Skip to Content

Proposed Rule

Licensing and Safety Requirements for Launch

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble Start Printed Page 63922

AGENCY:

Federal Aviation Administration (FAA), DOT.

ACTION:

Notice of proposed rulemaking (NPRM).

SUMMARY:

The Associate Administrator for Commercial Space Transportation of the Federal Aviation Administration (FAA), Department of Transportation (DOT), is proposing to amend the FAA's commercial space transportation regulations. The FAA proposes to amend its regulations to codify its license application process for launch from a non-federal launch site. A non-federal launch site is a launch site not located on a federal launch range. The proposed regulations are also intended to codify the safety requirements for launch operators regarding license requirements, criteria, and responsibilities in order to protect the public from the hazards of launch for launch from a federal launch range or a non-federal launch site.

DATES:

Send your comments on or before February 22, 2001.

ADDRESSES:

Address your comments to the Docket Management System, U.S. Department of Transportation, Room Plaza 401, 400 Seventh Street, SW., Washington, DC 20590-0001. You must identify the docket number FAA-2000-7953 at the beginning of your comments, and you should submit two copies of your comments. If you wish to receive confirmation that FAA received your comments, include a self-addressed, stamped postcard. You may submit and review comments through the Internet at http://dms.dot.gov. You may review the public docket containing comments to these proposed regulations in person in the Dockets Office between 9:00 a.m. and 5:00 p.m., Monday through Friday, except Federal holidays. The Dockets Office is on the plaza level of the NASSIF Building at the Department of Transportation at the above address.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Michael Dook, Licensing and Safety Division (AST-200), Associate Administrator for Commercial Space Transportation, Federal Aviation Administration, DOT, Room 331, 800 Independence Avenue, SW., Washington, DC 20591; telephone (202) 267-8462; or Laura Montgomery, Office of the Chief Counsel (AGC-200), Federal Aviation Administration, DOT, Room 915, 800 Independence Avenue, SW., Washington, DC 20591; telephone (202) 267-3150.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

Comments Invited

Interested persons are invited to participate in the making of the proposed action by submitting such written data, views, or arguments as they may desire. Comments relating to the environmental, energy, federalism, or economic impact that might result from adopting the proposals in this document also are invited. Substantive comments should be accompanied by cost estimates. Comments must identify the regulatory docket or notice number and be submitted in duplicate to the DOT Rules Docket address specified above.

All comments received, as well as a report summarizing each substantive public contact with FAA personnel concerning this proposed rulemaking, will be filed in the docket. The docket is available for public inspection before and after the comment closing date.

The Administrator will consider all comments received on or before the closing date before taking action on this proposed rulemaking. Late-filed comments will be considered to the extent practicable, and consistent with statutory deadlines. The proposals in this document may be changed in light of the comments received.

Commenters wishing the FAA to acknowledge receipt of their comments submitted in response to this document must include a pre-addressed, stamped postcard with those comments on which the following statement is made: “Comments to Docket No. FAA-2000-7953.” The postcard will be date stamped and mailed to the commenter.

Availability of Rulemaking Documents

You can get an electronic copy using the Internet by taking the following steps:

(1) Go to the search function of the Department of Transportation's electronic Docket Management System (DMS) Web page (http://dms.dot.gov/​search).

(2) On the search page type in the last four digits of the Docket number shown at the beginning of this notice. Click on “search.”

(3) On the next page, which contains the Docket summary information for the Docket you selected, click on the document number of the item you wish to view.

You can also get an electronic copy using the Internet through FAA's web page at http://www.faa.gov/​avr/​arm/​nprm/​nprm.htm or the Federal Register's web page at http://www.access.gpo.gov/​su_​docs/​aces/​aces140.html.

You can also get a copy by submitting a request to the Federal Aviation Administration, Office of Rulemaking, ARM-1, 800 Independence Avenue SW., Washington, DC 20591, or by calling (202) 267-9680. Make sure to identify the docket number, notice number, or amendment number of this rulemaking.

I. Introduction

By this notice of proposed rulemaking, the FAA proposes licensing and safety requirements for the conduct of a launch. The proposed requirements for obtaining a license would apply to a launch operator planning to launch from a non-federal launch site. A non-federal launch site is a launch site that is not located at a federal launch range. The proposed regulations for obtaining a license would not, however, apply to any launch from a non-federal launch site where a federal launch range performs the safety functions. For such a launch, the licensing requirements of 14 CFR part 415, subpart C applies. The proposed regulations are also intended to codify the safety requirements that a launch operator must satisfy to protect the public from the hazards of launch. The safety requirements contained in this proposed regulation apply to all licensed launches of expendable launch vehicles whether from a federal launch range or a non-federal launch site. This notice provides information regarding the criteria for obtaining a launch license, the responsibilities with which a launch licensee must comply, and operational requirements.

II. Background

The Commercial Space Launch Act of 1984, as codified and amended at 49 U.S.C. Subtitle IX—Commercial Space Transportation, ch. 701, Commercial Space Launch Activities, 49 U.S.C. 70101-70121 (the Act), authorizes the Department of Transportation and thus the FAA, through delegations,[1] to oversee, license and regulate commercial launch and reentry activities and the operation of launch and reentry sites as carried out by U.S. citizens or within the United States. 49 U.S.C. 70104, 70105. The Act directs the FAA to exercise this responsibility consistent with public health and safety, Start Printed Page 63923safety of property, and the national security and foreign policy interests of the United States. 49 U.S.C. 70105. The FAA is also responsible for encouraging, facilitating and promoting commercial space launches by the private sector. 49 U.S.C. 70103. A 1996 National Space Policy recognizes the Department of Transportation as the lead federal agency for regulatory guidance regarding commercial space transportation activities.

The FAA licenses commercial launches, the subject of this notice of proposed rulemaking in accordance with the Act and 14 CFR Ch. III. Until recently, all commercial launches took place under the cognizance of federal launch range safety organizations, which impose comprehensive safety requirements on launch operators. The FAA has been able to rely significantly on the safety oversight activities of the federal launch ranges. Consequently, many safety issues did not need to be addressed explicitly in the FAA's regulations. That has now changed.

The commercial space transportation industry continues to grow and diversify. Between the first licensed commercial launch in March 1989 and July 2000, 130 licensed launches have taken place from five different launch sites, including launches from a non-federal launch site, and from launch sites operated by licensed launch site operators. The vehicles have included traditional orbital expendable launch vehicles, such as the Atlas, Titan, and Delta, and sub-orbital Black Brant boosters, new expendable launch vehicles using traditional launch techniques, such as Athena and Conestoga, and unique vehicles, such as the air-borne Pegasus. The commercial launch industry has evolved from one relying on traditional orbital and sub-orbital launch vehicles to one with a diverse mix of vehicles using new technology and new concepts. A number of international ventures involving U.S. companies have also formed, further adding to this diversity.

Developments in cost savings and innovation are not confined to the launch industry. The launch site industry has also made progress. Commercial launch site operators are coming on line with the goal of providing flexible and cost-effective facilities both for existing launch vehicles and for new vehicles. When the commercial launch industry began, commercial launch companies based their launch operations at federal launch ranges operated by the Department of Defense (DOD) and the National Aeronautics and Space Administration (NASA). The Eastern Range, where the 45th Space Wing provides launch safety services, located at Cape Canaveral Air Station in Florida (CCAS), and the Western Range, where the 30th Space Wing provides launch safety services, located at Vandenberg Air Force Base (VAFB), in California are Federal launch ranges that support licensed launches. Both are operated by the U.S. Air Force. Wallops Flight Facility in Virginia, operated by NASA; White Sands Missile Range (WSMR) in New Mexico and Kwajalein Missile Range, both operated by the U.S. Army; and the Kauai Test Facility in Hawaii, operated by the U.S. Navy are other federal launch ranges that support licensed launches. Federal launch ranges provide the advantage of existing launch infrastructure and range safety services. Launch companies are able to obtain a number of services from a federal launch range, including radar, tracking and telemetry, flight termination and other launch services.

Today, most commercial launches still take place from federal launch ranges. However, the FAA anticipates that this pattern will change, as non-federal launch sites become more prevalent. On September 19, 1996, the FAA granted the first license to operate a launch site to Spaceport Systems International (SSI) to operate California Spaceport. That launch site is located within VAFB. Three other launch site operators have received licenses. The Spaceport Florida Authority (SFA) received an FAA license to operate Launch Complex 46 at CCAS as a launch site. Virginia Commercial Space Flight Authority (VCSFA) received a license to operate Virginia Spaceflight Center (VSC) within NASA's Wallops Flight Facility. Most recently, Alaska Aerospace Development Corporation (AADC) received a license to operate Kodiak Launch Complex (KLC) on Kodiak Island, Alaska as a launch site.

Whether launching from a federal launch range, a launch site located on a federal range, or a non-federal launch site, a launch operator is responsible for ground and flight safety under its FAA license. At a federal launch range a launch operator must comply with the rules and procedures of the federal range. The safety rules, procedures and practices, in concert with the safety functions of the federal launch ranges, have been assessed by the FAA, and found to satisfy the majority of the FAA's safety concerns. In contrast, when launching from a non-federal launch site, a launch operator's responsibility for ground and flight safety takes on added importance. In the absence of federal launch range oversight, it will be incumbent upon each launch operator to demonstrate the adequacy of its ground and flight safety to the FAA.

An NPRM containing licensing and safety requirements for the operation of a launch site was issued in June 1999, and that notice makes clear that a licensed launch site operator will not be playing the same role as a federal launch range. Licensing and Safety Requirements for Operation of a Launch Site, Notice of Proposed Rulemaking, 64 FR 34315 (Jun. 25, 1999) (“Launch Site NPRM”). That notice proposes specific requirements for operating a launch site, including the operation of a non-federal launch site; however, the notice proposes more limited launch site operator licensee requirements with respect to flight safety of a launch from a non-federal site. A launch site operator is not required to perform in a similar capacity as the current federal launch ranges. The FAA holds a launch licensee, not a launch site operator, responsible for flight safety, even in those cases where a launch site operator provides services in support of a launch. In that context, a launch site operator acts as a contractor or subcontractor to a licensed launch operator. The majority of public safety requirements for launch related ground and flight operations fall upon the launch licensee.

In addition to licensing the operation of the first non-federal launch site, the FAA issued, as of March 1999, its first launch license for launch from a non-federal launch site, which was, in this case, the Pacific Ocean. For this launch, no federal launch range safety review was available. Sea Launch Limited Partnership (Sea Launch), the licensee, was successful in conducting its first launch of a commercial rocket from a modified mobile oil rig located in the Pacific Ocean. Because Sea Launch does not plan to offer its launch platform or location to others for launch, the FAA did not require it to obtain a license to operate a launch site; accordingly, it needed only obtain a launch license. The FAA's approach to Sea Launch's license application was to ensure an equivalent level of safety as has been sought at the federal launch ranges. Although the foreign safety system, technology, procedures, and operations create a number of differences, the FAA was able to use the federal launch range approach as a benchmark to achieving safety for the FAA's safety determination.

The current regulations, 14 CFR part 415, governing launch primarily address launches as they take place from Department of Defense or National Aeronautics and Space Administration (NASA) launch ranges, and treat Start Printed Page 63924launches from a non-federal launch site on a case by case basis. The licensing regulations for launch from a federal launch range are designed to avoid duplication of effort between the FAA and the federal launch ranges in overseeing the safety of launches at the federal ranges. Although the FAA does require information and analyses not required by federal ranges to ensure that all flight safety issues are addressed, and imposes certain additional requirements derived from recommendations arising from a National Transportation Safety Board investigation, the FAA does not duplicate the safety assessments performed by federal launch ranges. The ranges require compliance with their safety rules as a condition of using their facilities and services. The federal ranges act, in effect, both as landlords and as providers of launch facilities and services. Under this notice of proposed rulemaking, that licensing approach will continue. A launch operator license applicant proposing to launch from a federal launch range will continue to be governed by subpart C of part 415. A launch operator proposing to launch from a non-federal launch site would be subject to the requirements proposed by subpart F which are, because of the lack of federal launch range involvement, more detailed in order to permit the FAA to adequately review the safety of each proposed launch.

A federal launch range requires a launch operator to provide data regarding its proposed launch. The range evaluates the data to ascertain whether the launch operator will comply with range requirements. The range also uses the data to prepare range support for the mission. DOD ranges require that a launch operator apply for and obtain specific mandatory approvals from the range in order to conduct certain specified operations. For example, the Air Force's “Eastern and Western Range Requirements 127-1,” (Mar. 1995) [2] (“EWR 127-1”) require a launch operator to obtain approvals for hazardous and safety critical procedures before the range will allow those operations to proceed. In the event that a launch operator's proposal does not fully comply with range requirements, a range may issue a deviation or a waiver if the mission objectives of the launch operator could not otherwise be achieved. A range may issue a deviation to allow a launch even when a launch operator's designs or proposed operations do not comply with range requirements. A range may issue a waiver when it is discovered after production that hardware does not satisfy range requirements or when it is discovered that operations do not meet range requirements after operations have begun at a federal range. A range will allow a deviation or grant a waiver only under unique and compelling circumstances.

The FAA performed baseline assessments of various federal launch ranges and found their safety services adequate. Under FAA regulations, the FAA does not require an applicant to demonstrate the adequacy of the range services it proposes to employ if the applicable baseline assessment included those federal launch range services and if those services remain adequate. Certain showings regarding the applicant's own capabilities are still required. The FAA requires specific information regarding the interface between the safety organizations of a federal launch range and of an applicant. In the event that a service or procedure upon which an applicant proposes to rely is not within the documented experience of the federal launch range that the applicant proposes to utilize, the applicant would have to demonstrate the safety of that particular aspect of its launch. This is also true if a documented range safety service has changed significantly or has experienced a recent failure. In those cases, the burden of demonstrating safety shifts to the applicant.

III. Discussion of Proposed Licensing and Safety Regulations for Launch

A. Proposed Revisions to Parts 415 and 417

The approach the FAA followed in developing technical requirements for this proposed rule is to build on the safety success of federal launch ranges and to seek the same high level of safety that the federal ranges have achieved. Wherever appropriate for public safety, federal launch range practices were used as the basis for the development of the FAA's regulatory regime. Additionally, this proposed rule would allow for flexibility through the use of performance standards where appropriate, and identifies specific technical requirements where necessary to ensure safety. The FAA worked extensively with federal launch range safety personnel to refine and adapt many of the federal range requirements to a performance standard approach for incorporation into this proposed rule. The text responds to the complexity of space launch systems and the potential for negative consequences to public safety. The proposed regulations specify detailed processes, procedures, analyses, and general safety system design requirements. Where necessary, for critical safety hardware and software, this proposed rule provides design and detailed test requirements. In every case, the proposed regulations define the material that must be prepared and submitted as part of a license application or by a licensee before launch. The FAA also proposes to build flexibility into its requirements. Although the proposed regulations would provide the requirements with which a licensee must comply, the FAA anticipates that a launch operator might wish to employ alternative means of achieving the same safety goal. In that case, if a launch operator can clearly and convincingly demonstrate an equivalent level of safety, the FAA would consider accepting that alternative, and describing it for the benefit of others through the notice, the FAA's advisory circular process or some other method.

This notice of proposed rulemaking proposes safety requirements for licensed launch, whether from a non-federal launch site or a federal launch range. It is the FAA's understanding that the U.S. Air Force launch ranges intend eventually to cross-reference the same requirements for flight for government launches. In the course of creating the requirements for this proposed rule, the FAA consulted with the federal launch ranges. As a result of these consultations, what the FAA understands to be a general sentiment within the launch community in favor of consistent requirements, and the recommendations contained in the White House's report, The Future of the Space Launch Bases and Ranges, (2000) the FAA and the Air Force plan to establish common safety standards for the flight of a launch vehicle. The FAA will implement its requirements through rulemaking, and launch operators using Air Force ranges for commercial launch would have to abide by the FAA regulations for flight safety in proposed part 417. Because the Air Force's ground safety requirements still provide greater specificity than what the FAA proposes through this notice, the Air Force does not, at this time, plan to substitute the FAA's proposed ground safety requirements for its own, but, because a launch operator will have to comply with the requirements of part 417, that launch operator will have to ensure that it complies with the FAA's proposed ground safety requirements as well. The FAA anticipates that, in most instances, satisfaction of the Air Force Start Printed Page 63925requirements will satisfy the FAA's ground safety requirements. In the event of conflicts, the FAA's requirements will govern licensed launch operators.

Both the Air Force and the FAA anticipate tangible benefits to having common safety standards. Because the FAA is building upon the requirements of the federal launch ranges, this proposed rule is meant to preserve the best of the Air Force public safety experience and expertise. The Air Force, which has subjected its own requirements to the scrutiny and comments of its range users in the past, will be able to rely on the fact that the FAA's proposed requirements will undergo the public notice and comment period mandated by the Administrative Procedure Act. This proposed rule will provide a forum for public participation on the proposed standards and economic impacts. An FAA rulemaking requires a cost benefit analysis, which is also subject to public comment, and ensures that issues regarding cost are taken into account. The FAA, in turn, is able to leverage the technical expertise of the Air Force legacy in promulgating its requirements. The FAA and the Air Force foresee greater ease of administration for launch operators and the government, as well as greater uniformity of treatment, with a common set of national standards.

This notice proposes to establish requirements for a flight safety analysis that covers the hazards of normal and non-normal flight. The results of the analysis will be used to develop and implement flight safety rules and procedures that govern the licensed launch. The flight safety analysis is a critical tool for determining that public safety is being adequately addressed. The analysis must accurately reflect the true circumstances of each launch. Consequently, the proposed rules would specify performance standards for each critical part of a flight safety analysis as well as identifying the specific safety criteria that must be met.

This notice would cover a number of major flight safety analysis issues. Flight control lines are necessary for a flight safety analysis. Establishing flight control lines involves the identification of those areas that must be protected from potential adverse effects of a launch vehicle's flight. Flight control lines are material input to the flight safety analysis and the determination of flight safety limits. They depend on the location of population centers, foreign territorial boundaries, and other areas that must be protected. Flight safety limits are used during a launch to determine when a malfunctioning vehicle's flight must be terminated to ensure that any adverse effects are contained. Flight safety limits may be a function of time and depend on the vehicle's debris footprint.

This notice of proposed rulemaking addresses other flight safety measures. For example, wind weighting is a technique used to determine launch azimuth and elevation settings for unguided launch vehicles, which are typically sub-orbital sounding rockets. Wind weighting predicts the wind effects on impact point displacement during the thrusting phases of flight as well as the ballistic free-fall phase of each launch vehicle stage.

Hazard areas must be established for both preflight processing of a launch vehicle and flight. Hazard areas are established to provide protection from both normal and anomalous launch events. The presence of the public in a hazard area is a constraint on preflight processing and flight, and must be controlled, typically by controlling access to the area or through flight commit criteria that depend on real-time surveys of the area at the time of flight. This notice proposes to specify the analysis that a license applicant must perform to define the appropriate hazard areas for each launch. These hazard areas generally include a launch hazard area that accounts for people, aircraft, and any ships, impact hazard areas for planned debris resulting from normal flight, and hazard areas for unique hazards such as toxic or radiological materials.

An applicant must demonstrate satisfaction of the FAA's risk criteria. This may be accomplished if a launch operator is able to show that the risk of casualties to the general public is acceptably low. An applicant must show that the collective casualty expectancy (EC) risk of the proposed launch is equal to or less than the FAA's established criteria of 30×10−6. This is a critical measure used to evaluate potential public risk due to a proposed launch. An applicant must also show that its proposed launch will be conducted without exceeding an individual casualty probability (PC) of 1×10−6. Not all federal launch ranges require an individual risk analysis. In most cases, if 30×10−6 is met, individual risk is also less than 1×10−6. This is not, however, always the case. The need to evaluate individual risk varies depending on the specifics of the launch and the launch site. Because FAA regulations must address the broad range of non-federal launch sites and launch vehicle combinations, the FAA proposes to require a launch operator to demonstrate that the individual risk criteria will not be exceeded for each launch regardless of whether the launch occurs from a non-federal launch site or a federal launch range. This notice will provide a method for accomplishing these analyses and allow for variations and possible simplifications to the analysis based on the applicant's specific situation. The applicant would perform risk analysis to demonstrate that each proposed launch will not exceed established criteria for the impact probability of hitting aircraft and ships.

The other essential component for flight safety is a flight safety system. The primary purpose of a flight safety system is to monitor a launch vehicle's flight status and provide the positive control needed to prevent the launch vehicle from impacting populated or other protected areas in the event of a vehicle failure. The requirements for properly qualifying the proposed flight safety system and validating its performance are critical. Comprehensive flight safety system requirements will be provided that are designed to ensure that a launch operator implements a highly reliable, acceptable system.

This proposed rulemaking addresses important components of and major issues related to a flight safety system. A typical flight safety system is composed of a flight termination system and a command control system. This notice proposes to define a flight termination system (FTS) as consisting of all components that are on board a launch vehicle and are needed to control the termination of a launch vehicle's flight. An FTS may also include automatic destruct system components designed to activate upon vehicle breakup or premature separation of individual powered stages or strap-on motors. This notice proposes requirements for the FTS components onboard a launch vehicle as well as command control components that are typically ground based, including associated software. A highly reliable FTS is critical to ensuring public safety. This notice would define a process for obtaining the necessary reliability. That process would consist of specific FTS design standards and criteria, a reliability analysis of the FTS design, and comprehensive testing to qualify the FTS design and certify and accept FTS components.

The proposed requirements would also address other elements of the flight safety system. This notice of proposed rulemaking would include requirements for compatible vehicle tracking, visual data sources, telemetry, communications, display, and recording systems that are necessary as part of the flight safety system to support a flight Start Printed Page 63926termination decision. The licensee would be responsible for ensuring that these required systems are available to support the launch. A flight safety system must be complemented with, and operated by a qualified flight safety crew that includes a flight safety official and support personnel. This proposed rule would identify the flight safety crew positions and the personnel qualifications required for each position. The FAA's proposed training and qualification approach is an adaptation of federal launch range practices.

This notice also addresses ground safety issues related to the preparation of a launch vehicle for flight. Many issues related to the safety of ground operations at a launch site are subject to regulation by other federal agencies. This notice would address ground safety issues, not otherwise addressed by other federal regulations, that are unique to space launch processing and that could affect the general public. A launch operator licensee would be responsible for developing and implementing a ground safety program in compliance with the specified standards, and should note that this proposed rulemaking does not supersede the ground safety requirements of other regulatory agencies.

Ground safety issues may be addressed through a number of measures in this notice. This proposed rulemaking includes a hazard assessment to ensure the safety of ground operations. A launch operator would be required to perform a hazard analysis for all hazardous operations to identify the potential of each hazard for affecting public safety. This proposed rulemaking would define requirements, processes, and procedures for mitigating identified public safety hazards. Launch processing typically involves the use of toxic and hazardous materials. This proposed rule would define ground safety program requirements designed to protect the public from these substances. The use of non-ionizing radiation in the form of communications and radar systems is also typical of launch processing. Proper control of such sources of energy is of particular concern due to the many explosives that could be inadvertently initiated and that are often present at a launch site. This proposed rulemaking would define ground safety program requirements designed to protect the public from non-ionizing radiation. A launch vehicle or payload may include materials that give off ionizing radiation. The presence of ionizing radiation is a safety issue that must be reviewed for each launch and requires that proper procedures be followed. There are many ground safety issues involving explosives associated with launch processing. The NPRM on licensing and safety requirements for the operation of a launch site addresses locating explosive substances at a launch site, and identifies appropriate safety separation distances, based on quantity, between facilities at the site and the public. In most cases, maintaining proper separation distances will provide protection for the general public. This proposed rulemaking would define ground safety program requirements for protecting the public from explosives through the maintenance of proper separation distances during operations and preventive explosive safety processes and procedures, including prevention of inadvertent initiation of explosives and propellants.

B. Payload Review and Determination

The proposed requirements address hazards that a payload may create during launch. This proposed rulemaking continues the agency's practice of addressing hazards presented by payloads during the flight of a launch vehicle. This includes payloads otherwise exempt from a payload review. The FAA wishes to clarify that flight safety analysis includes even those payloads exempted by 14 CFR 415.53, and is proposing to amend the text of § 415.51 to clarify accordingly. As is evident from inspection of the neighboring provisions, sections 415.51 (“the FAA reviews a payload proposed for launch to determine whether its launch would jeopardize public health and safety”) and 415.53 (“each payload is subject to compliance monitoring to determine whether its launch would jeopardize public health and safety”), the FAA intended to include safety issues within a payload review. Nonetheless, in order to avoid confusion, the FAA proposes to amend § 415.51 to state that all payloads, exempt or not, are subject to the safety requirements of subparts C and F of this part and of part 417. This should make clear that the exemption of Federal Communications Commission (FCC) or National Oceanic & Atmospheric Administration (NOAA) regulated payloads or those owned or operated by the U.S. Government applies to the payload determination and not to the safety reviews or requirements.

The Act provides the FAA authority over payloads. See 49 U.S.C. 70104; Commercial Space Transportation; Licensing Regulations, Interim Final Rule, 51 FR 6870, 6871 (Feb. 26, 1986) (“The Act gives the [agency] authority to determine whether the launch of a payload is inimical to the national interests specified in the Act and does not exclude any relevant factor from the [agency's] consideration.”) The commercial space transportation regulations implemented this authority, first, through a mission review, see 14 CFR 415.21-415.25 (1988), and then through the payload review adopted in 1999, see 14 CFR 415.51-415.63 (1999).

The Act also contains provisions describing the authority of various agencies with regard to certain payloads. The Act does not affect the authority of the FCC or the Secretary of Commerce under the Land Remote-Sensing Commercialization Act of 1984. 49 U.S.C. 70117(b). This means that these agencies may continue in their regulation of communications satellites and land remote sensing satellites. Accordingly, the FAA does not conduct a payload review of payloads that are subject to regulation by the Federal Communications Commission or the Department of Commerce, National Oceanic and Atmospheric Administration, or that are owned or operated by the U.S. government. This means that the FAA does not review those payloads for their impact on the national interests identified in the Act.

The FAA does, however, possess and exercise safety authority over issues presented by payload hazards during flight of a launch vehicle. The FAA recognizes that the legislative history accompanying the requirement in 49 U.S.C. 70104(b) that a licensee may launch a payload only if the payload complies with the requirements of the laws of the United States related to launching a payload, indicates that Congress did not want communications or land remote sensing satellites subjected to a duplicative regulatory process. See Commercial Space Launches, Sen. Committee Rep. No. 656, 98th Cong., 2d Sess., 15 (1984). The Committee recognized, for example, that the FCC provided authorization for the launch of a communications satellite and would therefore require no separate “documentation or certification” by the FAA. Id. Nor did Congress intend that the FAA obtain the authority “to override or modify any decision by the FCC to authorize the launch or operations of a communications satellite.” Id. at 16. The FAA does not purport to authorize the operation of communications satellites. That is why the exemption in § 415.53 exists. What the FAA does require, however, is information sufficient to evaluate the safety of a proposed launch. The FCC and NOAA do not analyze the launch safety of communications or land remote sensing satellites. Accordingly, Start Printed Page 63927the FAA's proposed safety requirements would not constitute duplicative regulation.

If the payload hazards dictate a change in commit criteria, trajectory or other safety related decision, the launch operator and the FAA need to be able to assess and respond to the hazards posed by the satellite. A satellite's hazards may consist of fuel, debris or both. In this regard the FAA notes that the Senate Committee, in discussing the agency's authority to issue an emergency order stopping a launch, recognized that the agency could have concerns “that may relate to the launch vehicle or its payload.” Id. at 24. This explicit recognition of the FAA's ability to respond to payload concerns supports the FAA's interpretation of the Act: subsection 70117(b) provides that the authority of the FCC and NOAA remain unaffected by the Act, but means nothing more than that. Although the FAA should not duplicate the roles of the FCC or NOAA, it may address areas not otherwise encompassed by their regulatory schemes, namely, the safety issues surrounding any particular launch. Accordingly, the FAA will continue to address payload safety issues that relate to the transport, or launch, of a payload, regardless of whether the payload is within the jurisdiction of the FCC or NOAA or whether it is owned or operated by the U.S. Government.

C. Safety Review for Launch From a Non-Federal Launch Site

Under current practice, the FAA requires a safety review for launch from a non-federal launch site. By this proposed rulemaking, the FAA proposes to codify its requirements for the safety review. Proposed part 417 contains the safety requirements with which a licensee must comply. Part 415, subpart F, would require a license applicant to demonstrate how it will satisfy the requirements of part 417 in order to obtain a license. The FAA would issue a safety approval if an applicant demonstrated that it would meet the safety responsibilities and requirements for launch. The safety review would require an applicant to submit data, prepare test plans, conduct and supply analyses and do so in accordance with specified timetables.

Not unlike what a launch operator must submit to a federal launch range in order to launch from a site such as Cape Canaveral or Vandenberg Air Force Base, a launch operator must demonstrate that it will satisfy the FAA's regulatory requirements. A launch operator will notice some differences. The same work will be performed, but by different entities. Where, for example, a federal launch range will perform much of the flight safety analysis for a launch operator to launch, the lack of a federal range and the proposed requirements would settle that task upon the launch operator. In the course of its safety review, the FAA will review the launch operator's information for validity and accuracy.

D. Part 417, Launch Safety

This proposed rulemaking clarifies the roles and responsibilities of a launch operator licensee. It specifies that a launch operator is responsible under an FAA license for the safety of the flight of its launch vehicle and the launch processing, or preparation of that launch vehicle for flight, at a U.S. launch site.

A launch license encompasses both the flight of a launch vehicle, referred to in common parlance as “launch,” and the launch processing of that vehicle. One of the idiosyncrasies of the Act is its definition of “launch.” The Act defines launch not only as including the flight of a launch vehicle, but as including activities “involved in the preparation of a launch vehicle or payload for launch, when those activities take place at a launch site in the United States.” 49 U.S.C. 70102(3). Accordingly, a launch license covers flight and launch processing, and a launch operator is responsible for the safety of both.

This proposed rulemaking also clarifies a number of issues of which a launch operator must be cognizant. A launch license does not relieve a licensee of other legal obligations. Under 49 U.S.C. 70105(b), unless otherwise provided by that subsection, all requirements of the laws of the United States applicable to the launch of a launch vehicle are license requirements as well. Additionally, this proposed rulemaking would impose on a launch operator the requirement to coordinate with a launch site operator in order for the launch site operator to satisfy its regulatory obligations.

The proposed requirements also highlight the interplay between the application process and compliance with the obligations of a licensee. Because the FAA grants a license based on the representations contained in a launch operator's license application, part of a licensee's obligations under its license are to ensure the continuing accuracy of all material representations. The FAA proposes to impose affirmative verification measures in order to ensure that a launch operator is operating as it represented it would.

In order to outline the proposed regulations, proposed subpart B of part 417 would serve as a guide to other parts of the regulations. It summarizes what a launch operator needs to address to achieve public safety and refers to the particular subpart, section and appendices that contain detailed requirements. This subpart would address a launch operator's safety organization, safety personnel and codify various criteria for the risks and hazards associated with launch.

E. Flight Safety Analysis

1. Introduction

A launch operator would be required to perform flight safety analysis to demonstrate how it would monitor and control risk to the public from hazards associated with normal launch vehicle flight and the potential hazards associated with the flight of a malfunctioning launch vehicle. The proposed regulations would require that a launch operator's analysis consist of a number of separate analyses, both deterministic and probabilistic in content and intent. For all expendable launch vehicles, a launch operator's flight safety analysis would determine the conditions under which the vehicle could be launched safely by demonstrating that the risk associated with the launch satisfied the public risk criteria. In addition, for a launch vehicle flown with a flight safety system as a means of ensuring public safety, the flight safety analysis would define the conditions that would dictate whether or not the flight of the launch vehicle had to be terminated due to safety considerations.

During the licensing process, the FAA would require a launch operator to submit the products of its analysis to demonstrate that the launch operator performed the required analyses properly and has the ability to conduct a launch safely. After licensing, the FAA would also require a launch operator to submit analysis products for each individual launch to provide the data that the FAA would use to verify a launch operator's compliance with the regulations and the terms of the license for each launch. The proposed analyses would thus demonstrate both capability and specific compliance. This has proved to be a successful process historically. The FAA does not, however, foreclose the possibility that a launch operator could dispense with one or more of the proposed analyses through innovation or the applicability of a previously performed analysis for a past mission to a planned mission. Nonetheless, the FAA would require the products of each of these analyses to verify their validity for those launch Start Printed Page 63928operators employing the more traditional approaches, and to serve as a benchmark against which to measure any alternative approach that a launch operator proposes.

2. Flight Safety Analysis for Launch Vehicles That Use a Flight Safety System to Achieve Public Safety

A launch operator would perform a series of analyses to define the extent of its launch vehicle's capabilities and hazards, both during normal flight and in the event of a malfunction. A launch operator would perform a trajectory analysis to determine a launch vehicle's planned nominal trajectory and the potential three-sigma trajectory dispersions about the nominal trajectory. The three-sigma dispersions, which routinely include the effects of winds on a launch vehicle, about the nominal trajectory define the extent of normal flight. A launch operator would perform a malfunction turn analysis to determine how far a launch vehicle's instantaneous impact point can deviate from the nominal trajectory when a malfunction occurs. A launch operator would perform a debris analysis that identifies inert, explosive, and other hazardous launch vehicle debris, such as toxic debris or debris that produces ionizing radiation, resulting from a launch vehicle malfunction and from any planned jettison of launch vehicle components. A launch vehicle's capabilities and hazards may be significantly affected by winds experienced during flight. A launch operator would perform a wind analysis to determine wind magnitude and direction as a function of altitude for the air space through which the launch vehicle will fly and for the airspace through which any malfunction and jettisoned debris may fall.

The launch operator would perform an analysis to establish flight control lines that define where a launch vehicle would be allowed to fly. As part of this analysis, the launch operator would assess the surroundings of its proposed launch site and trajectory to identify the boundaries of populated and other areas requiring protection from the potential adverse effects of the launch vehicle's flight, including, its possible breakup, whether commanded or accidental. The proposed regulations would require a launch operator to border the identified populated and other areas requiring protection with flight control lines, thus defining the region within which the launch vehicle and any breakup and jettisoned debris must be contained.

The FAA reviewed a recent National Academy of Sciences (the Academy) study that recommended that the federal launch ranges create their impact limit lines, which correlate fairly closely to the FAA's own proposed flight control lines, on the basis of risk. Streamlining Space Launch Range Safety, 22, National Research Council (Apr. 2000) (”Streamlining Safety”). The Academy recommended, among other things, that destruct lines be defined and implemented in a way that is directly traceable to accepted risk standards, including collective (EC) and individual risk. The Academy took exception to the creation of impact limit lines on the basis of risk avoidance. Id. at 20 (citing EWR 127-1, par. 2.3.6: “Whenever possible, the overflight of any inhabited landmasses is discouraged and is approved only if operational requirements make overflight necessary, and risk studies indicate probability of impact and casualty expectancy are acceptable.”) The FAA finds that it cannot pursue this recommendation. In the context of impact limit lines, the report makes no case for basing a decision as to what requires protection on the basis of risk. Instead, it ignores the portion of EWR 127-1 that permits overflight on the basis of risk through the creation of gates, which are the width of a destruct line opened for a normally performing vehicle,. Gates are acceptable only if risk levels are acceptable. EWR 127-1 at par. 2.3.6. The FAA proposes, like the federal launch ranges, to require the protection of populated areas, and permit the creation of gates as an exception to the flight control lines requirement. If the Academy means to suggest that impact limit lines or flight control lines should be created on the basis of risk, the Academy did not suggest how this should be accomplished or provide a justification. The FAA is also troubled by the possibility that the Academy recommendation could mean that certain populated areas and members of the public near a launch site would no longer benefit from being protected from a malfunctioning launch vehicle. The FAA does not believe that the Academy intended to distinguish between the levels of protection some members of the public are afforded. Accordingly, the FAA will not seek to deviate from the federal launch range approach to the creation of either impact limit lines or, as the FAA proposes, flight control lines.

The launch operator would perform a series of analyses to determine the conditions that would require termination of a launch vehicle's flight and to establish flight termination rules. Unless otherwise approved during the licensing process, the proposed regulations would require a launch operator to employ a traditional U.S. flight safety system where flight termination is accomplished by destroying the launch vehicle and ensuring that any resulting hazards are contained within an area that is isolated from the public. In general, if a launch vehicle strays off course, it must be destroyed or its thrust terminated before the vehicle, payload, or resulting debris is able to impact any populated or other protected area outside the established flight control lines.

A launch operator would perform a flight safety limits analysis and institute flight termination rules to establish the conditions under which the launch operator would have to terminate a malfunctioning launch vehicle's flight to ensure that the launch vehicle's debris impact dispersion does not extend beyond the flight control lines, or conflict with the risk criteria. A launch operator's flight safety limits analysis would have to account for any time delay that exists between recognizing that a malfunction has occurred, the point in time that a flight termination command is sent and the launch vehicle's destruction. A launch operator would perform a time delay analysis to determine the elapsed time, including an allowance for the flight safety official's decision and reaction time, between the start of a launch vehicle malfunction or violation of flight safety limits and the final motion of the vehicle's impact point or commanded flight termination.

Additional proposed analyses would address other conditions requiring termination of flight. If a launch vehicle malfunctions and flies a vertical or near vertical trajectory, usually referred to as a straight-up trajectory, rather than following a normal trajectory downrange, a launch operator would perform a straight-up time analysis to determine the latest time-after-liftoff by which flight termination must be initiated. If a launch operator lost all launch vehicle tracking data and did not regain tracking data for an amount of time sufficient for a launch vehicle to reach a populated or other protected area, the launch operator would have to terminate flight. A launch operator would perform a data loss flight time analysis to determine the shortest elapsed thrusting time during which a launch vehicle could move from its normal trajectory to a condition where the public might become endangered.

The FAA would permit flight over any populated or other protected area if a launch operator establishes a gate through a flight control line or other flight safety limit boundary. A launch Start Printed Page 63929operator would perform an analysis to determine any gate in a flight control line or other flight safety limit boundary, through which a launch vehicle would be allowed to pass without a launch operator being required to terminate flight. A launch operator would have to perform a risk analysis to determine whether the overflight permitted by the gate was acceptable and satisfied the risk criteria.

The FAA wishes to caution its licensees that proposed changes in the African gate may affect certain launches, and requests comments from its licensees on the possible impacts. A licensed launch operator would have to satisfy the requirements of proposed part 417. That would include the requirements governing the creation of a gate. The National Academy of Sciences report recommended that the Air Force consider not retaining downrange equipment and facilities in support of the African or other gates. Streamlining Safety at 24. If such a move conflicted with the FAA requirements governing creation and use of a gate, a launch operator would have to provide its own support for any launch employing the gate.

The FAA's proposed requirements would require a launch operator to terminate the flight of an abnormally performing launch vehicle prior to permitting land overflight. The Academy pointed out, without quantifying the costs, that the current downrange equipment that supports a termination decision is expensive. Streamlining Safety at 20. The Academy also noted that coordinating launches with remote facilities complicates range safety operations and increases the risk of delay. Id. The Academy also maintained that the need for downrange facilities was not necessary from a safety perspective. The FAA requests public comment on the Academy's position in light of the considerations addressed below.

