Docket Number: FRA-2006-23687

united transportation union
14600 Detroit Avenue
Cleveland, Ohio 44107-4250
International President
Brotherhood of Locomotive Engineers & Trainmen
1370 Ontario Street, Mezzanine
Cleveland, Ohio 44113-1702
National President
May 12, 2006
Docket Clerk
DOT Central Docket Management Facility
Room PL-401
400 7th Street, SW (Plaza Level)
Washington, DC 20590-0001
Re: Docket Number FRA-2006-23685
Dear Docket Clerk:
Attached hereto please find the Comments of the United Transportation Union and the
Brotherhood of Locomotive Engineers and Trainmen with respect to the above-referenced
Respectfully submitted,
Paul C. Thompson
International President
Don M. Hahs
National President
Computer Generated Letterhead
Federal Railroad Administration
in re
CSX Transportation, Inc.
Railroad Safety Program Plan
DOT DMS Docket No. FRA-2006-23685
Comments of
Brotherhood of Locomotive Engineers and Trainmen
United Transportation Union
The United Transportation Union (“UTU”) and the Brotherhood of Locomotive Engineers and Trainmen (“BLET”), a division of the Rail Conference of the International Brotherhood of Teamsters, are filing joint comments concerning the above-referenced document. BLET
and UTU are the duly recognized collective bargaining representatives, under the Railway Labor
Act (45 U.S.C. §§ 151 et seq.), for more than 10,000 operating craft employees and yardmasters
employed by the CSX Transportation, Inc. (“CSX”), all of whom are directly affected by the
document. For the reasons set forth below, UTU and BLET submit that FRA should require
CSX to make the following amendments and changes to its Railroad Safety Program Plan
(“RSPP”) referenced above.
Our first concern is with Section 4.1.2 of the RSPP, which addresses risk assessment.
CSX notes that its risk assessment process will be standardized and documented, and that the
“documentation shall include a listing of the appropriate railroad personnel who were part of the
assessment, their relationship to the operation of the system, and the logic justifying the conclusions that were reached regarding the severity and probability of occurrence of the identified
hazard.” However, footnote 1 states the following:
While it is possible to develop a quantitative methodology for this type of analysis, the
most practical method for railroad application is straightforward deductive reasoning, applied on a collective or organizational basis. A composite of experienced railroad personnel from appropriate line and staff departments can effectively determine the severity
of all but the most difficult or unusual hazards.
RSPP at p. 4-2.
We believe CSX’s proposed process is insufficient. Foregoing altogether any analysis of
quantitative data will produce a risk assessment that is not grounded on any performance data.
Given current requirements of Parts 225 and 240, if not others, there is no lack of data that
should properly be considered in conducting a PTC analysis. CSX should be required to revise
its RSPP to include a quantitative methodology in performing its risk analysis.
With respect to CSX’s risk assessment protocols, we also would point out that the proposed RSPP fails to meet applicable regulatory requirements. FRA recognizes U.S. Department
of Defense Military Standard for System Safety Program Requirements (“MIL-STD-882C”) “as
providing appropriate risk analysis processes for incorporation into verification and validation
standards” for PTC systems. 49 C.F.R. Part 236, App. C at ¶ (c)(3). All 882C hazard severity
categories include varying levels of environmental damage; however, CSX’s proposed RSPP
fails to include environmental damage in any of its hazard severity categories. RSPP at pp. 4-2–
4-3. CSX should be required to conform its hazard severity classifications to those set forth in
the DOD 882C standard, as required by Part 236.
Furthermore, CSX’s risk assessment protocols reflect, in part, the more detailed criteria
set forth in the DOD MIL-STD-882D standard,1 which has superseded the 882C standard. However, CSX has deviated from the 882D criteria, as can be seen in the side-by-side comparison of
the 882C, 882D, and proposed CSX severity criteria appended hereto as Attachment 2. The
damage thresholds proposed by CSX, although they deviate from the 882D thresholds, are not
problematic because they relate to FRA’s Part 225 accident/incident reporting requirements. On
the other hand, we must voice concern with respect to how CSX proposes to allocate casualties
among the four severity categories.
CSX’s use of the phrase “FRA reportable deaths” in the “catastrophic” category contrasts
starkly to the 882D reference to a singular, non-conditional “death.” Is CSX proposing that a
hazard that produces only one death is not catastrophic? If so, we would contend that CSX has
impermissibly deviated from the DOD standard. We acknowledge that there is no reference to
death among the “critical” criteria; therefore, the problem may require be nothing more than
However, a different issue arises with respect to how the RSPP treats injuries. The DOD
standard considers the permanent and total disability of a single person as catastrophic; CSX
proposes that a minimum of five injuries is required to meet the catastrophic threshold. On the
other hand, the DOD injury threshold for critical severity is three, whereas the CSX proposes
that the threshold be two, which is stricter. Injury criteria for the marginal and negligible severities, while slightly different from the DOD standard, appear to be based upon FRA reporting
For FRA’s ready reference, the DOD 882D standard is appended hereto as Attachment 1.
requirements. We believe that the injury threshold between critical and catastrophic does not
comport with the requirements of Part 236, and must be revised.
