, October 2017 | A functional description of the user interface for the DCTA dispatching system from the perspective of the Dispatcher, with regards to the PTC interface. Includes a general overview of the features used to interact with the DCTA TSR Interface system, in order to activate PTC Temporary Speed Restrictions and PTC Mandatory Directives in the field.
The complete set of manuals is maintained in the DCTA Office as per FRA regulation
and DCTA standards and policies.
16 Warnings and Warning Labels [49 CFR §236.1015(d)(8)]
As required by 49 CFR §236.1015(d)(8), this section provides a complete description of
any additional warning to be placed in the Operations and Maintenance manual in the
same manner specified in 49 CFR §236.919 and all warning labels to be placed on
equipment as necessary to ensure safety.
16.1 Warnings in Vendor Manuals
The Vendor’s Manuals contain safety warnings, cautions and other safety related
information throughout the content. Examples of these warnings, extracted from the
various manuals, are shown in Appendix [A9].
16.2 Warning Labels
There are no warning labels placed on the E-ATC onboard, wayside or dispatch
equipment. This equipment is only accessible to trained personnel who are aware of the
hazards that can be posed by electrical and mechanical equipment on railroad rolling
stock or wayside equipment. Signal equipment is contained in locked enclosures or
buildings that prevent access by untrained personnel. Dispatching system equipment is
enclosed in access-controlled rooms at the dispatching locations. Safe operation of the
equipment does not rely on any warning labels.
17 Configuration Management and Revision Control Measures, DCTA
[49 CFR §236.1015(d)(9)] [49 CFR §236.1023(c)(2)]
This section provides a complete description of the configuration and revision control
measures designed to ensure that DCTA or its contractor does not adversely affect the
safety-functional requirements and that configuration or revision changes do not
compromise any safety-critical hazard mitigation processes as required by 49 CFR
§236.1015(d)(9) and that such changes can be audited as required by 49 CFR
§236.1023(c)(2).
17.1 Configuration Management Acronyms, Terminologies and Definitions
Table 17-1 below describes the meaning of the acronyms and terminologies used in the
Configuration Management (CM) and Revision Control Measures section.
Table 17-1: CM Acronyms, Terminologies and Definitions
Acronym or Term | Definition
CI | Configuration Item – Any E-ATC System artifact including, but not limited to, hardware, software, firmware, document, or an aggregation of hardware, software, firmware and documents that deliver a Service within the E-ATC System. It is treated as a single entity that needs to be managed and controlled via configuration management.
CM | Configuration Management – A collection of processes that are responsible for maintaining and controlling CIs, information about CIs, and their relationships, which are required to deliver E-ATC System services. This information is continuously managed throughout the lifecycle of CIs.
CMCB | Configuration Management Control Board – DCTA board that reviews and approves all proposed changes to CIs.
CMDB | Configuration Management Database – A central point for tracking and documenting the status of all Configurable Items.
CMP | Configuration Management Plan – A description of CM policies and procedures employed by entities that participate in E-ATC System production, support and maintenance.
Baseline | A recorded state of CIs at a specific point in time that serves as a basis for future builds, changes, and releases. It is formally agreed upon through CM.
17.2 Configuration Management Integration with Vendors
The DCTA Configuration Management Plan [R4] ties together the railroad’s CM Plan
with vendor driven configuration plans. The railroad’s CM objectives are to support
implementation of PTC changes, while:
1. Ensuring safety
2. Maintaining operability
3. Maintaining reliability
The Configuration Management process is to: identify and document the functional and
physical characteristics of the PTC configuration items; audit the Configuration Items to
verify conformance to specification, standards, and contract requirements; control
changes to configuration items and their related documentation; and record and report
the information required to manage PTC Configuration Items, including the
implementation status of proposed changes.
17.3 DCTA System Configuration Management
The Configuration Management Plan (CMP) has been established to support the
requirements of the DCTA E-ATC system in compliance with Association of American
Railroads (AAR) and Federal Railroad Administration (FRA) standards and
requirements. The CMP applies to the fully installed, tested and approved baseline
version of the system and is available for review at DCTA.
The CMP establishes and maintains integrity and control of the E-ATC system products.
Using Configuration Control and the Engineering Change Management Process, the
goal of the CMP is to maintain the integrity of the fully operational system. The CMP has
been established to prevent: 1) non-traceability; 2) the inability to re-create a PTC
system or interface test problem; 3) the inability to restore a previous software version;
and 4) issues that surface and impede software components’ ability to interface, caused
by software error inconsistencies found resident in the vendor/supplier’s product
baseline hardware or software.
The following systems are included in DCTA’s Configuration Management program:
• E-ATC Onboard Equipment and Software
• E-ATC Wayside Equipment and Software
• E-ATC Office Software
• E-ATC Communication Equipment and Software
The DCTA Configuration Management Plan is based and built upon the PTC product
specifications and incorporates the controls and processes to support the latest revision
standards issued by the Enhanced Automatic Train Control (E-ATC) requirements, and
those PTC requirements and standards provided by the AAR and the FRA.
17.4 DCTA Revision Control Measures
The CMP establishes a Configuration Management Control Board (CMCB), sponsored
jointly by DCTA. The CMCB has established a baseline of E-ATC related Configuration
Items and reviews and approves all proposed revisions to these items.
Configurable Items are tracked in the Configuration Management Database (CMDB).
The CMDB provides a central point for tracking and documenting the status of all
Configurable Items.
The CMP also establishes a Configuration Management Control Process, consisting of
Change Request, Evaluation, Change Approval, Implementation, Verification and
Documentation steps.
Additionally, audit procedures and configuration audits are required by the CMP. Audits
confirming the status of each Configurable Item will be performed every four years at a
minimum.
17.5 Vendor Configuration Management and Revision Control Measures
After establishment of the fully installed, tested and approved baseline version of the
system, vendors are required to comply with DCTA’s Configuration Management Plan
for all proposed changes.
In addition, Alstom, as the vendor of all safety-critical equipment and software, has its
own Configuration Management Program in place, which will be used to control
changes and updates to the system. Alstom’s internal Configuration Management
Plan(s) [R17], [R18] establish and maintain the integrity of the products delivered and
installed for E-ATC throughout their life cycle. The CMP identifies the project’s
Configuration Items that are created or modified by the project, controls changes to
those configurations or baselines, conducts status accounting activities, conducts
baseline audits and releases work products to the customer.
18 Initial Implementation Testing Procedures [49 CFR
§236.1015(d)(10)]
This section provides a complete description of all initial implementation testing
procedures necessary to establish that safety-functional requirements are met and
safety-critical hazards are mitigated appropriately as required by 49 CFR
§236.1015(d)(10).
This testing is part of the PTC Certification process as required by the FRA regulation
Subpart I. Testing of the E-ATC system began with the development of a system level
Test Plan. The Test Plan was submitted and approved as an integral part of DCTA’s
Test Request per 49 CFR §236.1035 [R19].
The Test Plan provides for:
• Field verification that each control line is correct and all vital locking functions are
provided.
• Verification that all controls and indication bits are correct between the office and
Wayside Segments.
• Vital Sim verification of all Vital Timers including TCCP.
• Vital Sim verification of all Permanent Speed Restrictions.
• Vital Sim verification of all TSR and MD restrictions with each speed code in all
applicable routes and directions.
• Field static verification of all Vital Timers including TCCP.
• Dynamic validation of all Permanent Speed Restrictions.
• Dynamic validation of all TSR and MD restrictions with each speed code in all
applicable routes and directions.
• Dynamic validation of failure scenarios for each PTC segment.
18.1 DCTA Informational Filing and Testing Waivers
DCTA PTC system level testing was conducted under the FRA approved test request
using FRA approved test plans [R17] per 49 CFR §236.1035.
The DCTA PTC system has been deployed as a single “stage”. The stage consists of
the entire DCTA corridor, as is described in the DCTA PTCIP. DCTA equipped the
corridor for PTC and completed the system testing for approval under an FRA Waiver
per 49 CFR §236.1035 prior to the FRA certification of the PTC system for deployment.
The results from the single stage have been assembled, reviewed, and submitted to the
FRA; refer to Table 13-1 for details. Furthermore, Revenue Service Demonstration has
been completed successfully.
18.2 Pre-Certification Field Deployment
DCTA, per its testing waiver, conducted pre-certification testing on the entire DCTA
corridor. See Table 13-1 for test results and upload dates to the FRA SIR site.
18.3 Post-Certification Segment Definition
After full certification of the DCTA E-ATC System for revenue service, the DCTA
corridor will allow revenue service operation by DCTA commuter service over the entire
corridor.
19 Post-Implementation Testing (Validation) and Monitoring
Procedures [49 CFR §236.1015(d)(11)]
As required by 49 CFR §236.1015(d)(11), this section provides a description of all
post-implementation testing (validation) and monitoring procedures, including the
intervals necessary to establish that safety-functional requirements, safety-critical
hazard mitigation processes, and safety-critical tolerances are not compromised over
time, through use, or after maintenance (adjustment, repair, or replacement) is
performed.
A detailed description of all testing and monitoring procedures is included in the DCTA
Operating & Maintenance Manual [R7] which describes the proper maintenance
processes and time intervals needed to maintain safety-critical performance of the
system and its components.
19.1 Post Implementation Testing and Monitoring Activities
Post implementation testing activities are included within the DCTA PTC Operating and
Maintenance Manual [R7].
Periodic tests include:
• Daily Departure Test for Onboard equipment
• Periodic Test for UCII Onboard equipment (60 days)
• Maintenance and Testing Procedures for ElectroLogIXS (90 days):
o Battery Tests
o Track Circuit Tests
• Monthly Wayside Segment Tests:
o Switch Obstruction Tests (49 CFR §236.382)
• Quarterly Wayside Segment Tests:
o Switch Circuit Controller or Point Detector (49 CFR §236.103)
o Shunt Fouling Circuit (49 CFR §§236.104 & 236.57)
o Insulated Joints (49 CFR §236.59)
o Grounds Test (49 CFR §§236.107 & 236.2)
• Annual Wayside Segment Tests:
o Time Release / Time Relay Test
• 2 year Wayside Segment Tests:
o Approach Locking (49 CFR §236.377)
o Time Locking (49 CFR §236.378)
o Route Locking (49 CFR §236.379)
o Indication Locking (49 CFR §236.380)
o Traffic Locking (49 CFR §236.381)
• 4 year Wayside Segment Tests:
o Relay Tests
• 10 year Wayside Segment Tests:
o Insulation Resistance Test
In addition, testing as specified in [R7] is performed after any adjustment, repair or
replacement of components, as described in Section 15.1.1.
Furthermore, configuration audits are performed every four years for Configurable
Items, as specified in DCTA’s CMP [R4], as described in Section 17.4.
20 Records [49 CFR §236.1015(d)(12)] [49 CFR §236.1023(e)] [49 CFR
§236.1037]
20.1 Record Management
This section provides a complete description of each record necessary to ensure the
safety of DCTA PTC system that is associated with periodic maintenance, inspections,
tests, adjustments, repairs, or replacements, and the system’s resulting conditions,
including records of component failures resulting in safety-relevant hazards as required
by 49 CFR §236.1015(d)(12). This section also includes DCTA’s record retention
process that ensures compliance with 49 CFR §236.1037.
DCTA’s record retention process includes:
1. Retention of:
a. A current copy of each FRA approved Type Approval, if any, PTCDP, and
PTCSP that it holds;
b. Adequate documentation to demonstrate that the PTCSP and PTCDP
meet the safety requirements of Subpart I;
c. An Operations and Maintenance Manual pursuant to 49 CFR §236.1039,
as described in Section 15 of this PTCSP;
d. Training and testing records pursuant to 49 CFR §236.1043(b), as
described in Section 14 of this PTCSP.
2. Recording of results of inspections and tests specified in this PTCSP as required
by 49 CFR §236.1015(d)(11) and described in Section 19 of this PTCSP.
3. Retention of training records for each entity providing services related to the
testing, maintenance, or operation of DCTA PTC system per 49 CFR
§236.1039(b), as described in Section 14 of this PTCSP.
4. After the PTC system is placed in service:
a. A database is maintained of all safety-relevant hazards as set forth in this
PTCSP and those that had not been previously identified;
b. Safety-relevant hazards are monitored for frequency: If the frequency
exceeds the threshold set in this PTCSP, DCTA reports the inconsistency
in writing by mail, facsimile, e-mail, or hand delivery to the Director, Office
of Safety Assurance and Compliance, and the FRA. The frequency
threshold for hazards is shown by the level of residual risk in the SHA [A4]
and O&SHA [A5]. If failure(s) occur that would change (increase) the
residual risk category of the hazard, the frequency deviation will be
reported to FRA. Failure Reporting will be in accordance with the Failure
Handling Standard [R8] described in Section 33 of this PTCSP.
20.2 Record Description
DCTA catalogs and maintains all documents for the installation, maintenance, repair,
modification, inspection, and testing of the PTC system as described in Section 15 of
this PTCSP. A complete description, or templates, of each record can be found in DCTA
Operations & Maintenance Manual [R7].
20.3 Data Retention Management
DCTA will retain the following PTC documents and records in accordance with 49 CFR
§236.1037. Table 20-1 displays the retained documents, the requirements and the
retention period.
Table 20-1: Retained Documents
ITEM | REQUIRED BY 49 CFR | RETENTION PERIOD
System Type Approval, PTCDP, PTCSP | §236.1037(a)(1) | The life cycle of the system
Supporting safety documentation for the PTCDP and PTCSP | §236.1037(a)(2) | The life cycle of the system
Operations & Maintenance Manual pursuant to §236.1039 | §236.1037(a)(3) | The life cycle of the system
Training & testing records pursuant to §236.1043(b) | §236.1037(a)(4); §236.1037(c) (contractors) | Until new designations of qualification are recorded for the employee or for at least one year after such persons leave applicable service pursuant to §236.1043(b).
Results of inspections and tests specified in the PTCSP and PTCDP | §236.1037(b) | In accordance with §236.110(b): tests made in compliance with §236.587, 92 days. For tests made in compliance with §236.917(a): installation and modification tests are to be retained for the life cycle of the equipment tested; periodic tests required for maintenance and repair of the equipment tested must be retained until the next record is filed, but in no case less than one year. All other tests must be retained until the next record is filed, but in no case may this period be less than one year.
SCIL | §236.1037(d) | The life cycle of the system
PTC Product Vendor List pursuant to §236.1023(a) | §236.1023(a) | The life cycle of the system
20.3.1 Type Approval, PTCDP and PTCSP
DCTA will keep a copy of each Type Approval received for its PTC system throughout
the lifecycle of the PTC system. DCTA will keep a copy of each submitted PTCDP and
PTCSP throughout the lifecycle of the PTC system. These documents are kept securely
at DCTA headquarters in hard copy and electronic form in a location where only
authorized individuals may access them. Electronic copies will be kept on DCTA
servers, accessible only to authorized personnel.
20.3.2 Supporting Safety Documentation for PTCDP/PTCSP
DCTA will keep a copy of all of the supporting safety documentation used to justify the
PTC system in the PTCDP/PTCSP throughout the lifecycle of the system. These
documents are kept securely at DCTA headquarters in hard copy and electronic form in
a location where only authorized individuals may access them. Electronic copies will be
kept on DCTA servers, accessible only to authorized personnel.
20.3.3 Operations & Maintenance Manual
DCTA has catalogued and will maintain all documents specified in the referenced
PTCDP and this PTCSP for the installation, maintenance, repair, modification,
inspection, and testing of the PTC system. DCTA has collated them into a single
Operations and Maintenance Manual (OMM) that is to be maintained throughout the
lifecycle of the PTC system. This manual, and all of the subdocuments that comprise it,
is readily available to all personnel who are required to perform the tasks described in
the manual and for inspection by FRA and FRA-certified inspectors. Revision control is
tracked through DCTA’s Configuration Management Plan [R4].
20.3.4 Training Records
DCTA will keep a copy of all of the training records which designate persons who are
qualified under 49 CFR §236.1043 until new designations are recorded or for at least
one year after such persons leave applicable service. These documents are kept
securely at DCTA headquarters in hard copy and electronic form in a location where
only authorized individuals may access them. Electronic copies will be kept on DCTA
servers, accessible only to authorized personnel.
Records related to employee attendance and certification/qualification for E-ATC,
including employee attendance records and records related to certification for
individuals to perform certain tasks, will be retained after the employee’s employment
relationship with DCTA ends; or longer, if and as DCTA corporate policy dictates.
Initial and refresher training and qualification records are maintained at DCTA
headquarters for DCTA employees. These records are available for inspection and
replication by FRA and FRA-certified State inspectors at the location they are kept or by
contacting the DCTA Director of Commuter Rail.
Records will include relevant training information such as:
• Name of the employee.
• Employee occupational category or subcategory designation.
• Training completion dates.
• Title of training course completed.
• Pass/fail on associated tests if applicable, or date qualified.
20.3.5 Inspection & Test Records
DCTA will keep a copy of all of the required inspection and test records in a location
where only authorized individuals may access them. For tests performed in accordance
with 49 CFR §236.587, records are kept in hard and/or soft copy form for 92 days.
Copies of installation and modification tests are kept in hard and/or soft copy form
throughout the lifecycle of the system. A copy of periodic tests for maintenance or repair
of the equipment will be maintained until the next record is filed, but in no case less than
one year. All other tests will be retained in hard and/or soft copy form until the next
record is filed, but in no case less than one year. All inspection and test records will be
available for inspection and replication by FRA and FRA-certified state inspectors.
20.3.6 Hazard Log (SCIL)
The master copy of the E-ATC Hazard Log in the form of the Alstom Safety Critical
Items List (SCIL) [A2] will be maintained by DCTA at its DCTA Rail Operations and
Maintenance Facility (Rail OMF) in Lewisville, TX. Electronic copies will be kept on
DCTA servers, accessible only to authorized personnel. Configuration control will be
maintained through DCTA’s Configuration Management Plan. Any additional hazards
determined during system operation will be added to the SCIL and mitigations provided
to maintain the required level of system safety.
Any errors and malfunctions of the system are reported to vendors, other E-ATC
customers, and the FRA in accordance with the Failure Handling Standard [R8]
discussed in Section 33 of this PTCSP. As appropriate, safety-critical errors and
malfunctions will be logged into the SCIL database and monitored for frequency. If the
frequency exceeds the threshold set in this PTCSP, DCTA will report the inconsistency
in writing by mail, or e-mail to the FRA Director, Office of Safety Assurance and
Compliance as required.
20.3.7 Product Vendor List
DCTA will keep a copy of the PTCPVL [A8] throughout the lifecycle of the system. This
document will be kept securely at DCTA headquarters in either hard, and/or soft, copy
form in a location where only authorized individuals may access it. Section 33.1 further
describes the PTCPVL.
21 Safety Analysis of Work Zone Incursion Protection from Human
Error [49 CFR §236.1015(d)(13)]
This section provides a safety analysis to determine whether any risk remains of an
unintended incursion into a roadway work zone due to human error, as required by 49
CFR §236.1015(d)(13). This section also describes how any remaining risks are
mitigated.
21.1 Functional Description
E-ATC prevents unauthorized train incursions into the limits of work zones. The
Onboard Segment provides enforcement for the limits of the work zone as designated
by the zone boundaries entered by the Dispatcher in the Office Segment of the E-ATC
system.
DCTA establishes work zones per GCOR. The Dispatcher establishes the work zone on
the TSR server and CTC dispatch systems, separately, to set all signals for the affected
zone to Stop. The Dispatcher informs the Roadway Worker in Charge (RWIC) that the
work zone has been established, and the RWIC verbally confirms this information.
Once the work zone has been established using the TSR Function, the UCII onboard
equipment vitally enforces a stop prior to entry into the work zone. Therefore, work zone
protection as required under the FRA rules is implemented and enforced in a manner
similar to MD0 protection. The DCTA work zone workflow is depicted in Figure 21-1.
21.2 Identification and Mitigation of Human Errors
The work zone protection function is accomplished through a combination of system
functionality and procedure. Human error can be sub-categorized into errors associated
with interaction with the Human Machine Interface, in this case the EDU, or failure of
procedure. Those facets of the work zone protection function that pertain to human
errors are listed in the O&SHA and include those associated with both the Train Crew
and the RWIC. Procedural and training requirements are established in the O&SHA to
ensure that the resulting operating procedures generated to support protection against
work zone incursion also mitigate all potential hazards.
21.3 DCTA Operating Rules Related to E-ATC Protection Against Work Zone
Incursion
At present, there are no proposed changes to the rules for establishing and protecting
work zones due to PTC. There is no proposed change in operations regarding form-based
authorities, placing of red boards, yellow/red boards, yellow boards, etc., or limits of
track and time. Existing communications of work zones and protection thereof, as
communicated between the train and the Dispatcher, will remain as they are today. The
PTC system will provide an overlay as a method of enforcement. Per the rules,
authorities granted by the Dispatcher are enforced onboard the DMU. Figure 21-1,
below, provides a depiction of the work zone workflow.
Figure 21-1: Work Zone Workflow (flowchart steps)
1. Initiate Work Zone Process
2. RWIC: Determine Work Zone Limits and Tasks to be Performed
3. RWIC: Initiate contact with Train Dispatcher and get Track and Time
4. RWIC: Inform Work Crew at Job Briefing
5. Dispatcher: Enter Track and Time in CTC System
6. TSR Server: Protect Track and Time with TSR (0) Encompassing Work Limits
7. Dispatcher: Confirm or modify the Track & Time based on operations
8. RWIC: Copy Track & Time from Dispatcher
9. RWIC: Job brief crew on limits and time limit of authority
10. RWIC: Perform track work in work zone
11. RWIC: Complete Work Zone Tasks, Clear equipment, Job Brief
12. RWIC: Cancel Track and Time
13. Dispatcher: Confirm information with RWIC, cancel Track and Time
14. TSR Server: Cancel TSR (0) Encompassing work limits
15. RWIC: Job Brief with crews regarding Track & Time Cancellation
16. Finish Work Zone Activity
22 Alternative Arrangements for Rail At-Grade Diamond Crossings
[49 CFR §236.1005(a)(1)(i)] [49 CFR §236.1015(d)(14)]
This section provides a detailed description, when applicable, of any alternative
arrangements as already provided under §236.1005(a)(1)(i) with regard to train-to-train
collisions as required by 49 CFR §236.1015(d)(14).
There are no rail at-grade diamond crossings on the DCTA territory, therefore this
section is reserved.
23 Authority and Signal Enforcement Exceptions Not in PTCDP [49
CFR §236.1005(e)(4)] [49 CFR §236.1015(d)(15)]
This section provides additional details of the DCTA PTC system enforcement of
authorities and signal indications to supplement the descriptions included in the
referenced PTCDP and any exceptions to the switch protection requirements as
required by 49 CFR Part 236, Subpart I, 49 CFR §236.1005(e)(4) and 49 CFR
§236.1015(d)(15).
DCTA does not have any form of authority or signal enforcement that is not already
described in the E-ATC Type Approval, so no action is necessary.
24 Compliance with Stated MTEA [49 CFR §236.1015(d)(16)] [49 CFR
§236.1019(f)]
This section describes how the DCTA PTC system complies with 49 CFR §236.1019(f)
to attest that no changes, except for those included in an FRA approved RFA, have
been made to the information in DCTA’s PTCIP and Main Line Track Exceptions, as
required by 49 CFR §236.1015(d)(16).
Main Track Exclusion Addenda (MTEA) for the DCTA territories listed in Table 24-1,
below, have been implemented as stated in Section 13 of the approved DCTA PTCIP
[14].
Table 24-1: DCTA Corridor MTEAs
Description | Mile Post(s)
Lewisville Yard | MP 737.16 - MP 738.04
Trinity Mills Station | MP 742.83 - MP 742.48
Downtown Denton Station | MP 721.63 - MP 721.80
There are no changes to the MTEAs as appended to the PTCIP and no other MTEAs
have been proposed or implemented by DCTA.
25 Deviation in Operational Requirements for Enroute Failures [49
CFR §236.1015(d)(17)] [49 CFR §236.1029(c)]
25.1 E-ATC Failures Enroute
This section describes any deviations in operational requirements for enroute failures as
specified under 49 CFR §236.1029(c) that are not completely provided for in the
PTCDP as required by 49 CFR §236.1015(d)(17). DCTA operations follow the General
Code of Operating Rules [17] and DCTA Timetable No. 5 [R1] and General Order No. 1
[R2].
E-ATC Failures Enroute
DCTA handles enroute failures by using the cut-out capability and operating in a manual
block mode per GCOR rules and FRA regulation.
DCTA does not anticipate any deviations from the FRA requirements for operations
during enroute failures, as are stated in regulation 49 CFR §236.1029(b).
Locations where Failed Onboard PTC Apparatus will be Exchanged or Repaired
Per 49 CFR §236.1015(d)(21), DCTA identifies where failed PTC Onboard Apparatus
will be repaired or exchanged in Table 25-1, below. No movements on DCTA will
potentially exceed 500 miles.
Table 25-1: Location(s) for Failed Onboard PTC System Replacement
Name | Location
DCTA O&M Facility | 640 East Texas 121 Business, Lewisville, Texas 75057
Current operation of E-ATC PTC on DCTA permits a failed PTC onboard unit to be cut
out and the train to be operated as unequipped for the rest of its existing run. The unit
will then be routed to the appropriate maintenance facility listed above for diagnosis and
repair. DCTA will follow the process required by 49 CFR §236.1029 to bring a failed
PTC unit to the facility for servicing.
26 Enforcement of Hazard Detectors [49 CFR §236.1005(a)(4)(v)] [49
CFR §236.1005(c)(1)] [49 CFR §236.1005(c)(2)] [49 CFR
§236.1015(d)(18)]
This section is designated for documenting the complete description of how the
applicable PTC system appropriately and timely enforces integrated hazard detectors
as required by 49 CFR §236.1015(d)(18).
DCTA’s implementation of E-ATC does not have integrated hazard detectors.
26.1 Function Description for Additional Non-Integrated Hazard Detectors on
DCTA
E-ATC, as currently designed, does not specify any actions to be taken by the system
and crewmembers based on the receipt and presentation to the Train Operator and
Train Crew of alarms or other warnings generated as the result of additional non-integrated hazard detectors.
There are no non-integrated hazard detectors located on the DCTA territory.
27 Emergency and Planned Maintenance Re-Routing Management
Plan [49 CFR §236.1005(g-k)] [49 CFR §236.1015(d)(19)] [49 CFR
§236.1029]
This section provides the emergency and planned maintenance temporary rerouting
plan, including an indication of how operations on the DCTA PTC system take
advantage of the benefits provided under 49 CFR §236.1005(g) – (k) as required by 49
CFR §236.1015(d)(19).
An Emergency and Planned Maintenance Rerouting Plan is not applicable on the DCTA
corridor. The single main line is PTC equipped, and there is no alternative route for PTC
operation. Trains that are not PTC-equipped (tenant freight) operate according to a
temporal separation agreement, as permitted under 49 CFR §236.1006(b)(4).
Otherwise, the only trains that may operate on DCTA territory without being (functionally) PTC-equipped are those experiencing enroute failures of PTC equipment.
28 High Speed Service Requirements [49 CFR §236.1005(c)(3)] [49
CFR §236.1007] [49 CFR §236.1015(d)(20)]
This section contains the documents and information required for high-speed service
under 49 CFR §236.1007 as required by 49 CFR §236.1015(d)(20).
E-ATC is designed based on cab signal systems and is developed to support operating
speeds prevalent on North American freight and passenger roads. As required by 49
CFR §236.1007(a), E-ATC is a vital overlay that works in concert with the safety-critical
functional attributes of a block signal system, including appropriate fouling circuits and
broken rail detection (or equivalent safeguards). Refer to Section 6 of this PTCSP.
Maximum speed for tenant freight trains is 40 MPH, while passenger trains operate at
up to 60 MPH. Note that tenant freight trains are not equipped with an E-ATC system
and operate according to a temporal separation agreement, as permitted under 49
CFR §236.1006(b)(4).
DCTA’s E-ATC system meets the requirements set forth in 49 CFR §236.1007(a) for
high-speed service. Where DCTA passenger trains are operated at the maximum speed
of 60 MPH, the PTC system is overlaid on a cab signal and block signal system that
includes all of the safety-critical functional attributes meeting the requirements of FRA
Part 236, including appropriate fouling circuits and broken rail detection.
DCTA does not have any trains operating or planned to be operating over 90 MPH at
the time of submittal, hence 49 CFR §236.1007(b)(c)(d) and (e) are not applicable.
Should DCTA decide in the future to operate trains at greater than 90 MPH, a sufficient
explanation of the additional safety measures provided per FRA regulation will be
distinctly identified in a future revision of this PTCSP.
29 Communication and Security Requirements [49 CFR
§236.1015(d)(20)] [49 CFR §236.1033]
This section contains the documents and information required for communications and
security requirements under 49 CFR §236.1033 as required by 49 CFR
§236.1015(d)(20).
29.1 Communications Restoration Plan
DCTA maintains an E-ATC Communication Restoration Plan [R5] for coping with
communications systems outages and faults while providing safe PTC operation.
Failed communications are repaired as soon as possible. Response will take place
immediately after notification; it will not be deferred for convenience.
Any service restoration effort will be led and coordinated by the Dispatcher. Backup
communications paths are provided to minimize the risk of communications outages, as
shown in Figure 6-1. If only one communications path is affected, service will continue
normally, using the backup path while the primary path is restored. If communication to
a CP is lost completely and routes cannot be cleared, operation through the affected
area may continue at restricted speed using Absolute Block rules, as required by 49
CFR §236.1029. Train movement will be supervised by the Dispatcher.
Multiple site failures, or system wide communication failures will result in the suspension
of all train operation.
29.2 Wireless Messaging Security and Encryption
Wireless communications are not used for the transmission of vital PTC commands and
indications. Vital commands and indications are entirely within the Wayside Signal
System, using wired and track-borne communications systems. The Cab Signaling
system is a captive network that is only operable for a very limited range between
Control Points, vehicle and rails. This is not considered a communication system that
needs encryption of any kind.
No wireless communications (data radio) are incorporated into the E-ATC system on the
DCTA Corridor; hence, 49 CFR §236.1033 (a) through (e) are not applicable.
29.3 Communication Security Provisions in E-ATC
Communication Security measures have been designed to limit unauthorized access to
and prevent tampering or overriding the safety functions of the system. The security
measures address wayside, office and communication subsystems as applicable.
The security of communicated data associated with the protection of E-ATC messaging
between CTC and Wayside Segments and between wayside locations for each type of
link within the Communication Segment is described further below.
Note that data exchange between locations within the wayside signaling system is not
considered part of the Communication Segment. Wayside to Wayside data exchange is
part of the vital signaling system and is described further in Section 29.3.1.
29.3.1 Wayside to Wayside Data Exchange
Data exchange between wayside locations is provided through copper cable that
connects ElectroLogIXS signal processors. These cables are dedicated wayside
communications links that terminate only in the wayside signal houses. Messaging
between these locations uses the RP2000 protocol, which complies with EN
50159 [18].
RP2000 is a protocol that is designed to communicate vital (safety-critical) binary data
between two vital control units via fixed-format messages. As a vital protocol, RP2000
provides mechanisms to detect data corruption, misrouted messages, out-of-sequence messages, and stale messages.
RP2000 allows messages to be defined with varying sizes (8 bits to 512 bits of data).
However, a given message from one Vital Logic Controller (VLC) to another is fixed in
size and data definition by the application. That is, once defined by the specific
application, the definition and amount of data transmitted from one unit to the other
does not change from message transmission to message transmission and the
message is always transmitted in its entirety.
Figure 29-1, below, depicts the basic RP2000 operation. One message from Unit 1 to
Unit 2 is defined by the unit application (size and meaning of bits transmitted) with
another being defined from Unit 2 to Unit 1. Both units must be transmitting / receiving
the defined messages for the RP2000 link to be “up” and operational.
Figure 29-1: Basic RP2000 Interaction (Unit 1 sends Message A to Unit 2; Unit 2 sends Message B to Unit 1)
The RP2000 elements and construction of the message are such that two processors
are required to construct a valid message and two processors to interpret a
message’s successful transmission and reception. The RP2000 protocol features
provide for:
1. Detection of data integrity faults
2. Misaddressed messages (incorrect sender or receiver)
3. Out-of-sequence message arrival
4. Stale data reception
Using the RP2000 protocol messaging described herein, the vital signal processors are
able to determine if valid messaging is received. If valid messages are not received, the
communications link is considered to have failed.
If the link between vital signal processors fails, the wayside logic assumes worst-case
conditions, such as train occupancy at the location to which the link has failed. This
forces signals to Stop, removes the permissive cab signal indication and brings the train
to a stop.
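As an added illustration of the four detection goals listed above and of the worst-case rule for a failed link, the following Python receiver models a fixed-format vital message. It is not DCTA's or Alstom's code and not the RP2000 wire format; the 12-byte layout, the CRC-32 check, the "bit 0 = block clear" data meaning and the 2-second staleness window are assumptions chosen for illustration.

```python
"""Receiver-side checks for a fixed-format vital link, modelled on the
detection goals the PTCSP lists for RP2000 and the fail-safe link rule.

Added example: not DCTA's or Alstom's code and not the RP2000 wire format.
The 12-byte layout, CRC-32, data meaning and staleness limit are assumptions.
"""
import struct
import zlib
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed fixed layout: src(1) dst(1) seq(2) data(4) crc32(4), always 12 bytes.
HEADER_FMT = ">BBH4s"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MSG_LEN = HEADER_LEN + 4
STALE_LIMIT_S = 2.0  # assumed: no valid message within this window -> link down


def encode(src: int, dst: int, seq: int, data: bytes) -> bytes:
    """Build one fixed-size message; CRC-32 covers addresses, sequence and data."""
    body = struct.pack(HEADER_FMT, src, dst, seq & 0xFFFF, data)
    return body + struct.pack(">I", zlib.crc32(body))


@dataclass
class VitalLink:
    """State of one direction of a link as seen by the receiving unit."""
    my_addr: int
    peer_addr: int
    last_seq: Optional[int] = None
    last_data: Optional[bytes] = None
    last_ok_time: Optional[float] = None
    up: bool = False
    faults: List[str] = field(default_factory=list)

    def _check(self, frame: bytes) -> Optional[str]:
        """Return a fault name, or None if the frame passes every check."""
        if len(frame) != MSG_LEN:                          # fixed size: anything else is a fault
            return "integrity"
        body = frame[:HEADER_LEN]
        crc = struct.unpack(">I", frame[HEADER_LEN:])[0]
        if zlib.crc32(body) != crc:                        # 1. data integrity fault
            return "integrity"
        src, dst, seq, _ = struct.unpack(HEADER_FMT, body)
        if src != self.peer_addr or dst != self.my_addr:   # 2. misaddressed message
            return "misaddressed"
        if self.last_seq is not None and seq != (self.last_seq + 1) & 0xFFFF:
            return "out_of_sequence"                       # 3. also catches a replayed old frame
        return None

    def receive(self, frame: bytes, now: float) -> Optional[bytes]:
        """Accept a valid frame and return its data; reject anything else.

        A rejected frame does not advance the sequence state, so a link that
        keeps failing checks stops refreshing last_ok_time and goes stale.
        """
        fault = self._check(frame)
        if fault is not None:
            self.faults.append(fault)
            return None
        _, _, seq, data = struct.unpack(HEADER_FMT, frame[:HEADER_LEN])
        self.last_seq, self.last_data, self.last_ok_time, self.up = seq, data, now, True
        return data

    def block_clear(self, now: float) -> bool:
        """Worst-case rule: without a fresh valid message the block is treated as occupied."""
        if self.last_ok_time is None or now - self.last_ok_time > STALE_LIMIT_S:
            if self.up:
                self.faults.append("stale")                # 4. stale data / link timeout
            self.up = False
            return False
        return bool(self.last_data[0] & 0x01)              # assumed: bit 0 = block clear
```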
29.3.2 Wayside to CTC Servers Communications
Communication between CTC servers and ElectroLogIXS units is via Genisys protocol.
This arrangement ensures that the final messaging into the vital processor is not directly
accessible outside of the signal house.
29.3.3 Communication Between CTC Servers
CTC Servers are located in both the Dispatch Center in the Rio Grande and Pacific
Train Dispatch Center (TCC) in Fort Worth, TX and a backup Dispatch Center located in
the DCTA Rail Operations and Maintenance Facility (Rail OMF) in Lewisville, TX. This
architecture provides redundancy and reliability to support railroad dispatching.
29.3.4 CTC Servers to Dispatch Workstations
This traffic is to support the application data for the dispatch workstations located in Rio
Grande and Pacific Train Dispatch Center (TCC) in Fort Worth, TX. The messaging
between dispatch and servers is encrypted.
30 Identification of Potential Data Errors and their Mitigation [49 CFR
§236.1015(h)]
This section identifies the risks for potential data errors and provides a discussion of
each risk’s applicable mitigation as required by 49 CFR §236.1015(h).
For E-ATC, the data errors considered are those that can be introduced into the system
but not directly detected and mitigated by the E-ATC design during normal operations.
Below are sources of potential data errors, general mitigations put in place to address
hazards that could result from errors in data, and pointers to DCTA documentation
provided within this PTCSP to confirm mitigations are instituted.
30.1 Sources of Potential Data Errors
PTC system data errors are accounted for in the DCTA E-ATC SHA [A4]. The
System/Segment Affected column of the SCIL refers to the source of the potential
hazard. Identification of the sources of potential data errors for DCTA are listed below:
• Communications system does not deliver message;
• Communication system sends stale message data;
• Communication system corrupts valid data.
30.2 Mitigations for Potential Data Error Hazards
Mitigations instituted to rely on the vitality of the wayside system include the following:
• The wayside vitally enforces temporary speed restrictions and mandatory directives;
• The wayside provides vital train detection and track-circuit occupancy status;
• Interlockings are implemented vitally;
• Speed control functionality is implemented vitally.
Additional mitigations applied are:
• A TSR heartbeat is provided to ensure current information;
• Office design uses a multi-step Select – Check – Execute design to implement TSRs and MDs.
Residual risks associated with these potential data errors are mitigated to risk level 1-E,
acceptable with review.
31 Third Party Assessment [49 CFR §236.1017]
Pursuant to 49 CFR §236.1017, the Associate Administrator has not concluded that an
independent third-party assessment of the DCTA PTC system is necessary based on
the criteria set forth in 49 CFR §236.913.
32 PTC Data Maintained in Locomotive Event Recorder [49 CFR
§236.1005(d)]
This section specifies how DCTA’s E-ATC system meets the requirements of
§236.1005(d); Event Recorders.
Each DMU operating on DCTA’s E-ATC system is equipped with an Event Recorder
meeting the requirements of 49 CFR §229.135.
§236.1005(d)(1)(i) requires that event recorders shall “(r)ecord safety-critical train
control data routed to the locomotive engineer's display that the engineer is required to
comply with”.
The UCII CPU includes a serial RS-232 port that continuously outputs logging
information. This RS-232 port is connected to the existing non-crash-hardened HASLER
TELOC event recorder. The non-crash-hardened event recorder is used to store the
UCII CPU logging information. The non-crash-hardened event recorder periodically
provides the UCII with time and date to allow the UCII to synchronize its time and date
to the time and date provided by the event recorder.
The non-crash hardened event recorder located in the A car parses through the
received UCII logging information and forwards the following information (in compliance
with 49 CFR §236.105) to a crash hardened recorder located in the roof area:
• Received cab codes (49 CFR §229.135); aspect name (STOP, UNK/CC, EOB, SP, YD, 15R, 10, 15, 20, 25, 35, 40, 45, 55, 60)
• Audible alarm activation; with reason (speed limit change, TTP enforcement, overspeed enforcement, self-test),
• Overspeed detection,
• Time to Penalty,
• PTC Electric Brake requests,
• PTC Emergency Brake requests,
• Operating mode; Trail, Cab Active, Self-Test, No Code Proceed, EOB Proceed, Restricted, Yard
• Measured speed; primary and secondary speed measurements,
• End selection (A End or B End),
• Motion detection (vehicle not at Zero Speed),
• System critical health check failures,
• Date/Time (GPS Based).
Operation of the bypass switch to cut-out the UCII causes the UCII to be powered
down. The bypass switch status is connected directly to an event recorder discrete
input. The event recorder records the position of the bypass switch.
49 CFR §236.1005(d)(1)(ii) requires that event recorders shall “(s)pecifically include text
messages conveying mandatory directives, maximum authorized speeds, PTC system
brake warnings, PTC system brake enforcements, and the state of the PTC system
(e.g., cut in, cut out, active, or failed)”.
This requirement is not applicable to E-ATC, as there are no text messages transmitted
to the EDU.
49 CFR §236.1005(d)(1)(iii) requires examples of how the captured data will be
displayed during playback, along with format, content, and data retention requirements.
It also permits separate memory modules for the data, as long as it can be calibrated
against other data required.
Examples of how captured data will be displayed during playback are shown in
Appendix [A10]. The format and content are consistent with the data types recorded and
may be analyzed using a personal computer that connects to the memory module. A
complete description of the format and data types is cataloged in the interface
description document for the UCII [R24]. The crash hardened event recorders are
specified to store a minimum of 7 days of data under normal vehicle operation. Data will
be stored last-in first-out, that is, when the storage is full, the newest data event will
overwrite the oldest stored event.
49 CFR §236.1005(d)(2) requires that each locomotive manufactured and in service
after October 1, 2009 be equipped with an event recorder memory module meeting
crash hardening requirements of 49 CFR §229.135. All commuter vehicles on DCTA are
equipped with event recorders with memory modules meeting crash hardening
requirements of 49 CFR §229.135.
33 Process for Reporting Errors and Malfunctions [49 CFR §236.1023]
33.1 PTCPVL [49 CFR §236.1023(a)]
DCTA has established a PTC Product Vendor List (PTCPVL) [A8] that includes all
vendors and suppliers of its E-ATC system, products and components. Changes to the
PTCPVL are managed through the DCTA Configuration Management Plan [R4]. The
PTCPVL is available to the FRA upon request.
33.2 Failure Notification and Recording Process
DCTA and its vendors and suppliers have adopted E-ATC Practice 001 – Failure
Notification and Recording, to govern notification of all parties upon discovery of safety-critical failures or previously unidentified hazards in its E-ATC system. The Standard is
available for review [R8] and is briefly summarized below.
As detailed in the Standard, Vendor responsibilities include:
• Maintaining a list or database of Railroads using their E-ATC products
• Prompt notification to all Railroads upon discovery of any safety-critical failure, or previously unidentified hazard in their product
• Notification must include a thorough description of the defect and recommended mitigation
• FRA notification within 15 days of defect discovery
• Determination of root cause and final corrective actions
Railroad responsibilities include:
• Documentation of safety-critical failures, or previously unidentified hazards in an incident report
• Prompt notification of the vendor of the affected product with details from the incident report
• FRA notification within 15 days of defect discovery
• FRA notification by telephone within 24 hours when a defect resulting in a more permissive aspect than intended or hazardous to the movement of a train is discovered.
• Take prompt counter measures to ensure safety and reliability of operations
34 PTC System Exclusions [49 CFR §236.1027]
49 CFR §236.1027 allows for the exclusion of certain office system technologies from
Subpart I compliance. This section describes the role of DCTA’s Office Segment within
the E-ATC system and provides justification for its exclusion from Subpart I
requirements in accordance with 49 CFR §236.1027(a).
34.1 Office E-ATC Added Functions
The existing CTC Dispatching system for DCTA was expanded upon for E-ATC by
adding a separate TSR terminal to implement Temporary Speed Restriction (TSR) and
Mandatory Directive (MD) functionality. The legacy system was excluded from 49 CFR
Part 236 Subpart H requirements in accordance with 49 CFR §236.911(c). This section
analyzes the safety impact of the added functionality on the Office Segment.
34.2 Implementation of Office E-ATC Functions
TSR and MD requests are implemented by the Dispatcher within the Office Segment
through the same GCOR forms that were used for this purpose prior to E-ATC. When
the form is issued by the Dispatcher, a speed-code request is sent from the Office to the
Wayside Segment. The Wayside Segment implements the request if safe to do so.
Once implemented by the Wayside, TSRs and MDs are enforced vitally.
Separate oral transmission over radio from the Dispatcher to the Train Crew or
Roadway Worker in Charge is required for all TSRs and MDs, providing the opportunity
for error checking.
A TSR heartbeat function transmitted every 18 seconds is provided between the Office
and Wayside Segments to confirm that the Office and Wayside are in sync with respect
to TSRs and MDs.
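The heartbeat check described above, as an added illustration that is not code from the DCTA PTCSP or its E-ATC vendor. It models only the wayside side: the 18-second period is from the text, while the heartbeat payload (the set of TSR/MD identifiers the Office holds), the missed-beat tolerance and the constructed event log are assumptions made for the example.

```python
# Added illustration, not code from the DCTA PTCSP or its E-ATC vendor.
# Models the wayside side of the 18-second Office->Wayside TSR heartbeat.
# Assumptions (constructed for the example): each heartbeat carries the set of
# TSR/MD identifiers the Office believes are in effect; the Wayside compares
# that set with what it vitally enforces and treats a stale or mismatched
# heartbeat as loss of sync. Real E-ATC message contents are not specified here.
from typing import List, Optional, Set, Tuple

HEARTBEAT_PERIOD_S = 18.0   # interval stated in the PTCSP
MISSED_BEATS_ALLOWED = 2    # assumption: alarm once a third beat is overdue


class WaysideTsrMonitor:
    """Tracks Office/Wayside agreement on active TSRs and MDs."""

    def __init__(self, enforced: Set[str]) -> None:
        self.enforced = set(enforced)          # what the vital wayside enforces
        self.last_beat: Optional[float] = None  # time of the last heartbeat seen

    def on_heartbeat(self, now: float, office_set: Set[str]) -> Tuple[str, List[str]]:
        """Record a heartbeat; return sync status plus any differing identifiers.
        A mismatch never alters self.enforced: the wayside keeps its own vital
        state and only reports the discrepancy for the dispatcher to resolve."""
        self.last_beat = now
        diff = sorted(set(office_set) ^ self.enforced)
        return ("OUT_OF_SYNC", diff) if diff else ("IN_SYNC", [])

    def check(self, now: float) -> str:
        """Return HEARTBEAT_LOST once more than the allowed beats are missed."""
        limit = HEARTBEAT_PERIOD_S * (MISSED_BEATS_ALLOWED + 1)
        if self.last_beat is None or now - self.last_beat > limit:
            return "HEARTBEAT_LOST"
        return "OK"


def replay(enforced: Set[str], events) -> List[str]:
    """Run a constructed event log of (time, kind, payload) through the monitor.
    kind is "beat" (payload = Office TSR/MD set) or "check" (payload ignored)."""
    mon = WaysideTsrMonitor(enforced)
    outcomes = []
    for t, kind, payload in events:
        if kind == "beat":
            outcomes.append(mon.on_heartbeat(t, payload)[0])
        else:
            outcomes.append(mon.check(t))
    return outcomes
```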
The Office Segment safety relevance and compliance with 49 CFR Part 236 Appendix
C is discussed in more detail in the Risk Assessment contained in Section 11 and
Appendix [A1] of this PTCSP.
34.3 Summary of E-ATC CTC Automation
Architecture and design of DCTA’s E-ATC system have ensured that all safety-critical
functions are performed by the vital Wayside and Onboard Segments. The Office
Segment does not perform safety-critical functions within, or affect the safety
performance of, the E-ATC system, and therefore qualifies for exclusion from 49 CFR
Part 236 Subpart I requirements in accordance with 49 CFR §236.1027(a).
35 Novel Technology Employed in Highway Crossing Protection for
PTC [49 CFR §234.275(c)]
This section explains how the new and novel highway crossing protection performance
objective is met by this product, why the objective is not relevant to this product’s
design, or how the safety requirements are satisfied using alternative means as
required by 49 CFR §234.275(c) and 49 CFR Part 236, Subpart I.
The DCTA E-ATC system does not include any PTC-based crossing protection
subsystems and does not interface to any existing crossing protection subsystems.
Highway-railway grade crossing warning systems will not be modified to provide
safety-critical data to E-ATC and, accordingly, 49 CFR §234.275(c) is not applicable to E-ATC.
Note that E-ATC also provides protection for highway grade crossing system
malfunctions through the enforcement of Mandatory Directives issued by the Dispatcher
for Activation Failures and False/Partial Activation.
36 List of Appendices
Table 36-1 lists appendix artifacts referenced within this document and included within
Volume II of this PTCSP.
Table 36-1: List of Appendices
Appendix   Title
[A1]       DCTA Risk Assessment Report, Rev A02, March 9, 2020
[A2]       Safety Critical Items List (SCIL) for the DCTA Project, 083511-112, Rev A06, 2020 April 02
[A3]       DCTA Project Preliminary Hazard Analysis (PHA), 083511-109, Rev A05, 2020 April 02
[A4]       DCTA Project System Hazard Analysis (SHA), 083511-110, Rev A05, 2020 April 02
[A5]       DCTA Operating & Support Hazard Analysis (O&SHA), 083511-111, Rev A05, 2020 April 02
[A6]       DCTA Project Safety Report, 083511-113, Rev A02, 2020 April 02
[A7]       DCTA PTC Human Factor Analysis of Onboard and Office Segments of the E-ATC System, Rev 1.1, 04/01/2020
[A8]       PTC Product Vendor List, DCTA, E-ATC Rev 0, 02/27/2020
[A9]       Warnings and Warning Label Examples
[A10]      Event Recorder Readout Examples
37 Redaction Matrix
Note: This section is reserved for future use should it be needed. No redactions will be
incorporated in the appendices of this revision of the PTCSP.
Content of this PTCSP containing confidential information that constitutes trade secrets
and other proprietary information, for which exemption from the mandatory disclosure
requirements of the Freedom of Information Act (5 U.S.C. §552) (FOIA) is claimed, would
be listed in this section. When applicable, this section is used to provide justification for
the redaction of documentation from public disclosure as provided in the DCTA PTCSP
submitted to FRA.