The Academy argued for removal of the downrange facilities from a safety perspective. It stated that several factors suggested that the risk standard could still be satisfied with fewer facilities. In pursuit of this argument, the Academy reviewed the collective risk associated with launch of an Atlas. Streamlining Safety at 20-22. It did not, however, address launches that might present worst case scenarios such as the evolved expendable launch vehicles, whose flight time and opportunity for some type of malfunction between last contact and the commencement of overflight will be correspondingly greater, and whose instantaneous impact point range rate will be slower and whose dwell time over Africa or Europe will increase proportionately. Accordingly, the FAA believes that before it is possible to determine whether downrange facilities are superfluous to safety that a good analysis would consider the contribution of the overflight of launch vehicles other than an Atlas to the total mission risk, and whether those contributions would result in EC being exceeded.

Additionally, although Streamlining Safety quantifies the probability of impact to Africa, it does not provide the expected casualty contribution of that overflight. Instead, it cites a report regarding downrange risks created by an Athena or Titan launch vehicle for the proposition that “the risks from flying over Africa appear to be well within the standard acceptable for the U.S. population.” Id. at 21 (citing “Estimation of Downrange Risks for Northeast Titan and Athena Launches,” Research Triangle Inst., Ward (1997)). Whether these conclusions apply to an Atlas launch vehicle as well is unclear. Additionally, it is unclear whether the Academy's observations regarding the risks associated with the remainder of a launch mean that the Academy is aggregating the mission risks as it should, or applying different Ec thresholds to the populations of different continents. The FAA would appreciate any available clarification to this possible ambiguity.

Additionally, the FAA believes that the relationship of downrange risk analysis and the African Gate needs further clarification. When performing a risk study, the federal launch ranges do not look at regions of overflight unconstrained, but rather narrows their analysis to a hazard corridor defined in part by the width of the African or European Gate. In fact, because most launches are over the less densely populated southern half of Africa, moving the gate uprange could enlarge the hazard corridor for overflight and include higher population centers. Determining a gate, which is the width of a destruct line opened for a normally performing vehicle, would become dependent on the region of overflight for which risk has been accepted and the modes of failures considered in the risk analysis. Thus, by moving the gate further uprange, a concern over the proper gate width is created and needs to be defined. Should this be based on some limited vehicle performance, such as three-sigma performance, as suggested by the Academy's references to Western Range restrictions of flight azimuths, or more in terms of the maximum performance that will still allow orbital insertion as implemented by the Eastern Range? The latter is less restrictive than three-sigma vehicle performance requirements and allows larger overflight regions than if based strictly on three-sigma performance.

In accordance with this notice of proposed rulemaking, a launch operator would also perform a series of analyses to determine the safety conditions and criteria under which the flight of a launch vehicle might be initiated. A launch operator would perform a flight hazard area analysis to determine the land, sea, and air regions that would have to be publicized, monitored, controlled, or evacuated at the time of flight in order to inform the public and comply with the risk criteria in the event of planned and unplanned launch vehicle flight events. The hazard area analyses would contain both probabilistic and deterministic elements and would provide the launch operator the information necessary to establish exclusion, notice and surveillance zones, as well as other information required for flight commit criteria, which are the criteria which must be satisfied prior to flight. In order to meet flight commit criteria, a launch must comply with both the individual and collective risk criteria during planned and unplanned launch vehicle flight events. Hazard area analysis would include a blast hazard area analysis and determination of ship, aircraft, and individual risk hazard areas. A launch operator would perform a debris risk analysis to determine the expected average number of casualties to the collective and individual members of the public exposed to inert and explosive debris hazards from the proposed flight of a launch vehicle. This analysis would include an evaluation of risk to populations on land, including regions of launch vehicle flight following passage through any gate in a flight safety limit boundary. A launch operator would perform a toxic release analysis to determine the extent and amount of any public hazard resulting from any potential toxic release during preflight processing and flight of a nominal or non-nominal launch vehicle and to develop launch safety rules, including flight commit criteria to protect the public from any potential toxic release. A launch operator would perform a distant focus overpressure blast effects risk analysis to demonstrate that the potential public hazard resulting from impacting explosive debris would not cause windows to break with related injuries. This analysis would also contribute to any flight commit criteria necessary to comply with the public risk criteria. Start Printed Page 63930Further discussion on the distant focus overpressure blast effects risk analysis is provided in section III.E.5 of this discussion.

A launch operator would obtain a conjunction on launch assessment performed by United States Space Command to identify any periods of time, referred to as “waits,” within a planned launch window, during which period flight would not be permitted in order to maintain a 200-kilometer separation between the launch vehicle and any inhabitable orbiting object.

3. Aircraft and Ship Hazard Areas for Guided Launch Vehicle and Unguided Suborbital Rocket Launches

The proposed regulations would require a launch operator to determine aircraft and ship hazard areas. Near the launch point, these hazard areas would constitute part of a flight hazard area. Outside the flight hazard area, aircraft and ship hazard areas would be necessary to protect against planned stage impacts and other intentionally ejected debris such as a fairing, payload, or other component. The FAA proposes requirements for launch operators to provide information for public notification of aircraft and ship hazard areas, and proposes requirements for when such hazard areas would have to be surveyed to ensure that the public risk criteria are satisfied for each launch.

a. Aircraft hazard areas. For the protection of aircraft during flight of a guided launch vehicle or an unguided suborbital rocket, the FAA proposes to require that a launch operator initiate flight only if the probability of the launch vehicle or debris impacting any individual aircraft that is not operated in direct support of the launch does not exceed an individual probability of impact of 0.00000001 (Pi≤1×10−8).

For the immediate area around the launch point, the proposed regulations would require a launch operator launching a guided launch vehicle to establish an aircraft hazard area. The aircraft hazard area would consist of and encompass the air space region defined by the flight hazard area, which would, in turn, encompass an aircraft-hit contour that shows where the probability of impacting an unrelated aircraft would exceed 1×10−8, with an altitude extending from zero to 60,000 feet. For an unguided suborbital rocket, for the protection of aircraft, a launch operator's flight hazard area would be required to encompass the unguided suborbital rocket's three-sigma trajectory dispersion in the air space region from the Earth's surface at the launch point to an altitude of 60,000 feet.

For each downrange planned impact of a launch vehicle stage or component, the proposed regulations would require a launch operator to establish aircraft impact hazard areas to ensure that the 1×10−8 criterion is satisfied. The proposed regulations would also require that an aircraft hazard area for a planned impact encompass the three-sigma dispersion of the impacting launch vehicle stage or component. This requirement is intended to provide a high level of assurance both that a hazard area encompass the planned debris within the hazard area and that risk remains at acceptable levels. The FAA proposes that a launch operator ensure that an aircraft hazard area encompasses an air space region that contains the larger of the three-sigma impact dispersion ellipse or an ellipse, where, if an aircraft were located on the boundary of the ellipse, the probability of hitting the aircraft would be less than or equal to 1×10−8 and the debris path from an altitude of 60,000 feet to impact on the Earth's surface. This would ensure that a hazard area encompasses where the debris would fall and confines the area of risk. This requirement would apply to planned impacts from both guided launch vehicles and unguided suborbital rockets. A launch operator would have to ensure through communication with the FAA's air traffic control (ATC) facility having jurisdiction over the affected airspace that notices to airmen were issued and in effect at the time of flight for each aircraft hazard area.

Although an aircraft hazard area serves, through notices to airmen, to exclude or warn away aircraft from travelling too close to a launch, the size of that hazard area is usually determined through probabilistic means, and the FAA proposes to continue that practice. In other words, no aircraft would be allowed where the risks of impact are too great. Under current practice the federal launch ranges provide the air traffic control facility the outlines of an aircraft hazard area of which aircraft are notified. The federal launch ranges determine those aircraft hazard areas on the basis of the risk presented. NASA's Wallops Flight Facility implements an aircraft hit probability that equates to an individual aircraft hit probability of 1×10−8. See Range Safety Manual for Goddard Space Flight Center/Wallops Flight Facility, RSM-93, 24 (1993) (applying 1×10−7 criteria to 10 aircraft). Although EWR 127-1 does not contain an impact probability criteria, the Western Range employs an aircraft hit probability of 1×10−8 for planned impact hazard areas. Through this notice, and consistent with current practice as articulated by Wallops and the Western Range, the FAA proposes to follow the same course.

In its report on space launch range safety, the National Academy of Sciences suggested 1×10−6 as the appropriate measure of probability of impact. Streamlining Safety at 38. The Academy maintained that its proposal was more consistent with the individual ship hit impact probability criteria and Ec. Id. The FAA understands that the 1×10−6 aircraft hit criterion is used by some federal ranges for aircraft that support a launch such as weather and launch surveillance aircraft. This criterion does not account for the large numbers of people that may be aboard an aircraft not involved in the launch. Because the FAA wishes to maintain the same level of public safety as achieved by the federal launch ranges, the FAA is not proposing the suggested measure, which constitutes an increase in risk to the public.

There is one special situation that arises in the context of suborbital rockets, and that has led the FAA to consider permitting a launch operator to propose the creation of alternate aircraft hazard areas. The large dispersions of some unguided suborbital rockets' planned impact points create a conundrum. The requirements for creating an aircraft hazard area unearthed certain incongruities where, on the one hand, satisfaction of the probability of impact criteria would create a hazard area of no significant size at all; while, at the same time, employing the criteria for the aircraft hazard area to contain the three-sigma impact dispersion could result in a hazard area that is prohibitively large to implement. The FAA proposes to resolve this difficulty through creation of an alternate hazard area.

For the launch of an unguided suborbital rocket, if the impact of a stage or component has a three-sigma dispersion that results in an aircraft hazard area that is prohibitively too large to implement with the ATC, a launch operator may employ an alternate aircraft hazard area. The FAA proposes that a launch operator provide a clear and convincing demonstration, through the licensing process, that any alternate aircraft hazard area provides an equivalent level of safety based on further analysis of the proposed launch and potential air traffic in the launch area.

b. Ship hazard areas. Through this notice of proposed rulemaking, the FAA proposes requirements designed to keep a launch vehicle and its components Start Printed Page 63931from impacting ships when launching over water. A launch operator must identify where its launch vehicle's stages or other planned ejected debris or debris from a launch vehicle failure will impact, the corresponding ship hazard areas, whether the launch operator needs to survey the hazard areas for ships, and whether risks at the time of flight require that a launch operator wait until any ships have passed from a ship hazard area before initiating flight.

The standards governing the identification, surveillance and notice requirements for hazard areas for ships differ among the federal launch ranges based on their individual needs. The FAA's proposed requirements are an adaptation of the approaches used at the federal ranges resulting in a universally applicable approach. In accordance with the proposed requirements a launch operator would determine the collective probability of impacting a ship in the flight hazard area around the launch point and for each planned downrange impacting stage or component. The launch operator would perform a collective ship-hit analysis to determine the ship hazard areas and flight commit criteria and to determine whether the launch operator must survey the ship hazard areas. A launch operator would be permitted to initiate flight under these requirements only if the collective probability of impacting any ship would be less than or equal to 1×10−5. If a launch operator demonstrates, using statistical ship density data, that the collective ship-hit probability in the flight hazard area around the launch point or for the planned impact of a stage or component is less than or equal to 1×10−5, a launch operator would not need to survey the hazard area on the day of flight. Due to the uncertainty associated with statistical ship density data, the FAA is proposing that any ship density data obtained from a statistical source must be multiplied by a safety factor of 10 when used for any collective ship-hit probability analysis. This is because statistical density information is generally an average figure, does not reflect variances in time and is typically subject to limitations or other biases associated with deriving the density. If the launch operator fails to demonstrate that the collective ship-hit probability for the flight hazard area or an impacting stage or component is less than 1×10−5, using statistical ship density data, the launch operator would be required either to compute the probability of hitting the actual ships surveyed on the day of flight or define ship-hit contours and ellipses, which the launch operator would be required to survey for ships on the day of flight.

The proposed requirements would permit a launch operator to launch only if the collective probability of hitting any ship was less than or equal to 1×10−5.[3] A launch operator would determine this probability in one of two fashions. Under the first approach, a launch operator would, on the day of the planned flight, survey the ships in the vicinity of the flight hazard area and any planned impacts within 30 minutes of flight, and compute the probability of hitting a ship based on the number of ships surveyed. The analysis would account for the changes in impact locations resulting from any wind weighting operations on the day of flight, the speed of each ship in the vicinity of the impact area, and the ships' predicted location at the time of liftoff. The analysis would have to demonstrate that the collective probability of hitting a ship during flight was less than or equal to 1×10−5 in order for flight to occur.

If a launch operator preferred to conduct the analysis in advance of the day of flight, the launch operator could demonstrate that its launch would take place in accordance within the limit on the probability of impact by creating ship hit contours in the flight hazard area and ship-hit ellipses around each planned impact point. Ship-hit contours and ellipses would be required for one through ten ships in increasing increments of one ship. For a given number of ships, the associated ship-hit contour or ellipse would be required to encompass an area where if the ships were located on the boundary of the contour or ellipse, the probability of impacting one of the ships would be less than or equal to 1×10−5. The launch operator would then survey on the day of launch to ascertain that less than the corresponding number of ships were present within each contour and ellipse. The launch operator would also have to create flight commit criteria that accounted for the winds used in the analysis in order to ensure that flight did not take place unless the winds on the day of flight were within the winds used in the analysis.

Through this rulemaking, the FAA proposes a refinement to the notice and surveillance requirements, as they are implemented at the federal launch ranges. As under current practice, the FAA proposes to require satisfaction of the 1×10−5 collective ship-hit criterion in order for flight to occur. What would change is the nature of the verification required. Today at the federal launch ranges, surveillance takes place for ships in the vicinity of the launch point. The ranges do not survey downrange planned impact points because they assume that ship density is significantly less in those downrange locations. Through this notice, the FAA would require a launch operator desirous of avoiding surveillance in the flight hazard area or downrange planned impact areas to obtain confirmation of the density of ship traffic and demonstrate that the probabilities of impact for each launch are below 1×10−5, and the FAA would permit the use of statistical ship density data. Due to the uncertainty associated with any statistical ship density data and to make up for the lack of real-time surveillance, the FAA is proposing that any ship density obtained from a statistical source would have to be multiplied by a safety factor of 10 when used for the required collective ship-hit probability analysis. The FAA anticipates that in most cases of downrange planned impact, the criteria will be satisfied and that surveillance will continue not to be necessary. However, this approach would have universal applicability and would address a launch scenario with a planned impact point in an area where shipping density is relatively high and surveillance might become necessary in addition to posting a notice to mariners. For someone launching from the ocean, such as Sea Launch, surveillance requirements may decrease. However, the FAA does request public comment on this particular proposal and any available data that might show whether the criteria is indeed adequate to dispense with surveillance in either the flight hazard area or downrange.

As a final observation, the FAA is aware that the National Academy of Sciences addressed ship hazard areas and the requirements governing them in its study Streamlining Safety. Id. at 45. The Academy recommended that the federal launch ranges consider changing their threshold for probability of impact to increase the risk to ships and advised that the ranges conduct additional Start Printed Page 63932studies. Id. at 37, 45. In the interest of maintaining the same level of safety as achieved by the federal launch ranges, the FAA is reluctant to follow this recommendation absent some compelling countervailing reason.

The Academy bases its recommendation on an argument for consistency between the ranges. Streamlining Safety at 45. Although the Eastern Range may initiate a launch hold or scrub if the collective risk exceeds 1×10 −5, the Academy thought that the inconsistency between this approach and the Western Range's use of individual risk and what it characterized as accepted guidelines for the evacuation of hazard areas called for the use of individual risk. The FAA is not persuaded that this apparent inconsistency provides sufficient grounds for change; more so, because, in actuality, the Western Range employs individual risk because it has less shipping traffic to address. Were ship densities higher, the Western Range would also employ collective risk to ensure that a launch did not place any ship at risk.

4. Flight Safety Analysis for Unguided Suborbital Rockets Flown With a Wind Weighting Safety System

A launch operator would perform flight safety analysis to determine the launch parameters and conditions under which an unguided suborbital rocket could be flown using a wind weighting safety system and without a flight safety system. The results of this analysis would demonstrate whether any adverse effects resulting from flight would be contained within controlled operational areas that are isolated from the public. The analysis would also have to show whether any flight hardware or payload impacts would occur within planned impact areas that are isolated from the public. If such containment and isolation cannot be achieved, the launch operator must conclusively show that any adverse effect resulting from flight will not exceed individual or collective public risk criteria. The launch operator would perform a trajectory analysis, a hazard area analysis, a debris risk analysis, analyses for toxic and distant focus overpressure hazards, and a conjunction on launch assessment similar to those required of a launch vehicle with a flight safety system. The launch operator would also perform a wind weighting analysis to determine launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on an unguided suborbital rocket due to wind forces.

A launch operator must identify the dispersion around its nominal drag impact location. The launch operator must identify that area by analyzing the performance error parameters associated with the rocket's design and operation. A performance error parameter acts as a source of deviation from nominal performance. It is a quantifiable perturbing force that contributes to the dispersion of the launch vehicle's drag impact point in the uprange, downrange and crossrange directions. Performance error parameters typically include thrust, thrust misalignment, specific impulse, weight, variation in firing times of the stages, fuel flow rates, contributions from the wind weighting safety system employed, and winds.

5. Protected Areas and Flight Control Lines.

For a launch vehicle that uses a flight safety system to ensure public safety, a launch operator would establish flight control lines that border populated and other areas requiring protection. By implementing flight safety limits and flight termination rules, a launch operator would keep debris created by a malfunctioning launch vehicle from impacting any populated or other protected area outside the flight control lines. As part of the analysis to determine flight control lines, a launch operator would identify the boundaries of the areas that must be protected. To account for the uncertainties in knowing exactly where a protected area is on the face of the Earth in relation to the position of a launch vehicle, a launch operator would add map and tracking errors to offset flight control lines from the protected areas. The flight safety limits would account for the errors and dispersions associated with the launch vehicle and flight safety system, which includes the flight termination sequence of events.

The FAA notes that the proposed flight control lines are not unlike the impact limit lines currently employed by the federal launch ranges. The FAA intends the flight control lines as general performance requirements and also notes that employing impact limit lines as implemented by the federal launch ranges would satisfy the FAA's proposed requirements. The FAA proposes to employ the different terminology to clarify what is to be protected. EWR 127-1 defines an impact limit line as a hazardous launch area and the boundary within which trajectory constraints and flight termination systems are used to contain an errant launch vehicle and vehicle debris. EWR 127-1 at 1-vii (Oct. 31, 1997). In practice, an impact limit line is not a “line in the sand.” A worst-case map and tracking error could result in an impact beyond an impact limit line without necessarily indicating a failure of the flight safety analysis or the flight safety system as long as there is no impact of a protected area. Thus, an impact limit line does not mark only what must be protected.

One of the proposed criteria for establishing flight control lines dictates that flight control lines must protect any land area not controlled by the launch operator. The FAA's protected areas would not only include towns, cities and other obviously populated areas, but all land areas outside the control of the launch operator because of the relatively high probability that people could be present on any land and the fact that any land may constitute property or contain the property of others. The safety of ships and aircraft would be addressed through the establishment of hazard areas and flight commit criteria as discussed earlier in this notice.

If the overflight of a land area not controlled by the launch operator is necessary as part of normal flight, it may be accomplished by first establishing the flight control lines and then establishing a “gate” in the flight control lines in accordance with the risk criteria for overflight of land. A launch vehicle would be allowed to pass through a gate only if the vehicle was performing within normal limits. The land areas within a gate are still considered protected. The flight control lines protect such land areas up until the launch vehicle enters the gate. If the launch vehicle began to malfunction before it reached the gate, the flight safety system would terminate the flight before the launch vehicle reached the flight control line or the gate. FAA requirements would permit the launch vehicle to enter the gate and overfly a land area only if the launch operator obtained positive in-flight verification that the launch vehicle had performed within normal limits up to that point and performance parameters indicated that the launch vehicle would continue to perform normally and the launch vehicle's dwell time was such that it satisfied the risk criteria.

In addition to using the flight safety system, flight control lines, and gates as positive deterministic means to protect people and property, the regulations would also allow application of risk assessment techniques to quantify the risk to people in a proposed land overflight for purposes of determining whether the risk remains within acceptable limits. In effect, a launch operator's debris risk analysis would serve to restrict land overflight on the basis of the size of the population in any Start Printed Page 63933land overflown. For example, the FAA expects that no launch in the foreseeable future would be able to meet the E C criteria of 30×10−6 if the planned trajectory involved placing a gate in a flight control line that would result in overflight of a city or other densely populated area.

Flight control lines present other issues as well. The FAA defines the public to include other launch operators located at the same launch site. See Launch Site NPRM, 64 FR at 34334. The FAA's proposed use of a flight safety system and flight control lines would not necessarily provide protection for the property of such launch operators.[4] This is in keeping with the current practice at the federal launch ranges. Currently, at the federal launch ranges, two launch pads may be situated such that if flight control lines were drawn to demarcate and protect the property of others, launch might not take place at all because the flight control lines might intersect the normal flight trajectory. The unintended consequence of such an intersection at a federal range would be the requirement to destroy a perfectly good launch vehicle.

The basis of the FAA's proposed approach to ensuring the safety of another launch operator's property at the launch site is that, unlike the general public outside the launch site, another launch operator is in a significantly better position to be informed of launch activities and to participate in decisions on the best way to protect its property. The safety of another launch operator's property would be addressed through efforts coordinated by the launch site operator. Launch Site NPRM, 64 FR at 34337, 34364 (proposed section 420.55 and accompanying discussion). In this case, the FAA would not mandate how the safety of property is achieved, but would require that the coordination take place. As part of coordination with a launch site operator, a licensed launch operator would be required to provide any information on its activities and its potential hazards necessary to determine how to best protect another launch operator's property. For example, through coordinated scheduling, another launch operator may simply elect to ensure that its launch vehicle is not present when another launch is scheduled.

The FAA's flight control line requirements are not intended to preclude private arrangements that would result in more narrowly drawn flight control lines. After all, a launch site operator would have responsibility for coordination of its customers. For launch sites located outside of a federal launch range, where a launch site operator has the opportunity to select optimum launch point locations, the site operator could site each launch point so that it would be protected by flight control lines. Such a site operator would also be free to designate contractually that certain areas or property at a launch site or downrange be protected by flight control lines. The federal launch ranges do this today, describing impact limit lines around downrange assets such as transmitters whose loss would disrupt not just one but many launches. By not requiring flight control lines to protect the property of others at a launch site the FAA does not mean to imply that a launch operator might not face liability for any damage it caused to the property of others. Accordingly, the FAA recognizes that a launch site operator, in fulfilling its obligations under proposed section 420.55, and a launch operator, in the interests of avoiding damage to the property of others, may wish to establish flight control lines more stringent than those required by the FAA's proposed regulations.

A launch site operator's ability to require a launch operator to establish flight control lines by contract may create some confusion as to what is mandatory under the regulations. Regardless of whether a flight control line imposed by a launch site operator is more stringent than FAA requirements or not, that flight control line would still be mandatory under FAA regulation. Although flight control lines drawn within a launch site are not themselves required by FAA regulations, they are mandatory once included within the launch operator's flight safety plan. Because a flight safety plan is approved as part of the licensing process, it is mandatory upon a licensee. See 14 CFR 415.73(a).

6. Distant Focus Overpressure Blast Effects Risk Analysis

A launch operator would be required to conduct an analysis to demonstrate that the potential hazard resulting from impacting explosive debris, including impact of an intact launch vehicle, would not cause public exposure to distant focus overpressure blast effects, sufficient to break windows and cause injuries. Impacting explosive materials, both liquid and solid, have the potential to explode. Given the appropriate combination of atmospheric pressure and temperature gradients, the impact explosion can produce distant focus overpressure at significant distance from the original blast point. Overpressures ranging from as low as 0.1 psi and greater may cause windows to break; but, depending on the size and thickness of windows and number of panes in each window in the locality of the launch site, other forms of overpressure such as multiple pulses may prove hazardous as well. Also, different levels of overpressure can occur at different distances depending on atmospherics and the explosive yield. A launch operator would have to address whichever levels and forms of overpressure created a hazard for the windows in the locale.

The distant focus overpressure explosion hazard primarily arises out of the impact of un-ignited solid propellant motors or failures of segmented motors so that portions of the motor impact intact,[5] and, when the weather conditions for inversion and lapse layers are right, the overpressure can focus in distant locations. A weather condition, referred to as an inversion, where sonic velocity increases with altitude, reflects the shock wave back toward the surface, where it can produce an increased overpressure at distances far from the source of the blast. The largest overpressure increase is produced from a caustic condition where the sonic velocity first decreases from its surface value and then increases beyond its surface value with increasing altitude.

The federal launch ranges typically assess the hazards of potential distant focus overpressure on a programmatic basis to determine if any population may be at risk for a given combination of launch vehicle and launch point. Based on this analysis a federal range may or may not perform an analysis for each launch. The FAA considered the option of not requiring this analysis. The FAA is aware of only a few launches involving the largest launch vehicles being delayed due to concerns regarding distant focus overpressure. This raised the question of whether sufficient grounds for concern exist to export this requirement to non-federal launch sites. However, because breaking windows or glass may cause injury to the public and the purpose of this rulemaking is to address all potential expendable launch vehicles, from all launch sites, the FAA proposes to retain this requirement. A launch operator would employ either a deterministic or Start Printed Page 63934probabilistic analysis approach. For the deterministic approach, the launch operator would use the methodologies contained in the American National Standard Institute's ANSI S2.20-1983, “Estimating Air Blast Characteristics for Single Point Explosions in Air with a Guide to Evaluation of Atmospheric Propagation and Effects” to identify any populations that may be at risk and to establish flight commit criteria and other hazard mitigation measures. When using a probabilistic approach the launch operator would demonstrate through a distant focus overpressure risk analysis that the launch will be conducted in accordance with the proposed public risk criteria. The FAA proposes to evaluate any distant focus overpressure risk analysis on a case-by-case basis.

7. Dependent Analyses

Many of the proposed analyses are inherently dependent on one another. A launch operator would be required to ensure that each analysis product or data output is compatible in form and content with the data input requirements of any dependent analysis. A chart is provided in order to assist launch operators in determining which analyses depend on other analyses. The left column of figure 1 lists each analysis that is a source of data to be used as input by another analysis. The remaining columns in figure 1 identify the analyses that are dependent on the data from each data source analysis. The dependencies identified in figure 1 may vary depending on the methods that a launch operator chooses to implement to meet the proposed requirements for each analysis. A launch operator would have to understand the dependencies that its analyses have on one another in order to ensure that the overall analysis results accurately reflect the proposed launch and provide for public safety. The following paragraphs provide some examples of these dependencies that are of particular interest.

Start Printed Page 63935

All of the analyses depend on some form of trajectory analysis. Before a launch operator can analyze malfunction turns, establish flight safety limits or hazard areas, or perform various risk analyses, the launch operator must have a clear understanding of what the launch vehicle's trajectory would be under normal conditions when the vehicle performed as intended. For example, a launch operator would employ a point along the nominal trajectory as a starting point for a malfunction turn. As another example, in order to establish flight control lines and any gates in a flight control line that define the region over which a launch vehicle would be allowed to fly, a launch operator would have to know the limits of normal launch vehicle flight. The other proposed analyses have a similar dependence on the results of the trajectory analysis. An error made when performing the trajectory analysis or in translating the output of the trajectory analysis into input for the other analyses, can have a ripple effect, resulting in invalid analysis results with a potential negative effect on public safety.

Before a launch operator can establish flight safety limits or hazard areas to protect people and property from flight hazards, the launch operator must have a clear understanding of those hazards, which is the primary purpose of the debris analysis. A launch operator would conduct a debris analysis to identify inert, explosive and other hazardous launch vehicle debris resulting from a launch vehicle malfunction and from any planned jettison of launch vehicle components. A debris analysis would list and categorize the debris that would result from planned events and the potential activation of a flight termination system or spontaneous breakup due to a launch vehicle failure. Each debris piece would be categorized according to its physical properties and other characteristics, such as whether it is inert or explosive and the effects of impact, such as explosive overpressure radius, skip, splatter, or bounce. A launch operator 's flight safety limits analysis and hazard area analyses would use the debris characteristics established by the debris analysis to determine the debris impact dispersion, which shows where the debris might travel as it falls through the atmosphere and as it is affected by conditions such as wind and changing air density. The products of the debris analysis would also be used to determine where planned stage impacts would occur and, in the event of a malfunction, to ensure activation of the flight safety system in sufficient time to keep the impacting debris from impacting outside the flight control lines. The hazard area analysis would use debris data to identify the land, sea, and air regions that would have to be publicized, monitored, controlled, or evacuated in order to protect the public from potential impacting debris and comply with the public risk criteria.

As a final example, the debris analysis products would be employed in a debris risk analysis to determine the expected average number of casualties (EC) to the collective members of the public exposed to inert and explosive debris hazards from any one launch. The calculation of EC is dependent on the effective casualty area of the debris. A debris risk analysis would determine the effective debris casualty area as a function of, among other factors, launch vehicle flight time, whether the debris is from a launch vehicle breakup or a planned spent stage or jettisoned component impact, and whether the debris is inert or explosive on impact or dissipates through burning during its fall. A launch operator's debris analysis would also determine the effective casualty area for debris resulting from both payload and vehicle systems and subsystems.

8. Casualty Due to Debris

A launch operator should be aware that a debris analysis raises issues that have been the subject of debate for some time with respect to the definition of casualty. By this notice, the FAA proposes to employ its definition of serious injury as part of its definition of casualty. The FAA defines serious injury to mean any injury which requires hospitalization for more than 48 hours, commencing within seven days from the date the injury was received; results in a fracture of any bone (except simple fractures of fingers, toes, or nose); causes severe hemorrhages, nerve, muscle, or tendon damage; involves any internal organ; or involves second- or third-degree burns, or any burns affecting more than five percent of the body surface. See 14 CFR 401.5 (referencing “serious injury” within definition of “launch accident”).

The proposed debris analysis requirements would require a launch operator to identify each piece of debris. In determining the debris hazard area that constitutes part of a flight hazard area and in defining ship-hit contours, the proposed regulations would require a launch operator to account for debris pieces with a ballistic coefficient of three or greater. The FAA realizes that, depending on circumstances, the impact of a person by a debris piece with a ballistic coefficient of less than three might cause a casualty and conversely, a debris piece with a higher ballistic coefficient might not cause a casualty. However, based on a review of the approaches used at the federal launch ranges, the FAA believes that using a ballistic coefficient of three when determining hazard areas and performing debris risk analyses provides for an appropriate level of safety.

The Western Range has historically analyzed all debris, regardless of how small the debris may be. The Eastern Range uses a ballistic coefficient of three as the measure of concern. The FAA proposed a ballistic coefficient of three in its Launch Site NPRM. A ballistic coefficient of three correlates approximately to a hazardous debris piece possessing 58 foot-pounds of kinetic energy, the Air Force explosive safety standard for debris that would produce a casualty. “Casualty Areas from Impacting Inert Debris for People in the Open,” RTI/5180/60-31F Montgomery and Ward, 2.2 (Apr. 13, 1995). This report recognizes the difficulties in establishing a suitable threshold expressed in terms of kinetic energy. Id. (citing “Estimation of Casualty from Impacting Debris,” ACTA, Inc., Technical Rep. No. 39-217/15-01, prepared for the U.S. Department of the Air Force (Sept. 29, 1989)). Those difficulties may be illustrated through example. For instance, a tackled football player who experiences an energetic impact of 400 to 500 foot-pounds usually is not injured. On the other hand, someone who stops a 38-caliber bullet having a kinetic energy of only 120 foot-pounds may well be killed. Other difficulties in employing kinetic energy as an indicator of a hazard are apparent as well. A piece of launch vehicle debris with an area of one square foot and a tumbling ballistic coefficient of two can have a vertical velocity component at impact of about 21feet per second and a kinetic energy of about eight foot-pounds. Although a broad side impact from the debris piece might leave a person unharmed, a slashing end-on impact might result in a serious wound.

Accordingly, although the Air Force uses 58 foot-pounds as a safety standard for a hazardous debris fragment , the FAA does not consider 58 foot-pounds a sufficiently adequate measure of what might produce a casualty. ACTA points out that this impact energy could be obtained with a full 12-ounce beverage can dropped from seven stories up, and that it could kill someone at street level. “Estimation of Casualty” at 1-10. Nor does reliance on kinetic energy account Start Printed Page 63936for the surface area over which the impact may occur, or the duration of the impact, both of which are significant.

As a result, as the FAA proposed in the Launch Site NPRM, the FAA proposes to rely on a ballistic coefficient of three. See Launch Site NPRM, 64 FR at 34347 (relying on ballistic coefficient of three “because it is the most wind sensitive debris piece with a potential for harm of reasonable significance.”).

9. Collective Risk

As in previous rulemakings, this rulemaking raised a number of issues regarding risk. The FAA has had to address whether or not to limit risk based on an aggregation of the risks associated with each common launch hazard, whether to set a risk limit for each hazard separately and questions regarding the contribution of a flight termination system failure to risk in the launch area. The FAA proposes to limit acceptable risk to an aggregation of all hazards. On the basis of practices at the federal launch ranges, the FAA proposes to require consideration of the possibility of a flight termination system failure as a contributor to the risk of debris.

a. Aggregation of hazards to measure risk. In 1999, the FAA adopted a risk standard for debris which permitted launch only if flight of the launch vehicle did not exceed an expected average number of 0.00003 casualties (EC) per launch (EC≤30×10−6). 14 CFR 415.35(a). In this notice the FAA proposes to set a collective risk standard that accounts for all hazards, not just for debris, including such common hazards as those associated with toxic releases and blast overpressure. As permitted by 127-1, different federal launch ranges have different practices. EWR 127-1 establishes launch risk guidance on “a collective risk level of not more than 30 casualties in 1 million (30×10−6) for the general public.” EWR 127-1, 1-12, 1.4d (Oct. 31, 1997). The Air Force has not made a final decision on what that measure reflects. See id. at 1-41, Appendix 1D, 1D.1b (“The overall risk levels may or may not be an additive value that includes risks resulting from debris, toxic and blast overpressure exposures.” (Emphasis added.)) In practice, this has resulted in differing approaches at the Eastern and Western Ranges.

Historically, the 30th Space Wing, which oversees safety at the Western Range at VAFB, has reviewed an aggregated EC for all hazards of each launch when the measures of risk for each hazard are available.[6] The Western Range has found that one hazard usually predominates as the source of risk. The conditions that are conducive to driving up the risk of one hazard usually render another hazard less significant. Also, as a general rule, most launch vehicles do not generate multiple risks. Accordingly, on the basis of available risk measures, at the Western Range, the risks created by the combination of debris, toxic releases and blast overpressure do not tend to exceed EC≤30×10−6.

The same may or may not be true at the Eastern Range. The 45th Space Wing, which conducts launch safety for the Eastern Range, came more recently to the use and quantification of risk. Weather conditions and launch azimuths did not require the refinements of risk analysis to determine when conditions were satisfactory for launch. The Eastern Range used deterministic methods predicated on worst case conditions, assuming for toxic hazards that the undesired event would occur. Unlike the Western Range, the Eastern Range does not aggregate the risk numbers associated with each hazard for each launch. Instead, it caps two hazards, debris and overpressure, at EC≤30×10−6, and possibly toxic hazards as well. Were the Eastern Range to limit an aggregate of the identified hazards, rather than each one, the Eastern Range believes that launch availability would be curtailed below present launch rates. Accordingly, for commercial and government launches, the Eastern Range uses an EC≤30×10−6, for debris, an EC≤30×10−6 for blast overpressure and EC≤233×10−6 for toxic releases, where the Eastern Ranges defines the public as non-mission essential personnel located at the Cape and the general public outside of the Cape. The EC for toxic releases reflects the fact that the Eastern Range operates within the Range Commander's discretionary zone for accepting risk. The FAA foresees the possibility that capping risk at an EC≤30×10−6, for all hazards, may have an impact on launch availability and scheduling and invites comment from the launch operators regarding any data they may have regarding the possible effects.

The accuracy of the Eastern Range's measure of expected casualty is the subject of debate in light of the mitigation response available. In accordance with guidance from Space Command's Surgeon General, the Eastern Range approached local Brevard County authorities, described its risk management policy to the county and recommended a hazard level and management approach. The county agreed to the approach. The Eastern Range informed the county of its nominal public safety criteria of 30×10−6 for each hazard, but that the recommended concentrations and risk level represented a collective risk level of 233×10−6. The county agreed with the recommendation. The Eastern Range and the county reached agreement on what predicted concentration of parts per million for various substances would result in a launch delay. The Eastern Range has not developed any methodology by which the effectiveness of Brevard County's emergency response can be accounted for in its risk estimation model, LATRA.

The county and the Eastern Range improved their notification capability after a January 1997 Delta abort, which took place prior to county personnel being present on base for all launches. Notification to the Brevard County Emergency Management Coordinator about the actual abort hazards from the August 1998 Titan abort took only minutes, as opposed to hours for 1997 Delta abort. Additionally, since that time the county has activated its automated reverse 911 capability for calling thousands of residences per hour for emergency notifications. While this capability has not been exercised to date for hazards arising out of a launch, it certainly promises mitigation benefits. Also, arrangements between Brevard County emergency management personnel and National Weather Service (NWS) Melbourne weather personnel have been made to transmit emergency management announcements of toxic cloud information. The announcements are made over the NOAA Weather Alert Radio System, which is constantly monitored on thousands of radios throughout the county, particularly at all schools and other county facilities. These emergency response capabilities and their effectiveness in reducing overall risk of exposure have not been evaluated.

Maintaining all risks below an acceptable level provides the best course. The FAA seeks to avoid a person being injured by any cause. This constitutes current practice for the 30th Space Wing and may well prove to constitute current practice for the 45th Start Printed Page 63937Space Wing. The 45th may continue to abide by its understanding with Brevard County and alert the county at the concentration levels agreed to for government launches. The FAA anticipates that part of achieving a common approach to aggregations would require a launch operator to input identical failure response modes and associated probabilities for each hazard. If, for a commercial launch, risk exceeds 30×10−6 when calculated under a standardized approach, launch may not take place. The FAA seeks public comment on the potential impacts of this proposal.

b. Contribution to collective risk due to the possibility of flight termination system failure. The FAA proposes to require a launch operator to address the possibility of a flight termination system failure in the course of the launch operator conducting its risk analysis. Although it may appear that flight termination system contribution is not addressed for most operational systems launching from federal ranges today, the ranges do, in fact, review whether flight termination system failure may constitute a significant contribution to risk. The ranges make this assessment early in the process of assessing a new launch vehicle system, and the Eastern Range, for each launch, assesses failure modes where a potential flight termination system failure could result in significant contribution to collective risk. Because of the robust flight termination system test program, redundancy and the degree of oversight the ranges' flight safety system analysts exercise, those responsible for assessing risk count on the reliability of the flight termination system employed for each launch. Although in many instances initial analysis may demonstrate that the contribution of flight termination system failure to expected casualty is insignificant, a credible scenario may exist where the contribution would be significant. Accordingly, based on the ranges' experience and the reasons addressed in the following discussion, the FAA proposes to ensure through this rulemaking that all commercial launch operators employing a flight termination system account for the contribution to risk of possible flight termination system failure.

