The requirements of this section apply to electronic hardware and software used to control or monitor safety functions in passenger equipment ordered on or after September 8, 2000, and such components implemented or materially modified in new or existing passenger equipment on or after September 9, 2002.
(a) The railroad shall develop and maintain a written hardware and software safety program to guide the design, development, testing, integration, and verification of software and hardware that controls or monitors equipment safety functions.
(b) The hardware and software safety program shall be based on a formal safety methodology that includes a Failure Modes, Effects, Criticality Analysis (FMECA); verification and validation testing for all hardware and software components and their interfaces; and comprehensive hardware and software integration testing to ensure that the hardware and software system functions as intended.
(c) The hardware and software safety program shall include a description of how the following will be accomplished, achieved, carried out, or implemented to ensure safety and reliability:
(1) The hardware and software design process;
(2) The hardware and software design documentation;
(3) The hardware and software hazard analysis;
(4) Hardware and software safety reviews;
(5) Hardware and software hazard monitoring and tracking;
(6) Hardware and software integration safety testing; and
(7) Demonstration of overall hardware and software system safety as part of the pre-revenue service testing of the equipment.
(d)
(1) Hardware and software that controls or monitors a train's primary braking system shall either:
(i) Fail safely by initiating a full service or emergency brake application in the event of a hardware or software failure that could impair the ability of the engineer to apply or release the brakes; or
(ii) Provide the engineer access to direct manual control of the primary braking system (service or emergency braking).
(2) Hardware and software that controls or monitors the ability to shut down a train's main power and fuel intake system shall either:
(i) Fail safely by shutting down the main power and cutting off the intake of fuel in the event of a hardware or software failure that could impair the ability of the train crew to command that electronic function; or
(ii) Provide the train crew the ability to shut down the main power and fuel intake by non-electronic means.
(e) The railroad shall comply with the elements of its hardware and software safety program that affect the safety of the passenger equipment.
[67 FR 19990, Apr. 23, 2002, as amended at 77 FR 21356, Apr. 9, 2012]