CSX’s proposed hazard probability criteria are curious. First, CSX bases its criteria on
“system operating hours,” rather than on fleet miles. RSPP at p. 4-3. Since no data are provided
establishing how many system operating hours the fleet is expected to be in operation in PTC
service, it is difficult to consider the criteria in other than abstract terms. Further, it appears that
the frequency criteria are significantly stricter than those contained in the DOD standard. Attachment 3 compares the proposed CSX standards with those quantified in DOD standard 882D.
Taken alone, these criteria imply that the RSPP is intended to provide a higher level than required by Part 236.
However, CSX’s proposed severity/probability risk matrix is radically different than the
matrices set forth in the DOD standard. RSPP at p. 4-4. Both 882C and 882D delineate four levels of risk: the highest risk is termed “unacceptable” in 882C and “high” in 882D; the second
highest risk is termed “undesirable” and “serious” in 882C and 882D, respectively, the third
highest risk is termed “acceptable with review by management” in 882C and “medium” in 882D;
and the lowest risk level is termed “acceptable” in 882C and “low” in 882D. However, CSX’s
proposed RSPP includes only three levels of risk: unacceptable, acceptable with review by management, and acceptable.
The distribution of risk across the matrices differs widely, as the side-by-side comparison
in Attachment 4 shows. The comparison can be summarized as follows:
Risk Level
Second Highest
Third Highest
882C (#1)
882C (#2)
It appears that CSX’s proposed hazard probability and risk matrix criteria differ dramatically from those set forth in the DOD standard because CSX proposes to use SAE-ARP 4761,
Appendix C, in performing the System Safety Assessment. See RSPP § 4.1.4, at pp. 4-5, 4-6.
However, paragraph (c)(2) of Appendix C to Part 236 establishes only the DOD standard as “acceptable for verification and validation.”
The DOD standard was adopted by FRA as a result of the consensus recommendation by
the Railroad Safety Advisory Committee. As FRA noted in the Notice of Proposed Rulemaking
(“NPRM”) for its proposed rule on PTC:
“Acceptable methodology” is intended to mean standard industry practice, as contained
in MIL–STD–882C, such as hazard analysis, fault tree analysis, failure mode and effect
criticality analysis, or other accepted applicable methods such as fault injection, Monte
Carlo or Petri-net simulation. FRA is aware of many acceptable industry standards, but
usage of a less common one in PSP analysis would most likely require a higher level of
FRA scrutiny.
66 Fed. Reg. 42379. FRA reiterated this position in publishing the Final Rule. 70 Fed. Reg.
The proposed RSPP submitted by CSX lacks any evidence whatsoever that the use of the
SAE standard — and the significantly different frequency and risk criteria — provide an analytical scheme at least as rigorous as that prescribed by the DOD standards to which all stakeholders
agreed, and which FRA included as a requirement in both the Proposed Rule and the Final Rule.
We believe that a railroad seeking to substitute a standard for one required by the regulation must
satisfy a burden of proving that at least the same level of safety is provided by the substitute
Accordingly, we request that FRA instruct CSX to redraft applicable portions of the
RSPP to reflect the DOD standards, as required by Part 236, Appendix C. In the alternative,
FRA should withhold approval of the RSPP until such time as (1) CSX has submitted evidence
in support of the acceptability of the SAE standard, (2) such evidence has been subject to public
comment, and (3) the substitute standard is proven to be at least as effective as the DOD standard.
The second issue we raise is Section 4.1.3.a, addressing system safety precedence, which
states that risk design standards shall “[m]inimize or eliminate the use of human input for
safety-critical functions.” RSPP at p. 4-5 (emphasis added). In its Final Rule on processor-based
signal and train control systems, FRA noted that the “overriding conclusion from the research is
that processor-based signal or train control systems that have been designed with humancentered design principles in mind — system products that keep human operators as the central active component of the system — are more likely to result in improved safety.” See 70
Fed. Reg. 11090 (emphasis added). For this reason, FRA promulgated design criteria for the
human-machine interface, or HMI, as Appendix E to Part 236.
In particular, FRA promulgated paragraph (c)(1), which “addresses ‘reduced situation
awareness and over-reliance,’ which can result when products transform the role of a human operator from an active system controller to a passive system monitor. Essentially, a passive operator is less alert to what the system is doing, may rely too heavily on the system and become less
capable of reacting properly when the system requires the operator’s attention.” Id. To safeguard
against over-reliance and loss of situation awareness, FRA’s HMI design requires that a locomotive engineer must “remain ‘in-the-loop’ for at least 30 minutes at a time,” as specified in paragraph (c)(1)(i) of Appendix E.