As a general rule, where a flight termination system plays a role in mitigating a hazard, the likelihood of a failure of a flight termination system may contribute to the final outcome of an EC analysis and the ranges assess that contribution to determine its significance. Where a flight termination system does not serve to mitigate the potential risk, its contribution is not assessed. With the exceptions of failure scenarios addressing toxic and distant focus overpressure hazards, this typically means that for failure scenarios in which the launch vehicle's instantaneous impact point remains within the range destruct lines, possible flight termination system failure does not contribute in a significant way to risk totals. This is because under those circumstances the consequences of such a failure remain extremely low. A flight termination system may fail while the launch vehicle performs successfully, or the launch vehicle and the flight termination system could both fail, but if the launch vehicle's instantaneous impact point stays within the destruct lines, the consequences are typically negligible.

For potential launch vehicle break up that occurs when the vehicle's instantaneous impact point has moved outside the range destruct line, the ranges consider flight termination system reliability a factor in debris, toxic and distant focus overpressure EC calculations because a flight termination system can prevent a launch vehicle from crossing destruct lines. The Western Range generally does not calculate the EC for vehicle instantaneous impact point outside the destruct lines for each launch. At the Eastern Range, the 45th Space Wing does account for the possibility of a launch vehicle's instantaneous impact point crossing destruct lines, in what it characterizes as a “mode 5” failure analysis, due to the presence of populations in the vicinity including launch viewing areas open to the public.

There are also scenarios where the vehicle's instantaneous impact point remains within the destruct lines and where potential flight termination system failure would contribute to collective risk. For example, an on course failure endangering the continued operation of the flight termination system itself, by, for example, tumbling, could contribute to risk, although the ranges do not consider it significant because of the flight termination system design and test requirements that ensure a flight termination system will survive launch vehicle failure environments to the point that the launch vehicle will break up. As another example, if a flight termination system failed to disperse toxic materials at altitude or prevent intact impact of propellant and resulting explosions, the flight termination system probability of failure might contribute to risk.

Toxic release and distant focus overpressure risks are both functions of the probability of vehicle breakup at a location near the launch site and their hazardous effects upon the public are not necessarily dependent on destruct line violation. Therefore, destruct line violation is not considered as a factor in calculating toxic release and distant focus overpressure risks.[7]

F. Flight Safety System

1. Introduction

This proposed rulemaking contains requirements governing a flight safety system. The FAA proposes to define a flight safety system as a system that provides a means of preventing a launch vehicle and its hazards, including any payload hazards, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system, unless otherwise approved in the course of the licensing process, consists of an onboard vehicle flight termination system, a command control system, and support systems on the ground, including tracking, telemetry, display, and communications, and includes all associated hardware and software. A flight safety system also includes the functions of any personnel who operate flight safety system hardware and software.

This proposed rulemaking reflects much that is current practice at the federal launch ranges today. As with the other proposed requirements, the FAA in this proposed rulemaking intends to regulate flight safety systems as necessary to protect the public health and safety and the safety of property against significant risks and to achieve a high level of safety. A flight safety system protects against the significant risks created by launch of a launch vehicle. The requirements of the federal launch ranges, including their design, testing and installation requirements, are all part of an approach that has resulted in members of the public experiencing no physical harm. The FAA seeks to maintain the same high level of safety that the federal ranges have achieved. At the same time, the Start Printed Page 63938FAA recognizes that more than one method exists by which to protect the public and to achieve the requisite levels of safety.

The proposed rulemaking proposes performance requirements for any flight safety system a licensed launch operator will employ, whether that flight safety system is the more familiar command destruct system, or an autonomous system, including Sea Launch's Russian and Ukrainian thrust termination system. As one of the more general performance goals, a flight safety system must keep the hazards associated with a launch vehicle and its payload from reaching populated and other protected areas. A launch operator seeking a license must demonstrate convincingly its ability to satisfy this requirement. If a launch operator plans to employ the flight termination system upon which most licensees rely today, this proposed rulemaking provides the performance, design, test and installation requirements with which that licensee must comply. If a launch operator proposes an atypical flight safety system, the launch operator must provide a clear and convincing demonstration that it will achieve an equivalent level of safety to that obtained through adherence to the requirements.

Although this proposed rulemaking would codify much of what the federal launch ranges require, some changes will be evident. Some of these changes arise out of the differences between regulatory requirements and the fact that the federal launch ranges may speak in terms of goals and the FAA must determine whether to require that goal or not. Other differences will evolve out of the existence of waivers issued by the federal launch ranges. A review of some of the background behind various flight safety systems is useful at the outset.

2. History and Background

Launch vehicles launching from the United States typically use a flight safety system, referred to at the federal launch ranges as a flight termination system or FTS, that is used to destroy the launch vehicle whenever the launch vehicle strays outside of a predefined flight envelope. Federal launch ranges typically require an FTS on guided launch vehicles that have the capability to violate established safety criteria under powered flight, in order to protect the public and range personnel. The reliability of the flight safety system plays more of a role than the reliability of the launch vehicle in achieving safety.

U.S. design standards normally require a redundant command flight termination system on every powered stage capable of reaching the public unless a particular stage possesses an autonomous destruct system such as an inadvertent separation destruct system (ISDS). The commonly employed inadvertent separation destruct system is usually implemented for solid rocket motors. Some rocket stages, primarily solid rocket boosters, may be capable of continued flight after becoming separated from the main launch vehicle if their propellant is not exhausted and continues to burn or even, as happens at times, begins to burn and produce thrust. An ISDS is required to ensure that a thrusting motor, freed by a vehicle breakup, will be destroyed. An ISDS uses lanyards, break wires, or other devices to detect the conditions in which it will initiate a destruct action. An ISDS is typically employed on stages that have the potential to become separated from the command flight termination system during the break up of a launch vehicle.

An autonomous system such as Sea Launch's Zenit-3SL's thrust termination system uses multiple computers to evaluate vehicle status as well as vehicle performance to determine if a flight termination command is required. The U.S. standards require a flight termination system to destroy a vehicle, not just terminate the motor thrust as is accomplished by a thrust termination system. An U.S. flight termination system is designed to terminate the thrust of the vehicle and to disperse the propellants with minimal explosive effect. Russian and Ukrainian space launch programs traditionally use an autonomous thrust termination system for liquid fueled vehicles. Such a system relies on the autonomous detection of trajectory or vehicle anomalies, the detection of which results in an autonomous shutdown of the liquid rocket engines. Termination of thrust allows an errant rocket to fall ballistically back to Earth. This approach tends to confine the damaged region on the earth more than mid-air destruction of the launch vehicle; however, the resulting intensity of the destruction may be more pronounced if a thrust termination system shuts down and leaves propellants in a vehicle's tanks, and the tanks survive until impact.

Although the federal launch ranges typically require a command flight termination system on the final powered stage capable of reaching the public, some U.S. launch vehicles, including the Scout and Pegasus, have previously been approved, through federal launch range waiver processes, for launch without a flight termination system on the final stage. Each vehicle provides a command hold fire capability on the final stage ignition, which means that if the launch vehicle is not on its intended trajectory that the flight safety official can transmit a command for the stage not to ignite. Range approval of these two vehicles resulted from a failure modes and effects analysis that identified all potential failure modes that could result in land impact, and an expected casualty analysis that satisfied the ranges' risk criteria, assuming these failures.

An examination of U.S. launch history shows that flight termination systems have been very dependable. Since the late 1950's there have been about ten flight termination system failures in approximately 3150 launches, resulting in a demonstrated flight termination system reliability of 0.996 at 95% confidence. The ten failures include both ground system and failures of the system located on the launch vehicle. In most of these failures, the flight termination system was not required to initiate a destruct action, but the flight termination system was declared “failed” because it would not have worked if it had been required at some point in its flight. This demonstrated reliability compares favorably to the federal launch range goal of 0.998 reliability at 95% confidence for the complete ground and airborne system. 45th Space Wing/Eastern Range Range Safety Operations Requirement Command Destruct System, 7.7.1.2.8 (Apr. 2, 1998); Range Commanders Council Document 319-92, “Flight Termination System Commonality Standards” 2.4.1 (Aug. 1992). In the 1960's, three flight termination system in-flight component failures occurred; two were ordnance-train failures and one was an electronic system single-channel failure.

There have been a few isolated instances of anomalies associated with human-commanded flight termination systems. In February 1993, a Pegasus launch of Brasilsat was successful but was marred by poor integration and poor communication between the operators and the personnel responsible for range safety.[8] Although there were no flight termination system component failures, an abort was called because of the dropout of one frame (40 milliseconds) of telemetry data from one of the flight termination system Start Printed Page 63939command receivers. The federal launch range required the vehicle's flight termination system to be fully functional for launch to occur. Due to lack of proper operational preparation and operational coordination between the range safety personnel and the operational controllers, the range safety call for abort was not acknowledged, and the launch proceeded. Despite this incident, the launch vehicle flew nominally and successfully orbited its payload.

In October 1995, a Conestoga launch from Wallops Flight Facility experienced a flight termination system anomaly. Although the vehicle broke up due to aerodynamic forces caused by a malfunction that induced a yaw, an attempt was made to issue a destruct command. The failure occurred at the exact time the command routing was being switched from one ground station to another, and it is questionable whether the command was actually sent. Frequency monitoring determined that the signal was not transmitted. The vehicle's seven solid rocket boosters should have been split down the side by their ISDS to destroy their flight capability. However, at least two of the boosters continued to fly unguided. Although no harm occurred, the flight termination system did not operate as designed.

3. Flight Safety System Reliability

Federal launch range standards require a flight termination system to be designed to function in environments that exceed normal environments expected during flight in order to ensure launch vehicle destruction following a failure. U.S. flight safety system components are required to be independent of vehicle systems and withstand a harsher environment than other launch vehicle components. The federal launch ranges have a reliability goal of a minimum of 0.999 at the 95% confidence level for the flight termination system onboard a launch vehicle. EWR 127-1 at 4.7.3.1(a). RCC Flight Termination System Commonality Standards at 2.4.1. A 0.999 reliability at a 95% confidence level can only be demonstrated through a large number of launches or tests of the complete system while exposed to flight environments. Because it is not practical to test systems in the numbers necessary to demonstrate this confidence level, the federal launch ranges employ robust testing of the individual flight termination system components and testing of the integrated system that is designed to identify problems that could lead to system failure. This test program incorporates the lessons learned over the many years of federal launch range operations and represents the industry's best practice for ensuring the reliability of such a system. Additionally, the command control system that transmits any flight safety commands to the onboard vehicle system also has a reliability goal of 0.999 at 95% confidence. This results in an overall federal range flight safety system reliability goal of 0.998 at 95% confidence. The federal ranges have been very successful in implementing their reliability goal as a goal rather than as a requirement. However, such a goal does not directly translate into a regulatory requirement. The FAA's proposed regulations would require each flight termination system and command control system to have a reliability design of 0.999 at a confidence level of 95 percent to be demonstrated through an analysis of the design. The FAA is not proposing that this reliability be demonstrated through testing because it is not practical to require the thousands of system level tests necessary to demonstrate compliance with the confidence level. Instead, the FAA is proposing an approach that has been developed in close coordination with the federal launch ranges that incorporates performance oriented design requirements for components coupled with comprehensive qualification and acceptance testing of components and preflight confidence tests of the entire system to ensure the system's reliability.

4. Flight Termination System Testing

The proposed regulations contain requirements for qualification and acceptance testing of flight termination system components based on the approach used at the federal launch ranges. At federal launch ranges, flight termination system components are tested according to federal range-approved test procedures and requirements. Verification methods include test, analysis, and inspection. As an alternative to testing, components of an FTS are sometimes qualified by similarity. A component that has been qualified through testing for one launch vehicle may be approved for use on a different launch vehicle if it can be shown that the environments in which it must operate on the second vehicle are no harsher than those of the first. Also, with limited additional testing, the component may be qualified for a more severe environment.

The flight safety system component manufacturers or vendors at their facilities typically perform qualification and acceptance tests. Qualification tests are performed to verify the design of a flight safety system component and to demonstrate that it will operate reliably at design margins that are greater than the environments to which the component will be exposed. In general, the test program requires qualification testing at levels twice the maximum predicted environment to which the flight termination system would be exposed during storage, transportation, handling, and flight. Functional and electrical tests are performed before and after each environmental test. Typical U.S. qualification test levels and tests include sinusoidal vibration, random vibration, acoustic, shock, thermal cycling, thermal vacuum, and functional tests. Units that undergo qualification testing are not used in flight. Each unit a vendor produces for actual flight undergoes acceptance testing. Acceptance tests provide quality-control assurance against workmanship or material deficiencies and demonstrate the acceptability of each item before flight. Acceptance testing is typically performed on all flight units at levels equal to the maximum predicted environment. Typical acceptance tests include acoustic, acceleration, thermal cycling, and random vibration. Electrical components to be used for flight typically are acceptance tested while single use components such as ordnance and some types of batteries are accepted for flight by performing destructive tests on a number of sample components taken from the same production lot as the component that will be flown.

Preflight confidence tests are conducted at the launch site in the form of bench tests of components and system level tests once the components are installed on the launch vehicle. For example, preflight bench tests are performed on a flight termination system receiver decoder after it arrives at the launch site. These tests are conducted to ensure the receiver decoder is compatible with range ground equipment and operational characteristics have not changed since they were acceptance tested by the vendor. These preflight tests are conducted before and after installation of the flight termination system in the launch vehicle, and before final approval for launch is given. Preflight system testing demonstrates the integrity of the entire system, including transmitters, antennas, receiver decoders, flight power supplies, vehicle engine shutdown valves, and vehicle flight termination system circuitry. Start Printed Page 63940

5. Tailoring

The federal launch ranges may “tailor” their flight termination system design and test requirements to fit a specific launch vehicle application. The tailoring is intended to ensure that only applicable or alternative range user requested equivalent requirements are levied upon the program and that range safety requirements are levied in the most efficient manner possible. Meets Intent Certification, a form of range tailoring, may be used when a launch operator does not meet the letter of the EWR 127-1 requirements but meets the intent of the requirements. The FAA proposes that a type of tailoring take place during the licensing process. The proposed regulations would allow a launch operator to meet the intent of a requirement through alternative means that provide an equivalent level of safety. Once approved during the licensing process, use of an alternative would be part of the terms of the license. Once licensed, if a launch operator wished to implement a new alternative, it would do so by applying for a license modification.

6. Deviations and Waivers

A federal launch range may grant deviations and waivers when a launch operator does not meet EWR 127-1 requirements. EWR 127-1 permits deviations and waivers when the mission objectives of the range user cannot otherwise be achieved. Deviations are used when a flight termination system design noncompliance is known to exist prior to hardware production or an operational noncompliance is known to exist prior to beginning operations at a federal launch range. Waivers are used when, through an error in the manufacturing process or for other reasons, a hardware noncompliance is discovered after hardware production, or an operational noncompliance is discovered after operations have begun at the ranges. Unlike Meets Intent Certification, the latest EWR 127-1 contemplates acceptance of greater risk for both deviations and waivers. Under the federal launch range process, a launch operator may obtain a deviation or a waiver to meet mission requirements. By implication, this involves an acceptance of greater risk. A launch operator under the proposed regulations would have to demonstrate an equivalent level of safety if it wanted to avoid a published requirement. This is in keeping with the FAA's current practice for licensed commercial launch, but may mark a change from current practice for some who are accustomed to conducting government launches.

7. Alternate Flight Safety Systems

A flight safety system would be required to satisfy all the functional, design, and test requirements of proposed subpart D of part 417 unless the FAA approved otherwise through the licensing process. The FAA would approve the use of a flight safety system that did not satisfy all of proposed subpart D if a launch operator demonstrated that the proposed launch achieved a level of safety equivalent to satisfying all the requirements of proposed subpart B and proposed subpart D. In such cases, a launch operator would have to demonstrate that the launch presented significantly less risk than would otherwise be required, both in terms of E C and any other significant factors underlying a risk determination. The reduced level of public risk would have to correspond to the reduced capabilities of the proposed flight safety system. To achieve the reduced level of public risk, the launch would typically have to take place from a remote launch site with an absence of population and any overflight of a populated area taking place only in the latter stages of flight. The proposed alternate flight safety system would have to perform its intended functions, however they might differ from the requirements of subpart D, with a reliability comparable to that required by subpart D.

To date, one launch operator has demonstrated this equivalent level of safety to the FAA for an alternate flight safety system. Sea Launch Limited Partnership, which the FAA has licensed to launch from the Pacific Ocean, satisfied the required conditions. The FAA concluded that Sea Launch proposed to employ a flight safety system that, although substantially different from its American counterparts in function, was of comparable reliability. Sea Launch's first launch, for example, presented less risk than otherwise required of a typical launch because of a conservatively calculated E C of noticeably less than 30×10−6, a launch location barren of population and overflight that took place only in the latter stages of flight.

The design and testing of the Sea Launch thrust termination system were not conducted in accordance with subpart D due to the development of the thrust termination system under foreign auspices. Although many similarities between the two systems in design, redundancy requirements and testing were evident, there were pronounced differences as well.

Sea Launch's flight safety system functions differently than one that satisfies the requirements of subpart D. Unlike an American command destruct system, Sea Launch's flight safety system terminates flight by autonomously terminating thrust without destroying the launch vehicle. The FAA's proposed requirements, like those of the federal launch ranges, would require a flight termination system to destroy a vehicle in order to reduce, if not eliminate, the potential for explosive effects upon debris impact. Sea Launch does not possess the capability to command flight termination from the ground. Additionally, where a U.S. flight termination system provides the ability to avoid terminating flight when an instantaneous impact point is over land, the thrust termination system did not.

Likewise, the FAA reviewed the test procedures, test levels, and maximum predicted environments for the thrust termination system components and compared them to U.S. federal launch range test requirements. Were the Sea Launch thrust termination system held to the requirements proposed in subpart D of part 417, not all requirements would apply and not all were satisfied. As expected there were differences in test requirements between the U.S. and Sea Launch's partners, Yuzhnoye and Energia. The Sea Launch experimental development tests were similar to U.S. qualification tests in that both forms of testing subjected hardware not used for flight to levels greater than maximum predicted environment for design verification. The thrust termination system's experimental development tests, however, were not typically conducted to twice the maximum predicted environment, as done for U.S. qualification tests. Additional differences appeared in Sea Launch's equivalent of acceptance testing. Although Sea Launch tested its flight units, it did not test them to the predicted flight environment.

The flight heritage of the many Russian and Ukrainian launches provided a measure of design verification for the Zenit-3SL rocket stages and thrust termination system components. The Zenit-3SL thrust termination system is based on heritage hardware and software used successfully for decades in launches conducted by the former Soviet Union. Accordingly, Sea Launch's use of a thrust termination system is not akin to the use of an untested or otherwise non-compliant flight safety system, or even to one with a very limited flight history.

Sea Launch also showed that, although its flight safety system did not Start Printed Page 63941possess all the functional capabilities required by subpart D, those capabilities that it possessed instead were of comparable reliability on the basis of vehicle and flight safety system heritage and use. Sea Launch informed the FAA that the thrust termination system had worked each time an errant launch vehicle had to be stopped. The FAA's own review found no evidence to the contrary. Historical thrust termination system performance data indicated that there have been over 3000 launches with an automated thrust termination system. Of these flights, 370 failed to achieve their mission objective. Of these 370 mission failures, 110 resulted in errant launch vehicles and Sea Launch reported that the thrust termination system functioned properly in all 110 cases. The FAA conducted an analysis as well. In the end, a combination of analysis, testing and use provided a demonstration of comparability.

The FAA did not base its determination to license Sea Launch solely on finding comparable reliability of the flight safety system. The reduced risk of the proposed flight profile played just as much of a role in the decision. Where the flight safety system presented reduced functional equivalence, the launch operator had to show a corresponding decrease in the proposed risk. Reviewing the risk presented by the Sea Launch mission for its first launch, the FAA concluded that Sea Launch's E C fell roughly one order of magnitude less than the required E C of 30×10−6. The FAA employed a conservative reliability number of 0.917 for the Zenit-3SL's upper stage,[9] population densities obtained from the “General Population Distribution (1990), Terrestrial Area and Country Name Information on a one-by-one degree Grid Cell basis (DB1016),” Carbon Dioxide Information Analysis Center, Oak Ridge National Laboratory, Oak Ridge, TN, the upper stage dwell time over South America and the risk to the command ship. In addition, the FAA's South American overflight risk analysis accounted for both a failure of the launch vehicle and an inadvertent actuation of the thrust termination system.

Certain other factors underlying a risk determination also took on added significance. The Sea Launch flight profile provided advantages that minimized public exposure. The launch vehicle underwent maximum dynamic pressure at about 60 seconds after liftoff, at a point near the launch site that limited public exposure to only those located on Sea Launch's command ship. The command ship was stationed uprange, outside the launch hazard area. This is significant in that historically most launch vehicle failures occur during the first stage of flight, with many occurring prior to or during maximum dynamic pressure. The instantaneous impact points for Sea Launch's first and second stages were over the Pacific Ocean. The FAA also noted that the third stage, the only stage to expose the public to any statistical risk, was subjected to first and second stage flight environments prior to third stage ignition. If a third stage manufacturing defect existed that resulted in a failure, the failure was more likely to occur prior to third stage ignition. This, plus the fact that a majority of third stage failures occur at ignition, would result in third stage failures that produced impacts in the Pacific Ocean. Public risk was also minimized by the remoteness of the SLLP launch location from populated areas. Nearby islands are located west of the launch point, in the opposite direction of flight. Christmas Island, located about 340 km to the west or uprange of the proposed launch location, is the closest inhabited island to the launch location. The only significant populated area within second stage impact range is Hawaii, located several thousand kilometers to the north.

8. Grandfathering

In the course of preparing this proposed rulemaking, the FAA had to confront questions surrounding flight safety system related waivers granted to launch operators by the federal launch ranges. The FAA is aware that this proposed rulemaking may affect a number of launch operators currently operating under range waivers. There may be other waivers of which the FAA is unaware; and the FAA invites comment on the potential impact of those as well. For example, this proposed rulemaking proposes to require that a launch operator employ a flight termination system that will terminate flight in each launch vehicle stage capable of reaching a populated or other protected area. A number of upper stages, including those of Lockheed Martin's Athena and Orbital Science Corporation's Pegasus and Taurus, do not carry an onboard flight termination system. For these vehicles, once the lower stages that contain the flight termination system have separated and the final stage begins thrusting, the range no longer has the ability to terminate flight. For a proposed launch that does not satisfy all of the proposed regulation's flight termination system requirements, the FAA would require the launch operator to demonstrate that the proposed launch achieves a level of safety that is equivalent to satisfying all the flight termination system and risk requirements. This may be accomplished by further isolating the launch from any population as was discussed in the case of Sea Launch. This may or may not be practical for other launch operators. Accordingly, for a launch occurring outside of a federal launch range, the range waiver may not provide grounds for relaxing the FAA's proposed requirements. Instead, each launch would have to be evaluated for an equivalent level of safety on a case-by-case basis.

A review of the available options suggested that the FAA could grandfather these upper stages or require that they comply with the requirements of this proposed rulemaking with an effective date sufficient to prepare for compliance. The consequences differ for each approach, and each possesses drawbacks. If the FAA grandfathers the upper stages in question, launches will continue to take place in which a propulsive stage can carry its hazards to the public. If the proposed requirements are applied to launch vehicles operating under a range waiver, those launch operators currently operating under waivers may experience an increase in costs, have to redesign their upper stages to include a flight termination system, suffer weight penalties, and obtain access to or possibly install command control systems downrange.

Although there are associated costs, the FAA is not persuaded that they are sufficient to outweigh the need to offer the public a high degree of protection. In the course of analyzing the question, the first important factor the FAA had to consider was that, even if one were to apply the federal launch range waiver process, launch from a location outside of a federal launch range might still result in a requirement for a flight termination system on each upper stage. For example, a launch from the East Coast of the continental United States presents different populations at different distances than would a launch from some other part of the country, which means that a risk analysis will produce different results. What satisfies a range risk analysis for Wallops Flight Facility or Cape Canaveral might not for a launch from a non-federal launch site in another part of the country. Additionally, the usual equities that weigh in favor of grandfathering are absent from this situation. Unlike the Start Printed Page 63942aircraft manufacturing industry, for example, the launch industry builds a new launch vehicle for each use, which permits changes in design more easily than retrofitting a fleet of aircraft. Also, the launch industry adjusts each launch vehicle configuration to some extent to meet the mission requirements for each launch so that a change in safety requirements provides merely one more change to what may be a list of such changes. The FAA is interested in comments on this proposal, both in the context of launches from new launch sites and for launches at current ranges. Should a launch system operating under a federal range waiver be grandfathered under part 417 or be expected to achieve the same level of safety? Does a waiver provide an equivalent level of safety?

G. Ground Safety

This proposed rulemaking addresses ground safety through the imposition of launch processing requirements that would apply both to a launch operator already in possession of a launch license and to an applicant for a launch license. Like the requirements governing flight safety analysis and a flight safety system, an applicant for a license must demonstrate that it will meet the requirements of part 417.

Proposed part 417 would contain ground safety requirements that apply to the preflight preparation of a launch vehicle and related post-launch activities [10] at a launch site in the United States. The Act defines “launch” to include not only the flight of a launch vehicle but “activities involved in the preparation of a launch vehicle or payload for launch when those activities take place at a launch site in the United States.” 49 U.S.C. 70102(3). Accordingly, the FAA intends to employ the term “launch processing” to describe the preparation for flight of a launch vehicle at a launch site. Because the Act gives the FAA licensing authority only over the preparatory activities at a launch site in the United States, the FAA does not seek to impose its requirements under this proposed subpart to launch processing activities that may occur outside the United States.

The ground safety requirements in this subpart would apply to all launch processing activities performed by, or on behalf of, a launch operator. The proposed requirements would attempt to ensure that safety issues unique to launch are addressed, while at the same time avoiding duplication with the requirements of other civilian regulatory agencies.

In addressing the area of ground safety the FAA had to consider, first and foremost, its goal of codifying safety standards that govern the unique issues associated with launch. Secondary to this goal, the FAA faced the question of overlapping jurisdiction between the FAA and the Occupational Safety and Health Administration (OSHA), the Environmental Protection Agency (EPA) and the Nuclear Regulatory Commission (NRC). This overlapping jurisdiction raised the question of how much information concerning ground safety the FAA should request in the course of a license application review, and issues regarding the consequences to a launch operator and the FAA in undertaking such a review. As a means of resolving the issues raised by such overlap, the FAA proposes to require that an applicant assess its hazards and institute controls that will keep those hazards from reaching the public.

Some background may be in order at the outset. Most of a U.S. launch operator's launch site experience with federal government safety oversight has taken place at the federal launch ranges. See Commercial Space Transportation Licensing Regulations, 64 FR at 19596-597, April 21, 1999. The federal launch ranges are not civilian regulatory agencies but operators of launch sites in their own right. A federal launch range offers its launch site to launch operators for launch. It coordinates and schedules its customers. Its personnel may conduct or participate in hazardous activities. To use a federal launch range, a launch operator must agree to abide by the safety requirements of the range. The federal launch ranges not only impose their own requirements, but also implement the requirements of civilian regulatory agencies such as OSHA, the EPA and others. Accordingly, the requirements that they have developed over the years have combined unique responses to the particular characteristics of launch as well as at the same time responding to the requirements of civilian regulatory agencies. In one sense, the federal launch ranges have stood in for some of these agencies, including the FAA, in ensuring safety through their oversight of the commercial and government contractor launch operators using their facilities.

With respect to ground safety, the FAA proposes to require launch operators to engage in a process derived from principles underlying a system safety process already familiar to the FAA's current licensees, both through their work as contractors for government launches and as users of the federal launch ranges. A launch operator would be required to identify its hazards, assess the risks associated to each of those hazards and implement hazard controls. In light of the existence of regulatory requirements established by the civilian agencies mentioned above, a launch operator will find that many of the hazard controls that a launch operator would have to develop under proposed part 417 are addressed through other regulatory regimes.

The FAA has neither the resources nor the intention of second guessing the regulatory requirements of other agencies nor purporting to issue approvals on their behalf. Under the Act, all requirements of the laws of the United States applicable to the launch of a launch vehicle are requirements for a launch license. 49 U.S.C. 70105(b)(1). The Act also provides, however, that, except as otherwise provided by the requirements of the statute, a launch operator “is not required to obtain from an executive agency a license, approval, waiver, or exemption to launch a launch vehicle.” 49 U.S.C. § 70117(a).[11] The FAA may prescribe by regulation that a requirement of a law of the United States not be a requirement for a license, if, after consulting with the head of the appropriate executive agency, the FAA decides that the requirement is not necessary to protect, in relevant part, the public health and safety and safety of property. 49 U.S.C. 70105(b)(2)(C). This rulemaking does not affect the regulatory requirements of other executive agencies.

Other agencies impose similar requirements to those being proposed here. For example, the FAA's proposed requirements strongly resemble a more general version of OSHA's process safety management (PSM) requirements. See 29 CFR 1910.119. This means that a launch operator's PSM plan designed to satisfy OSHA's requirements for worker safety may serve the dual purpose, in a number of contexts, of protecting the public as well. The FAA is aware of the confines of the jurisdiction OSHA seeks to exercise ;[12] however, especially in the context of avoiding catastrophic events, what protects worker safety may also protect Start Printed Page 63943the public, and the FAA proposes to consider such comparisons in the course of the licensing process. If a PSM plan that a launch operator prepares for OSHA contains hazard controls that would protect the public as well, the launch operator need not duplicate the work it does to comply with OSHA's requirements, but may, instead, point the FAA to the portion of the PSM plan relevant to public safety in order to satisfy the FAA's concerns. In reviewing a PSM plan, the FAA would not be opining on the adequacy of the PSM plan for purposes of worker safety.[13]

Likewise, the EPA administers, among other relevant laws, the Emergency Planning and Community Right-to-Know Act, 42 U.S.C. 11001 et seq. (EPCRA). That statute applies to facilities where a listed substance is present above a designated quantity, 42 U.S.C. 11002(b), and subjects such a facility, in relevant part, to notification, planning, response and training requirements. See, e.g., 42 U.S.C. 11003, 11004 and 11005.

The NRC regulates and licenses activities involving radioactive materials under the Atomic Energy Act of 1954, as amended, 42 U.S.C. 2011-2281. The NRC imposes standards for protection against radiation. See, e.g., 10 CFR part 20. Those regulations prohibit, for example, the release of radioactive materials to unrestricted areas above specified limits and to individual members of the public. 10 CFR 20.1301. Additionally, the EPA possesses generally applicable environmental radiation standards in 40 CFR part 190.

In short, a launch operator needs to be aware of the requirements of these other regulatory agencies and abide by them for launch processing activities at a U.S. launch site and any other location where these agencies have jurisdiction. This discussion focuses on the roles of these particular agencies because much of the safety a launch operator should achieve will be obtained through compliance with the specifics of their regulations. The very broad nature of the FAA's proposed regulations governing preparation for flight of a launch vehicle will obviously encompass much of what these other agencies already address. The FAA anticipates that during the course of pre-application consultation and the license application process itself, the FAA and an applicant will be able to review the nature of the applicant's proposed activities. The applicant will be able to explain and the FAA ascertain whether the launch operator's activities are of such a nature and scope as to fall within the ambit of these other agencies, and, if they do not, the applicant will provide a convincing demonstration to the FAA as to how it will satisfy part 417's requirements.

The ground safety application requirements of part 415 are intended to demonstrate that an applicant can and will satisfy the requirements of part 417. Part 417 requires a launch operator to perform a ground safety analysis. Part 415 asks for a ground safety analysis report. To satisfy the part 417 requirement for ground safety analysis, a launch operator would identify each potential public hazard, any and all associated causes, and any and all hazard controls that a launch operator would implement to keep each hazard from affecting the public. A launch operator's ground safety analysis would be required to demonstrate whether its launch vehicle hardware and launch processing present hazards to the public. The part 415 license application requirement would require an applicant to submit a more abbreviated ground safety analysis report that would review each launch related system and operation and identify potential public hazards and the controls to be implemented to protect the public from each hazard. This report would be required to describe each system and operation and show that all associated public hazards have been identified and controlled and would identify supporting documentation. The FAA might, in the course of the application review or in the course of compliance monitoring, ask to review all or parts of the supporting documentation that provides further detail on a ground safety analysis.

Part 415 would also require a launch operator to submit to the FAA a ground safety plan. A ground safety plan would specify the ground safety rules and procedures that a launch operator would implement to protect public safety. This plan would describe implementation of the hazard controls identified by an applicant's ground safety analysis and the specific ground safety requirements provided in subpart E of part 417. The difference between a ground safety analysis report and a ground safety plan is that the ground safety analysis report would describe the hazard controls and the ground safety plan would describe how hazard controls would be implemented. A ground safety plan would, for example, provide the location of safety clear zones and hazard areas and describe verification processes and the safety equipment and support requirements for each task that creates a hazard to the public.

In addition to the flight and ground safety plans, part 415 would require a series of other launch safety plans as well. These would include an emergency response plan, an accident investigation plan, a launch support equipment and instrumentation plan, a configuration management and control plan, a communications plan, a frequency management plan, a security plan, a public coordination plan, local plans and agreements, test plans, countdown plans, launch abort or delay recovery plan, and a license modification plan.

As discussed earlier, other agencies may also regulate in some of these areas. For example, the accident investigation plan requirement may be satisfied by using accident investigation procedures developed in accordance with the requirements of OSHA at 29 CFR 1910.119 and 120, and the EPA at 40 CFR part 68, to the extent that the procedures include the elements required by part 417.[14] OSHA's standard at 29 CFR 1910.119 includes provisions for investigating incidents and emergency response. See 29 CFR 1910.119(m) and (n). In addition, 29 CFR 1910.120, which addresses hazardous waste operations and emergency response (HAZWOPER), provides for emergency response planning for operations involving hazardous materials, including those listed by the Department of Transportation under 49 CFR 172.101.[15]

EPA's requirements at 40 CFR 68 also include standards for incident investigation and emergency response. See 40 CFR 68.60, 68.81, 68.90, and 68.180. Compliance with 42 U.S.C. 11003, Emergency Planning and Community Right-to-Know, may satisfy many of the emergency response provisions.

Part 417 would contain the requirements governing the safety of a launch operator's launch processing activities themselves. A launch operator would be responsible for the safe conduct of preflight preparation of its launch vehicle at a launch site in the United States and related post-launch Start Printed Page 63944activities. Subpart E of part 417 would contain the requirements for how a launch operator should perform a ground safety analysis, implement hazard control procedures and system hazard controls, define and implement a safety clear zone for hazardous operations, define hazard areas where public access is limited, implement hazard control procedures after a launch or a launch attempt, and would contain the requirements governing propellants and explosives.

The ground safety analysis would serve as the basis for much of a launch operator's license application and for the development and implementation of hazard controls for its launch processing activities. The requirements governing the ground safety analysis would differentiate between hazards on the basis of whether they are public hazards, launch location hazards, employee hazards, and whether they are credible or not.

The hazard category would drive the nature of the controls that must be employed to protect the public. A public hazard would mean any hazard that extends beyond the launch location under the control of the launch operator. Any system that poses a public hazard would be required to be single fault tolerant to protect against the initiation of a hazardous event that could affect the public. A launch location hazard would mean any hazard that extends beyond individuals performing a launch operator's work, but that stays within the confines of the location under the control of the launch operator. A launch location hazard may also affect the public depending on the public access controls employed. Public hazards and launch location hazards include blast overpressure and fragmentation resulting from an explosion, fire and deflagration, and the sudden release of hazardous materials into the air, water or ground, and inadvertent ignition of a propulsive launch vehicle payload stage or motor. Additional launch location hazards that may affect the public when the public is allowed access include oxygen deficient environments, unguarded electrical circuits or machinery, and fall hazards. A launch operator would be required to implement hazard areas and safety clear zones for public hazards and launch location hazards to ensure that any member of the public is kept at a safe distance. A launch operator may elect to treat its entire launch location as a safety clear zone at all times and never allow any member of the public to enter. This would simplify the procedural hazard controls that the FAA would require for protecting the public. However, based on experience at the federal launch ranges, a launch operator would likely need or desire to allow public access to the launch location. The proposed rule would allow public access to the launch location provided that the launch operator's systems incorporate specific safety designs and that specific procedural controls are implemented to ensure the safety of any visiting members of the public.

IV. Part Analysis

A. Part 413—License Application Procedures

Proposed part 413 continues to describe those license application procedures applicable to all license applications. The application procedures apply to license applications to launch a launch vehicle or to operate a launch site. More specific requirements applicable to obtaining a launch license or launch site operator license are set forth in parts 415 and 420. The FAA proposes to amend § 413.7 by adding a new paragraph (d) to require a license applicant to employ a consistent measurement system for each analysis, whether English or metric, in its application and licensing information. Errors stemming from failures to convert between English and metric units have resulted in mission failures of recent vintage. It is evident that such errors may have safety ramifications as well.

B. Part 415 Launch License

Part 415 will continue to contain requirements for obtaining a license to launch a launch vehicle. Proposed changes to part 415 would establish requirements for submitting an application to obtain a license to launch a launch vehicle from a non-federal launch site. Requirements applicable to obtaining a license to launch from a federal launch range will continue to be covered in subpart C of part 415. The application requirements specific to obtaining a license to launch from a non-federal launch site will be added to subpart F of part 415. Subpart F describes the material that a launch operator must submit to the FAA to demonstrate its ability to meet the part 417 safety responsibilities and requirements for launch. The provisions of part 415 as a whole apply to prospective and licensed launch operators and, where applicable, to prospective payload owners and operators, and should be read in conjunction with the general application requirements of part 413.

1. Part 415, Subpart D, Payload Review and Determination

The FAA proposes to amend § 415.51 to clarify that payloads otherwise exempted from an FAA payload review and determination are nonetheless still subject to review for purposes of launch safety. The particulars of this change are discussed earlier in this notice.

2. Part 415, Subpart E, Post—Licensing Requirements—Launch License Terms and Conditions

The FAA proposes to amend § 415.73(b)(2) to delete “submitted in accordance with subpart D.” The reference to subpart D appears to have been an error because subpart D only applies to a payload determination. In fact, the application amendment and license modification requirements apply regardless of whether the change is in subpart D or not.

3. Part 415, Subpart F, Safety Review and Approval for Launch From a non-Federal Launch Site

Proposed changes to subpart F of part 415 would apply to the safety review that the FAA requires as part of the licensing process for launch from a non-federal launch site. Section 415.101 would establish the scope of subpart F, which contains requirements for the application material that an applicant would submit to the FAA to demonstrate that it will meet the safety responsibilities and requirements for launch. Subpart F would also include all administrative requirements for submitting a license application, such as when data would have to be submitted and the form and content of each data submission. Material submitted to the FAA as required by proposed subpart F would measure an applicant's ability to comply with the launch operator responsibilities and technical requirements in proposed part 417. The related requirements in part 417 are referenced in this subpart where applicable. To facilitate the generation of the safety review material required by this subpart, an applicant would have to first become familiar with the launch operator requirements in part 417. The requirements in proposed subpart F apply to orbital launch vehicles and guided and unguided suborbital vehicles. Requirements in proposed § 415.103 through 415.125 apply to all proposed launches. The flight safety system related requirements in proposed §§ 415.127 through 415.131 apply to orbital launch vehicles and guided suborbital launch vehicles that use a flight safety system to ensure public safety Start Printed Page 63945

Section 415.103 would provide general FAA criteria for approval of an application to launch from a non-federal launch site. The FAA would conduct a safety review to determine whether an applicant is capable of launching a launch vehicle and its payload without jeopardizing public health and safety and safety of property. The FAA would issue a safety approval if an applicant satisfies the application requirements of subpart F and demonstrates, through the application process, that it will meet the safety responsibilities and requirements for launch from a non-federal launch site provided in part 417. The FAA will advise an applicant, in writing, of any issue raised during a safety review that would impede issuance of a safety approval. An applicant would have the option of responding in writing, or revising its license application.

Section 415.105 would require that an applicant conduct at least one pre-application consultation meeting with the FAA when planning to apply for a new launch license. This meeting would take place no later than 24 months before an applicant brings any launch vehicle to the proposed launch site and prior to an applicant's preparation of the flight safety analysis for its application. A launch operator must have a license before it brings a launch vehicle to the launch site and the application flight safety analysis is the earliest demonstration of an applicant's ability to protect public safety during launch. Section 415.105 would also provide requirements for the data to be presented during a pre-application consultation. This meeting would allow the FAA to review a proposed launch and provide a potential applicant with direction with respect to the licensing process and the required safety demonstrations. The FAA's proposed regulations for launch are meant to cover a broad range of launch vehicles and mission profiles. A pre-application consultation is considered necessary to focus an applicant on the applicable requirements and to ensure that the licensing process proceeds as efficiently as possible.

Section 415.107 would require that an applicant prepare a safety review document that contains all the information required by the FAA to conduct a safety review of a proposed launch and would address all aspects of an applicant's proposed launch safety program. This section would provide specific requirements for the form and content of an applicant's safety review document and reference appendix A to part 415, which would provide an outline for the document. Specific requirements for the content of each section identified in the outline would be provided in the remaining sections of subpart F. An applicant would identify any item incomplete at the time of a submission and provide a plan and schedule for completing the item. Any incomplete item would have to be finalized before conduct of the related operation. Once licensed, a licensee would be required to conduct its launch in accordance with an approved safety review document. A safety review document with the proposed standardized form and content would allow for efficiencies in the FAA's licensing review and approval process The FAA has 180 days to make a license determination upon receipt of a sufficiently complete application and the latest that a launch operator must have a license in place is when the launch vehicle arrives at the launch site. In order to facilitate these existing requirements, the FAA is proposing that the launch operator would have to submit a sufficiently complete safety review document no later than six months before the applicant brings any launch vehicle to the proposed launch site. The final safety review document would be used by a licensee and the FAA for ensuring the implementation of a launch safety program that protects public safety in accordance with part 417 and any special terms of a license.

Proposed § 415.109 would identify data describing a proposed launch that would be submitted to the FAA as part of an applicant's safety review document. The intent of this data is to provide the FAA with a general understanding of an applicant's proposed launch as needed to begin a safety review. This data would also allow for further focusing of the safety review process to the type of launch operations and hazards involved. An applicant would be required to identify each launch vehicle, each payload, and any payload customer. An applicant would be required to provide a launch schedule, launch site description, launch vehicle description, payload description, planned launch vehicle trajectory, description and time after liftoff of each launch vehicle staging event, and data describing the proposed launch vehicle's performance characteristics.

Proposed § 415.111 would ensure that a launch operator applicant's administrative information is submitted prior to or as part of a safety review application. Because an applicant may request a safety review independently of the other required licensing reviews, proposed § 415.111 would reference the specific launch operator administrative information identified in § 413.7 under the general license application procedures. If this information was previously submitted, an applicant's safety review document could reference the previously submitted documentation. Section 415.111 would also identify the launch operator organization data that an applicant would submit to verify compliance with the safety responsibilities and requirements of part 417. This data would include organizational charts, position descriptions, and information on an applicant's program for qualification, training, and certification of personnel who perform critical safety functions.

Proposed § 415.113 would require an applicant to submit information on how it will satisfy the personnel certification program requirements of proposed § 417.105. The FAA proposes that an applicant provide a summary description of its personnel certification program and other information that the FAA will use to evaluate the applicant's program. An applicant would be required to identify, by position, those individuals who implement the program and submit a copy of any program documentation used to implement the program and a table listing each safety critical task that would be performed by certified personnel. For each task, the table would be required to identify by position the individual who reviews personnel qualifications and certifies personnel for performing the task.

Proposed § 415.115 would require an applicant to submit information related to an applicant's program for protecting the public from hazards associated with the flight of a launch vehicle. Section 415.115(a) would require the submission of flight safety analysis data that demonstrated an applicant's ability to conduct a proposed launch in accordance with the public safety criteria required by part 417. This data would include information such as average number of expected casualties, individual risk, and ship and aircraft impact probabilities. This analysis data would also demonstrate an applicant's ability to operate a launch vehicle that uses a flight safety system to protect public safety or to operate an unguided suborbital rocket that uses a wind weighting safety system that protects the public. Requirements for performing a flight safety analysis would be provided in proposed part 417, subpart C. Section 415.115(a) would require that the flight safety analysis data submitted at the time of application be complete as specified in part 417 while allowing for situations where an analysis might need to be updated as a proposed launch date approaches. An applicant is not Start Printed Page 63946required to finalize a flight safety analysis before the FAA would issue a license. An applicant would be required to perform the analysis with the best input data that is available at the time of application. An applicant would identify any analysis product that may change, describe what needs to be done to finalize the product and identify when before flight it will be finalized. An applicant would be required to submit its flight safety analysis data no later than 18 months before the applicant brings any launch vehicle to the proposed launch site. The flight safety analysis data for a new license may be extensive, depending upon the launch characteristics.

Significant FAA resources will be required to review the analysis data and ensure that the safety requirements of part 417 will be met for the proposed launch or series of launches. Similar coordination between a launch operator and the range safety organization for launch from a federal range typically begins two years or more before launch. For licensed launches, a launch operator must have a license before it brings any launch vehicle to the launch site. The FAA proposes that the 18-month requirement for the application flight safety analysis, coupled with the pre-application consultation required 24-months before the applicant brings any launch vehicle to the proposed launch site as proposed in § 415.105, provides an acceptable time frame for the necessary review and coordination before the launch operator would need a license, provided that all the analysis data is complete and submitted on time. The FAA will coordinate with an applicant on its flight safety analysis much earlier than required by the licensing process if an applicant so desires to provide greater assurance that the safety review can be completed in time for a planned launch date. An applicant's safety review document must describe each analysis method employed to meet the analysis requirements of part 417, subpart C, and contain the analysis products for each of the analyses. Once licensed, a launch operator would be required to perform flight safety analysis for each launch and submit launch specific analysis products using the analysis methods approved by the FAA during the licensing process or as a license modification. The proposed regulations would allow for a launch operator to perform an alternate flight safety analysis. The FAA would approve an alternate analysis if an applicant provides a clear and convincing demonstration that its proposed analysis provides an equivalent level of safety to that required by part 417, subpart C. A launch operator would be required to obtain FAA approval of an alternate analysis before its license application would be found sufficiently complete under § 413.11 to commence review.

Section 415.115(b) would require an applicant's safety review document to contain conjunction on launch assessment input data for the first proposed launch. The input data submitted as part of a license application would be required to satisfy the requirements of proposed § 417.233. The FAA will evaluate the launch operator's ability to prepare the input data and initiate coordination with United States Space Command. An applicant need not obtain a conjunction on launch assessment from United States Space Command prior to being issued a license.

Section 415.115(c) would require an applicant, for each proposed launch, to identify the type and quantity of any radionuclide on a launch vehicle or payload. The FAA proposes that for each radionuclide, an applicant provide the FAA with a reference list of all documentation that addresses the safety of its intended use and indicates approval by the Nuclear Regulatory Commission for launch processing. An applicant would provide radionuclide information to the FAA at the pre-application consultation. The FAA proposes to evaluate the flight of any radionuclide on a case-by-case basis. For such an evaluation the FAA's analysis will likely be informed by and reflect the National Aeronautics and Space Council, “Nuclear Safety Review and Approval Procedure for Minor Radioactive Sources in Space Operations” and the Presidential Decision Directive, National Security Council (PDD/NSC) 25, “Scientific or Technological Experiments with Possible Large-Scale Adverse Environmental Effects and Launch of Nuclear Systems into Space.

Section 415.115(d) would contain requirements for an applicant to submit a flight safety plan that specifies the flight safety rules, limits, and criteria identified by an applicant's flight safety analysis and the specific flight safety requirements of part 417 to be implemented for launch. An applicant's flight safety plan need not be restricted to public safety related issues and may address other flight safety issues as well so as to be all-inclusive. An applicant's flight safety plan would identify flight safety personnel and flight safety rules for each launch including flight commit criteria and flight termination rules. The plan would contain a summary description of any flight safety system and its operation including any preflight system tests to be performed. The flight safety plan would contain a summary of the launch trajectory and identify the flight hazard areas and safety clear zones established for each launch and procedures for surveillance and clearance of these areas. The flight safety plan would identify any support systems and services implemented as part of ensuring flight safety, including any aircraft and ships and procedures for their use during flight. A flight safety plan would contain a summary of the flight safety related tests, reviews, rehearsals, and other critical safety activities conducted according to proposed §§ 417.115 through 417.121. A flight safety plan would contain or reference procedures for accomplishing all flight safety activities. For an unguided suborbital rocket, a flight safety plan would contain the additional information required by proposed section 417.125.

Section 415.115(e) would require that if any of the natural and triggered lightning flight commit criteria in appendix G of part 417 do not apply to a proposed launch, an applicant's safety review document must contain a demonstration of the reason that each criterion does not apply. The criteria in appendix G cover a broad range of conditions, which apply to most launches from most launch sites; however, there may be exceptions.

Section 415.115(f) would require that, for the launch of an unguided suborbital rocket, the flight safety data submitted in an applicant's safety review document must meet the other requirements of proposed section 415.115 and demonstrate compliance with the requirements contained in proposed §§ 417.125 and 417.235. In addition to meeting the requirements in paragraph (d) of proposed § 415.115, an applicant's flight safety plan would be required to contain the launch angle limits, procedures for measurement of launch day winds and performing wind weighting, identification of flight safety personnel qualifications and roles for performing wind weighting, and the procedures for any recovery of a launch vehicle component or payload.

Proposed section 415.117 would require an applicant to submit a ground safety analysis report that would review each launch related system and operation and identify potential public hazards and the controls to be implemented to protect the public from each hazard. The report would describe all the launch operator's system and operations and show that all hazards that could affect the public have been Start Printed Page 63947identified and controlled. A hazard that could affect the public is any hazard that extends beyond the boundaries of the launch location under the control of the individuals doing the work and that has the potential to effect the public regardless of where the public or property belonging to the public might be. An applicant would perform a ground safety analysis in accordance with the requirements in part 417, subpart E.

Section 415.117(a) would require a ground safety analysis report to be submitted as part of an applicant's safety review document and would contain requirements for the report's contents, timing requirements for submitting the report during the licensing process, requirements for informing the FAA of any changes, requirements for following the format prescribed by appendix C of proposed part 415, and verifiability and signature requirements.

Proposed section 415.117(b) would require an applicant to submit a ground safety plan that specifies the ground safety rules and procedures to be implemented to protect public safety. This plan would describe implementation of the hazard controls identified by an applicant's ground safety analysis and the specific ground safety requirements provided in subpart E of part 417. This plan need not be restricted to public safety related issues and may address other ground safety issues if an applicant intends it for all-inclusive uses. For example, if a launch operator intends to use the ground safety plan to address worker safety issues in response to OSHA requirements as well as the FAA's public safety requirements, the launch operator need not delete the material regarding worker safety. This is in keeping with the FAA's goal of not duplicating other agency requirements. The FAA does not wish, however, to drive launch operators into segregating what are otherwise intended as integrated safety plans.

Proposed § 415.119 would require a series of launch plans in addition to the flight and ground safety plans required by proposed §§ 415.115 and 415.117. Section 415.119(a) would require that each plan define how any associated launch operation is performed, identify operation personnel and their duties, contain mission specific information, and reference written procedures needed to ensure public safety. Each plan would identify personnel by position who implement the plan. Each plan must identify personnel by position who approve the baseline plan and any related procedures and any modification to the plan or procedures. The FAA would require that an applicant's safety review document include a copy of each launch plan to be implemented in accordance with part 417. The FAA will review these plans and procedures for compliance with part 417 and will reference these plans when performing inspections of a licensee's launch processing and flight operations.

Within each launch plan, an applicant shall provide any associated launch safety rules that satisfy proposed § 417.113. These written rules will govern operations conducted during launch processing and flight by identifying the environmental conditions and status of the launch vehicle, launch support equipment, and personnel under which operations may be conducted or allowed to continue without adversely affecting public safety. An applicant's launch safety rules would include, but need not be limited to flight commit criteria, weather constraints, flight termination rules, and launch crew rest rules. In addition to rules governing the flight of a launch vehicle, an applicant must provide rules that govern each preflight ground operation that has the potential to adversely effect public safety. In addition to complying with the generally applicable launch safety rules specified in proposed § 417.113, an applicant must develop launch safety rules specific to its planned launch based on the flight and ground safety analyses required by part 417.

Proposed § 415.119(b) through (n) would require launch plans in addition to the required flight and ground safety plans. These would include an emergency response plan, an accident investigation plan, a launch support equipment and instrumentation plan, a configuration management and control plan, a communications plan, a frequency management plan, a security and hazard area surveillance plan, a public coordination plan, any local agreements and plans, test plans, countdown plan, launch abort or delay recovery and recycle plan, a license modification plan, and a flight termination system electronic piece parts program plan. An applicant would be required to submit any plans and agreements with any local authority at or near a launch site whose support is needed to ensure public safety during launch processing and flight. Agreements with local authorities such as any site operator, U.S Coast Guard, and local air traffic control would have to be in place for the FAA to issue a license. Requirements for the implementation of these agreements are contained in part 417 and part 420. An applicant would also be required to submit an accident investigation plan that meets the requirements in part 415, subpart C, § 415.41. The accident investigation requirements for launch from a federal launch range in part 415, subpart C are also applicable to launch from a non-federal launch site. The FAA's approach to developing regulatory requirements is for the requirements to be performance oriented wherever possible, thereby allowing for any innovation that a launch operator may develop for their operations provided it accomplishes the related performance requirement. A launch operator's launch plans would document the launch operator's approach for compliance with the requirements. Each plan would become part of the terms of a license and the FAA would inspect a licensee for compliance with the license's launch plans.

Section 415.121 would require that an applicant submit a schedule for the tests, reviews, rehearsals, and safety critical launch operations conducted according to part 417. The schedule must show start and stop times for each activity referenced to time of liftoff for the first planned launch. An applicant would also be required to provide a written summary and point-of-contact for each scheduled activity. The FAA will review these schedules to verify an applicant's plans for complying with part 417. This data also will allow the FAA to focus on activities that are critical to public safety for each specific launch and efficiently schedule license compliance inspections.

Section 415.123 would contain requirements for the material that an applicant would be required to submit describing computing systems and software that perform a software safety critical function to be implemented in accordance with proposed § 417.123 and proposed appendix H of part 417. Reliance on computing systems and software as important components in flight safety systems and other safety critical systems and operations is expected to increase. The proposed requirements for safety critical computing systems and software were adapted from federal range requirements. The applicant would be required to demonstrate an effective program for ensuring the reliability of computing system and software that must operate properly to provide for public safety.

Section 415.125 would require an applicant to identify any public safety related policy and practice that is unique to the proposed launch Start Printed Page 63948according to proposed § 417.127. The FAA would require an applicant to submit a written discussion on how each unique safety policy or practice provided for public safety.

Section 415.127 would identify the data that an applicant would be required to submit to describe any flight safety system employed during a proposed launch. The FAA proposes to define a flight safety system as the system that provides a means of control during flight for preventing a launch vehicle and any component, including any payload, from reaching any populated or other protected area in the event of a launch vehicle failure. Under the FAA's proposed definition, a flight safety system would include hardware and software used to protect the public and the functions of any personnel who operated flight safety system hardware and software. The proposed requirements for the applicability, design, qualification, and implementation of a flight safety system provided in part 417 and its appendices are a critical part of ensuring public safety. Ensuring that an applicant will implement a highly reliable flight safety system in accordance with part 417 would be one of the major objectives of the FAA's safety review of the proposed launch. Accordingly, the FAA proposes to require that data related to an applicant's flight safety system be thorough and be submitted no later than 18 months before the applicant brings any launch vehicle to the proposed launch site. An applicant also would be required to participate with the FAA in technical meetings to facilitate the review and approval of a flight safety system. An applicant's flight safety system data would be submitted in the same time frame as an applicant's flight safety analysis, thus allowing for efficient coordination of flight safety analysis and flight safety system issues.

The intent of proposed § 415.127 is to identify the descriptions, diagrams, schematics, tables, and charts needed by the FAA to verify compliance with the flight safety system requirements of part 417. Proposed part 417 and its appendices contain a significant number of specific system and component requirements. An applicant would be required to comply with each requirement that is applicable to its flight safety system or an applicant would be permitted to show that its system meets the intent of an applicable requirement. The applicability of each flight safety system requirement would be established through the FAA's review and approval of an applicant's flight safety system compliance matrix. This matrix would identify each requirement in part 417 and its appendices and indicate whether or not the requirement applied to an applicant's flight safety system. For each applicable requirement the matrix would indicate strict compliance or that the applicant's system would meet the intent of the requirement through other means, which would have to be further demonstrated and documented. Once approved as part of a launch license, this matrix and any supporting documentation would dictate the design and configuration of a licensee's flight safety system. Any change to a licensee's flight safety system would have to be submitted to the FAA for approval as a license modification.

Proposed § 415.129 would identify the test data that an applicant must submit regarding any flight safety system used for a proposed launch. Part 417 and its appendices would contain flight safety system test requirements intended to ensure that an applicant implements a highly reliable flight safety system. Ensuring the implementation of a flight safety system test program in accordance with part 417 will be another major objective of the FAA safety review. Part 417 would require the preparation of test plans, reports, and procedures. Section 415.129 would require that an applicant submit these documents and a test compliance matrix. This matrix would identify each test requirement in part 417 and its appendices and indicate whether or not the requirement applies to an applicant's flight safety system test program. For each applicable requirement the matrix would be required to indicate compliance or that the applicant's test program would meet the intent of the requirement through other means, which must be further demonstrated and documented. Once approved as part of a launch license, this matrix, and any supporting documentation, would dictate the flight safety system testing that must be implemented by a licensee. Any change to a licensee's test program would have to be submitted to the FAA for approval as a license modification. The proposed regulations would require that the test data be submitted to the FAA no later than 15 months before the applicant brings any launch vehicle to the proposed launch site; however, all flight safety system testing need not be completed before the FAA would issue a launch license. A licensee would be required to successfully complete all testing and submit completed test reports prior to flight.

Proposed § 415.131 would require an applicant to identify each flight safety system crew position and role that it planned to employ during the conduct of a launch. The FAA would require an applicant to identify the senior flight safety official by name and submit documentation on this individual's qualifications for the position showing compliance with the requirements in proposed § 417.343. The FAA would require an applicant to describe the certification and training program for the flight safety system crew.

4. Part 415, Appendix B, Safety Review Document Outline

Proposed appendix B of part 415 would contain the format and numbering scheme for a safety review document to be submitted as part of an application for a launch license. Administrative requirements applicable to a safety review document are provided in proposed § 415.107. Requirements for the form and content of each part of a safety review document are provided in parts 413 and 415. Technical requirements related to the information contained in a safety review document are provided in part 417. The applicable sections of parts 413, 415, and 417 would be referenced in the outline provided in proposed appendix A. A safety review document with the proposed standardized format and numbering scheme would allow for efficiencies in the FAA's licensing review and approval process.

5. Part 415, Appendix C, Ground Safety Analysis Report

Proposed appendix C of part 415 would provide the format and content requirements for a ground safety analysis report. Proposed section C415.1 would require an applicant to perform a ground safety analysis in accordance with subpart E of part 417 and submit a ground safety analysis report in accordance with proposed appendix C of part 415. A ground safety analysis report would contain hazard analyses that describe all hazard controls, and describe a launch operator's hardware, software, and operations so that the FAA may assess the adequacy of the hazard analysis. A launch operator would document all hazard analyses on hazard analysis forms according to proposed section C415.3(d) and submit systems and operations descriptions as a separate volume of the report. A ground safety analysis report would include a table of contents and provide definitions of any acronyms and unique terms used in the report. A launch operator's ground safety analysis report may reference other documents submitted to the FAA that contain the information required by this appendix Start Printed Page 63949wherever applicable without repeating the data.

Proposed section C415.3 would describe the chapters that make up a ground safety analysis report. A ground safety analysis report must include an introductory chapter, a chapter that provides a summary of safety information about the launch vehicle and operations, including the payload and any flight safety system, and a chapter that provides safety information about each launch vehicle system, operation, and any associated interfaces. A ground safety analysis report must include a chapter containing a hazard analysis that identifies each hazard and all hazard controls to be implemented. A ground safety analysis report must also include a chapter containing data that supports the hazard analysis. Supporting data may include documents such as memoranda that explain why no public hazard exists for a particular hazardous system operation, or supporting data may display tables that consolidate hazard analysis information.

Proposed section C415.3(c) would contain the format requirements for describing systems and operations. A launch operator would also describe two kinds of hazards related to its flight safety system that could adversely affect the public. A launch operator would address potential inadvertent activation of a flight safety system, which could result in harm to the public, and the hazards created by ground operations that could adversely affect the reliability of the flight safety system itself. Any hazard controls implemented would be identified as part of the hazard analysis. For hazardous materials, a launch operator would identify any hazardous materials used in its flight and ground systems including the quantity and location of each. A launch operator would provide a summary of its approach to protecting the public from toxic plumes, including the toxic concentration thresholds used for controlling any public exposure and a description of any local agreements. Section C415.3(c) would also contain requirements for describing the subsystems of each hazardous system identified by the analysis. Proposed section C415.3(d) would contain an example hazard analysis form and an explanation of how to fill out the form. In addition to providing a launch operator further clarification on the data submitted as part of a ground safety analysis report, the use of this standard form would help facilitate the FAA's safety review process, allowing for greater efficiency in evaluating an applicant's ground safety analysis.

C. Part 417—Launch Safety, Subpart A, General

Proposed part 417, subpart A contains general requirements applicable to launch safety. Requirements for preparing a license application to conduct a launch, including related policy and safety reviews, are contained in parts 413 and 415. Because the provisions of part 417 would apply to prospective and licensed launch operators, an applicant seeking a license should read part 417 in conjunction with the application requirements of part 415, subpart F, and the general application requirements of part 413. Review of subpart F of part 415 will show that the subpart refers an applicant to the requirements proposed in part 417 on numerous occasions for purposes of the applicant demonstrating its ability to satisfy the requirements of part 417. Section 417.1 describes the scope of the requirements in part 417. Part 417 would prescribe the responsibilities of a launch operator conducting a licensed launch of an expandable launch vehicle and the requirements that a licensed launch operator must comply with to maintain a license and launch an expendable launch vehicle.

Section 417.3 contains definitions of terms used in proposed part 417.

Proposed § 417.5 would require that a launch operator ensure the safe conduct of a licensed launch. This section proposes that a launch operator ensure that members of the public and property belonging to the public are protected at all times during the conduct of a licensed launch, including preflight operations at a launch site and the flight of a launch vehicle.

Proposed § 417.7 would require a launch operator to ensure the safe conduct of launch processing at a launch site in the United States. A launch operator should anticipate that launch processing at a launch site outside the United States might be subject to the requirements of the governing jurisdiction. Requirements that apply to a launch site operator are contained in part 420. A launch operator would coordinate and perform launch processing in accordance with any agreements necessary to ensure that the responsibilities and requirements of this part and part 420 are met. Where there is a licensed launch site operator, a launch operator licensee would ensure that its operations are conducted according to any agreements that the launch site operator has with any local authorities. For example, under part 420, a launch site operator must obtain agreements with the FAA's regional office for air traffic services, and, if appropriate, the U.S. Coast Guard, see 14 CFR 420.57, to ensure that notices to airmen and mariners are issued before a launch. The launch operator must follow the procedures established by those agreements. A licensed launch operator would coordinate with the launch site operator and provide any information on its activities and potential hazards necessary to determine how to protect any other launch operators and persons and their property at the launch site. For a launch that is conducted from an exclusive use site where there is no launch site operator, the launch operator licensee would be responsible for meeting the requirements of this part and the public safety requirements of part 420, such as coordinating with the U.S. Coast Guard and the FAA's regional office for air traffic services.

Proposed § 417.9 would require a launch operator to conduct each launch in accordance with the safety review document developed during the part 415 licensing process, and maintained and updated for each specific launch in accordance with the requirements of proposed part 417. The FAA proposes that any launch specific update to a launch operator's safety review document be submitted to the FAA before flight. A launch operator would be required to submit the launch specific updates required by this part and any required by any special terms of a license as identified during the license application and evaluation process. Any other change to the information in a licensee's safety review document would have to be submitted to the FAA as a request for a license modification before flight in accordance with § 415.73 and the license modification plan required by proposed § 415.119.

Proposed § 417.11 would require a launch operator, for each specific launch, to verify that all license related information submitted to the FAA reflected the current status of the licensee's systems and processes as implemented for the specific launch. For each launch, a launch operator would submit a signed written statement to the FAA that the launch would be conducted in accordance with the terms and condition of the launch license and FAA regulations. The launch operator would also state in writing that all required license related information was submitted to the FAA and that the information reflected the current status of the licensee's systems and processes as implemented for that launch. The launch operator would be required to submit this written Start Printed Page 63950statement to the FAA no later than ten days before the first planned flight attempt for each launch. The FAA evaluates each planned launch for compliance with the terms and conditions of the launch license and the regulations. The FAA would notify a launch operator of any licensing issue and coordinate with the launch operator to resolve any issue prior to flight. The proposed regulations would prohibit a launch operator from proceeding with the flight of a launch vehicle if there were any unresolved licensing issues.

Proposed § 417.11(e) would require a launch operator, for each licensed launch, to provide FAA with a console for monitoring the progress of the countdown and communication on all channels of the countdown communications network. The launch operator would be required to ensure that the FAA was polled over the communications network during the countdown to verify that the FAA had identified no issues related to the launch operator's license. Although the FAA will not be participating in the launch in an operational capacity, the FAA is proposing this requirement in order to ensure that if the FAA identifies any issues that all persons involved in the launch are aware of those requiring resolution prior to flight. The FAA's participation in the poll is not intended to provide any additional authorization to the launch operator, but merely to serve as a final opportunity to communicate any issues identified. The FAA's provision of a “go” or ready statement during a poll would not mean that issues could not be identified later. It would mean only that none had been identified at that time.

D. Part 417, Subpart B, Launch Safety Requirements

Proposed part 417, subpart B would contain launch safety requirements that apply to the launch of orbital and sub-orbital expendable launch vehicles. Section 417.101 would identify the scope of subpart B, which would provide an overview of the public safety issues that a launch operator's launch safety program would be required to address. For each public safety issue, subpart B would either provide the requirements in their entirety or would provide an overview of the requirements and reference other subparts, sections, or appendices that contain further detail.

Section 417.103 would contain requirements for a launch operator to maintain an organization that ensured public safety and ensured that the requirements of proposed part 417 were satisfied. This section would identify the management positions and organizational elements that a launch operator's organization would incorporate, and would require that each launch management position and organizational element have documented roles, duties, and authorities. These proposed requirements are based on the approach used at the federal launch ranges and reflect only the organization elements needed to implement the safety-related requirements in proposed part 417.

Proposed § 417.105 would require a launch operator to have a program for ensuring that its personnel have the necessary qualifications and certifications to perform safety critical tasks. Based on experience at the federal launch ranges, the use of qualified personnel who are certified to perform specific tasks is considered one of the most effective methods of ensuring the safety of launch operations. Section 417.105 would require a launch operator to identify and document the qualifications, including education, experience, and training, for each launch personnel position that oversees, performs, or supports a hazardous operation with the potential to impact public safety or who uses or maintains safety critical systems or equipment that protect the public. This section would also contain requirements for a launch operator's personnel certification/re-certification program to ensure that personnel possess the qualifications for their assigned tasks.

Proposed § 417.107 would contain general requirements for protecting the public from the hazards associated with the flight of a launch vehicle. Section 417.107(a) would contain requirements for employing a flight safety system that provides a means of control during flight for preventing a launch vehicle and any component, including any payload, from reaching any populated or other protected area in the event of a launch vehicle failure. Section 417.107(a) would also identify the conditions under which an unguided suborbital rocket may be flown with a wind weighting safety system and without a flight safety system and requirements for the potential use of an alternate flight safety system. Further discussion on the FAA's proposed flight safety system requirements, including the use of an alternate flight safety system is provided in paragraph III.F of this preamble.

Section 417.107(b) would contain the public risk criteria that each launch must satisfy. A launch operator would be required to demonstrate compliance with the public risk criteria through analysis and by establishing flight commit criteria that ensure that a launch will take place only if the public risk criteria are satisfied. A launch operator would be required to demonstrate that the risk level due to all hazards associated with the flight of a launch vehicle not exceed an expected average number of 0.00003 casualties per launch (EC≤30×10−6), excluding water-borne vessels and aircraft. The FAA is proposing to codify the applicability of this criterion to all licensed launches, regardless of the launch site. A launch operator's determination of EC for a launch shall account for, but need not be limited to, risk due to impacting debris and any risk determined for toxic release and distant focus overpressure blast. The risk to the public from launch of an expendable launch vehicle is typically due to three major hazards. Further discussion on the requirements for determining expected casualty is provided in paragraph III.E.8 of this preamble.

Compliance with the EC criteria of 30×10−6 is a widely accepted approach for measuring and controlling the risk to the general public from launch activities and has been used successfully at the federal launch ranges. Experience at the federal launch ranges and a review of current and proposed commercial launch sites indicate there are possible situations where the EC calculated for a specific launch could be at an acceptable level, but the risk to one or more individuals may be unacceptably high. Through this rulemaking the FAA proposes that in conjunction with demonstrating EC≤30×10−6 for each launch, a launch operator also demonstrate that the casualty probability for any individual (PC) does not exceed 0.000001 per launch (PC≤1×10−6). This PC criteria has been used successfully by some federal launch ranges and is based on statistical studies of the levels of involuntary risk that people are exposed to in every day life. The general logic being applied is that an individual member of the public, someone who is not involved with the launch of a launch vehicle, should not be exposed to any risk greater than the individual would otherwise be subjected to as part of a normal day. A launch operator would be required to establish an individual casualty contour according to proposed § 417.225 such that, if a single person were present inside that contour at the time of liftoff, the 1×10−6 criteria would be exceeded. The FAA would require an individual casualty contour to be treated as a safety clear zone and a launch operator would be required to ensure that no member of Start Printed Page 63951the public is present within the safety clear zone during the flight of a launch vehicle.

The FAA proposes to use the criteria for ship and aircraft hit probability used at federal launch ranges for creating ship and aircraft hazard areas. A launch operator would be required to demonstrate that the risk probability of a launch vehicle or debris impacting any individual water-borne vessel that is not operated in direct support of the launch does not exceed 0.00001 (PI≤1×10−5). The FAA proposes that the risk probability of a launch vehicle or debris impacting any individual aircraft not operated in direct support of the launch shall not exceed 0.00000001 (PI≤1×10−8). A launch operator would be required to establish ship and aircraft impact hazard areas according to proposed § 417.225 to ensure these criteria are satisfied. Section 417.107(c) would require a launch operator to ensure that a launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a habitable orbital object throughout a sub-orbital launch. For an orbital launch, a launch operator would be required to ensure that a launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a habitable orbiting object during ascent to initial orbital insertion through at least one complete orbit. The FAA would require a launch operator to obtain a conjunction on launch assessment from United States Space Command according to proposed § 417.233 and to use the results to develop flight commit criteria that ensure the 200-kilometer criteria is satisfied. The flight commit criteria would typically identify specific periods of time (waits) during a launch window where flight must not be initiated. The FAA is in discussions with United States Space Command regarding a process for commercial launch operators to obtain a Conjunction On Launch Assessment (COLA). There may be other methods of obtaining this analysis; however, United States Space Command is the primary source of the most current data on orbital objects and must perform this analysis as part of its mission to protect national assets on orbit. The FAA proposes to require that a COLA be performed to protect habitable orbital objects such as the space shuttle and the international space station as is the current practice at the federal launch ranges. A launch operator may request COLA results for other orbital objects as desired for mission assurance purposes.

Section 417.107(d) would require a launch operator to perform and document a flight safety analysis according to subpart C of proposed part 417. The analysis must demonstrate compliance with the public risk criteria specified in paragraph (b) of proposed § 417.107 and establish flight safety limits for each launch. A launch operator would be required to use the analysis products to develop launch safety rules, including flight commit and flight termination criteria, to ensure that the public risk criteria are met. Further discussion on the proposed flight safety analysis requirements is provided in section III.E of this preamble.

Section 417.107(e) would require that the launch of any radionuclide be approved by the FAA as part of the launch licensing process according to proposed § 415.115 or a launch operator would be required to apply for a license modification. The launch of any radionuclide involves special safety considerations as well as possible coordination with other government agencies that may have jurisdiction. FAA safety review and approval of a launch involving any radionuclide would be handled on a case-by-case basis. For each launch, a launch operator would be required to verify that the type and quantity of any radionuclide on a launch vehicle or payload is in accordance with the terms of its launch license.

Section 417.107(f) would require a launch operator to implement a flight safety plan prepared as required during the license application process according to proposed § 415.115 and in accordance with the launch plan requirements in proposed § 417.111. Specific requirements applicable to a flight safety plan for the launch of an unguided suborbital launch vehicle are provided in proposed § 417.125.

Proposed § 417.109 would require a launch operator to perform a ground safety analysis and implement a ground safety plan to protect the public from adverse affects of operations associated with preparing a launch vehicle for flight at a launch site in the United States. Specific ground safety requirements that must be met by a launch operator would be provided in proposed subpart E of proposed part 417. Further discussion on the proposed ground safety requirements is provided in section III.G of this discussion.

Proposed § 417.111 would contain requirements for a launch operator to update, maintain, and implement its launch plans developed during the licensing process according to proposed § 415.117. The FAA's approach to developing regulatory requirements is for the requirements to be performance oriented wherever possible, thereby allowing for any innovation that a launch operator may develop for its operations, provided the innovation accomplishes the related performance requirement. A launch operator's launch plans would document the launch operator's approach for compliance with the performance requirements. Each plan would become part of the terms of the license and the FAA would inspect a licensee for compliance with the license's launch plans.

Proposed § 417.113 would contain requirements for written launch safety rules that govern launch. The launch safety rules would identify the environmental conditions and status of the launch vehicle, launch support equipment, and personnel under which launch operations may be conducted without adversely affecting public safety. Launch rules would address flight and ground safety issues and would be documented in a launch operator's launch plans. The flight and ground safety analyses that would be required by proposed subparts C and E of part 417 would be used to establish many of a launch operator's launch safety rules. Section 417.113 would also contain specific requirements for flight commit criteria, flight termination criteria, and launch crew work shift and rest rules.

Proposed § 417.115 would contain requirements for testing all flight and ground systems and equipment that protect the public from the adverse effects of a launch. A launch operator would be required to determine the cause of any discrepancy identified during testing, develop and implement any correction, and perform re-testing to verify each correction. A launch operator would be required to notify the FAA of any discrepancy identified during testing and submit information on corrections implemented and the results of re-testing before the system or equipment would be used in support of a launch. The configuration of safety critical systems may change from one flight to the next. Testing of safety critical systems in preparation for each launch in the configuration used for the launch is considered one of the most effective approaches for ensuring the reliability of the safety critical systems when needed during launch processing and flight.

Proposed § 417.117 would contain requirements for review meetings that a launch operator would be required conduct to determine the status of launch operations, systems, equipment, and personnel and their readiness to support launch and to review the results of a launch. This section would contain Start Printed Page 63952the general requirements that apply to all reviews and would identify the specific reviews that a launch operator must conduct for each launch. A launch operator would maintain documented criteria for successful completion of each review and document all review proceedings. Any corrective actions identified during a review would be documented and tracked to completion. Launch operator personnel who oversee a review would attest in writing to successful completion of the review. The series of reviews that would be required reflect a proven practice for ensuring safety issues are identified and resolved prior to launch based on the experience of the federal launch ranges.

Proposed § 417.119 would contain requirements for rehearsals designed to exercise all launch personnel and systems under nominal and non-nominal preflight and flight conditions and identify corrective actions or operational changes needed to ensure public safety. This section would contain general requirements that apply to all rehearsals and would identify the specific rehearsals that a launch operator would conduct for each launch.

A launch operator would develop and conduct the rehearsals identified in proposed § 417.119 for each launch unless otherwise approved by the FAA through the licensing process. For example, when conducting a series of launches within days of one another, a launch operator may propose that one rehearsal applies to more than one launch. The FAA would consider such a proposal if all the same personnel are involved in each launch and the launch operator demonstrates that an equivalent level of safety is achieved.

Proposed § 417.121 would contain requirements for the safety critical preflight operations that a launch operator would perform to ensure public safety. A safety critical preflight operation is an activity performed specifically to protect the public from any adverse effects of a launch vehicle's flight or from hazards associated with launch processing at a launch site, including activities such as disseminating notices of hazard areas and surveillance of hazard areas to ensure that flight commit criteria are satisfied. This section would contain general requirements that apply to all safety critical preflight operations and would contain requirements for specific safety critical preflight operations that a launch operator would conduct for each launch.

Proposed § 417.123 would require a launch operator to ensure that any flight and ground computing system that performs or potentially performs a software safety critical function is implemented in accordance with the requirements of appendix H of proposed part 417. A launch operator would identify any software safety critical functions, as defined by appendix H, associated with handling, pre-flight assembly, checkout, test, or flight of a launch vehicle including any computing systems and software that are part of a flight safety system. The proposed software safety approach is an adaptation of the approach that has been successfully implemented at the Air Force launch ranges and is one with which most current launch operators are familiar.

Proposed § 417.125 would contain requirements that apply specifically to the launch of an unguided suborbital rocket. The process of ensuring public safety for such a launch is typically completed prior to flight and involves setting the launcher azimuth and elevation (aiming the rocket) to correct for the effects of actual time of flight wind conditions to provide a safe impact location. This safety process, called wind weighting, has some unique organizational and operational requirements. Unlike the launch of a guided launch vehicle, an unguided suborbital rocket may be flown without a flight safety system that provides safety control during flight. This section would contain the specific requirements under which an unguided suborbital rocket may be flown with a wind weighting safety system and without a flight safety system.

Proposed § 417.127 would contain requirements for a launch operator to review operations, system designs, analysis, and testing, and identify and implement any additional policies and practices needed to protect the public. The FAA suggests that this include public safety related practices designed to ensure that there are no conflicts with the requirements of other Federal, State, and local regulations and to ensure that any necessary agreements and interfaces are in place. A launch operator is responsible for all aspects of public safety. As the launch industry continues to grow, advances in technology and implementation of innovations by launch operators will likely introduce new and unforeseen public safety issues. The FAA plans to work with launch operators on a case-by-case basis to resolve any public safety issues not specifically addressed by current regulations. A launch operator would be required to implement any unique safety policies and practices identified during the licensing process and documented in the launch operator's safety review document. For any new launch operator unique safety policy or practice or change to an existing safety policy or practice, the launch operator would be required to submit a request for license modification.

E. Part 417, Subpart C, Flight Safety Analysis

Proposed subpart C would contain the requirements governing a launch operator's performance of flight safety analysis to demonstrate a launch operator's capability to monitor and control risk to the public from normal and malfunctioning launches. Proposed section 417.201 would identify the scope of subpart C. A flight safety analysis consists of a number of analyses, which in some cases are dependent on one another. The sections of subpart C would contain performance standards for each of the analyses that make up an overall flight safety analysis. This subpart would also identify the analysis products that a launch operator would submit to the FAA when applying for a launch license and that would be submitted for each specific launch. Further discussion on the proposed flight safety analysis requirements is provided in section III.E of this preamble.