To the extent that Section 4.1.3.a addresses, for example, electronic transfer of train consist information from a computer into the PTC system computer — rather than having an employee manually enter such information — the concept makes sense. However, a locomotive
engineer may be required to interact, via the system’s Human-Machine Interface, with the system by inputting movement-related information or by acknowledging a warning, both of which
involve a safety-critical function. We submit that Appendix E prohibits the elimination of this
second category of human input, and question, therefore, whether this design standard meets the
requirements of Appendix E, paragraph (c)(1)(i). At the very least, FRA should require CSX to
provide clarification as to the meaning and intent of this phrase.
Thirdly, Section 5.7 (“Risk Assessment Requirements”) of the proposed RSPP states that
hazards “identified as having an unacceptable or undesirable risk shall be eliminated by design or
mitigated such that the risk is acceptable or can be controlled through the appropriate application
of existing operating rules, operating practices and/or procedures.” RSPP at p. 5-3. This provision is vague and confusing. Although the requirement facially pertains to “undesirable” risks,
CSX’s risk assessment matrix does not include this category. Furthermore, the phrase “or can be
controlled” is meaningless in terms of assessing risk. We recommend that the sentence be redrafted to read “such that the risk is eliminated or reduced to an acceptable level through the appropriate application of existing operating rules, operating practices and/or procedures.”
Fourth, we have a concern with respect to the RSPP’s treatment of the Human-Machine
Interface (“HMI”), which is contained in Section 11 of the document. CSX states that the “HMI
shall provide consistent and predictable display of information” and that the “system shall provide automatically refreshable display that can supplement the operator’s memory.” Id. at
p. 11-1. It is unclear from the context whether CSX contemplates a constant PTC display, or one
that is activated only when the system provides a warning or initiates an enforcement action. It
is our understanding that CSX has been testing a PTC system that activates the display only for
purposes of warning and enforcement notification; however, constant display is being currently
tested in other portions of the industry.
In a January 2005 Final Report entitled Effects of Train Control Technology on Operator
Performance, DOT’s Research and Special Programs Administration (“RSPA”) described the
work of a locomotive engineer in these terms:
Operating a rail vehicle (and, in general, operating any vehicle) can be considered a combination of divided attention and selective attention tasks. The task is divided attention,
in that the locomotive engineer must attend to several different tasks at once, including
speed control, position control, system status monitoring, and vehicle status monitoring.
The monitoring subtasks can each be considered as selective attention tasks. The objective is to identify a system or vehicle fault, and the engineer must monitor several channels of information to detect a fault. From a different perspective, the task of a
locomotive engineer is a combination of relatively high frequency monitoring and control
(to fulfill the task of speed and position control) with vigilance (for system failures and
See DOT/FRA/ORD-04/18 at p. 5.
Six months after the publication of this report, RSPA published another, entitled Effects
of Supervisory Train Control Technology on Operator Attention, which defined “vigilance” as
“the capacity of the human operator to sustain attention and remain alert to stimuli over a prolonged time.” See DOT/FRA/ORD-04/10 at p. vii. All PTC systems present a locomotive engineer with the numerous additional visual, auditory, and tactile stimuli, compared to standard
operations. This creates a concern, which was acknowledged in the July 2005 RSPA report:
The human performance concern, with regard to display automation, is potential overload
of the operator sensory channels. Too much information will ultimately degrade overall
performance due to the inability to process that information and extract the pertinent data
from it.
See DOT/FRA/ORD-04/10 at p. 3.
We have voiced similar concerns in a number of PTC proceedings over the years. FRA
should require CSX to revise Section 11 to identify the type of display it intends to use, and to
address the extent to which over-reliance and/or distraction caused by a constant display may
introduce risks that do not exist in current operations.
Lastly, we wish to raise an issue that was omitted altogether from CSX’s RSPP. There is
no mention in the RSPP regarding the capture and retention of safety critical control data routed
to the locomotive engineer’s display. In the case of a train control system, the technical details
of the format, content, and proposed duration for retention of this type of data are to be addressed
by the Product Safety Plan. 49 C.F.R. §§ 229.135(b)(3)(xxv), and 229.135 (b)(4)(xxi). It only
makes sense for CSX to have noted this requirement in the RSPP, and provided any standardized
guidance that it intends to apply (e.g., whether retention of data will be accomplished in event
recorders with a certified crashworthy memory module or in separate certified crashworthy
memory modules). FRA imposed this requirement as part of its conditional approval of a RSPP
submitted by the BNSF earlier this year. See FRA-2006-23686-4 at p. 2.