Proposed § 417.203 contains general requirements that apply to performing flight safety analysis, incorporating the analysis products into the launch operator's flight safety plan, and submitting analysis products to the FAA. The FAA anticipates that different launch operators will employ different methods for satisfying the requirements of proposed subpart C. In the course of the licensing process the FAA will review a launch operator's proposed method and determine whether it satisfies the FAA's requirements. Accordingly, a launch operator may not change its methods for conducting a flight safety analysis without FAA approval, and a launch operator would be required to submit any change to a launch operator's flight safety analysis methods to the FAA as a request for license modification before the launch for which it was performed.

Section 417.203 would require that a launch operator meet the requirements of proposed subpart C unless the FAA approves an alternate analysis during the license application process or as a license modification. The FAA would approve an alternate analysis if a launch operator provided a clear and convincing demonstration that its proposed analysis provided an equivalent level of safety to that required by proposed subpart C. A launch operator would have to obtain Start Printed Page 63953FAA approval of an alternate flight safety analysis before its license application or application for license modification could be found sufficiently complete.

Proposed § 417.205 contains requirements governing a trajectory analysis that a launch operator would perform to define the limits of a launch vehicle's normal flight for any time after liftoff. Many of the other analyses, such those performed to establish flight safety limits and hazard areas, would use the products of the trajectory analysis as input.

Proposed § 417.207 contains requirements governing a malfunction turn analysis that a launch operator would perform to determine a launch vehicle's greatest turning capability as a function of trajectory time. A launch operator would use the products of its malfunction turn analysis as input to its flight safety limits analysis and other analyses where it is necessary to determine how far a launch vehicle's impact point can deviate from the nominal impact point ground trace if a malfunction occurs.

Proposed § 417.209 contains the requirements governing a debris analysis that a launch operator would perform to determine the inert, explosive, and otherwise hazardous launch vehicle debris resulting from a launch vehicle malfunction and from any planned impact of a jettisoned launch vehicle stage, component, or payload. A launch operator would develop debris models in the form of lists of the debris that is planned as part of a launch or that results from breakup of the launch vehicle. Each list would describe each debris piece produced, its physical characteristics, whether it is inert, explosive or otherwise hazardous, and the effects of impact, such as explosive overpressure, skip, splatter, or bounce radius, including its effective casualty area.

A launch operator would use the products of its debris analysis as input to other flight safety analyses such as those performed to establish flight safety limits and hazard areas and to determine if the launch satisfies the public risk criteria.

Proposed § 417.211 contains requirements governing the analysis that a launch operator would perform to determine the geographic placement of flight control lines that define the region over which a launch vehicle will be allowed to fly and any debris resulting from normal flight and any launch vehicle malfunction, will be allowed to impact. As part of a flight control lines analysis, a launch operator would identify the boundaries of populated and other areas requiring protection from potential adverse effects of a launch vehicle's flight. A launch operator would ensure that the flight control lines bound all such protected areas. A launch operator would use the flight control lines to establish flight termination rules used in conjunction with a flight safety system to ensure that the debris associated with a malfunctioning launch vehicle does not impact any populated or other protected area outside the flight control lines. Proposed § 417.213 would contain requirements governing a flight safety limits analysis that a launch operator would perform to establish criteria for terminating a malfunctioning launch vehicle's flight. These flight termination criteria used in conjunction with a flight safety system would ensure that the launch vehicle's three-sigma debris impact dispersion, including the effects of any explosive debris, did not extend beyond the flight control lines established according to proposed § 417.211. A launch operator's flight safety limits analysis would determine a set of temporal and geometric extents of a launch vehicle's debris impact dispersion on the Earth's surface resulting from any planned debris impacts and potential debris impacts resulting from launch vehicle failure. A launch operator's flight safety limits would provide for the identification of a launch vehicle malfunction with sufficient time to terminate flight to prevent the adverse effects of the resulting debris from reaching any protected area outside the flight control lines.

Proposed § 417.215 would contain requirements governing a straight-up time analysis that a launch operator would perform to determine the latest time-after-liftoff by which flight termination would be initiated in the event of a launch vehicle malfunction resulting in the launch vehicle flying a vertical or near vertical trajectory, referred to as a straight-up trajectory, rather than following a normal trajectory downrange. Straight-up time is a special type of flight safety limit used to address this specific type of failure. In the event of such a failure, the launch operator would terminate flight at the straight-up time to ensure that debris or critical over-pressure does not extend outside the flight control lines in the launch area.

Proposed § 417.217 contains requirements governing a wind analysis that a launch operator would perform to determine wind magnitude and direction as a function of altitude for the air space through which its launch vehicle will fly and for the airspace through which jettisoned debris will travel. The products of this analysis would have to satisfy the input requirements of the other flight safety analyses that are dependent on wind data. Additional wind analysis requirements for the launch of an unguided suborbital rocket using a wind weighting safety system would be contained in proposed § 417.235 and appendix C of part 417.

Proposed § 417.219 contains requirements governing a no-longer terminate gate analysis that a launch operator would perform to determine the portion, referred to as a gate, of a flight control line or other flight safety limit boundary, through which a launch vehicle's tracking icon is allowed to proceed without a launch operator being required to terminate flight. A tracking icon is the representation of a launch vehicle's position in flight available to a flight safety official during real-time tracking of the launch vehicle's flight. A launch operator would be permitted to employ a gate for planned launch vehicle flight over a populated or other protected area only if the launch could be accomplished while meeting the public risk criteria of proposed § 417.107.

Proposed § 417.221 contains requirements governing a data loss flight time analysis that a launch operator would perform to determine the shortest elapsed thrusting time during which a launch vehicle can move from a state where it does not endanger any populated or other protected area to a state where endangerment is possible. A data loss flight time analysis would also determine the earliest destruct time, which is the earliest time after liftoff that public endangerment is possible, and the no longer endanger time, which is the earliest time after liftoff that public endangerment is no longer possible. A launch operator would employ data loss flight times following any malfunction that prevents the flight safety official from knowing the location or behavior of a launch vehicle. A launch operator would be required to incorporate data loss flight times into the flight termination rules for each launch.

Proposed § 417.223 contains requirements governing a time delay analysis that a launch operator would perform to determine the mean elapsed time between the start of a launch vehicle malfunction and the final commanded flight termination, including the flight safety official's decision and reaction time. A launch operator would also determine the time delay plus and minus three-sigma values relative to the mean time delay. Start Printed Page 63954A time delay analysis would account for data flow decelerations, decision time, and reaction time due to hardware, software, and personnel that comprise a launch operator's flight safety system and would be used to establish flights safety limits.

Proposed § 417.225 contains requirements governing a flight hazard area analysis that a launch operator would perform to determine the regions of land, sea, and air that must be publicized, monitored, controlled, or evacuated to protect the public from the adverse effects and hazards of planned and unplanned launch vehicle flight events and to ensure that the public risk criteria in proposed § 417.107(b) are satisfied. A launch operator's flight hazard area analysis would define the ship and aircraft hazard areas for which Notices to Mariners (NOTMAR) and Notices to Airman (NOTAM) must be issued and the areas where the launch operator would survey prior to flight. The products of a launch operator's flight hazard area analyses would be used to establish launch safety rules. Typically, these rules would preclude liftoff if the public would be exposed within a flight hazard area or if the extent of public presence would exceed the public risk criteria of proposed § 417.107(b).

Proposed § 417.227 contains requirements governing a debris risk analysis that a launch operator would perform to determine the expected average number of casualties (EC) to the collective members of the public exposed to inert and explosive debris hazards from any one launch. This analysis would include an evaluation of risk to populations on land, including regions of launch vehicle flight following passage through any gate in a flight safety limit boundary established according to proposed § 417.219. The requirements in proposed § 417.227 apply to a debris risk analysis for all launches. A launch operator would perform a debris risk analysis using the methodology provided in appendix B of proposed part 417. This analysis would be part of the launch operator's demonstration of compliance with the overall (EC) criteria of 30 × 10-6.

Proposed § 417.229 contains requirements governing a toxic release analysis that a launch operator would perform to determine any potential public hazard resulting from any potential toxic release during preflight processing and flight of a launch vehicle and to develop launch safety rules, including flight commit criteria to protect the public from any potential toxic release. A launch operator would perform a toxic release analysis using the methodology contained in appendix I of proposed part 417.

Proposed § 417.231 contains requirements governing a distant focus overpressure blast effects analysis that a launch operator would perform to demonstrate that the potential public hazard resulting from impacting explosive debris would not cause windows to break with related injuries. In order to satisfy the requirements of this section, a launch operator would be required to evaluate potential distant focus overpressure blast effects hazards in accordance with a multi-level screening approach, in which the launch operator would employ either a deterministic analysis or a probabilistic analysis, to prevent casualties that could arise due to potential distant focus overpressure blast.

Proposed § 417.233 contains requirements governing the performance of a conjunction on launch assessment that a launch operator would obtain from United States Space Command. A launch operator would implement any waits in the launch window, as identified by United States Space Command, during which flight must not be initiated in order to maintain a 200-kilometer separation from any habitable orbiting object. A licensee may request a conjunction on launch assessment be performed for other orbital objects to meet mission needs or to accommodate other satellite owners or operators.

Proposed § 417.235 contains requirements governing flight safety analysis for the launch of an unguided suborbital rocket that is flown with a wind weighting safety system and without a flight safety system. A launch operator would demonstrate that any adverse effects resulting from flight would be contained within controlled operational areas and any flight hardware or payload impacts would occur within planned impact areas. The launch operator would also demonstrate compliance with the public risk criteria. A launch operator would perform the analyses using the methodologies contained in appendixes B and C of proposed part 417.

F. Part 417, Subpart D, Flight Safety System

Subpart D would contain requirements applicable to a launch operator's flight safety system, the primary purpose of which is to prevent a launch vehicle from impacting populated or other protected areas in the event of a launch vehicle failure.

Proposed § 417.301 contains general requirements applicable to any type of flight safety system including any that may differ from the human operated system traditionally used in the United States. A launch operator would ensure that a flight safety system satisfies all the requirements of subpart D unless the FAA approves the use of an alternate flight safety system in accordance with proposed § 417.107(a). The FAA will evaluate any alternate flight safety system on a case-by-case basis.

An example of a flight safety system for which all of the requirements in subpart D do not apply is the thrust termination system employed by Russian and Ukrainian launch vehicles. The FAA has licensed Sea Launch launches, which use such a thrust termination system. The Sea Launch licensing determination was made based on a clear understanding of how the thrust termination system compares with the requirements in proposed subpart D. With that and a review of all safety related issues and the specifics of each launch of Sea Launch, including the remote isolation of the launch site, the FAA determined that an acceptable level of public safety was being provided that was equivalent to a commercial launch from a United States federal launch range. (Further discussion on the issue of using an alternate flight safety system that does not meet all the requirements of subpart D of proposed part 417 is provided in section III.F.7 of this discussion.) The requirements in proposed subpart D are based on the use of a human operated system where flight termination is initiated by radio command. When evaluating an alternate flight safety system, the FAA will use the requirements in subpart D as guidelines, where applicable, for which the launch operator must demonstrate an equivalent level of safety.

A launch operator's flight safety system would consist of a flight termination system, a command control system, and the support systems defined in this subpart, including all associated hardware and software. A flight safety system would also include the functions of any personnel who operate flight safety system hardware and software. A launch operator would be required to satisfy each requirement in this subpart, including all requirements contained in referenced appendices, by meeting the requirement or by employing an alternate method approved by the FAA through the licensing process. The FAA will approve an alternate method if a launch operator provides a clear and convincing demonstration that its proposed method provides an equivalent level of safety to that required by subpart D. A launch operator would have to obtain FAA approval of any proposed alternate Start Printed Page 63955method before its license application or application for license modification could be found sufficiently complete.

A launch operator would implement a test program for its flight safety system that demonstrates the ability of flight safety system components to meet the design margins and reliability requirements of proposed subpart D.

Any change to a licensee's flight safety system design or flight safety system test program that was not coordinated during the licensing process would be submitted to the FAA for approval as a license modification prior to flight. The modification requirement of § 415.73 is of special significance in the context of a flight safety system. Each requirement of proposed subpart D is designed to ensure that a launch takes place with a reliable and functioning flight safety system. A licensee must obtain FAA approval through the license modification process before implementing any changes. This includes any changes that may occur shortly before flight itself. The FAA's proposed license application timetable for submitting complete flight safety system design data and test program described in proposed §§ 415.127 and 417.129 respectively is intended to reduce the number of last minute changes and consequent delays.[16]

Prior to the flight of each launch vehicle, a licensee would confirm to the FAA in writing that its flight safety system is as described in its license application, including all applicable application amendments and license modifications, and complies with any terms of the license and the requirements of proposed part 417. Upon review of a proposed launch, the FAA may identify and impose additional requirements needed to address unique issues presented by a flight safety system, including its design, operational environments, and testing.

Proposed § 417.303 contains functional requirements for a flight termination system. A flight termination system is a major part of a flight safety system and consists of the hardware and software onboard a launch vehicle that accomplish the termination of flight in the event of a launch vehicle failure. Proposed § 417.303 would identify the functions that a flight termination system must accomplish to stop the flight of a launch vehicle and disperse hazardous energy in a way that protects public safety. Once initiated, a flight termination system would render each stage and any other propulsion system, including any propulsion system that is part of a payload, with the capability of reaching a populated or other protected area, non-propulsive and any stage or propulsion system not thrusting at the time the flight termination system is initiated would be rendered incapable of becoming propulsive. Rendering each stage and propulsion system non-propulsive would ensure that the impact location of the launch vehicle pieces could be accurately predicted and allows for the development of flight termination criteria that would prevent the launch vehicle, any component, or payload from impacting populated or other protected areas. A flight termination system would cause rapid dispersion of any liquid propellant by rupturing the propellant tank or other equivalent method and initiate burning of any toxic liquid propellant. The release of a toxic propellant like hydrazine could pose a significant risk to public safety. The proposed requirement would ensure that the concentrations of any liquid propellants are reduced to non-hazardous levels as quickly as possible and thereby minimize the risk of a toxic cloud reaching a populated or other protected area.

A flight termination system would include a command destruct system that is initiated by radio command. Use of a radio command destruct system is the proven method for ensuring public safety from a malfunctioning launch vehicle that has been used at United Stated launch ranges for over 40 years. The FAA will evaluate the use of any other type of system in place of a command destruct system, such as an autonomous flight termination system, on a case-by-case basis. In such a case, the launch operator would be required to provide a clear and convincing demonstration that its proposed method provided an equivalent level of safety.

A flight termination system would provide for flight termination of any inadvertently or prematurely separated stage or strap-on motor capable of reaching a populated or other protected area before orbital insertion. Some rocket stages, primarily strap-on solid rocket motors, may be capable of continued flight after becoming separated from the main launch vehicle if their propellant is not exhausted and continues to burn or begins to burn and produce thrust. Each stage or strap-on motor that does not possess its own complete command destruct system must be equipped with an inadvertent separation destruct system. An inadvertent separation destruct system would be considered a part of the overall flight termination system. The commonly employed inadvertent separation destruct system, frequently referred to as an ISDS, responds to a launch vehicle breaking up on its own and does not respond to guidance errors. An inadvertent separation destruct system is intended to ensure that the flight of any stage or booster that becomes separated from the main vehicle would be terminated.

Proposed section 417.305 contains requirements that a flight termination system must satisfy to ensure that it is capable of accomplishing the functional requirements contained in proposed section 417.303 with a high level of reliability. The FAA is proposing that a flight termination system have a reliability design of 0.999, which would be demonstrated through analysis. Historically, the federal launch ranges have mandated that a flight termination system have a design “goal” of 0.999 at a 95% confidence level. The FAA recognizes that flight termination systems are not tested several thousand times to prove the 95% confidence level because of the costs and the difficulty in trying to test the complete system. Instead, the federal launch ranges have relied on specific component test requirements with a strong heritage of success behind them to provide an acceptable level of confidence in the design and manufacture of a flight termination system's components. The federal launch ranges also rely on a series of system tests performed after flight termination system installation on the launch vehicle to ensure the integrity of the system as installed. Accordingly, the FAA's proposed reliability design requirement is directed at ascertaining whether a launch operator's flight termination system employs reliable components, and whether they are assembled to enhance reliability of the system. In order to achieve a reliability design of 0.999, a flight termination system's design is expected to incorporate high quality, highly reliable parts that are assembled using redundancy and other system reliability design approaches. A launch operator would prepare the system analyses required by proposed § 417.329 to demonstrate through analysis the reliability design of its Start Printed Page 63956flight termination system. A launch operator would demonstrate confidence in a flight termination system by performing specific component and system testing adapted from the approach used at the federal ranges. Proposed § 417.303 also contains requirements for redundancy of flight termination system components and system independence and physical separation from other launch vehicle systems. Requirements for specific components, piece parts, and software would be contained in appendixes D, F, and H respectively.

Proposed § 417.307 contains requirements for ensuring that a flight termination system would function when subjected to flight and other environments. A flight termination system must function under conditions that would exist after other systems on the launch vehicle have failed. The design of a flight termination system and its components, including all mounting hardware, cables and wires, would provide for the system and each component to function without degradation in performance when subjected to dynamic environments greater than those it is expected to experience during environmental stress screening tests, ground transportation, storage, launch processing, system checkout, and flight up to the point that the launch vehicle could no longer impact any populated or other protected area or to the point that any combination of environments would cause structural breakup of the launch vehicle. For example, the most extreme thermal environment might occur while a vehicle is still in the atmosphere, but structural break up might produce the most extreme vibration environment.

Proposed § 417.307 would identify required design environments with which launch operators conducting launches at federal launch ranges are already familiar. The FAA proposes to adopt these federal launch range requirements because they represent proven environmental design safety factors intended to ensure that a system can withstand the environments to which it will be exposed without degradation in performance.

A launch operator would establish the maximum predicted environments for the operating and non-operating environments that a flight termination system is to experience based on analysis, modeling, testing, or flight data. Proposed § 417.307 would identify the specific environments that apply to the design of a flight termination system. The federal launch ranges historically have obtained information regarding each of the enumerated environmental factors because of the ability of those factors to affect the performance and reliability of a flight termination system and its components. For the same reasons, the FAA is proposing to codify these requirements as part of its proposed regulations.

A launch operator would verify its maximum predicted environments through monitoring and ensure that the maximum predicted environments for future launches are adjusted as needed based on the flight data obtained via monitoring. The FAA is also proposing the federal launch ranges' safety margins be added to maximum predicted environments obtained through analysis for launch vehicles that cannot yet provide at least three samples of flight data. A launch operator would ensure that transportation, storage, launch processing, and system checkout environments are monitored and the associated maximum predicted environments are adjusted as needed. A launch operator would be required to notify the FAA of any change to a maximum predicted environment because any change may indicate the need for a change in the design of a flight termination system or component.

Proposed § 417.309 contains requirements applicable to a command destruct system, which is a critical part of a flight termination system. A flight termination system would include at least one command destruct system that is initiated by radio command and meets the redundancy and other component requirements provided in proposed appendix D of proposed part 417. The initiation of a command destruct system by the flight safety official would result in accomplishing all flight termination functions required by proposed section 417.303. A command destruct system would process a valid arm command as a prerequisite for destroying the launch vehicle. For any liquid propellant, when the arm command is received, the command destruct system would nondestructively shut down any thrusting liquid engine as a prerequisite for destroying the launch vehicle. This capability provides a flight safety official with additional options in controlling the termination of a launch vehicle's flight. There are possible situations where it would be desirable to terminate the thrust of a malfunctioning launch vehicle but allow it to continue to fly a ballistic path for a period of time to move away from a populated or other protected area before destroying the launch vehicle. It is also possible to reduce the size of the debris footprint by terminating the thrust of a launch vehicle that is at a high altitude and allow it to fall to a lower altitude before destroying the launch vehicle.

Proposed § 417.311 contains requirements for an inadvertent separation destruct system (ISDS). Each stage or strap-on motor, capable of reaching a populated or other protected area, that does not possess its own complete command destruct system would be equipped with an inadvertent separation destruct system. An inadvertent separation destruct system may be required on a stage that has a command destruct system depending on the command destruct system's ability to survive breakup of the launch vehicle. Initiation of an inadvertent separation destruct system would result in accomplishing all flight termination system functions that apply to the stage or strap on motor on which it is installed in accordance with proposed § 417.303.

Proposed § 417.313 contains requirements governing the safing and arming of a flight termination system. Safing a flight termination system typically involves placing a mechanical barrier or other means of interrupting power between each of the ordnance firing circuits and its power source. Safing places the system's firing circuits in a state that prevents initiation of the system's ordnance. Arming a flight termination system removes any firing circuit barriers or other means of safing the system and places the firing circuits in a state from which the system's ordnance can be initiated if commanded. The ability to safe and arm a flight termination system prevents any inadvertent initiation of any flight termination system ordnance while allowing a flight termination system to function in case destruction of the launch vehicle is required. Although many of the immediately apparent benefits of safing a flight termination system accrue to the protection of workers, a safe and arm system also prevents inadvertent initiation of a flight termination system that could result in consequences propagating to the public. Safing and arming of flight termination system ordnance would be accomplished through the use of ordnance initiation devices or arming devices, also referred to as safe and arm devices, that provide a removable and replaceable mechanical barrier or other means of interrupting power to each of the ordnance firing circuits.

Proposed § 417.315 contains requirements for testing of a flight termination system and its components and documenting the results. A flight termination system's components would Start Printed Page 63957be subjected to a comprehensive test program patterned after the approach developed at the federal launch ranges over many years of experience. This approach provides for demonstrating the reliability of flight termination system components and establishing an appropriate confidence level. The FAA worked extensively with Air Force flight termination system experts to refine the federal range testing requirements and develop the proposed regulatory requirements. A launch operator would employ flight termination system components that are tested in accordance with the qualification, acceptance, and age surveillance test requirements contained in proposed appendix E of part 417 as well as the preflight test requirements provided in proposed § 417.317.

Proposed § 417.317 contains requirements for preflight testing performed at the component level and the system level to be conducted at the launch site after qualification and acceptance testing to detect any change in performance that may have resulted from shipping, storage, or other environments that may have affected performance. Proposed § 417.317 also contains preflight test requirements for specific flight termination components, such as batteries, safe and arm devices, and command destruct receivers. All the preflight component test requirements being proposed by the FAA were developed in direct coordination with the Air Force based on the experience of range safety personnel in ensuring flight termination system reliability. The performance of some flight termination system components may degrade over time as they are exposed to various environments after installation on a launch vehicle. Proposed § 417.317 contains requirements that address at what point before flight such components would be required to undergo preflight tests, and also contains requirements for retesting if launch is delayed or if a subsystem or system is compromised due to a configuration change or other event such as a lightning strike or inadvertent connector mate or de-mate.

Proposed § 417.319 contains requirements for written flight termination system installation procedures. Installation procedures serve two purposes. They ensure the correct installation of flight termination system components so that the system will work as intended. They also serve the corollary purpose of addressing worker safety issues. Although, as discussed previously, the FAA has no current plans to duplicate OSHA's role in the area of worker safety, it nonetheless bears mentioning that, in establishing such procedures, a licensee may likely respond to worker safety requirements and concerns as well. The FAA proposes that a launch operator implement written procedures to ensure that flight termination system components, including electrical components and ordnance, are installed on a launch vehicle in accordance with the flight termination system design and that the installation of all mechanical interfaces associated with a flight termination system is complete.

Proposed § 417.321 contains requirements for monitoring critical flight termination system parameters to ensure that the status of a flight termination system can be ascertained and relayed to the appropriate launch operator personnel. The FAA would require that a launch operator establish pass/fail criteria for monitored flight termination system data to support launch abort decisions and to ensure a flight termination system is performing as expected.

Proposed § 417.323 contains requirements for a command control system which consists of the flight safety system elements that ensure that a command signal will reach a flight termination system on a launch vehicle during flight. A command control system includes all flight termination system activation switches at the flight safety official console, all intermediate equipment, linkages, and software and any auxiliary stations, and each command transmitting antenna. In short, it consists of the flight safety system components that are typically located on the ground; however, there are command control system concepts that involve air, sea, or even space borne elements. Section 417.323 would contain requirements for a command control system to be compatible with the flight termination system onboard the launch vehicle. For example, when a launch vehicle's onboard flight termination system is active and its ordnance is electrically connected, a command control system's transmitter must radiate at the proper frequency to capture the receivers on the flight termination system. Section 417.323 would also contain requirements for the reliability of a command control system, requirements for specific subsystems such as the transmitter and antenna, and general requirements for the system's performance.

Of particular interest is the requirement proposed in § 417.323(e)(5)(vi), namely, that a transmitter must operate at a radio carrier frequency authorized for the launch operator's use. Traditionally, licensed launches that take place at federal launch ranges have had access to government frequencies between 400-450 MHz because those frequencies are available to the federal launch ranges. As a result, flight safety system components, including command control system transmitters and receiver decoders, are often manufactured to operate on the available government frequencies. A launch that takes place at a non-federal launch site may or may not have access to those same frequencies. The FAA considered requiring that a launch operator always use the government frequencies for its flight safety system, but the FAA does not have authority to allocate spectrum or to authorize its use. The Federal Communications Commission (FCC) licenses and regulates commercial spectrum. A launch operator is likely to have to seek authorization from the FCC should it choose or need to use other frequencies for its flight safety system. Additionally, in the interests of permitting innovation, the FAA does not seek to foreclose the use of other frequencies.

Proposed § 417.325 contains test requirements for a command control system. The test requirements are not as demanding as for the airborne flight termination system because the command control system is not subjected to the rigors of a flight environment. Accordingly, the federal launch ranges do not require qualification testing to the environments required for flight units, and the FAA does not propose to expand upon the range requirements in this instance. Section 417.325 would contain requirements for a command control system, its subsystems, and components, to be subjected to acceptance and preflight tests and would provide general requirements that apply to all command control system testing, including requirements for documenting test results.

Proposed § 417.327 contains requirements for the additional subsystems that are part of an overall flight safety system. These subsystems are referred to as support systems because they support the flight safety official's ability to make a flight termination decision. Support systems would include vehicle tracking, visual data source, telemetry, communications, data display and data recording systems, the flight safety official console, and the launch timing system. Section 417.327 would require these support systems to be compatible with each other and would contain requirements applicable to each specific support system. Section 417.327 would also contain Start Printed Page 63958requirements for support equipment calibration and a destruct initiator simulator that a launch operator would use when performing preflight tests of the flight termination system.

Of particular interest are the proposed requirements for a launch vehicle tracking system that provides continuous vehicle position and status data to the flight safety official from lift-off until the launch vehicle reaches orbit or can no longer reach any populated or other protected area. The FAA proposes launch vehicle tracking requirements for two, independent data sources, where at least one source is independent of any system used to aid the launch vehicle guidance system. Historically, the federal launch ranges have required three sources of tracking data regarding a vehicle's location, including telemetry and two additional independent sources for verification and back up. It is the FAA's understanding that the ranges require the second independent system for reasons of mission assurance and to avoid destroying what might have proven to be a normally functioning vehicle had additional tracking data been available to establish the fact. The FAA proposes to require one independent system to verify the accuracy of the launch vehicle's own telemetry. In light of the requirements proposed in § 417.113, which would require destruction of a vehicle when a launch operator loses tracking data, a launch operator may choose to follow the federal range practice of employing two independent tracking systems for the purpose of mission assurance. The FAA does not envision entertaining waiver requests for this requirement.

An independent tracking system would include a vehicle tracking aid onboard the launch vehicle, and compatible ground tracking system and onboard tracking system components. Onboard tracking system components, such as beacon transponders and GPS translators and their components must be independent of any system used to support the launch vehicle's inertial guidance system. Onboard tracking components that are not directly associated with determining or measuring vehicle position and performance constitute an exception to the requirement for independence. Examples of components that may be used by the vehicle telemetry system but that are not directly associated with determining or measuring vehicle position and performance include S-band down link antennas, transmitters, and associated cabling and power dividers.

When a flight safety system employs radar as an independent tracking source, the launch vehicle would be required to have a tracking beacon onboard the launch vehicle unless the launch operator provides a clear and convincing demonstration through the licensing process that any skin tracking maintains a tracking margin of no less than six dB above noise throughout the period of flight that the radar is used and that the flight control lines and flight limits account for the larger tracking errors associated with skin tracking. The proposed requirements for radar tracking follow current practice at the federal launch ranges for ensuring reliable and accurate radar tracking data.

The FAA weighed the possibility that a launch operator be permitted to use whatever secondary tracking source it desired, because proposed § 417.113's requirement to terminate flight in the event of a loss of telemetry would achieve the goal of keeping the launch vehicle from reaching the public. A number of reasons led the FAA to decide against such a proposal. As noted earlier, the federal launch ranges require three sources of vehicle tracking data: telemetry, radar, and backup radar. The FAA would require two sources, thereby reducing the tracking requirement at the start. Additionally, it is still important to have accurate tracking data because reliance on telemetry must be validated by some independent means, and because valid tracking data shows whether it is necessary to terminate flight. Finally, concerns over the unnecessary risks created by terminating flight also argue against permitting a less accurate means of tracking.

Proposed § 417.329 contains requirements for system analyses that a launch operator would perform to verify that a flight termination system, a command control system, and their components meet the reliability requirements of this proposed subpart. These analyses would be performed following standard industry system safety and reliability analysis methodologies. Guidelines for performing these analyses could be obtained through FAA Advisory Circular AC 431-01, a draft of which was made available April 21, 1999. Section 417.329 would contain requirements for the specific analyses and requirements for documenting the results.

Proposed § 417.331 contains requirements for a flight safety system crew and the roles and qualifications of crewmembers. A flight safety system would be operated by a flight safety crew made up of a flight safety official and support personnel. The flight safety crew positions and roles proposed by the FAA were developed based on the approach traditionally used at the federal launch ranges. Flight safety personnel who make up the flight safety crew are a critical link in the protection of the public from the hazards associated with launch, in particular assuring that a malfunctioning launch vehicle does not impact populated or other protected areas. Flight safety personnel are responsible for making instantaneous, irreversible, real time decisions that could affect the safety of public personnel and property. Highly qualified and skilled personnel must work as a team to operate a flight safety system in a highly efficient and reliable manner. The proposed standards for personnel qualifications and training would provide assurance that the personnel responsible for the flight safety system will meet the public safety related demands placed upon them.

The traditional approach to qualifying a flight safety crewmember at federal launch ranges primarily involves on-the-job-training. Candidates who possess an appropriate engineering and scientific education and technical experience may enter into an apprenticeship type of program under the cognizance of senior personnel who are responsible for training and evaluating performance. In the future, it may be possible for a launch operator to develop or obtain a formal flight safety training program. For example: NASA's Wallops Flight Facility has a flight safety official training curriculum developed for NASA's purposes and has, in the past, provided training for personnel outside of NASA. This type of training program might have to be tailored to meet a launch operator's specific needs and is expected to still involve a degree of hands on experience and evaluation to certify someone for a flight safety crew position. A person with previous federal range experience, who has successfully completed federal range training, and is certified to perform a flight safety function at a federal range, is likely to be qualified to perform that same function as a flight safety crew member for a launch from a non-federal launch site. Such crewmembers would still require training to familiarize them with the specific characteristics of the vehicle to be flown and the flight safety systems to be used for the launch. Initially, for launches from non-federal launch sites, the FAA appreciates that the flight safety crew positions would likely have to be filled by personnel with previous federal launch range experience or by personnel trained by the federal launch Start Printed Page 63959ranges. At this time, a federal launch range is the primary source for the necessary training and experience. This is expected to change over time as the commercial launch industry continues to mature and experience at non-federal launch sites increases.

G. Part 417, Subpart E, Ground Safety

Proposed subpart E of part 417 contains safety requirements for launch processing and post-launch activities, typically referred to as ground safety requirements. Proposed § 417.401 describes the scope of subpart E. The requirements in subpart E would apply to launch processing and post-launch activities at a launch site in the United States that were performed by, or on behalf of, a launch operator. Launch processing and post-launch activities at a launch site outside the United States may be subject to the requirements of the governing jurisdiction.

Proposed § 417.403 contains requirements for a launch operator to ensure that the hazard controls necessary to protect the public are in place. The launch operator would perform a ground safety analysis, implement a ground safety plan, and conduct launch processing according to any local agreements. For a launch that is conducted from a launch site exclusive to its own use, a launch operator would be required to satisfy the requirements of subpart E and applicable requirements of part 420, which contains requirements that would govern a launch site operator. A launch operator would keep its ground safety plan current and provide the FAA with any change no later than 30 days before that change is implemented. When a launch operator is following procedures approved through the grant of a launch license the FAA does not seek to be advised of the changes in order to approve them but so that the FAA, when performing an inspection, knows, for example, where a hazard area is located for a specific operation. However, any change that involves the addition of a hazard that could affect the public or the elimination of any previously identified hazard control for a hazard that still exists, shall be submitted to the FAA for approval as a license modification.

Proposed § 417.405 would contain requirements for a launch operator to perform a ground safety analysis for all its launch vehicle hardware and launch processing at a U.S. launch site to identify each potential public hazard, any and all associated causes, and any and all hazard controls that a launch operator will implement to keep each hazard from reaching the public. § 417.405 would also contain the qualification requirements for personnel who prepare a ground safety analysis, identification of specific types hazards that would be addressed, and requirements for analyzing specific types of hazards.

Proposed § 417.407 contains requirements governing implementation of hazard controls and inspections to ensure that hazard controls are in place and no unsafe conditions exist.

Proposed § 417.409 contains requirements for a launch operator's implementation of the system hazard controls it identified through its ground safety analysis. For example, the FAA proposes to require that any system that presents a public hazard must be single fault tolerant. Also, each hazard control used to provide fault tolerance would be required to be independent so that no single action or event can remove more than one inhibit. A single command signal must not close two switches, if the two switches provide single fault tolerance. Switches, valves and similar actuation devices must be prevented from inadvertent actuation. § 417.409 would contain specific hazard control requirements for structures and material handling, pressure vessels and pressurized systems, electrical and mechanical systems, propulsion systems, and ordnance systems.

Proposed § 417.411 contains requirements for the establishment and control of safety clear zones for hazardous operations. A safety clear zone would be an area within which any potential adverse effect of a launch location hazard or public hazard will be confined. A launch operator would prohibit access by the public to any safety clear zone during a hazardous operation.

Proposed § 417.413 contains requirements for establishing and controlling hazard areas for each hardware system that presents a potential public or launch location hazard within which any adverse effects would be confined should an actuation or other undesirable hazardous event occur.

Proposed § 417.415 contains requirements for hazard controls for protecting the public after a launch or an attempted launch. A launch operator would implement procedures for controlling hazards and returning the launch facility to a safe condition after a successful launch attempt and in the event of a failed launch attempt where a solid or liquid launch vehicle engine start command was sent, but the launch vehicle did not liftoff. These procedures would include provisions for ensuring a flight termination system remained operational until it was verified that the launch vehicle did not represent a risk of inadvertent liftoff, assuring that the vehicle was in a safe configuration that included its propulsion and ordnance systems, and prohibiting launch complex entry until a pad safing team has performed all necessary safing tasks.

A launch operator would also implement procedural controls for hazards associated with an unsuccessful launch attempt where the launch vehicle has a land or water impact. The launch operator would provide for extinguishing any fires, evacuation and rescue of personnel, modeling and tracking of any toxic plume and communication with local government authorities, and securing impact areas to ensure that all personnel are evacuated, that no unauthorized personnel enter, and to preserve evidence. A launch operator would also provide for recovery and salvage of launch vehicle debris to ensure public safety and the safe disposal of any hazardous materials.

Proposed § 417.417 contains specific ground safety requirements for handling propellants and explosives during launch processing. A launch operator would comply with the explosive safety criteria and the explosive site plan developed for the launch site in accordance with 14 CFR part 420. A launch operator would implement procedures for the receipt, storage, handling and disposal of explosives and would implement its emergency response plan for the control of hazards in the event of a mishap associated with any propellant or explosive. Section 417.417 would also contain specific requirements for procedural system controls to preclude inadvertent initiation of explosives and propellants. These controls would include protection from stray energy sources such as static electricity, lightning, heat, and sources of spark and flame.

H. Appendix A, Methodologies for Determining Flight Hazard Areas for Orbital Launch

Appendix A of proposed part 417 would provide methodologies and equations used in determining flight hazard areas as part of the flight hazard area analyses required by proposed § 417.225. The establishment of flight hazard areas depends on calculating the dispersions associated with impacting debris and performing hit-probability calculations and making comparisons to established hit-probability criteria, such as the individual probability of casualty of 1×10−6 and the ship-hit criterion of 1×10−5. There may be numerous ways to perform the hit-probability Start Printed Page 63960calculations and to demonstrate meeting the established criteria. The methodologies in appendix A would provide a standard approach to which alternate methods could be compared and would assist in ensuring that the hit-probability criteria are implemented equally for all launches by all launch operators. The FAA proposes that a launch operator use the methodologies and equations provided in appendix A when performing the flight hazard area analyses unless, through the licensing process, the launch operator provides a clear and convincing demonstration that an alternative provides an equivalent level of safety.

With regards to the proposed requirements governing the creation of a specific hazard area, the FAA notes that a launch operator may anticipate that a hazard area established for one launch would likely apply to subsequent launches of the same vehicle on the same launch azimuth. A launch operator may demonstrate that earlier analyses applicable to launches with similar characteristics also may apply to later launches.

I. Part 417, Appendix B, Methodology for Performing Debris Risk Analysis

A launch operator shall use the equations and methodology contained in proposed appendix B when calculating expected casualty (EC) due to debris as part of a debris risk analysis required by proposed §§ 417.227 and 417.235. The total EC due to debris for a launch is calculated as the sum of the EC due to planned debris impacts, the EC due to potential launch vehicle failure during flight, which is referred to as overflight EC, and any risk to populations due to potential failure of any flight termination system. A launch operator must include the EC due to debris for a proposed launch when demonstrating that the launch does not exceed the overall EC criterion of 30×10−6 for all hazards. As noted with regard to the flight hazard area analyses of appendix A, there may be numerous approaches to performing debris risk calculations as well. The methodology in appendix B would provide a standard approach to which alternate methods may be compared and would assist in ensuring that the debris risk overall EC criterion is implemented equally for all launches by all launch operators. The FAA proposes that a launch operator use the methodology and equations provided in appendix B when performing the debris risk analysis unless through the licensing process, the launch operator provides a clear and convincing demonstration that another method or equation provides an equivalent level of safety. Further discussions on casualty due to debris and collective risk are contained in paragraphs III.E.8 and 9 of this preamble.

Of particular interest in appendix B is the proposed methodology for evaluating the risk to populations outside the flight control lines due to the potential failure of a flight safety system. Using the risk assessment tools employed by the Air Force, the FAA developed criteria for screening the populations in the areas surrounding a launch point and determining if further debris risk analysis would be necessary for a launch. The FAA's intent in developing the screening methodology was to simplify the analysis process for launches from relatively remote sites. For a launch that satisfied the screening criteria, a detailed risk analysis for populations outside the flight control lines would not be required.

When employing the screening criteria, a launch operator would divide the land areas around the launch point into sectors, determine the population in each sector, and compare those populations to the population limits established by the FAA for each sector. Proposed appendix B provides population limits for new and mature large launch vehicles and new and mature medium and small launch vehicles. The proposed population limits for a large launch vehicle were developed using computer models for a Titan 4. The computer models for an Atlas 2AS were used to develop the proposed population limits for medium and small launch vehicles. Failure rates that approximate the Titan 4 and Atlas 2AS failure rates based on their history of performance were used to represent the failure rates for mature launch vehicles. The overall failure rate for a new launch vehicle was assumed to be 0.31 as proposed in § 417.227(b)(6). Based on historical data on new launch vehicles, it was assumed that 15% of launch vehicle failures would occur during the first stage burn and 15% of those failures would result in impact outside the flight control lines if the flight safety system failed. The flight safety system was assumed to be in full compliance with the proposed requirements of subpart D of part 417 with a failure rate of 0.002.

J. Part 417, Appendix C, Flight Safety Analysis for an Unguided Suborbital Rocket Flown With a Wind Weighting Safety System and Flight Hazard Areas for Planned Impacts for All Launches

Appendix C of proposed part 417 would contain methodologies for performing the flight safety analysis required for the launch of an unguided suborbital rocket. The requirements in proposed appendix C for establishing ship and aircraft hazard areas for planned debris impact, such as for jettisoned spent stages and fairings, apply to all launches. The FAA proposes that a launch operator perform a flight safety analysis to determine the launch parameters and conditions under which an unguided suborbital rocket can be flown using a wind weighting safety system and without a flight safety system in accordance with proposed § 417.235. The results of this analysis would be required to show that any adverse effects resulting from flight would be contained within controlled operational areas, and that any flight hardware or payload impacts would occur within planned impact areas. The flight safety analysis must demonstrate compliance with the safety criteria and operational requirements for the launch of an unguided suborbital rocket contained in proposed § 417.125. The FAA would require that a launch operator ensure that the flight safety analysis for an unguided suborbital rocket be conducted in accordance with the methodologies provided in proposed appendix C unless the FAA approved alternative methods. Any alternative that meets the intent of the requirements of proposed appendix C may be submitted to the FAA through the licensing process, whether as part of an initial application for a license or as a request for a license modification, for evaluation of whether it satisfies the requirements of proposed § 417.235. A launch operator would also be required to perform a debris risk analysis for an unguided suborbital rocket launch in accordance with proposed § 417.227 and appendix B of part 417 and a conjunction on launch assessment in accordance with proposed § 417.233.

K. Part 417, Appendix D, Flight Termination System Components

Appendix D to proposed part 417 would contain requirements that apply to specific components of a flight termination system. Section D417.1(a) proposes that a launch operator ensure that the flight termination system requirements of proposed part 417, subpart D are met in conjunction with meeting the applicable component requirements of appendix D. The proposed requirements in appendix D were developed based on requirements traditionally used at federal launch ranges; however, the federal launch range requirements are not proposed in total. The FAA worked extensively with Air Force flight termination system experts to refine the requirements to a Start Printed Page 63961performance level that eliminates the use of design solutions as requirements wherever possible, while maintaining the lessons learned over the many years of Air Force launch experience. The FAA proposes to require a launch operator to meet these requirements unless otherwise approved through the licensing process. The FAA would use these requirements as guidelines when evaluating an alternate flight termination system approach on a case-by-case basis. A launch operator would be required to demonstrate clearly and convincingly that any alternative provides a level of safety equivalent to the proposed requirements.

Section D417.1 (b) would require the design of each flight termination system component to provide for the component to be tested in accordance with § 417.315 and appendix E of proposed part 417.

Section D417.1 (c) would require that a launch operator ensure that compliance with each requirement in proposed appendix D is documented as part of a safety review document prepared during the licensing process according to § 415.107 of part 415. A licensee would submit any change to the FAA for approval as a license modification.

Proposed § D417.3 would contain requirements for the component design environments and the design margins above the maximum predicted environment levels that each flight termination system component must be capable of withstanding without degradation in performance. This section would define the environments and design margins for thermal, random vibration, shock, acceleration, acoustic and other environments to which the component could be exposed.

L. Part 417, Appendix E, Flight Termination System Component Testing and Analysis

Appendix E of proposed part 417 would contain testing requirements applicable to specific flight termination system components. The FAA proposes to require that flight termination system components be subjected to a comprehensive test program patterned after the approach developed at the federal launch ranges over many year of experience. This approach provides for demonstrating the reliability of flight termination system components and establishing an appropriate confidence in each component's reliability. The FAA worked extensively with Air Force flight termination system experts to refine the traditional requirements and develop the proposed regulatory requirements. What has resulted is both a reflection of current practice and an improvement intended to respond to launch operator requests for performance requirements. In response to the industry request for performance requirements, the FAA and the range safety personnel have attempted to capture the intent behind the ranges' flight termination system testing requirements. This creates an opportunity for flexibility on the part of the launch operator to employ different means of satisfying the performance driven test requirements. Both the FAA and the ranges believe that this represents an improvement over existing requirements. However, it does not, on a fundamental level represent a change from current requirements because both expressions of the requirements reflect the same goals. Performance requirements merely provide more flexibility in how one goes about achieving those goals.

Proposed appendix E would contain specific component, qualification, acceptance, and age surveillance tests to be implemented according to subpart D of proposed part 417. Compliance with proposed appendix E for each flight termination system component would be documented as part of a licensee's safety review document prepared according to proposed subpart F of part 415.

M. Part 417, Appendix, F, Flight Termination System Electronic Piece Parts

Appendix F of proposed part 417 would contain requirements for ensuring the quality of electronic piece parts used in flight termination system electronic components. The use of high quality electronic piece parts that perform consistently from one sampling of a part to the next is critical to ensuring the reliability of flight termination system components. The need for high quality parts becomes evident when reviewing the required approach for qualifying the design of a component and then building components for flight. When qualifying the design of a flight termination system component, a number of sample components are built and subjected to the required qualification tests. Qualification testing involves stressing a sample component beyond its intended operational environments to verify the required safety margins, and, in some cases, involves destructive testing and disassembly. Therefore, upon satisfying the qualification testing, a sample component must be retired and not used for flight. The use of high quality piece parts, which perform consistently from one sample part to the next, provides assurance that when the flight components are built they will be capable of the same performance that was demonstrated by the sample component that was qualification tested.

Piece parts may be purchased with different quality ratings depending on the amount of quality control and testing performed by the manufacturer to ensure that the parts perform with consistent reliability. Piece parts with a higher quality rating have a correspondingly higher price. A sample piece part with a lessor quality rating may in fact be just as reliable as a similar part with a higher rating, without, however, the assurances for consistent performance from one sample part to the next that come with the higher rating. Rather then just require that a launch operator purchase piece parts with a certain quality rating, the federal launch ranges have, within the past few years, developed an approach that allows a launch operator to upgrade the rating of an electronic piece part through testing. This allows the launch operator some options in selecting piece parts for a flight termination system while providing for an acceptable level of reliability assurance. The FAA worked in coordination with Air Force flight termination system experts to refine the piece part selection criteria and testing requirements and develop the proposed regulatory approach provided in appendix F. Proposed appendix F would contain requirements that address capacitors, connectors, diodes, transistors, hybrids, inductors, transformers, magnetic parts, microcircuits, resistors, and wire.

N. Part 417, Appendix G, Natural and Triggered Lightning Flight Commit Criteria

Proposed appendix G would provide flight commit criteria that protect against natural and triggered lightning during the flight of a launch vehicle. The FAA proposes to require a launch operator to implement these criteria in accordance with proposed § 417.113 for any launch vehicle that utilizes a flight safety system. The primary concern behind the proposed requirements is that a lightning strike that could disable a flight safety system yet allow continued flight of the launch vehicle without the ability to control flight termination. Criteria to guard against this eventuality were developed by a Lightning Advisory Panel composed of nationally recognized experts in the field of atmospheric electricity. (Revised 45 Space Wing Range Safety (Natural and Triggered Lightning) Weather Launch Commit Criteria, LCC-K 5/26/98) NASA and the Air Force chartered Start Printed Page 63962this panel and have adopted these updated criteria for use at the federal launch ranges. These criteria cover a broad range of conditions, which apply to most launches at most launch sites; however, there may be exceptions. The FAA would require a launch operator to determine if any of these criteria do not apply to a planned licensed launch and provide the FAA with a justification during the licensing process in accordance with proposed § 415.115(e). The FAA proposes to approve a launch operator's flight commit criteria as part of the terms of a launch license.

O. Part 417, Appendix H, Safety Critical Computing Systems and Software

Proposed appendix H would contain safety requirements for all flight and ground systems for computing systems that perform or may perform any software safety critical function. The FAA would require a launch operator to ensure that any computing system with a software safety critical function associated with handling, preflight assembly, checkout, test, or flight of a launch vehicle, including any flight safety system, be implemented in accordance with the proposed appendix. The FAA proposes that software safety critical functions include, but need not be limited to the following: software used to control or monitor the functioning of safety critical hardware; software used or having the capability to monitor or control hazardous systems [17] ; software associated with fault detection of safety critical hardware including software associated with fault signal transmission (faults shall include any manifestation of an error in software); software that responds to the detection of a safety critical fault; any software that is part of a flight safety system; processor interrupt software associated with safety critical software; and any software used to compute safety critical data. The FAA would require a launch operator to identify all software safety critical functions associated with its computing systems and software. For each software safety critical function, a launch operator would be required to define the boundaries of the associated system or software and implement the analysis, test, and other software validation requirements contained in this appendix. The requirements contained in proposed appendix H were adapted from the approach used successfully at the Air Force launch ranges and should therefore be familiar to current launch operators.

P. Part 417, Appendix I, Methodologies for Toxic Release Analysis

Proposed appendix I would provide methodologies for performing toxic release hazard analysis for the flight of a launch vehicle to contain the hazards or to determine whether risks created by toxic hazards remained within acceptable limits as identified in proposed § 417.107(b). Proposed appendix I would also provide methodologies for addressing the toxic hazards of launch processing at a launch site in the United States. For purposes of flight safety,[18] this appendix would prescribe a method for establishing flight commit criteria for each launch to protect the public from a casualty arising out of any potential toxic release during flight. A launch operator would first identify a toxic hazard area around the proposed launch point. The toxic hazard area would consist of a circle whose radius consisted of the greatest toxic hazard distance identified by the tables proposed in appendix I. If the toxic hazard area contained no members of the public, or if the launch operator were able to convince all members of the public to leave the toxic hazard area during flight through evacuation, the launch operator would be subject to no additional requirements under appendix I. If a launch operator were unable to avoid the presence of the public in the toxic hazard area, appendix I would require the launch operator to constrain preflight fueling and flight of a launch vehicle to times during which prevailing winds would transport any toxic release away from populated areas that would otherwise be at risk due to their presence within the toxic hazard area.

Current rocket propulsion systems require many pounds of chemical propellant for each pound of payload placed into orbit. Rocket motors rely on propellant combinations that consist of both fuel and oxidizer. Many of the chemical propellants currently in use are compounds that are toxic or produce toxic combustion byproducts. Among the toxic liquid propellants are the hydrazine based fuels: hydrazine, monomethylhydrazine (MMH) and unsymmetrical-dimethylhydrazine (UDMH). These fuels are toxic compounds and pose a potential air borne toxic hazard if spilled or released during a catastrophic failure of the launch vehicle. The hydrazine based fuels react with liquid oxidizers such as nitrogen tetroxide or nitric acid. These oxidizers are also toxic compounds and pose a potential hazard if spilled or released during a launch vehicle failure.

Solid propellants are also in common use in rocket motors and are often employed in conjunction with liquid propellant booster stages. Solid propellants are typically formulated from a mixture of solid fuel (such as, aluminum powder), solid oxidizer (such as, ammonium perchlorate) and polymeric binder (such as, PBAN). Most commercial launch vehicles use ammonium perchlorate (AP) based solid propellant. These AP based solid fuels are non-toxic in their solid state but produce approximately 20% by weight of toxic hydrogen chloride (HCl) gas as a combustion byproduct. Therefore the AP based fuels produce toxic emissions from both normal launch and abort scenarios. During launch vehicle processing, conditions may arise that will cause solid rocket propellant ignition or combustion, when, for instance a motor is dropped during movement or stacking, or static build up occurs on open grain propellant. Solid propellants using metal powders as the fuel also produce metal oxide particulates as a combustion by-product. Depending upon the size distribution and chemical composition, these particulates may also constitute a potential hazard.

Once released to the atmosphere, vaporized liquid propellants and gaseous propellant combustion products are subject to transport and diffusion by the local winds and atmospheric turbulence. Energy produced by the propellant chemical reactions may also cause the exhaust cloud to rise some distance above the initial release altitude. The quantity of material emitted, the height above ground of the emitted material, the prevailing weather conditions and the toxicity of the emitted chemicals are all factors affecting the hazard to people downwind of the release.

A launch operator's toxic release hazard analysis must determine any potential public hazards from any toxic release that will occur during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap or that could occur during launch processing at the launch site in preparation for flight. A launch operator shall use the results of the toxic release Start Printed Page 63963hazard analysis to establish flight commit criteria for each launch and hazard controls for launch processing. A launch operator's toxic release hazard analysis must determine if toxic release can occur based on an evaluation of the propellants, launch vehicle materials, and estimated combustion products. This evaluation must account for both normal combustion products and the chemical composition of any unreacted propellants.

The FAA proposes that a launch operator evaluate potential toxic hazards in accordance with a multi-level screening approach in which the launch operator employs either exclusion, containment, or statistical risk management to prevent casualties that could arise out of exposure to any toxic release. The methodologies contained in appendix I for accomplishing this screening approach were developed based on the processes currently used at the Air Force launch ranges which have been highly successful in protecting the public from potential toxic release. The Air Force relies on sophisticated computer modeling to predict the dispersion of a toxic propellant in the atmosphere and its effect on the surrounding area. This type of modeling is available to a launch operator through the Air Force or commercially. It does, however, require significant expertise. The FAA worked in coordination with the Air Force, using the Air Force toxic release models to develop the proposed appendix I tables for determining hazard distances for potential release during the flight of a launch vehicle. The FAA believes the proposed containment methodology will work for a majority of launches. If not, a launch operator may elect to employ the more involved modeling and risk assessment techniques to demonstrate satisfaction of the risk criteria.

Paperwork Reduction Act

As required by the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq., the Federal Aviation Administration has reviewed the information collection requirements associated with this notice of proposed rulemaking. The FAA has determined that there would be no additional burden to respondents over and above that which the Office of Management and Budget has already approved under the existing rule, titled, “Commercial Space Transportation Licensing Regulations” (OMB control number 2120-0608). Under the existing rule, the FAA considers license applications to launch from non-federal sites on a case-by-case basis. In conducting a case-by-case review, the FAA gives due consideration to current practices in space transportation, generally involving launches from federal sites. Accordingly, the FAA believes that, under this proposed rule, there would be no additional information collection not already included in the previously approved information collection activity. This rule would eliminate the case-by-case review, thereby streamlining the licensing process, and would not place any additional burden on the respondent.

Regulatory Evaluation Summary

Changes to federal regulations must undergo several economic analyses. First, Executive Order 12866 directs that each federal agency propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980, as amended March 1996, requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (19 U.S.C. 2531-25330 prohibit agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. In developing U.S. standards, this Trade Act also requires the consideration of international standards and, where appropriate, that they be the basis of U.S. standards. And fourth, the Unfunded Mandates Reform Act of 1995 requires agencies to prepare a written assessment of the costs, benefits and other effects of proposed or final rules that include a federal mandate likely to result in the expenditure by state, local or tribal governments, in the aggregate, or by the private sector, of $100 million or more. In conducting these analyses, the FAA has determined that this proposed rule: (1) Is not “a significant regulatory action” as defined in the Executive Order and in the Department of Transportation Regulatory Policies and Procedures; (2) will not have a significant impact on a substantial number of small entities; (3) will not impose restraints on international trade; and (4) does not contain any federal intergovernmental or private sector mandate. These analyses, available in the docket, are summarized below.

This proposed rule would codify the FAA's license application process for launch from a non-federal launch site. The proposed regulations are also intended to codify the safety requirements for launch operators regarding license requirements, criteria, and responsibilities in order to protect the public from the hazards of launch whether launching from a federal launch range or a non-federal launch site.

The FAA does not expect there to be any change in safety benefits. There may be some cost savings to the licensee because launch operators would have improved knowledge of the FAA license requirements, data and information requirements, and reporting requirements and formats beforehand. The FAA codified requirements will apply to all licensed commercial launches. Launch operators would know the FAA and federal range requirements, data and information requirements, and reporting requirements and formats. Finally, there may be some cost savings from launching at federal ranges since the launch operators would have improved knowledge of requirements.

The incremental cost of this proposal is expected to be at most, minimal. In general, there would be no change in costs to the licensee of satisfying the requirements of the proposed rulemaking. Costs would be the same whether licensing on a case-by-case basis or according to the proposed rulemaking.

In view of the minimal additional cost of compliance to the proposed rule, the FAA has determined that the proposed rule would be cost-justified.

Initial Regulatory Flexibility Determination

The Regulatory Flexibility Act of 1980 (RFA) establishes “as a principle of regulatory issuance that agencies shall endeavor, consistent with the objective of the rule and of applicable statues, to fit regulatory and informational requirements to the scale of the business, organizations, and governmental jurisdictions subject to regulation. To achieve that principal, the Act requires agencies to solicit and consider flexible regulatory proposals and to explain the rationale for their actions.” The Act covers a wide-range of small entities, including small businesses, not-for-profit organizations, and small governmental jurisdictions.

Agencies must perform a review to determine whether a proposed or final rule would have a significant economic impact on a substantial number of small entities. If the determination is that it will, the agency must prepare a regulatory flexibility analysis.

However, if an agency determines that a proposed or final rule is not expected to have a significant economic impact on a substantial number of small entities, section 605(b) of the 1980 act provides that the head of the agency may so certify and a regulatory flexibility analysis is not required. The Start Printed Page 63964FAA conducted the required review of this proposed rule and determined that it would not have a significant economic impact on a substantial number of small entities. Enactment of this proposal would impose, at most, only minimal cost. Accordingly, pursuant to the Regulatory Flexibility Act, 5 U.S.C. 605(b), the FAA certifies that this proposed rule will not have a significant economic impact on a substantial number of small entities.

International Trade Impact Assessment

The Trade Agreement Act of 1979 prohibits federal agencies from promulgating any standards or engaging in any related activities that create unnecessary obstacles to the foreign commerce of the United States. Legitimate domestic objectives, such as safety, are not considered unnecessary obstacles. The statute also requires consideration of international standards and where appropriate, that they be the basis for U.S. standards. In addition, consistent with the Administration's belief in the general superiority and desirability of free trade, it is the policy of the Administration to remove or diminish to the extent feasible, barriers to international trade, including both barriers affecting the export of American goods and services to foreign countries and barriers affecting the import of foreign goods and services into the United States.

In accordance with the above statute and policy, the FAA has assessed the potential effect of this proposed rule and has determined that it would impose the same costs on domestic and international entities and thus has a neutral trade impact.

Executive Order 13132, Federalism

The FAA has analyzed this proposed rule under the principles and criteria of Executive Order 13132, Federalism. The FAA has determined that this action will not have a substantial direct effect on the states, on the relationship between the national U.S. Government and the states, or on the distribution of power and responsibilities among the various levels of government. Therefore, the FAA has determined that this final rule does not have federalism implications.

Unfunded Mandates

The Unfunded Mandates Reform Act of 1995 (UMRA), enacted as Pub. L. 104-4 on March 22, 1995, is intended, among other things, to curb the practice of imposing unfunded federal mandates on state, local, and tribal governments.

Title II of the Act requires each federal agency to prepare a written statement assessing the effects of any federal mandate in a proposed or final agency rule that may result in a $100 million or more expenditure (adjusted annually for inflation) in any one year by state, local, and tribal governments, in the aggregate, or by the private sector; such a mandate is deemed to be a “significant regulatory action.”

This proposed rule does not contain such a mandate. Therefore, the requirements of Title II of the Unfunded Mandates Reform Act of 1995 do not apply.

Environmental Assessment

The FAA has determined that the proposed amendments to the commercial space transportation licensing and safety rules are categorically excluded from environmental review under 102(2)(C) of the National Environmental Policy Act (NEPA). The proposed rules, which address obtaining and maintaining a license, are administrative and procedural in nature and are therefore categorically excluded under FAA Order 1050.1D, appendix 4, paragraph 4(i). In addition, part 415 already requires an applicant to submit sufficient environmental information for the FAA to comply with NEPA and other applicable environmental laws and regulations during the processing of each license application, thereby ensuring that any significant adverse environmental impacts from licensing commercial launches will be considered during the application process. Accordingly, the FAA has determined that this rule is categorically excluded because no significant impacts to the human environment will result from finalization or implementation of its administrative and procedural provisions for licensing commercial launches.

Energy Impact

The energy impact of the rulemaking action has been assessed in accordance with the Energy Policy and Conservation Act (EPCA) and Public Law 94-163, as amended (42 U.S.C. 6362). It has been determined that it is not a major regulatory action under the provisions of the EPCA.

Start List of Subjects

List of Subjects

End List of Subjects

The Proposed Amendment

In consideration of the foregoing, the Federal Aviation Administration proposes to amend parts 413, 415 and 417 of Chapter III, Title 14, Code of Federal Regulations as follows:

Start Part

PART 413—LICENSE APPLICATION PROCEDURES

1. The authority citation for part 413 continues to read as follows:

Start Authority

Authority: 49 U.S.C. 70101-70121.

End Authority

2. Amend § 413.7 by adding paragraph (d) to read as follows:

Application.
* * * * *

(d) Measurement system consistency. For each analysis, an applicant must employ a consistent measurements system, whether English or metric, in its application and licensing information.

End Part Start Part

PART 415—LAUNCH LICENSE

3. The authority citation for part 415 continues to read as follows:

Start Authority

Authority: 49 U.S.C. 70101-70121.

End Authority

4. Revise § 415.1 to read as follows:

Subpart A—General

Scope.

This part prescribes requirements for obtaining a license to launch a launch vehicle, other than a reusable launch vehicle, and post-licensing requirements with which a licensee shall comply to remain licensed. Post-licensing requirements governing launch from a federal launch range or a non-federal launch site are also contained in part 417 of this subchapter. Requirements for preparing a license application are contained in part 413 of this chapter.

5. Amend § 415.51 to add the following sentence to the end of the section: “All payloads, exempt or not, are subject to the safety requirements of subparts C and F of this part and of part 417 of this chapter.”

6. In § 415.73, amend paragraph (b)(2) by removing the words “submitted in accordance with subpart D of this part”.

7. Redesignated §§ 415.101 and 415.103 as §§ 415.201 and 415.203, respectively.

8. Revise subpart F to read as follows:

Start Printed Page 63965

Subpart F—Safety Review and Approval for Launch of an Expendable Launch Vehicle From a Non-Federal Launch Site

415.91-415.100
[Reserved]
415.101
Scope.
415.103
General.
415.105
Pre-application consultation.
415.107
Safety review document.
415.109
Launch description.
415.111
Launch operator information.
415.113
Launch personnel certification program.
415.115
Flight safety.
415.117
Ground safety.
415.119
Launch plans.
415.121
Launch schedule and points of contact.
415.123
Computing systems and software.
415.125
Unique safety policies and practices.
415.127
Flight safety system design and operation data.
415.129
Flight safety system testing data.
415.131
Flight safety system crew data.
415.132-415.200
[Reserved]

Subpart F—Safety Review and Approval for Launch of an Expendable Launch Vehicle From a Non-Federal Launch Site

Scope.

(a) This Subpart F contains requirements that a launch operator must meet as part of the safety review process when applying for a license to launch an expendable launch vehicle from a non-federal launch site. This subpart identifies specific tasks that an applicant must complete and identifies the safety review material that an applicant must submit. This subpart also covers all administrative requirements, such as when and how the data is to be submitted, as well as the requirements for the form and content of each data submission.

(b) The requirements in this subpart apply to orbital launch vehicles and guided and unguided suborbital launch vehicles. Requirements in §§ 415.103 through 415.125 apply to all proposed launches of expendable launch vehicles. Sections 415.127 through 415.131 contain the flight safety system related requirements and apply to all expendable launch vehicles that use a flight safety system to ensure public safety.

(c) Material submitted to the FAA under this subpart measures an applicant's ability to comply with the launch operator responsibilities and technical requirements in part 417 of this chapter. The related requirements in part 417 are referenced in this subpart where applicable. To facilitate production of the safety review material required by this subpart, an applicant must first become familiar with the launch operator requirements in part 417 of this chapter.

General.

(a) The FAA conducts a safety review as part of the licensing process to determine whether a launch license applicant will conduct launch processing and flight without jeopardizing public health and safety and safety of property. The FAA issues a safety approval if the applicant satisfies the requirements of this subpart and demonstrates, through the safety review process of this subpart, that it will meet the safety responsibilities and requirements for launch contained in part 417 of this chapter.

(b) The FAA advises an applicant, in writing, of any issue raised during a safety review that would impede issuance of a safety approval. The applicant may respond, in writing, or amend its license application in accordance with § 413.17 of this chapter.

(c) An applicant shall make available to the FAA upon request a copy of any record required by this subpart including any material incorporated into a license application by reference.

Pre-application consultation.

(a) An applicant shall participate in no less than one pre-application consultation meeting at FAA headquarters when planning to apply for a new launch license. The purpose of the consultation is to review the proposed launch and obtain direction from the FAA related to the licensing process.

(b) When applying for a new launch license, a pre-application consultation meeting must be conducted no later than 24 months before an applicant brings any launch vehicle to the proposed launch site and before the applicant begins preparation of the initial flight safety analysis required by § 415.115. An applicant may request additional pre-application consultation meetings.

(c) At a pre-application consultation meeting, an applicant shall provide as complete a description of the planned launch as is available at the time. Data presented by an applicant to the FAA during a pre-application consultation meeting must include, but need not be limited to, the following:

(1) Launch vehicle. A launch vehicle description, the planned trajectory and flight azimuth, a description of any flight termination system, and a description of all hazards associated with the launch vehicle and any payload, including the type and amounts of all propellants, explosives, toxic materials and any radionuclides.

(2) Proposed mission. The apogee, perigee, and inclination of any orbital objects and any stage or other component impact locations.

(3) Potential launch site. The name and location of the proposed launch site, including latitude and longitude, and identity of any launch site operator of that proposed site and identification of any facilities at the launch site that will be used for launch processing and flight.

Safety review document.

(a) A license applicant shall submit a safety review document that contains all the information required by this subpart for the FAA to conduct a launch safety review during the licensing process. An applicant shall comply with the scheduling requirements of part 417 of this chapter and this subpart. This subpart contains requirements for an applicant to submit certain data by a specified time during the licensing process. An applicant shall submit a sufficiently complete safety review document no later than six months before the applicant brings any launch vehicle to the proposed launch site.

(b) An applicant shall submit the data required for a safety review document in accordance with the outline in appendix B of this subpart. Sections 415.109 through 415.131 of this subpart provide the requirements for the content of each section of a safety review document. Related technical requirements and requirements governing a launch operator's implementation of the safety provisions described in its safety review document are provided in part 417 of this chapter. A launch operator's safety review document must be in accordance with the following:

(1) A safety review document must contain a glossary of unique terms and acronyms used listed in alphabetical order.

(2) A safety review document must contain a listing of all referenced standards, codes, and publications.

(3) A safety review document must be logically organized, with a clear and consistent page numbering system and with cross-referenced topics clearly identified.

(4) All text in a safety review document must be in English. If supplemental information is originally in a language other than English, the launch operator shall provide the FAA with an accurate and complete translation. Start Printed Page 63966

(5) All equations and mathematical relationships contained in a safety review document must be derived or referenced to a recognized standard or text and all algebraic parameters shall be clearly defined.

(6) The units of all numerical values shall be included in a safety review document.

(7) Any schematic diagrams contained in a safety review document shall include a legend or key that identifies all symbols used.

(c) An applicant's safety review document may include sections not required by appendix B of this part. An applicant shall identify each such section by using the word “ADDED” preceding the title of the added section. In the first paragraph of the added section, an applicant shall provide a description and justification for the circumstances that require an addition to the appendix B outline.

(d) There may be safety review document sections specified in appendix B of this part that are not applicable to an applicant's proposed launch. An applicant shall identify such sections in the application by the words “NOT APPLICABLE” preceding the title of the section. An applicant shall demonstrate why the section is not applicable.

(e) An applicant may reference documentation previously submitted to the FAA in a safety review document.

(f) An applicant shall submit one bound paper copy, one unbound paper copy, and an electronic copy of a safety review document as part of a license application.

(1) Paper copies must be on standard letter size paper, 8.5 × 11 inches. Larger paper may be used where needed for charts and graphs, but must be folded to 8.5 × 11 inches. The body text type font size shall be 12 points.

(2) The electronic copy must be in a data format compatible with commercial word processing software.

Launch description.

(a) General. An applicant's safety review document must describe each proposed launch or series of launches in accordance with the requirements of this section.

(b) Purpose. An applicant's safety review document must describe the purpose of each proposed launch or series of launches and identify each launch vehicle, each payload, and any payload customer.

(c) Launch schedule. An applicant's safety review document must identify each planned flight date and time and each alternate date and time. For the licensing of more than one launch, an applicant shall submit schedule information for the earliest planned launch and best estimates for each subsequent launch.

(d) Launch site description. An applicant's safety review document must describe the proposed launch site and identify the following:

(1) All launch site boundaries;

(2) Launch point location, including latitude and longitude;

(3) Average weather conditions for the launch period;

(4) Major geographic features within 100 nautical miles of the launch point, including federal, state, local and any foreign territorial boundaries, elevations, rivers, lakes, canals, bridges, roadways, railroads, towns and cities, vessel ports, and airports; and

(5) Major shipping and aircraft routes within 100 nautical miles of the launch point.

(e) Launch vehicle description. An applicant's safety review document must describe the proposed launch vehicle. An applicant shall submit a written description and a drawing of the launch vehicle that identifies major stages, physical dimensions, the location of any flight termination system hardware, and the location of any tracking aids. The drawing must also identify the location of major vehicle control systems, propulsion systems, pressure vessels, and any other hardware that contains potential hazardous energy or hazardous material. The launch vehicle description must include a table specifying the type and quantities of all hazardous materials including propellants, explosives, and toxic materials.

(f) Payload description. An applicant's safety review document must contain, or reference documentation previously submitted to the FAA that contains, the payload information required by § 415.59 for any payload in accordance with part 415, subpart D. The safety review document must also contain a table specifying the type and quantities of all hazardous materials within each payload.

(g) Trajectory. An applicant's safety review document must contain two drawings depicting trajectory information. One drawing must depict the proposed nominal flight profile with downrange depicted on the abscissa and altitude depicted on the ordinate axis. The nominal flight profile must be labeled to show each planned staging event and its time after liftoff from launch through orbital insertion or final impact. The second drawing must depict instantaneous impact point ground traces for each of the nominal trajectory, the three-sigma left lateral trajectory and the three-sigma right lateral trajectory determined in accordance with § 417.205 of this chapter. The trajectories must be depicted on a latitude/longitude grid, and the grid must include the outlines of any continents and islands. An applicant shall submit additional trajectory information as part of the flight safety analysis data required by § 415.115.

(h) Staging events. An applicant's safety review document must contain a table of nominal and ± three-sigma times for each major staging event and a description of each event, including the predicted impact point and dispersion of each spent stage.

(i) Vehicle performance graphs. An applicant's safety review document must contain graphs of the nominal and ± three-sigma values as a function of time after liftoff for the following launch vehicle performance parameters: thrust, altitude, velocity, instantaneous impact point arc-range measured from the launch point, and present position arc-range measured from the launch point.

(j) Unguided suborbital rocket. For launch of an unguided suborbital rocket, in addition to the other applicable data requirements contained in this section, an applicant's safety review document must describe the rocket design configuration. The description must include:

(1) Construction materials and assembly of rocket body and control surfaces;

(2) Physical dimensions and weight;

(3) Propulsion and safety critical systems; and

(4) Location of the unguided suborbital rocket's center of pressure in relation to its center of gravity for the entire flight profile.

Launch operator information.

(a) Launch operator administrative information. An applicant's safety review document must contain, or reference documentation previously submitted to the FAA that contains, the launch operator administrative information required by § 413.7(b) of this chapter.

(b) Launch operator organization. An applicant's safety review document must describe the applicant's organization established to ensure public safety and satisfy the requirements of part 417 of this chapter. The safety review document must describe the launch management positions and launch team organizational elements established by the applicant as required by § 417.103 of this chapter. An applicant's internal management positions and Start Printed Page 63967organizational elements shall be identified as such and any contractors to the applicant shall be identified as such. An applicant's safety review document must contain organizational charts and written text that identify and describe:

(1) All launch management positions.

(2) All launch team organizational elements.

(3) The lines of communication and approval authority for launch safety decisions.

(4) The specific safety functions performed by each launch management position and organizational element.

Launch personnel certification program.

(a) A safety review document must describe how the applicant will satisfy the personnel certification program requirements of § 417.105 of this chapter and identify by position those individuals who implement the program.

(b) An applicant's safety review document must contain a copy of any program documentation used to implement the personnel certification program.

(c) An applicant's safety review document must contain a table listing each hazardous operation or safety critical task that certified personnel must perform. For each task, the table must identify by position the individual who reviews personnel qualifications and certifies personnel for performing the task.

Flight safety.

(a) Flight safety analysis. An applicant shall perform flight safety analysis for a proposed launch or proposed series of launches in accordance with subpart C of part 417 of this chapter. An applicant's safety review document must contain analysis products and other data that demonstrate the applicant's ability to meet the public risk criteria in § 417.107 of this chapter and to establish launch safety rules in accordance with § 417.113 of this chapter. An applicant's flight safety analysis must satisfy the following requirements:

(1) An applicant shall submit the flight safety analysis data required by this section no later than 18 months before the applicant brings any launch vehicle to the proposed launch site.

(2) The flight safety analysis performed by an applicant must be completed as specified in subpart C of part 417 of this chapter. An applicant may identify those portions of the analysis that it expects to refine as the first proposed flight date approaches. An applicant shall identify any analysis product subject to change, describe what needs to be done to finalize the product, and identify when before flight it will be finalized. If a license is for more than one launch, an applicant shall provide a discussion on the applicability of the analysis methods to each of the proposed launches and identify any expected differences in the flight safety analysis methods among the proposed launches. Once licensed, a launch operator is required to perform flight safety analysis for each launch using final launch vehicle performance and other data in accordance with subpart C of part 417 of this chapter and using the analysis methods approved by the FAA through the licensing process or as a license modification.

(3) An applicant's safety review document must describe each analysis method employed to meet the analysis requirements of part 417, subpart C of this chapter. An applicant's safety review document must contain the analysis products for each of the analyses required by part 417, subpart C of this chapter for each proposed launch. An applicant's safety review document must contain the following data for each analysis product:

(i) A discussion and justification of any assumptions made by the applicant when performing the analysis; and

(ii) A sample of each flight safety analysis computation showing input data and processing algorithms leading to the required analysis products.

(b) Conjunction on launch assessment. An applicant's safety review document must contain conjunction on launch assessment input data for the first proposed launch. The input data submitted as part of a license application must satisfy the requirements of § 417.233 of this chapter. An applicant need not obtain a conjunction on launch assessment from United States Space Command prior to being issued a license.

(c) Radionuclides. An applicant's safety review document must identify the type and quantity of any radionuclide on a launch vehicle or payload. For each radionuclide, an applicant's safety review document must contain a reference list of all documentation addressing the safety of its intended use and describe all approvals by the Nuclear Regulatory Commission for launch processing. An applicant shall provide radionuclide information to the FAA at pre-application consultation in accordance with § 415.105. The FAA will evaluate launch of any radionuclide on a case-by-case basis, and issue an approval if the FAA finds that the launch is consistent with public health and safety.

(d) Flight safety plan. An applicant's safety review document must contain a flight safety plan that identifies the flight safety roles to be performed by the applicant's flight safety personnel; the flight safety rules, limits, and criteria identified by an applicant's flight safety analysis; and the specific flight safety requirements of part 417 of this chapter to be implemented for launch. The flight safety plan need not be restricted to public safety related issues and may combine other flight safety issues as well, such as employee safety, so as to be all-inclusive. A flight safety plan must include, but need not be limited to, the following:

(1) Flight safety personnel. Identification of personnel by position who approve and implement each part of the flight safety plan and any modifications to the plan. Identification of personnel by position who perform the flight safety analysis and ensure that the results, including the flight safety rules and establishment of flight hazard areas, are incorporated into the flight safety plan.

(2) Flight safety rules. Flight safety rules required by § 417.113 of this chapter.

(3) Flight safety system. A description of any flight safety system and its operation, including any preflight flight safety system tests to be performed.

(4) Trajectory and debris dispersion data. A description of the launch trajectory, including planned orbital parameters, stage burnout times and state vectors, and planned stage impact times, locations, and downrange and crossrange dispersions.

(5) Flight hazard areas and safety clear zones. Identification and location of the flight hazard areas and safety clear zones established for each launch in accordance with § 417.225 of this chapter, and identification of procedures for surveillance and clearance of these areas and zones as required by § 417.121(f).

(6) Support systems and services. Identification of any support systems and services to be implemented as part of ensuring flight safety, including any aircraft and ships and procedures that will be used during flight.

(7) Flight safety operations. A description of the flight safety related tests, reviews, rehearsals, and other flight safety operations to be conducted in accordance with §§ 417.115 through 417.121 of this chapter. A flight safety plan must contain or incorporate by reference written procedures for accomplishing all flight safety operations.

(e) Natural and triggered lightning. An applicant shall demonstrate that it will Start Printed Page 63968satisfy the flight commit criteria required by § 417.113(b)(5) of this chapter and appendix G of part 417 of this chapter for natural and triggered lightning. If an applicant's safety review document states that any flight commit criterion that is otherwise required by appendix G of part 417 of this chapter does not apply to a proposed launch, the applicant's safety review document must demonstrate that the criterion does not apply.

(f) Unguided suborbital rockets. For the launch of an unguided suborbital rocket, the flight safety data submitted in an applicant's safety review document must meet the requirements of this section and demonstrate compliance with the requirements contained in § 417.125 and § 417.235 of this chapter. An applicant's flight safety plan for the launch of an unguided suborbital rocket must meet the requirements in paragraph (d) of this section and provide the following data:

(1) Launch angle limits;

(2) Procedures for measurement of launch day winds and for performing wind weighting in accordance with §§ 417.125 and 417.235 of this chapter;

(3) Flight safety personnel qualifications and roles for performing wind weighting; and

(4) Procedures for any recovery of a launch vehicle component or payload.

Ground safety.

(a) General. An applicant shall submit a ground safety analysis report and ground safety plan for its launch processing and post-launch operations in accordance with this section when launching from a launch site in the United States. Launch processing and post-launch operations at a launch site outside the United States may be subject to the requirements of the governing jurisdiction.

(b) Ground safety analysis report. An applicant shall perform a ground safety analysis of its launch processing and post-launch operations in accordance with subpart E of part 417 of this chapter. As part of its safety review document, an applicant shall submit a ground safety analysis report that reviews each system and operation used in launch processing and post-launch operations, and identifies all public hazards and the controls to be implemented to protect the public from each hazard. The ground safety analysis report must describe each of the launch operator's systems and operations and show that all hazards that could affect the public have been identified and controlled. A hazard that could affect the public is any hazard with an effect that may extend beyond the launch personnel doing the work and that has the potential to reach the public, regardless of where members of the public are located. An applicant shall perform a ground safety analysis in accordance with the requirements in part 417, subpart E of this chapter. This section contains requirements for the ground safety analysis report to be submitted in support of an applicant's safety review.