We appreciate FRA’s most serious consideration of the concerns and proposals we have
raised in these comments. These conditions are necessary in order for the letter and the spirit of
Subpart H to be fulfilled.
Respectfully submitted,
Don M. Hahs
National President
Brotherhood of Locomotive
Engineers and Trainmen
Paul C. Thompson
International President
United Transportation Union
RSPP Hazard Severity Comparison
I. Catastrophic
Death, system loss, or severe
environmental damage.
II. Critical
Severe injury, severe occupational
illness, major system or
environmental damage.
III. Marginal
Minor injury, minor occupational
illness, or minor system or
environmental damage.
IV. Negligible
Less than minor injury, occupational
illness, or less than minor system or
environmental damage.
Could result in death, permanent
total disability, loss exceeding $1M,
or irreversible severe environmental
damage that violates law or
Could result in permanent partial
disability, injuries or occupational
illness that may result in
hospitalization of at least three
personnel, loss exceeding $200K but
less than $1M, or reversible
environmental damage causing a
violation of law or regulation.
Could result in injury or
occupational illness resulting in one
or more lost work days(s), loss
exceeding $10K but less than
$200K, or mitigable environmental
damage without violation of law or
regulation where restoration
activities can be accomplished.
Could result in injury or illness not
resulting in a lost work day, loss
exceeding $2K but less than $10K,
or minimal environmental damage
not violating law or regulation.
Proposed RSPP
Events that could result in FRA
reportable deaths, five or more
injuries, or equipment damage
greater than $1,000,000.
Events that could result in two or
more FRA reportable injuries,
illness, or equipment damage greater
than $150,000 but less than
Events that could result in an FRA
reportable injury, illness, or
equipment damage.
Events that could result in an FRA
non-reportable injury, illness, or
equipment damage.
Attachment 2
RSPP Hazard Probability Comparison
A. Frequent
Likely to occur often in the life of
an item, with a probability of
occurrence greater than 10-1 in
that life; continuously
experienced in fleet/inventory.
Will occur several times in the
life of an item, with a probability
of occurrence less than 10-1 but
greater than 10-2 in that life; will
occur frequently in
Likely to occur some time in the
life of an item, with a probability
of occurrence less than 10-2 but
greater than 10-3 in that life; will
occur several times in
Unlikely but possible to occur
some time in the life of an item,
with a probability of occurrence
less than 10-3 but greater than 10-6
in that life; unlikely but can
reasonably be expected to occur
in fleet/inventory.
So unlikely, it cam be assumed
occurrence may not be
experienced, with a probability of
occurrence less than 10-6 in that
life; unlikely to occur but possible
in fleet/inventory.
B. Probable
C. Occasional
D. Remote
E. Improbable
Occurrences per
100,000,000 hours
> 10,000,000
1,000,000 – 10,000,000
100,000 – 1,000,000
100 – 100,000
< 100
Proposed RSPP
Likely to occur often in the life
of the system, subsystem, or
component. The probability of
occurrence is greater than 1E-3
per system operating hour.
Will occur several times in the
life of the system, subsystem, or
component. The probability of
occurrence is between 1E-3 and
1E-5 per system operating hour.
Likely to occur some time in
the life of the system,
subsystem, or component. The
probability of occurrence is
between 1E-5 and 1E-7 per
system operating hour.
Unlikely, but possible to occur
in the life of the system,
subsystem, or component. The
probability of occurrence is
between 1E-7 and 1E-9 per
system operating hour.
So unlikely to occur that it can
be assumed in will not be
experienced in the life of the
system, subsystem, or
component. The probability of
occurrence is greater than 1E-9
per system operating hour.
Occurrences per
100,000,000 hours
> 100,000
1,000 – 100,000
10 – 1,000
0.1 – 10
< 0.1
Attachment 3
RSPP Hazard Risk Resolution Assessment Comparison
MIL-STD-882C (Ex. #1)
Severity →
Probability ↓
Codes: UN – Unacceptable
UD – Undesirable (management decision required)
AC/WR – Acceptable with review by management
AC – Acceptable without review
Severity →
Probability ↓
Risk Acceptance Levels:
High = Competent Acquisition Executive
Serious = Program Executive Officer
Medium = Program Manager
Low = As directed
MIL-STD-882C (Ex. #2)
Severity →
Probability ↓
Codes: UN – Unacceptable
UD – Undesirable (management decision required)
AC/WR – Acceptable with review by management
AC – Acceptable without review
Proposed RSPP
Severity →
Probability ↓
Codes: UN – Unacceptable
AC/WR1 – Acceptable with review by Vice President
AC/WR2 – Acceptable with review by Assistant VP or Chief Engineer
AC/WR3 – Acceptable with review by Director or Assistant CE
AC – Acceptable without review
Attachment 4