(1) An applicant shall submit an initial ground safety analysis report no later than 12 months before the applicant brings any launch vehicle to the proposed launch site. An initial ground safety analysis report must be in a proposed final or near final form and identify any incomplete items. An applicant shall document any incomplete items and track them to completion. An applicant shall resolve any FAA comments on the initial report and submit a complete ground safety analysis report, no later than two months before the applicant brings any launch vehicle to the proposed launch site. Furthermore, an applicant shall ensure that its ground safety analysis report is kept current. Any late developing change to a ground safety analysis report shall be coordinated with the FAA as an application amendment in accordance with § 413.11 of this chapter as soon as the need for the change is identified.

(2) An applicant shall submit a ground safety analysis report in accordance with the format and content requirements of appendix C of this part.

(3) All information in a ground safety analysis report must be verifiable, including design margins, fault tolerance and successful completion of tests. Any identified hardware must be traceable to an engineering drawing or other document that describes hardware configuration. Any test or analysis identified must be traceable to a report or memorandum that contains details about how the test or analysis was performed and the results and identifies those who ensure the accuracy of the test or analysis. Any procedural hazard control identified must be traceable to a written procedure, approved by the launch safety director or designee, with the paragraph or step number of the procedure specified. A verifiable hazard control shall be identified for each hazard. For each hazard control the report must reference a released drawing, report, procedure or other document that verifies the existence of the hazard control. A launch operator shall maintain records, in accordance with § 415.77, of the verification documentation that supports the information in the ground safety analysis report.

(4) Any text describing a sequence of events or multiple pieces of information must be provided in the form of numbered lists. An applicant's ground safety analysis report must contain figures to illustrate systems and aid understanding of the data provided in the text, such as sketches to show dimensions and configuration, and schematics that show how systems function and how fault tolerance is provided. Facility drawings shall be provided to illustrate where operations take place and how public access to a hazard area would be controlled.

(5) A ground safety analysis report must be approved and signed by the launch safety director and the launch director. Each individual who prepares any part of a ground safety analysis report, shall sign and date a written statement certifying that the part of the report that person prepared is true, complete and accurate as of that date. Each statement must be included as part of the report or as an attachment.

(c) Ground safety plan. An applicant's safety review document must contain a ground safety plan that describes the ground safety roles to be performed by launch personnel and the ground safety rules and procedures to be implemented to protect public safety. This plan must describe implementation of the hazard controls identified by an applicant's ground safety analysis and implementation of the ground safety requirements of subpart E of part 417 of this chapter. A ground safety plan must address all public safety related issues and may include other ground safety issues if an applicant intends it to have a broader scope. A ground safety plan must include, but need not be limited to, the following:

(1) A description of the launch vehicle and payload identifying all hazards, including explosives, propellants, toxics and other hazardous materials, radiation sources, and pressurized systems. A ground safety plan must include figures that show the location of each hazard on the launch vehicle and where at the launch site, launch processing involving the hazard is performed.

(2) Propellant and explosive information including:

(i) Total net explosive weight of the launch operator's propellants and explosives for each explosive hazard facility as defined in part 420 of this chapter;

(ii) For toxic propellants, any hazard controls and process constraints determined in accordance with the launch operator's toxic release hazard Start Printed Page 63969analysis for launch processing performed in accordance with § 417.229 and appendix I of part 417 of this chapter.

(iii) The facility explosive and occupancy limits;

(iv) Individual explosive item data, including configuration (such as, solid motor, motor segment, or liquid propellant container), explosive material, net explosive weight, storage hazard classification and compatibility group as defined in part 420 of this chapter;

(3) A graphic depiction of the layout of the launch operator's launch complex and other launch processing facilities at the launch site. The depiction must show separation distances and any intervening barriers between explosive items that affect the total net explosive weight that each facility is sited to accommodate. An applicant shall identify any proposed facility modifications or operational changes that may affect a launch site operator's explosive site plan.

(4) A description of the process for ensuring that any procedures and procedure changes are reviewed for safety implications and are approved by a launch operator's launch safety director or designee.

(5) Procedures that launch personnel will follow when reporting a hazard or mishap to the launch operator's safety organization.

(6) Procedures for ensuring that personnel have the qualifications and certifications needed to perform a task involving a hazard that could affect public safety.

(7) A summary of the means for announcing when any hazardous operation is taking place, the means for making emergency announcements and alarms, and identification of the recipients of each type of announcement.

(8) A summary of the means of implementing access control to safety clear zones and hazard areas, including any procedures for allowing public access to such areas.

(9) General ground safety rules.

(10) A description of the process for ensuring that all safety precautions and verifications are in place prior to, during, and after hazardous operations. This includes the process for verification that an area can be returned to a non-hazardous work status.

(11) A flow chart of launch processing and a list of all major tasks. This must include all hazardous tasks and an identification of where and when, with respect to liftoff, they will take place.

(12) Identification of safety clear zones and hazard areas established in accordance with § 417.411 of this chapter.

(13) A description of the hazard controls and required verifications, in accordance with the ground safety analysis, for each task that creates a public hazard, including procedures for implementing any safety clear zones for the protection of the public.

(14) For each task that creates a public hazard, a procedure for the use of any safety equipment that protects the public.

(15) For each task creating a hazard that could affect the public, the requirements and procedures for coordinating with any launch site operator and local authorities.

(16) Generic emergency procedures that apply to all emergencies and the emergency procedures that apply to specific tasks that may create a public hazard including any task that involves a hazardous material as described in § 417.407 of this chapter.

(17) A listing of safety documentation, by title and date, which supplements the data provided in the ground safety plan, such as the ground safety analysis report, explosive quantity-distance site plan and other ground safety related documentation.

Launch plans.

(a) General. In addition to the flight and ground safety plans required by § § 415.115 and 415.117, an applicant's safety review document must contain the public safety related launch plans required by this section. Each plan must identify operation personnel and their duties, contain mission specific information for the first planned launch and include written procedures that contain the specifics of the operations and activities conducted in accordance with the plan. Procedures may be incorporated by reference. Each plan must identify personnel by position who approve and implement the plan, the related procedures, and any modification to the plan or procedures. An applicant shall incorporate each launch safety rule established in accordance with § 417.113 of this chapter into each related launch safety plan. An applicant's launch plans shall include, but need not be limited to, those required by this section.

(b) Emergency response plan. An applicant's safety review document must contain an emergency response plan that ensures public safety in the event of a mishap during launch processing or flight. An emergency response plan must identify emergency response personnel and their duties and describes the methods to be used to ensure public safety. An emergency response plan must define the process for providing assistance to any injured people and describe the methods used to control any hazards associated with a mishap. An emergency response plan must describe the types of emergency support required, equipment to be used, emergency response personnel and their qualifications, and any related agreements with any launch site operator and state, county or local government agencies. The types of emergency support described in the plan shall include, but need not be limited to, firefighting, explosive ordnance disposal, chemical spill response, and medical support.

(c) Accident investigation plan. An applicant's safety review document must contain an accident investigation plan that meets the requirements of § 415.41 of this part. The accident investigation requirements for launch from a federal launch range in part 415, subpart C also apply to launch from a non-federal launch site.

(d) Launch support equipment and instrumentation plan. An applicant's safety review document must contain a launch support equipment and instrumentation plan that ensures the reliability of the equipment and instrumentation that is involved in ensuring public safety during launch processing and flight. A launch support equipment and instrumentation plan must list and describe such equipment and must identify personnel who are responsible for its operations and maintenance and who must be certified in accordance with § 417.105 of this chapter. The plan must also contain, or incorporate by reference, written procedures for support equipment operation, test, and maintenance that are to be implemented for each launch. The plan must also identify equipment and instrumentation reliability and contingencies that protect the public in the event of a malfunction.

(e) Configuration management and control plan. A safety review document must contain a configuration management and control plan for all safety critical system, such as, any flight safety system and any launch processing system that represents a hazard to the public. A configuration management and control plan must define the applicant's process for managing and controlling any change to a safety critical system to ensure its reliability. For each system, the plan must identify each person with authority for approving design changes as well as the personnel, by position, who maintain documentation of the most current approved design. This plan must contain, or incorporate by reference, all Start Printed Page 63970configuration management and control procedures that apply to the launch vehicle and each support system.

(f) Communications plan. An applicant's safety review document must contain a communications plan that ensures clear concise communications between personnel involved in launch processing, countdown, and flight. A communications plan must list and describe all forms of communication that ensure public safety and any voice and data circuits required to allow real-time interface among launch control and safety personnel for each task during the conduct of hazardous operations, launch processing, countdown, and flight. This includes communications to locations outside of the launch site boundaries when those communications are necessary for public safety and includes those communications that are part of any flight safety system as required by § 417.327 of this chapter. A communications plan must delineate clear lines of communication and unimpeded flow of reporting and direction. The plan must define precise and formal communication protocols using well-defined terminology and acronyms that can be clearly understood over a voice network. The communications plan must also identify communication system reliability and backup circuits.

(g) Frequency management plan. An applicant's safety review document must contain a plan that identifies the radio frequencies used in support of a launch and the process for allocating use of those frequencies for each operation performed during launch processing and flight to avoid interference, and must identify and provide contact information for the personnel who implement the plan. A frequency management plan must:

(1) Identify each frequency, allowable frequency tolerances, and each frequency's intended use, operating power, and source;

(2) Provide for the monitoring of frequency usage and enforcement of frequency allocations;

(3) Identify agreements and procedures for coordinating use of radio frequencies with any launch site operator and any local and federal authorities, including the Federal Communications Commission; and

(4) Satisfy the requirements of any launch site operator's frequency management plan developed in compliance with part 420 of this chapter.

(h) Security and hazard area surveillance plan. An applicant's safety review document must contain a plan that defines the process for ensuring that any unauthorized persons, ships, trains, aircraft or other vehicles do not enter any hazard areas designated in accordance with the flight safety analysis or the ground safety analysis. The plan must describe how the launch operator will provide for day-of-flight surveillance of the flight hazard area established in accordance with § 417.225 of this chapter and ensure that the presence of any member of the public in or near a flight hazard area is consistent with flight commit criteria developed for each launch in accordance with § 417.113 of this chapter. This plan must identify the number of security and surveillance personnel employed for each launch and the qualifications and training each must have. This plan must identify the location of roadblocks and other security checkpoints, the times that each station must be manned, and any surveillance equipment used. This plan must contain, or incorporate by reference, all procedures for launch personnel control, handling of intruders, communications and coordination with launch personnel and other launch support entities, and implementation of any agreements with local authorities and any launch site operator.

(i) Public coordination plan. An applicant's safety review document must contain a plan that describes the processes for coordinating launch processing and flight with the local population and local government officials to ensure public safety. A public coordination plan must include the following:

(1) Procedures for implementing any launch-related agreements with local authorities;

(2) A schedule and procedures for the release of launch information prior to flight, post flight, and in the event of an anomaly;

(3) Procedures for public access to any launch viewing areas that are under the applicant's control; and

(4) A description of the interfaces established between launch personnel who implement the plan and any local authorities.

(j) Local agreements and plans. An applicant's safety review document must contain any agreements and plans with local authorities at or near a launch site whose support is needed to ensure public safety during all launch processing and flight activities. An applicant's local agreements and plans must satisfy any launch site operator's local agreements and plans developed in accordance with part 420 of this chapter. Local agreements and plans must include coordination with the following where applicable:

(1) Launch site operator;

(2) United States Coast Guard;

(3) FAA Air Traffic Control (ATC); and

(4) Any other local agency that supports the launch, such as local law enforcement agencies, emergency response agencies, fire departments, National Park Service, and Mineral Management Service.

(k) Test plans. An applicant's safety review document must contain a plan for the testing of each flight and ground system or equipment that provides public protection from adverse effects of launch processing and flight. Specific requirements applicable to testing of a flight safety system are provided in § 415.129 and subpart D of part 417 of this chapter. Each test plan must:

(1) Identify personnel who conduct the tests, and include a test schedule that indicates when specific tests are to be performed referenced to liftoff ;

(2) Identify the pass/fail criteria for each system or piece of equipment to be used for a launch;

(3) Contain, or incorporate by reference, test procedures for each system or piece of equipment to be used for a launch.

(1) Countdown plan. An applicant's safety review document must contain a countdown plan that describes the personnel and equipment that must be in place, the conditions that must be met, and the timed sequence of events that must take place to initiate flight of a launch vehicle while ensuring public safety. A countdown plan must:

(1) Cover the period of time when launch support personnel are to be at their designated stations through initiation of flight. (The period of time that a countdown plan covers may vary with launch vehicle configuration, the complexity of the supporting infrastructure, and complexity of vehicle processing leading to a flight attempt);

(2) Include procedures for handling anomalies that occur during a countdown and events and conditions that may result in a constraint to initiation of flight;

(3) Include procedures for delaying or holding a launch when necessary to allow for corrective actions, to await improved conditions, or to accommodate a launch wait;

(4) Describe a process for resolving issues that arise during a countdown and identify each person responsible for approving corrective actions; and

(5) Include a written countdown checklist that provides a formal decision process leading to flight initiation. A Start Printed Page 63971countdown checklist must include the preflight tests of a flight safety system required in subpart D of part 417 of this chapter and must contain, but need not be limited to, the following:

(i) Identification of operations and specific actions completed and verifications performed that there are no constraints to flight and that all launch safety rules and launch commit criteria are satisfied;

(ii) Time of each event;

(iii) Identification of personnel responsible for each operation or specific action, including reporting to the launch conductor;

(iv) Identification of communication channel to be used for reporting each event;

(v) Identification of communication and event reporting protocols;

(vi) Polling of personnel who oversee all safety critical systems and operations to verify their readiness to proceed with the launch, and

(vii) Provisions for recording the status of countdown events.

(m) Launch abort or delay recovery and recycle plan. An applicant's safety review document must contain a plan for recovering from a launch abort or launch delay that results during a launch countdown and recycling for the next launch attempt following procedures that provide for public safety. The plan must:

(1) Contain, or incorporate by reference, all procedures for recovery from a launch abort or delay.

(2) Identify the conditions that must exist in order to make another launch attempt;

(3) Include a schedule depicting the flow of tasks and events in relation to when the abort or delay occurred and the new planned launch time;

(4) Identify all technical and readiness reviews scheduled to be conducted during the recovery period; and

(5) Identify the interfaces and supporting entities needed to support recovery operations.

(n) License modification plan. An applicant's safety review document must contain a plan that:

(1) Describes the applicant's process for identifying a proposed material change and making a request to the FAA for a launch license modification, pursuant to § 415.73, prior to implementing the change;

(2) Identifies the applicant's process for seeking a waiver from an FAA requirement under part 404 of this chapter;

(3) Describes a process for determining when a license modification is needed and the applicant's internal process for documenting, reviewing, and internally approving a request for license modification before it is submitted to the FAA; and

(4) Identifies the applicant's internal authorizing personnel.

(o) Flight termination system electronic piece parts program plan. An applicant's safety review document must contain a plan that describes the applicant's program for selecting and testing electronic piece parts used in a flight termination system to ensure their reliability. This plan must demonstrate compliance with the requirements of appendix F of part 417 of this chapter and must:

(1) Describe the applicant's program for selecting piece parts for use in a flight termination system;

(2) Identify any derating, qualification, screening, lot acceptance testing, and lot destructive physical analysis to be performed for electronic piece parts;

(3) Identify personnel who conduct the piece part tests;

(4) Identify the pass/fail criteria for each test for each piece part;

(5) Identify the levels to which each piece part specification will be derated;

(6) Contain, or incorporate by reference, test procedures for each piece part.

Launch schedule and points of contact.

(a) An applicant's safety review document must contain a launch schedule that identifies each test, review, rehearsal, and safety critical preflight operation to be conducted for each launch in accordance with §§ 417.115, 417.117, 417.119, and 417.121 of this chapter. The schedule must show start and stop times for each activity referenced to liftoff. A schedule must include, but need not be limited to those activities required by part 417 of this chapter.

(b) Either as part of the schedule or as an attachment, an applicant's safety review document must contain a summary of each scheduled activity that includes criteria for successful completion of the activity and that identifies a person by position who oversees the activity.

Computing systems and software.

(a) An applicant's safety review document must describe all computing systems and software that perform a software safety critical function for any operation performed during launch processing or flight that could have a hazardous effect on the public. This includes any software function that, if not performed, if performed out of sequence, or if performed incorrectly, may directly or indirectly cause a public safety hazard. An applicant shall implement such computing systems and software in accordance with § 417.123 and appendix H of part 417 of this chapter.

(b) An applicant's safety review document must list and describe all software safety critical functions involved in a proposed launch, including associated hardware and software interfaces. For each system with a software safety critical function, an applicant's safety review document must contain the following:

(1) A listing of all software safety critical functions including identification of safety critical interfaces with other systems;

(2) A description, including hardware, software, and layout, of any operator console and display;

(3) Flow charts or diagrams showing hardware data busses, hardware interfaces, software interfaces, data flow, power systems, and the functionality of each software safety critical function;

(4) Logic diagrams and software design descriptions;

(5) Listing of operator user manuals and documentation by title and date;

(6) The results of software hazard analyses as integrated into the system;

(7) Software test plan, test procedures, and test results; and

(8) Software development plan, including descriptions of the launch operator's implementation of the following:

(i) Software development process;

(ii) How the software will be partitioned;

(iii) Coding standards used;

(iv) Configuration control;

(v) How software changes will be implemented and tested;

(vi) How qualified software loads will be validated;

(vii) Policy on throughput and memory use limitations;

(viii) Software analysis;

(ix) Software testing and methods of independent verification and validation employed;

(x) Policy on the reuse of software;

(xi) Policy on the use of any commercial-off-the-shelf software; and

(xii) Operating system and language compilers to be employed.

Unique safety policies and practices.

An applicant's safety review document must identify any public safety related policy and practice that is unique to the proposed launch in Start Printed Page 63972accordance with § 417.127 of this chapter. An applicant's safety review document must describe how each unique safety policy or practice provides for public safety.

Flight safety system design and operation data.

(a) General. An applicant's safety review document must contain the flight safety system data identified in this section for the launch of an orbital or guided sub-orbital launch vehicle that uses a flight safety system to protect public safety in accordance with § 417.107(a) of this chapter. Unless otherwise specified, all data required by this section that is applicable to an applicant's flight safety system must be submitted no later than 18 months before the applicant brings any launch vehicle to a proposed launch site. An applicant shall participate in a series of technical meetings with the FAA as needed to facilitate the review and approval of a flight safety system and its implementation.

(b) Flight safety system description. A safety review document must contain an overview design description of an applicant's flight safety system and its operation. Flight safety system and subsystems design and operational requirements are provided in part 417, subpart D and the appendices to part 417 of this chapter.

(c) Flight safety system diagram. An applicant's safety review document must contain a block diagram that identifies all flight safety system subsystems. The diagram must include, but is not limited to, the following subsystems defined in part 417, subpart D of this chapter: flight termination system; command control system; tracking; telemetry; communications; flight safety data processing, display, and recording system; and flight safety official console.

(d) Subsystem design information. An applicant's safety review document must contain all of the following data as applicable to each subsystem identified in the block diagram required by paragraph (c) of this section:

(1) Subsystem description. A physical description of each subsystem and its components, its operation, and interfaces with other systems or subsystems.

(2) Subsystem diagram. A physical and functional diagram of each subsystem, including interfaces with other systems and subsystems.

(3) Component location. Drawings showing the location of all subsystem components as installed on the vehicle, and at the launch site.

(4) Electronic components. A physical description of each subsystem electronic component, including operating parameters and functions at the system and piece-part level. An applicant shall also provide the name of the manufacturer and the model number of each component where applicable and identify whether the component is custom designed and built or off-the-shelf-equipment.

(5) Mechanical components. An illustrated parts breakdown of all mechanically operated components for each subsystem, including the name of the manufacturer and any model number.

(6) Subsystem compatibility. A demonstration of the compatibility of the onboard launch vehicle flight termination system with the command control system.

(7) Flight termination system component storage, operating, and service life. A listing of all flight termination system components that have a critical storage, operating, or service life and a summary of the applicant's procedures for ensuring that each component does not exceed its storage, operating, or service life before flight.

(8) Flight termination system element siting. For a flight termination system, a description of where each subsystem element is sited, where cables are routed, and identification of mounting attach points and access points.

(9) Flight termination system electrical connectors and connections and wiring diagrams and schematics. For a flight termination system, a description of all subsystem electrical connectors and connections, and any electrical isolation. The safety review document must also contain system wiring diagrams and schematics and identify the test points to be used for integrated testing and checkout.

(10) Flight termination system batteries. A description of each flight termination system battery and cell, the name of the battery or cell manufacturer, and any model numbers.

(11) Controls and displays. For a flight safety official console, a description identifying all controls, displays, and charts depicting how real time vehicle data and flight safety limits are displayed. The description shall identify the scales used for displays and charts.

(e) System analyses. An applicant shall perform the reliability and other system analyses for a flight termination system and command control system in accordance with § 417.329. An applicant's safety review document must contain the results of each analysis.

(f) Environmental design. An applicant must determine the flight termination system maximum predicted environment levels in accordance with § 417.307(b) of this chapter and the design environments that include design margins in accordance with D417.3 of appendix D of part 417. An applicant's safety review document must contain a summary of the analyses and measurements used to derive the maximum predicted environment levels. The safety review document must contain a matrix that identifies the maximum predicted environment levels and the design environments.

(g) Flight safety system compliance matrix. An applicant's safety review document must contain a compliance matrix of the function, reliability, system, subsystem, and component requirements of part 417 of this chapter and its appendices. This matrix must identify each requirement and indicate compliance as follows:

(1) “Yes” shall be indicated if the applicant's system meets the requirement in part 417 of this chapter. The matrix shall reference documentation verifying compliance;

(2) “Not applicable” shall be indicated if the applicant's system design and operational environment are such that the requirement does not apply. For each such case, the applicant shall provide a clear and convincing demonstration of the non-applicability of that requirement as an attachment to the matrix; and

(3) “Meets intent” shall be indicated in each case where the applicant proposes to show that its system meets the intent of the requirement through some means other than those defined in part 417 of this chapter. For each such case, an applicant shall provide a clear and convincing demonstration through a technical rationale within the matrix, or as an attachment, that the proposed alternative achieves an equivalent level of safety.

(h) Flight termination system installation procedures. An applicant's safety review document must contain a list of the flight termination system installation procedures to be implemented in accordance with § 417.319 of this chapter and a synopsis of the procedures that demonstrates how they meet the requirements of § 417.319 of this chapter. The list must reference each procedure by title, any document number, and date.

(i) Tracking validation procedures. An applicant's safety review document must contain the procedures to be implemented according to § 417.121(h) Start Printed Page 63973of this chapter for validating that the accuracy of the launch vehicle tracking data supplied to the flight safety official is in accordance with the flight safety system design and flight safety limits developed in accordance with part 417 of this chapter.

Flight safety system test data.

(a) General. An applicant's safety review document must contain the flight safety system test data required by this section. Except for test reports, an applicant shall submit all required test data no later than 12 months before the applicant brings any launch vehicle to the proposed launch site. An applicant may submit test data earlier to allow greater time for addressing issues that may be identified by the FAA and avoid possible impact on the proposed launch date. The requirements in this section apply to all testing required by part 417, subpart D of this chapter and its appendices, including qualification, acceptance, age surveillance, and preflight testing of a flight safety system and its subsystems and individual components. Flight safety system testing need not be completed before the FAA issues a launch license. Prior to flight, a licensee must successfully complete all required flight safety system testing and submit the completed test reports and summaries of test results required by § 417.315(f) and § 417.325(d) of this chapter.

(b) Testing compliance matrix. An applicant's safety review document must contain a compliance matrix of all the flight safety system, subsystem, and component testing requirements of part 417 and appendices to part 417 of this chapter. This matrix must identify each test requirement and indicate compliance as follows:

(1) “Yes” shall be indicated if the applicant's system or component testing is performed in accordance with part 417 of this chapter. The matrix shall reference documentation verifying compliance;

(2) “Not applicable” shall be indicated if the applicant's system design and operational environment are such that the test requirement does not apply. For each such case, an applicant shall provide a clear and convincing demonstration, providing its technical rationale within the matrix or as an attachment to the matrix, that the test requirement does not apply;

(3) “Similarity” shall be indicated where the test requirement applies to a component whose design is being qualified based on its similarity to a previously qualified component that successfully passed all the required testing. For each such case, an applicant shall provide a demonstration of similarity by performing the analysis required by appendix E of part 417 of this chapter. The results of each analysis must be contained within the matrix or as an attachment; and

(4) “Meets intent” shall be indicated in each case where the applicant proposes to show that its test program meets the intent of the requirement through some means other than those in part 417 of this chapter. For each such case, an applicant shall provide a clear and convincing demonstration through a technical rationale, within the matrix or as an attachment, that the alternative means achieves an equivalent level of safety.

(c) Test program overview and schedule. A safety review document must contain a summary of the applicant's flight safety system test program that identifies where the tests are to be performed and the personnel who ensure the validity of the results. A safety review document must contain a schedule for successfully completing each test before flight. The schedule must be referenced to the time of liftoff for the first proposed flight attempt.

(d) Flight safety system test plans and procedures. An applicant's safety review document must contain test plans that satisfy § 415.119(k) and the flight safety system testing requirements in subpart D and appendix E of part 417 of this chapter for all flight safety system testing. An applicant's safety review document must contain a list of all flight termination system test procedures and a synopsis of the procedures that demonstrates how they meet the testing requirements of part 417. The list must reference each procedure by title, any document number, and date.

(e) Test reports. An applicant's safety review document must contain test reports, prepared in accordance with § 417.315(f) and § 417.325(d) of this chapter, for each flight safety system test completed at the time of license application. An applicant shall submit any remaining test reports before flight in accordance with § 417.315(f) and § 417.325(d) of this chapter.

(f) Reuse of flight termination system components. For any flight termination system component to be used for more than one flight, an applicant's safety review document must contain a reuse qualification test, refurbishment plan, and acceptance test plan. This test plan must define the applicant's process for demonstrating that the component can function without degradation in performance when subjected to the qualification test environmental levels plus the total number of exposures to the maximum expected environmental levels for each of the flights to be flown.

Flight safety system crew data.

(a) An applicant's safety review document must identify each flight safety system crew position and the role of that crewmember during launch processing and flight of a launch vehicle.

(b) An applicant's safety review document must identify the senior flight safety official by name and demonstrate that this individual's qualifications comply with the requirements of § 417.331 of this chapter.

(c) An applicant's safety review document must describe the certification and training program for flight safety system crewmembers established to ensure compliance with § 417.105 and § 417.331 of this chapter.

9. Appendixes B and C to part 415 are added to read as follows:

Appendix B to Part 415—Safety Review Document Outline

This appendix contains the format and numbering scheme for a safety review document to be submitted as part of an application for a launch license. Administrative requirements applicable to a safety review document are provided in § 415.107. Requirements for the form and content of each part of a safety review document are provided in parts 413 and 415 of this chapter. Technical requirements related to the information contained in a safety review document are provided in part 417 of this chapter. The applicable sections of parts 413, 415, and 417 of this chapter are referenced in the outline below.

Safety Review Document

1.0 Launch Description (§ 415.109)

1.1 Purpose

1.2 Launch Schedule

1.3 Launch Site Description

1.4 Launch Vehicle Description

1.5 Payload Description

1.6 Trajectory

1.7 Staging Events

1.8 Vehicle Performance Graphs

1.9 Unguided Suborbital Rocket Design Configuration

2.0 Launch Operator Information (§ 415.111)

2.1 Launch Operator Administrative Information (§ 415.111 and § 413.7)

2.2 Launch Operator Organization (§ 415.111 and § 417.103)

2.2.1 Organization Summary

2.2.3 Organization Charts

2.2.4 Office Descriptions and Safety Functions

3.0 Launch Personnel Certification Program (§ 415.113 and § 417.105)

3.1 Program Summary

3.2 Program Implementation Document(s)

3.3 Table of Safety Critical Tasks Performed by Certified Personnel Start Printed Page 63974

4.0 Flight Safety (§ 415.115)

4.1 Initial Flight Safety Analysis

4.1.1 Flight Safety Sub-Analyses, Methods, and Assumptions

4.1.2 Sample Calculation and Products

4.1.3 Conjunction On Launch Assessment Input Data

4.1.4 Launch Specific Updates and Final Flight Safety Analysis Data

4.2 Radionuclide Data (where applicable)

4.3 Flight Safety Plan

4.3.1 Flight Safety Personnel

4.3.2 Flight Safety Rules

4.3.3 Flight Safety System Summary and Preflight Tests

4.3.4 Trajectory and Debris Dispersion Data

4.3.5 Flight Hazard Areas and Safety Clear Zones

4.3.6 Support Systems and Services

4.3.7 Flight Safety Activities

4.3.8 Unguided Suborbital Rocket Data (where applicable)

5.0 Ground Safety (§ 415.117)

5.1 Ground Safety Analysis Report

5.2 Ground Safety Plan

6.0 Launch Plans (§ 415.119 and § 417.111)

6.1 Emergency Response Plan

6.2 Accident Investigation Plan

6.3 Launch Support Equipment and Instrumentation Plan

6.4 Configuration Management and Control Plan

6.5 Communications Plan

6.6 Frequency Management Plan

6.7 Security and Hazard Area Surveillance Plan

6.8 Public Coordination Plan

6.9 Local Agreements and Plans

6.10 Test Plans

6.11 Countdown Plans

6.12 Launch Abort/Delay Recovery Plan

6.13 License Modification Plan

7.0 Launch Schedule and Points of Contact (§ 415.121)

7.1 Schedule Charts

7.2 Activity Summaries and Points-of-Contact

8.0 Computing Systems and Software (§ 415.123)

8.1 Hardware and Software Descriptions

8.2 Flow Charts and Diagrams

8.3 Logic Diagrams and Software Design Descriptions

8.4 Operator User Manuals and Documentation

8.5 Software Hazard Analyses

8.6 Software Test Plans, Test Procedures, and Test Results

8.7 Software Development Plan

9.0 Unique Safety Policies and Requirements (§ 415.125)

10.0 Flight Safety System Design and Operation Data (§ 415.127)

10.1 Flight Safety System Description

10.2 Flight Safety System Diagram

10.3 Flight Safety System Subsystem Design Information

10.4 Flight Safety System Analyses

10.5 Flight Termination System Environmental Design

10.6 Flight Safety System Compliance Matrix

10.7 Flight Termination System Installation Procedures

10.8 Tracking System Validation Procedures

11.0 Flight Safety System Test Data (§ 415.129)

11.1 Test Program Overview

11.2 Testing and Installation History

11.3 Test Levels

11.4 Test Plans, Procedures, and Reports

11.5 Testing Compliance Matrix

12.0  Flight Safety System Crew Data (§ 415.131)

12.1 Position Descriptions

12.2 Personnel Qualifications

12.3 Certification and Training Program Description

Appendix C to Part 415—Ground Safety Analysis Report

C415.1 General

(a) This appendix provides the content and format requirements for a ground safety analysis report that must be submitted to the FAA as part of a launch license application in accordance with § 415.117. An applicant shall perform a ground safety analysis in accordance with subpart E of part 417 of this chapter and submit a ground safety analysis report in accordance with this appendix.

(b) A ground safety analysis report must contain hazard analyses that describe all hazard controls, and describe a launch operator's hardware, software, and operations so that the FAA may assess the adequacy of the hazard analysis. A launch operator shall document all hazard analyses on hazard analysis forms in accordance with C415.3(d) and submit systems and operations descriptions as a separate volume of the report.

(c) A ground safety analysis report must include a table of contents and provide definitions of any acronyms and unique terms used in the report.

(d) Instead of repeating the data, a launch operator's ground safety analysis report may reference other documents submitted to the FAA that contain the information required by this appendix.

C415.3 Ground Safety Analysis Report Chapters

(a) Introduction. A ground safety analysis report must include an introductory chapter that describes all administrative items such as purpose, scope, safety certification of personnel who performed any part of the analysis, and any special interest items, such as high-risk situations or potential non-compliance with any applicable FAA requirement.

(b) Launch vehicle and operations summary. A ground safety analysis report must include a chapter that provides general safety information about the vehicle and operations, including the payload and flight termination system. This chapter must serve as an executive summary of detailed information contained within the report.

(c) Systems, subsystems, and operations information. A ground safety analysis report must include a chapter that provides detailed safety information about each launch vehicle system, subsystem and operation and any associated interfaces. The data in this chapter must be in accordance with the following:

(1) Introduction. A launch operator's ground safety analysis report must contain an introduction to its systems, subsystems, and operations information that serves as a roadmap and checklist to ensure all applicable items are covered. All flight and ground hardware must be identified with a reference to where the items are discussed in the document. All interfacing hardware and operations must be identified with a reference to where the items are discussed in the document. The introduction must identify interfaces between systems and operations and the boundaries that describe a system or operation.

(2) Subsystem description. For each hardware system identified in a ground safety analysis report as falling under one of the hazardous systems listed in paragraphs (c)(3), (c)(4) and (c)(5) of this section, the report must identify each of the hardware system's subsystems. A ground safety analysis report must describe each hazardous subsystem in accordance with the following format:

(i) General description, including nomenclature, function, and a pictorial overview ;

(ii) Technical operating description, including text and figures describing how a subsystem works and any safety features and fault tolerance levels;

(iii) Safety critical parameters, including those that demonstrate implemented system safety approaches that are not evident in the technical operating description or figures, such as factors of safety for structures and pressure vessels;

(iv) Major components including any part of a subsystem that must be technically described in order to understand the subsystem hazards. For a complex subsystem such as a propulsion subsystem, a majority of the detail, including any figures shall be provided at the major component level such as tanks, engines and vents. The Start Printed Page 63975presentation of figures in the report shall progress in detail from broad overviews to narrowly focused figures. Each figure must have supporting text that explains what the figure is intended to illustrate;

(v) Ground operations and interfaces including interfaces with other launch vehicle and launch site subsystems. A ground safety analysis report must identify a launch operator's hazard controls for all operations that are potentially hazardous to the public. The report must contain facility figures that illustrate where hazardous operations take place and must identify all areas where controlled access is employed as a hazard control; and

(vi) Hazard analysis summary of subsystem hazards that identifies each specific hazard and the threat to public safety. This summary must provide cross-references to the hazard analysis form required in C415.3(d) and indicate the nature of the control, such as design margin, fault tolerance, or procedure.

(3) Flight hardware. For each stage of a launch vehicle, a ground safety analysis report must identify all flight hardware systems using the following sectional format:

(i) Structural and mechanical systems;

(ii) Ordnance systems;

(iii) Propulsion and pressure systems;

(iv) Electrical and non-ionizing radiation systems; and

(v) Ionizing radiation sources and systems.

(4) Ground hardware. A ground safety analysis report must identify the launch operator's ground hardware, including launch site and ground support equipment, that contains hazardous energy or materials, or that can affect flight hardware that contains hazardous energy or materials. All ground hardware shall be identified using the following sectional format:

(i) Structural and mechanical ground support and checkout systems;

(ii) Ordnance ground support and checkout systems;

(iii) Propulsion and pressure ground support and checkout systems;

(iv) Electrical and non-ionizing radiation ground support and checkout systems;

(v) Ionizing radiation ground support and checkout systems;

(vi) Hazardous materials; and

(vii) Support and checkout systems and any other safety equipment used to monitor or control a potential hazard not otherwise addressed above.

(5) Flight safety system. A ground safety analysis report must describe the hazards of inadvertent actuation of the launch operator's flight safety system, potential damage to the flight safety system during ground operations, and the hazard controls to be implemented.

(6) Hazardous materials. A ground safety analysis report must identify any hazardous materials used in the launch operator's flight and ground systems, including the quantity and location of each. A ground safety analysis report must contain a summary of the launch operator's approach for protecting the public from toxic plumes, including the all toxic concentration thresholds used to control public exposure and a description of any related local agreements. The ground safety analysis report must describe any toxic plume model used to protect public safety and contain any algorithms implemented by the model. For a launch that involves the use of any toxic propellants, the ground safety analysis report must include the products of the launch operator's toxic release hazard analysis for launch processing in accordance with paragraph I417.7(m) of appendix I of part 417 of this chapter.

(d) Hazard analysis. A ground safety analysis report must include a chapter containing a hazard analysis of the launch vehicle and launch vehicle processing and interfaces. The hazard analysis must identify each hazard and all hazard controls to be implemented. A ground safety analysis report must contain the results of the launch operator's hazard analysis of each system, subsystem, and operation using a standardized format that includes all of the items listed on the example hazard analysis form provided in figure C415-1 and in accordance with the following:

(1) Introduction. A ground safety analysis report must contain an introduction that serves as a roadmap and checklist to the launch operator's hazard analysis forms. All flight and ground hardware must be identified with a reference to where the items are discussed in the ground safety analysis report. All interfacing hardware and operations must be similarly addressed. The introduction must explain how a launch operator has chosen to present its hazard analysis in terms of hazard identification numbers as identified in figure C415-1.

(2) Analysis. Each hazard may be presented on a separate form or a launch operator may consolidate hazards of a specific system, subsystem, component, or operation onto a single form. There must be at least one form for each hazardous subsystem and each hazardous subsystem operation. A launch operator must state which approach it has chosen in the introduction to the hazard analysis section. Each identified hazard control must be separately tracked.

(3) Numbering. Each hazard analysis form shall be numbered with the applicable system or subsystem identified. Each line item on a hazard analysis form shall be numbered, with numbers and letters provided for multiple entries against an individual line item. A line item consists of a hardware or operation description and a hazard.

(4) Hazard analysis data. A hazard analysis form must contain or reference all information necessary to understand the relationship of a system, subsystem, component, or operation with a hazard cause, control, and verification.

(e) Hazard analysis supporting data. A ground safety analysis report must include data that supports the hazard analysis. If such data does not fit onto the hazard analysis form it shall be provided in a supporting data chapter. This chapter must contain a table of contents and may reference other documents that contain supporting data.

Start Printed Page 63976

9. Revise part 417 to read as follows:

End Part Start Part

PART 417—LAUNCH SAFETY

Subpart A—General
417.1
Scope.
417.3
Definitions.
417.5
Launch safety responsibility.
417.7
Launch site responsibility.
417.9
Safety review document and launch specific updates.
417.11
License flight readiness.
417.12-417.100
[Reserved]
Subpart B—Launch Safety Requirements
417.101
Scope.
417.103
Launch operator organization.
417.105
Launch personnel qualifications and certification.
417.107
Flight safety.
417.109
Ground safety.
417.111
Launch plans.
417.113
Launch safety rules.
417.115
Tests.
417.117
Reviews.
417.119
Rehearsals.
417.121
Safety critical preflight operations.
417.123
Computing systems and software.
417.125
Launch of an unguided suborbital rocket.
417.127
Unique safety policies and practices.
417.128-417.200
[Reserved]
Subpart C—Flight Safety Analysis
417.201
Scope.
417.203
General.
417.205
Trajectory analysis.
417.207
Malfunction turn analysis.
417.209
Debris analysis.
417.211
Flight control lines analysis.
417.213
Flight safety limits analysis.
417.215
Straight-up time analysis.
417.217
Wind analysis.
417.219
No-longer-terminate (gate) analysis.
417.221
Data loss flight time analysis.
417.223
Time delay analysis.
417.225
Flight hazard area analysis.
417.227
Debris risk analysis.
417.229
Toxic release hazard analysis.
417.231
Distant focus overpressure explosion hazard analysis.
417.233
Conjunction on launch assessment.
417.235
Analysis for launch of an unguided suborbital rocket flown with a wind weighting safety system.
417.236-417.300
[Reserved]
Subpart D—Flight Safety System
417.301
General.
417.303
Launch vehicle flight termination system functional requirements.
417.305
Flight termination system reliability.
417.307
Flight termination system environment survivability.
417.309
Command destruct system.
417.311
Inadvertent separation destruct system.
417.313
Flight termination system safing and arming.
417.315
Flight termination system testing.
417.317
Flight termination system preflight testing.
417.319
Flight termination system installation procedures.
417.321
Flight termination system monitoring.
417.323
Command control system requirements.
417.325
Command control system testing.
417.327
Support systems.
417.329
Flight safety system analysis.
417.331
Flight safety system crew roles and qualifications.
417.332-417.400
[Reserved]
Subpart E—Ground Safety
417.401
Scope.
417.403
General.
417.405
Ground safety analysis.
417.407
Hazard control implementation.
417.409
System hazard controls.
417.411
Safety clear zones for hazardous operations.Start Printed Page 63977
417.413
Hazard areas.
417.415
Post-launch and post-flight-attempt hazard controls.
417.417
Propellants and explosives.
417.418-417.500
[Reserved]

Appendix A to Part 417—Methodologies for Determining Flight Hazard Areas for Orbital Launch

Appendix B to Part 417—Methodology for Performing Debris Risk Analysis

Appendix C to Part 417—Flight Safety Analysis for an Unguided Suborbital Rocket Flown With a Wind Weighting Safety System and Hazard Areas for Planned Impacts for All Launches

Appendix D to Part 417—Flight Termination System Components and Circuitry

Appendix E to Part 417—Flight Termination System Component Testing and Analysis

Appendix F to Part 417—Flight Termination System Electronic Piece Parts

Appendix G to Part 417—Natural and Triggered Lighting Flight Commit Criteria

Appendix H to Part 417—Safety Critical Computing Systems and Software

Appendix I to Part 417—Methodologies for Toxic Release Hazard Analysis

Start Authority

Authority: 49 U.S.C. 70101-70121.

End Authority

Subpart A—General

Scope.

This part prescribes the responsibilities of a launch operator conducting a licensed launch of an expendable launch vehicle and the requirements with which a licensed launch operator must comply to maintain a license and conduct a launch. The safety requirements contained in this part apply to all licensed launches of expendable launch vehicles. The administrative requirements for submitting material to the FAA contained in this part apply in total to all licensed launches from a non-federal launch site. For a licensed launch from a federal launch range where there is a federal range safety organization overseeing the safety of each licensed launch, the administrative requirements contained in this part that apply to such a launch will be identified during the licensing process in accordance with subpart C of part 415 of this chapter, but may vary depending on the FAA's current baseline assessment of the federal launch range's safety process. Requirements for preparing a license application to conduct a launch, including all related policy and safety reviews and payload determinations are contained in parts 413 and 415 of this chapter.

Definitions.

For the purpose of this part,

Casualty means serious injury or death.

Command control system means the portion of a flight safety system that includes all components needed to send a flight termination control signal to an onboard vehicle flight termination system. A command control system starts with flight termination activation switches at the flight safety official console and ends at each command-transmitting antenna. It includes all intermediate equipment, linkages, and software and any auxiliary transmitter stations that ensure a command signal will reach the onboard vehicle flight termination system from liftoff until the launch vehicle achieves orbit or can no longer reach a populated or other protected area.

Command destruct system means a portion of a flight termination system that includes all components on board a launch vehicle that receive a flight termination control signal and achieve destruction of the launch vehicle. A command destruct system includes all receiving antennas, receiver decoders, explosive initiating and transmission devices, safe and arm devices and ordnance necessary to achieving destruction of the launch vehicle upon receipt of a destruct command.

Conjunction on launch means the approach of a launch vehicle or any launch vehicle component or payload within 200 kilometers of a habitable orbiting object, either during the flight of an unguided suborbital rocket or during the ascent to orbit and first orbit of an orbital launch vehicle.

Countdown means the timed sequence of events that must take place to initiate flight of a launch vehicle.

Crossrange means the distance measured along a line whose direction is either 90 degrees clockwise (right crossrange) or counter-clockwise (left crossrange) to the projection of a launch vehicle's planned nominal velocity vector azimuth onto a horizontal plane tangent to the ellipsoidal Earth model at the launch vehicle's sub-vehicle point. The terms, right crossrange and left crossrange, may also be used to indicate direction.

Data loss flight time means the shortest elapsed thrusting time during which a launch vehicle can move from its normal trajectory to a condition where it is possible for the launch vehicle to endanger the public. Data loss flight times are used to determine when a launch vehicle's flight must be terminated if launch vehicle tracking data is no longer available to the flight safety official.

Destruct means the act of terminating the flight of a launch vehicle in a way that destroys the launch vehicle and disperses or expends all remaining propellant and renders remaining energy sources non-propulsive before the launch vehicle or any launch vehicle component or payload impacts the Earth's surface.

Document means, when used as a verb, to create and maintain a written record.

Downrange means the distance measured along a line whose direction is parallel to the projection of a launch vehicle's planned nominal velocity vector azimuth into a horizontal plane tangent to the ellipsoidal Earth model at the launch vehicle sub-vehicle point. The term downrange may also be used to indicate direction.

Drag impact point means a launch vehicle impact point corrected for atmospheric drag.

Dwell time means the period during which a launch vehicle impact point is over a populated or other protected area. Dwell time also means the period during which an object is subjected to a test condition.

Expendable launch vehicle means a launch vehicle whose propulsive stages are flown only once.

Family performance data means the results of launch vehicle component and system tests that represent similar characteristics for a launch vehicle component or system and is data that is continuously updated as additional samples of a given component or system are tested. Family performance data is used as a baseline for comparison to the results of subsequent tests of the given component or system.

Flight control line means a boundary used to define the region over which a launch vehicle will be allowed to fly and where any debris resulting from normal flight or any launch vehicle malfunction will be allowed to impact.

Flight safety limit means criteria that ensure that a launch vehicle's debris impact dispersion does not cross over any flight control line established for the flight.

Flight safety official means the person designated by a launch operator who monitors the flight of a launch vehicle and makes a flight termination decision when a launch vehicle failure occurs and the launch vehicle violates an established flight safety limit or other flight safety criterion.

Flight safety system means the system that provides a means of control during flight for preventing a launch vehicle and any component, including any payload, from reaching any populated or other protected area in the event of a launch vehicle failure. A flight safety system includes the hardware and software used to protect the public in the event of a launch vehicle failure and the functions of any flight safety system crew. One typical U.S. flight safety Start Printed Page 63978system, for example, incorporates a flight termination system, a command control system, and support systems such as tracking and telemetry.

Flight safety system crew means each of the personnel, designated by a launch operator, who operate flight safety system hardware and software. The functions of a flight safety system crew are part of the flight safety system. A flight safety system crew includes a flight safety official and the personnel who support the flight safety official during launch.

Flight termination system means all components, onboard a launch vehicle, that provide the ability to end a launch vehicle's flight in a controlled manner. A flight termination system consists of all command destruct systems, inadvertent separation destruct systems, or other systems or components that are onboard a launch vehicle and used to terminate flight.

Gate means the portion of a flight control line or other flight safety limit boundary through which a launch vehicle's tracking icon may pass without flight termination.

HTPB means hydroxy-terminated polybutadiene.

In-family means a launch vehicle component or system test result indicating that the component or system's performance conforms to the family performance data that was established by previous test results.

Inadvertent separation destruct system means an automatic destruct system that uses mechanical means to trigger the destruction of a launch vehicle stage.

Instantaneous impact point means an impact point, following thrust termination of a launch vehicle, calculated in the absence of atmospheric drag effects.

Launch area means the portion of a flight corridor defined by the flight control lines from the launch point to a point 100 nautical miles in the downrange direction.

Launch azimuth means the horizontal angular direction initially taken by a launch vehicle at liftoff, measured clockwise in degrees from true north.

Launch conductor means a person designated by a launch operator who conducts preflight launch processing, hazardous operations, systems testing, and the launch countdown. A launch conductor coordinates activities with a launch safety director and reports directly to a launch director.

Launch crew means all personnel who control the countdown and flight of a launch vehicle or who make irrevocable operational decisions that have the potential for impacting public safety. A launch crew includes, but is not limited to, members of the flight safety system crew.

Launch director means an internal launch operator management employee who ensures public safety and who has final approval authority for launch. A launch director ensures that all public safety related issues are resolved prior to flight.

Launch processing means all preflight preparation of a launch vehicle at a launch site, including buildup of the launch vehicle, integration of the payload, and fueling.

Launch safety director means a person designated by a launch operator who oversees a launch safety organization and all activities related to ensuring public safety. A launch safety director reports directly to the launch director.

Launch wait means a relatively short period of time when launch is not permitted in order to avoid a conjunction on launch or to safely accommodate temporary intrusion into a flight hazard area. Launch waits can occur within a launch window, can delay the start of a launch window, or terminate a launch window early.

Launch window means a period of time during which the flight of a launch vehicle may be initiated.

Nominal means in reference to launch vehicle performance, trajectory, or stage impact point, a launch vehicle flight where all vehicle aerodynamic parameters are as expected, all vehicle internal and external systems perform exactly as planned, and there are no external perturbing influences other than atmospheric drag and gravity.

Non-operating environment means an environment that a launch vehicle component experiences before flight and when not otherwise being subjected to acceptance tests. Non-operating environments include, but need not be limited to, storage, transportation, and installation.

Operating environment means an environment that a launch vehicle component will experience during acceptance testing, launch countdown, and flight. Operating environments include shock, vibration, thermal cycle, acceleration, humidity, and thermal vacuum.

Operating life means, for a flight safety system component, the period of time beginning with activation of the component or installation of the component on a launch vehicle, whichever is earlier, for which the component is capable of satisfying all its performance specifications through the end of flight.

Operation hazard means a hazard derived from an unsafe condition created by a system or operating environment or by an unsafe act.

Out-of-family means a component or system test result where the component or system's performance does not conform to the family performance data that was established by previous test results and is an indication of a potential problem with the component or system requiring further investigation and corrective action.

Passive component means a flight termination system component that does not contain active electronic piece parts such as microcircuits, transistors, and diodes. Passive components include, but need not be limited to, radio frequency antennas, radio frequency couplers, and cables and rechargeable batteries, such as nickel cadmium batteries.

PBAN means polybutadiene-acrylic acid-acrylonitrile terpolymer.

Performance specification means a statement prescribing the particulars of how a component or part is expected to perform in relation to the system that contains the component or part. A performance specification includes specific values for range of operation, input, output, or other parameters that define the component's or part's expected performance.

Populated area means an outdoor location, structure, or cluster of structures that may be occupied by people. Sections of roadways and waterways that are frequented by automobile and boat traffic are populated areas. Agricultural lands, if routinely occupied by field workers, are also populated areas.

Protected area means a populated or other area not controlled by a launch operator that is not evacuated during flight and that must, in order to protect the public, be protected from the effects of nominal and non-nominal launch vehicle flight.

Public safety means, for a particular licensed launch, the safety of people and property that are not involved in supporting the launch and includes those people and property that may be located within the boundary of a launch site, such as, visitors, individuals providing goods or services not related to launch processing or flight, and any other launch operator and its personnel.

Safety critical means essential to safe performance or operation. A safety critical system, subsystem, component, condition, event, operation, process, or item is one whose proper recognition, control, performance, or tolerance is essential to ensuring public safety. A safety critical item may create a safety hazard or provide protection from a safety hazard. Start Printed Page 63979

Serious injury means any injury which: (1) Requires hospitalization for more than 48 hours, commencing within seven days from the date the injury was received; (2) results in a fracture of any bone (except simple fractures of fingers, toes, or nose); (3) causes severe hemorrhages, nerve, muscle, or tendon damage; (4) involves any internal organ; or (5) involves second- or third-degree burns, or any burns affecting more than five percent of the body surface.

Service life means, for a flight termination system component, the sum total of the component's storage life and operating life.

Sigma means standard deviation.

Storage life means, for a flight termination system component, the period of time after manufacturing of the component is complete until the component is activated or installed on a launch vehicle, whichever is earlier, during which the component may be subjected to storage environments and must remain capable of satisfying all its performance specifications.

Sub-vehicle point means the location on the ellipsoidal Earth model where the normal to the ellipsoid passes through the launch vehicle's center of gravity. The term is the same as the weapon system term “sub-missile point.”

System hazard means a hazard associated with a hardware system and that generally exist even when no operation is occurring. System hazards that may be found at a launch site include, but are not limited to, explosives and other ordnance, solid and liquid propellants, toxic and radioactive materials, asphyxiants, cryogens, and high pressure.

Tracking icon means the representation of a launch vehicle's present position displayed to a flight safety official at the flight safety official's console during real-time tracking of the launch vehicle's flight.

Uprange means the distance measured along a line that is 180 degrees to the downrange direction. The term uprange may also be used to indicate direction.

Launch safety responsibility.

A launch operator shall safely conduct a licensed launch in accordance with § 415.71 of this chapter. A launch operator shall conduct the flight of a launch vehicle from any launch site in accordance with the requirements of part 415 of this chapter and this part.

Launch site responsibility.

A launch operator shall ensure the safe conduct of launch processing at a launch site in the United States in accordance with the requirements of this part 417. Launch processing at a launch site outside the United States may be subject to the requirements of the governing jurisdiction. Requirements that apply to a launch site operator are contained in part 420 of this chapter. A launch operator shall coordinate and perform launch processing in accordance with any local agreements designed to ensure that the responsibilities and requirements in this part and part 420 of this chapter are met. Where there is a licensed launch site operator, a launch operator licensee shall ensure that its operations are conducted in accordance with any agreements that the launch site operator has with any federal and local authorities pursuant to part 420 of this chapter. A licensed launch operator shall coordinate with the launch site operator and provide the launch site operator any information on its activities and potential hazards necessary for the launch site operator to determine how to protect any other launch operators and persons and their property at the launch site in accordance with the launch site operator's obligations under 14 CFR 420.55. For a launch that is conducted from an exclusive use site where there is no licensed launch site operator, the launch licensee shall satisfy the requirements of this part and the public safety requirements of part 420 of this chapter.

Safety review document and launch specific updates.

(a) General. A launch operator shall conduct each launch in accordance with a safety review document developed in accordance with part 415 of this chapter and maintained and updated for each launch in accordance with the requirements of this part. A launch operator shall submit launch specific updates required by this part and any required by the terms of the launch operator's license. A launch specific update must be submitted to the FAA to allow for review and determination prior to the associated scheduled activity. Any change to the information in a licensee's safety review document that is not identified as a launch specific update must be submitted to the FAA as a request for license modification in accordance with § 415.73 of this chapter and the license modification plan required by § 415.119(n) of this chapter. A launch operator must obtain FAA approval of any license modification before flight.

(b) Launch specific updates. For each launch, a launch operator's launch specific updates shall include, but need not be limited to, the following:

(1) Launch schedule and points of contact. A launch operator shall conduct a launch in accordance with the launch schedule submitted during the licensing process in accordance with § 415.121 of this chapter and as updated for each launch. For each launch, a launch operator shall submit an updated launch schedule and points of contact no later than six months before flight. A launch operator shall immediately submit any later change to ensure that the FAA has the most current data.

(2) Flight safety system test schedule. A launch operator shall test its flight safety system in accordance with the flight safety system test schedule submitted during the licensing process in accordance with § 415.129(c) of this chapter and as updated for each launch. For each launch, a launch operator shall submit an updated flight safety system test schedule and points of contact no later than six months before flight. A launch operator shall immediately submit any subsequent change to ensure that the FAA has the most current data.

(3) Launch operator organization. A launch operator shall submit updated organization data no later than six months prior to flight in accordance with § 417.103(a).

(4) Launch plans. A launch operator shall submit any changes or additions to its flight safety plan, ground safety plan, or other launch plans to the FAA no later than 15 days before the associated activity is to take place in accordance with § 417.111(b).

(5) Six-month flight safety analysis. A launch operator shall perform flight safety analysis for each launch and submit launch specific analysis products to the FAA no later than six months prior to the date of each planned flight in accordance with § 417.203(c)(2).

(6) Thirty-day flight safety analysis update. A launch operator shall submit updated flight safety analysis products for each launch no later than 30 days prior to flight in accordance with § 417.203(c)(3).

(7) Flight termination system qualification test reports. A launch operator shall submit all flight termination system qualification test reports to the FAA no later than six months prior to the first flight attempt in accordance with § 417.315(f)(1).

(8) Flight termination system acceptance and age surveillance test report summaries. A launch operator Start Printed Page 63980shall submit a summary of the results of each flight termination system acceptance and age surveillance test no later than 30 days prior to the first flight attempt for each launch in accordance with § 417.315(f)(2).

(9) Command control system acceptance test reports. A launch operator shall submit all command control system acceptance test reports to the FAA no later than 30 days prior to the first flight attempt in accordance with § 417.325(d).

(10) Ground safety plan. A launch operator shall keep current its ground safety plan for each launch and shall submit any change to the FAA no later than 15 days before the change is implemented in accordance with § 417.403(c).

License flight readiness.

(a) For each launch, a launch operator shall verify that the launch is conducted in accordance with the terms and conditions of the launch license and the requirements of this part.

(b) For each launch, a launch operator shall verify that all license related information submitted to the FAA in accordance with the terms and conditions of the launch license and the requirements of this part reflects the current status of each of the licensee's systems and processes as they are implemented for that launch.

(c) For each launch, a launch operator shall submit a signed written statement in accordance with the signature requirements in § 413.7 of this chapter, that the launch is being conducted in accordance with the terms and conditions of the launch license and FAA regulations. The launch operator must state in writing that all required license related information was submitted to the FAA and that the information reflects the current status of the licensee's systems and processes as they are being implemented for that launch. The launch operator shall submit this written statement to the FAA no later than ten days before the first planned flight attempt for each launch.

(d) The FAA will evaluate each planned launch for compliance with the terms and conditions of the launch license and FAA regulations. The FAA will notify a launch operator of any licensing issue and coordinate with the launch operator to resolve any issue prior to flight. A launch operator shall not proceed with the flight of a launch vehicle if there is any licensing issue that has not been resolved.

(e) For each licensed launch, the launch operator shall provide the FAA with a console for monitoring the progress of the countdown and communication on all channels of the countdown communications network. The launch operator shall ensure that the FAA is polled over the communications network during the countdown to verify that the FAA has identified no issues related to the launch operator's license.

Subpart B—Launch Safety Requirements

Scope.

This subpart contains requirements that apply to the launch of orbital and suborbital expendable launch vehicles. This subpart provides an overview of the public safety issues that a launch operator's launch safety program must address. For each public safety issue, this subpart provides either the applicable requirements in their entirety or an overview of the requirements and references other subparts, sections, or appendices that contain additional requirements.

Launch operator organization.

(a) For each launch, a launch operator shall establish and maintain an organization that ensures public safety and that the requirements of this part are satisfied. Each launch management position and organizational element must have documented roles, duties, and authorities. Any change in a licensee's organization from the data that was provided during the licensing process must provide for an equivalent level of safety. For each launch a launch operator shall submit updated organization data no later than six months prior to flight. A launch operator shall immediately submit any later change to ensure that the FAA has the most current data as the date of the planned flight approaches.

(b) A launch operator's organization must include, but need not be limited to, the following launch management positions and organizational elements:

(1) Launch director. A launch operator shall designate as launch director the launch operator employee who has the launch operator's final approval authority for launch. The launch director shall ensure public safety and shall ensure that all of the launch safety director's concerns are resolved prior to flight.

(2) Launch safety director. A launch operator shall designate an official who oversees its launch safety organization and all activities related to ensuring public safety. A launch safety director shall report directly to the launch director.

(3) Launch conductor. A launch operator shall designate an official who conducts preflight launch processing, hazardous operations, systems testing, and countdown. A launch conductor shall coordinate activities with the launch safety director and shall report directly to the launch director.

(4) Flight safety organization. For a launch using a flight safety system, a launch operator shall establish an organization that performs and documents the flight safety analysis required by subpart C of this part and ensures compliance with the flight safety system requirements of subpart D, including the flight safety system crew requirements of § 417.331. For launch of a unguided suborbital rocket that uses a wind weighting safety system, a launch operator shall establish an organization that ensures compliance with the flight safety analysis required by subpart C of this part and the flight safety and personnel requirements of § 417.125(g).

(5) Ground safety organization. A launch operator shall establish an organization that ensures compliance with the ground safety analysis and program requirements of subpart E of this part.

(6) Launch processing. A launch operator shall establish organizational elements that implement launch plans in accordance with § 417.111 and accomplish the tests, reviews, rehearsals, and safety critical operations required by §§ 417.115, 417.117, 417.119, and 417.121.

Launch personnel qualifications and certification.

(a) General. A launch operator shall establish and document the qualifications, including education, experience, and training, for each launch personnel position that oversees, performs, or supports a hazardous operation with the potential to adversely affect public safety or who uses or maintains safety critical systems or equipment that protect the public. A launch operator shall implement a certification program that ensures that personnel possess the qualifications for their assigned tasks. These personnel positions include, but need not be limited to, those listed in § 417.103(b). Flight safety system crew qualification requirements for a launch using a flight safety system are provided in § 417.331.

(b) Personnel certification program. A launch operator's personnel certification program must include, but need not be limited to, the following:

(1) For each hazardous operation or safety critical system or equipment, a launch operator shall designate an individual by position who reviews Start Printed Page 63981personnel qualifications and issues certifications for demonstrated knowledge, skill and competence to perform safety related tasks.

(2) Re-certification of personnel shall be performed annually or for each launch if the time period between each launch is greater than one year. Re-certification procedures shall be established and followed by the certifying organization, and shall include, but need not be limited to, a review of an individual's work record and current job knowledge and skill requirements, determination of the need for additional training, and completion of additional training where needed.

(3) A launch operator shall revoke individual certifications for negligence or failure to satisfy certification or re-certification requirements.

(4) A launch operator shall maintain qualification and certification records for each individual performing safety-related functions.

Flight safety.

(a) Flight safety system. For each launch, a launch operator shall employ a flight safety system that provides a means of control during flight for preventing a launch vehicle and any component, including any payload, from reaching any populated or other protected area in the event of a launch vehicle failure. For each launch vehicle, vehicle component, and payload, a launch operator shall employ a flight safety system that satisfies all the functional, design, and test requirements of subpart D of this part unless one of the following exceptions applies:

(1) A launch operator need not employ a flight safety system if the launch vehicle, vehicle component, or payload does not have sufficient energy at any time during flight to reach any protected area.

(2) A launch operator need not employ a flight safety system if the launch vehicle is a suborbital rocket that does not employ a guidance system for directional control and the launch operator demonstrates that the launch will be conducted safely using a wind weighting safety system in accordance with § 417.125.

(3) A launch operator's flight safety system must satisfy all the functional, design, and test requirements of subpart D of this part unless the FAA approves the use of an alternate flight safety system through the licensing process. The FAA will approve the use of an alternate flight safety system that does not satisfy all of subpart D of this part if a launch operator demonstrates clearly and convincingly that the proposed launch achieves a level of safety that is equivalent to satisfying all the requirements of this subpart and subpart D of this part. The following apply when a launch operator seeks FAA approval for such a launch:

(i) The launch operator shall demonstrate that the launch presents significantly less public risk than the risk criteria required by paragraph (b) of this section. The reduced level of public risk must correspond to the reduced capabilities of the proposed alternate flight safety system. To achieve the reduced level of public risk, the launch must take place from a remote launch site with an absence of population and any overflight of a populated area must take place only in the later stages of flight.

(ii) The launch operator shall demonstrate the reliability of the proposed alternate flight safety system to perform its intended functions. An alternate flight safety system that does not possess all the functional capabilities required by subpart D of this part must perform its intended functions with a reliability that is comparable to that required by subpart D of this part. A launch operator shall demonstrate the reliability of a proposed alternate flight safety system through analysis, testing, and use.

(iii) The launch operator shall provide all flight safety system data required by § 415.127 of this chapter during the licensing process that is applicable to the proposed alternate flight safety system. The launch operator shall identify the similarities and differences between the design and operation of the proposed alternate flight safety system and the requirements of subpart D of this part. The launch operator shall provide an evaluation of how each difference from the requirements of subpart D of this part affects the overall safety achieved for the proposed launch.

(iv) The FAA may identify and impose additional design, test, and operational requirements for an alternate flight safety system as necessary to achieve an equivalent level of safety.

(v) A launch operator shall obtain FAA approval of any proposed alternate flight safety system that does not satisfy all of subpart D of this part before its license application or application for license modification will be found sufficiently complete to initiate review pursuant to § 413.11 of this chapter.

(b) Public risk criteria. A launch operator shall conduct all licensed launches in accordance with the following public risk criteria:

(1) A launch operator shall initiate flight only if the risk to the public due to all hazards associated with the flight does not exceed an expected average number of 0.00003 casualties (EC) per launch (EC≤30×10−6), excluding water-borne vessels and aircraft. A launch operator shall determine the risk to the public from liftoff through orbital insertion for an orbital launch vehicle, and through final stage impact for a suborbital launch vehicle. A launch operator's determination of EC for a launch shall account for, but need not be limited to, risk due to impacting debris determined in accordance with § 417.227 and any risk determined for toxic release and distant focus overpressure blast in accordance with § 417.229 and § 417.231, respectively.

(2) A launch operator shall initiate flight only if the risk to any individual member of the public does not exceed a casualty probability (PC) of 0.000001 per launch (PC≤1×10 −6). A launch operator shall define an individual casualty contour in accordance with § 417.225, such that if a single person were present inside that contour at the time of liftoff, the Pc≤1×10 −6 criteria would be exceeded. A launch operator shall treat an individual casualty contour as a safety clear zone and ensure that no member of the public is present within the contour during the flight of a launch vehicle.

(3) A launch operator shall initiate flight only if the collective risk to any water-borne vessel that is not operated in direct support of the launch does not exceed a probability of impact (Pi) of 0.00001 (Pi≤1×10 −5) during launch vehicle flight. To ensure that this criterion is not exceeded, a launch operator shall establish each ship impact hazard area in accordance with § 417.225(g), § 417.225(i), § 417.235(c), and appendixes A and C of this part.

(4) A launch operator shall initiate flight only if the individual risk to an aircraft not operated in direct support of the launch does not exceed a probability of impact of 0.00000001 (Pi≤1×10 -8). To ensure that this criterion is not exceeded, a launch operator shall establish each aircraft impact hazard area in accordance with § 417.225(g), § 417.225(i), § 417.235(c), and appendixes A and C of this part.

(c) Conjunction on launch assessment. A launch operator shall ensure that a launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a habitable orbital object throughout a sub-orbital launch. For an orbital launch, a launch operator shall ensure that a launch vehicle, any jettisoned components, and its payload do not pass closer than 200 kilometers to a habitable orbiting object during ascent Start Printed Page 63982to initial orbital insertion through at least one complete orbit. A launch operator shall obtain a conjunction on launch assessment from United States Space Command in accordance with § 417.233 and shall use the results to develop flight commit criteria for collision avoidance in accordance with § 417.113(b).

(d) Flight safety analysis. A launch operator shall perform and document flight safety analysis in accordance with subpart C of this part. The analysis must demonstrate compliance with the public risk criteria of paragraph (b) of this section and establish flight safety limits for each launch. The flight of a launch operator's launch vehicle shall take place in accordance with the flight safety limits established pursuant to subpart C of this part. A launch operator shall use the analysis products to develop flight safety rules that govern a launch as required by § 417.113.

(e) Radionuclides. For launch of any radionuclide, a launch operator must, through the licensing process and in accordance with § 415.115(c) of this chapter, demonstrate clearly and convincingly that any such launch would be consistent with public health and safety. The FAA will evaluate launch of any radionuclide on a case-by-case basis, and issue an approval if the FAA finds that the launch is consistent with public health and safety.

(f) Flight safety plan. A launch operator shall conduct each launch in accordance with its flight safety plan that was prepared during the licensing process in accordance with § 415.115 of this chapter and updated for each launch in accordance with the launch plan requirements of § 417.111 of this chapter.

Ground safety.

(a) FAA requirements for ground safety apply to launch processing at a launch site in the United States. Launch processing at a launch site outside the United States may be subject to the requirements of the governing jurisdiction.

(b) A launch operator shall protect the public from any hazards presented by operations and support systems at a launch site that are used in preparing a launch vehicle for flight. A launch operator shall perform a ground safety analysis and conduct each launch in accordance with a ground safety plan designed to protect the public from any adverse effects of preparing a launch vehicle for flight. Specific ground safety requirements that must be met by a launch operator are provided in subpart E of this part.

Launch plans.

(a) A launch operator shall implement a flight safety plan, a ground safety plan, and additional written launch plans that define how launch processing and flight of a launch vehicle will be conducted without adversely affecting public safety and how to respond to accidents and other unplanned emergencies.

(b) A launch operator shall update its flight safety plan, ground safety plan, and the additional launch plans that were prepared during the licensing process in accordance with §§ 415.115, 415.117 and 415.119 of this chapter for each specific launch. A launch operator shall submit any launch plan changes or additions to the FAA no later than 15 days before the associated activity is to take place. If a change involves the addition of a new public hazard or the elimination of any control for a previously identified public hazard, a launch operator licensee shall submit a license modification request in accordance with § 415.73 and the license modification plan required by § 415.119(n) of this chapter.

(c) A launch operator shall ensure that its activities are conducted in accordance with the public safety and environmental plans and agreements of any launch site operator for the launch site from which a launch operator launches.

Launch safety rules.

(a) General. A launch operator shall implement written safety rules that govern launch processing and flight of a launch vehicle. These launch safety rules must identify the environmental conditions and status of the launch vehicle, launch support equipment, and personnel under which launch processing and flight may be conducted without adversely affecting public safety. Launch rules must include flight safety rules that govern the flight of a launch vehicle and ground safety rules to be followed for each preflight ground operation at a launch site that has the potential to adversely affect public safety. Launch safety rules must be documented in a launch operator's launch plans. A launch operator's launch safety rules shall include those rules required by this section and any launch safety rules unique to a planned launch based on the launch operator's flight and ground safety analyses.

(b) Flight commit criteria. For each launch, a launch operator shall implement written flight commit criteria that identify the conditions that must be met to initiate flight. For each launch a launch operator shall document the actual conditions at the time of liftoff indicating that the flight commit criteria have been met. A launch operator's flight commit criteria must provide for:

(1) Assurance that the time of liftoff will be such that a launch vehicle's planned trajectory will avoid habitable spacecraft in Earth orbit in accordance with § 417.107 and the results of the conjunction on launch assessment required in § 417.233.

(2) Surveillance of established hazard areas and any aircraft and ship traffic to verify that any exposure to the public satisfies the public safety criteria of § 417.107 as determined by a flight hazard area analysis performed in accordance with § 417.225.

(3) Verification that any local agreements created pursuant to § 417.7 and § 417.121(e) have been satisfied.

(4) Verification that any flight safety system is available and operational, including all required equipment and personnel.

(5) Verification that flight day meteorological conditions, such as wind, lightning, and visibility, are within required limits defined by a flight safety analysis performed in accordance with subpart C of this part. If the flight day conditions violate the meteorological limits, flight must not be initiated unless an updated analysis is performed and shows that the public risk criteria in § 417.107(b) can be met under the existing conditions. For a launch vehicle flown with a flight safety system, a launch operator shall implement weather constraints designed to avoid natural lightning strikes and lightning triggered by the flight of the launch vehicle. A launch operator's flight safety rules must include the lightning related weather constraints provided in appendix G of this part unless otherwise approved by the FAA during the licensing process based on applicability to each planned launch.

(c) Flight termination rules. For a launch vehicle flown with a flight safety system, a launch operator shall implement a set of written rules that specify the conditions under which flight termination shall be initiated to ensure public safety. Flight termination rules must include, but need not be limited to the following:

(1) Flight must be terminated when valid data indicate that the launch vehicle has violated a flight safety limit established by a flight safety analysis performed in accordance with § 417.213. This shall be accomplished by monitoring real-time launch vehicle flight status parameters (such as debris footprint, instantaneous impact point, or vehicle present position and velocity vector flight angles) using the flight safety data processing system and the flight safety official console in Start Printed Page 63983accordance with § 417.327(f) and § 417.327(g), respectively, and initiating flight termination when a flight status parameter reaches a pre-defined flight safety limit.

(2) Flight must be terminated at the straight up time established in accordance with § 417.215 if the launch vehicle continues to fly a straight up trajectory and, therefore, does not turn downrange when it should.

(3) Flight must be terminated when real-time data provide grounds for concluding that the performance of the launch vehicle is erratic and the potential exists for the loss of flight safety system control of the launch vehicle when further flight is likely to violate the established safety criteria.

(4) A launch operator shall establish flight termination rules that apply the data loss flight times, earliest destruct time, and no longer endanger time determined in accordance with § 417.221. These flight termination rules must satisfy the following:

(i) Flight must be terminated no later than the earliest destruct time if tracking of the launch vehicle is not established and vehicle position and status data is not available to the flight safety official by the earliest destruct time.

(ii) Once launch vehicle tracking is established, if there is a loss of tracking data before the no longer endanger time and tracking data is not re-established, flight must be terminated no later than the expiration of the data loss flight time for the point in flight that the data was lost.

(5) In order to permit its launch vehicle to traverse a “gate” established in accordance with § 417.219, a launch operator shall verify that the launch vehicle is performing normally and shows no indication that the launch vehicle's performance will deviate from normal performance. If a launch vehicle is not performing normally immediately prior to entering a gate, the launch operator shall terminate flight. Once the launch vehicle has successfully traversed a gate, a launch operator shall not terminate flight while the launch vehicle's debris impact dispersion is over a populated or other protected area.

(d) Launch crew work shift and rest rules. A launch operator shall implement written rules governing the maximum length of work shifts and the amount of rest that must be afforded a launch crew. A launch operator's launch crew work shift and rest policies must provide for the following for any operation with the potential to have an adverse effect on public safety:

(1) Maximum 12-hour work shift with at least 8 hours of rest after 12 hours of work. The 8 hours of rest must be in addition to the round trip travel time between work and home or living quarters.

(2) Maximum 60 hours worked in the preceding 7 days.

(3) Maximum of 14 consecutive work days.

(4) No more than five consecutive 12-hour work shifts shall be scheduled without a 48-hour rest period.

Tests.

(a) General. A launch operator shall test all flight and ground systems and equipment that protect the public from any adverse effect of a launch in accordance with its test plans and procedures prepared during the licensing process in accordance with part 415, subpart F of this chapter and updated for each launch in accordance with § 417.111. A launch operator shall coordinate test plans and all associated test procedures with any launch site operator or other local entity associated with the operation. A launch operator shall determine the cause of any discrepancy identified during testing, develop and implement all corrective actions, and perform re-testing to verify each correction. A launch operator shall notify the FAA, including any onsite FAA inspector, of any discrepancy identified during testing and submit information on corrections implemented and the results of re-testing before the system or equipment is used in support of a launch.

(b) Flight safety system testing. A launch operator shall test any flight safety system and all flight safety system components, including any onboard launch vehicle flight termination system, command control system, and support system, in accordance with the test requirements of subpart D of this part.

(c) Ground system testing. A launch operator shall meet the test requirements of paragraph (a) of this section for any system or equipment used to support hazardous ground operations identified by the ground safety analysis required by § 417.405.

(d) Communications systems testing. A launch operator shall meet the test requirements of paragraph (a) of this section for any communication system used for voice, video, or data transmission that support a flight safety system or any other communication system that is used for a launch.

Reviews.

(a) General. A launch operator shall conduct meetings to review the status of operations, systems, equipment, and personnel required by this part 417. A launch operator shall implement its launch processing schedule submitted at the time of license application according to § 415.121 of this chapter and updated in accordance with § 417.9, which identifies each review to be conducted and when it is to be conducted, referenced to the planned liftoff. A launch operator shall maintain documented criteria for successful completion of each review. A launch operator shall document all review proceedings. Any corrective actions identified during a review shall be tracked to completion and documented. Launch operator personnel who oversee a review shall attest to successful completion of the review's criteria in writing. Reviews conducted by a launch operator for each launch shall include, but need not be limited to those identified in this section.

(b) Hazardous operations safety readiness reviews. A launch operator shall conduct a review prior to performing any hazardous operation with the potential to adversely effect public safety. The review must determine the launch operator's readiness to perform the operation and ensure that safety provisions are in place. The review must determine the readiness status of safety systems and equipment and verify that the personnel involved satisfy certification and training requirements.

(c) Flight termination system design review. A launch operator shall conduct a review of any onboard vehicle flight termination system and all components to ensure the design requirements have been satisfied and that the system components are ready for qualification testing in accordance with subpart D of this part.

(d) Flight safety analysis review. A launch operator shall conduct a flight safety analysis review to ensure that each analysis method used satisfies subpart C of this part and that the results are correct for each launch. A flight safety analysis review shall be conducted to allow any corrective actions to be completed before the launch safety review required in paragraph (f) of this section. The person who prepares the analysis must not conduct its review.

(e) Ground safety analysis review. A launch operator shall conduct a review of the ground safety analysis required by subpart E of this part and the status of ground safety systems, plans, procedures, and personnel that ensure public safety during ground operations. This review must be conducted in coordination with any launch site operator. A ground safety review must be successfully completed before Start Printed Page 63984ground operations begin at a launch site for each launch.

(f) Launch safety review. For each launch, a launch operator shall conduct a launch safety review no later than 15 days prior to the planned flight day. This review must determine the readiness of ground and flight safety systems, safety equipment, and safety personnel to support a flight attempt. Successful completion of a launch safety review must ensure, but need not be limited to, satisfaction of the following criteria:

(1) Verification that all safety requirements have been or will be satisfied before flight. All safety related action items must be resolved.

(2) Flight safety personnel must be assigned and certified in accordance with § 417.105.

(3) The flight safety rules and flight safety plan must incorporate a final flight safety analysis in accordance with subpart C of this part.

(4) A ground safety analysis must be complete in accordance with subpart E of this part and the results must be incorporated into the ground safety plan. The launch operator shall verify, at the time of the review, that the ground safety systems and personnel satisfy or will satisfy all requirements of the ground safety plan for support of flight.

(5) Safety related coordination with any launch site operator or local authorities must be accomplished in accordance with local agreements.

(6) A licensee shall verify that all safety related information for a specific launch has been submitted to the FAA in accordance with FAA regulations and any special terms of a license. A licensee shall verify that information submitted to the FAA reflects the current status of safety-related systems and processes for each specific launch. A licensee shall document this verification as part of the launch license readiness statement to the FAA in accordance with § 417.9.

(g) Launch (flight) readiness review. A launch operator shall conduct a launch readiness review in accordance with § 415.37 of this chapter and the requirements in this section within 48 hours of the first flight attempt. A launch director, designated in accordance with § 417.103, shall review all preflight testing and launch processing conducted up to the time of the review. The status of systems and support personnel shall be reviewed to determine readiness to proceed with launch processing and the launch countdown. A decision to proceed must be in writing and signed by the launch director and any launch site operator or federal range launch decision authority. Additional launch readiness reviews may be held at the discretion of the launch director. Information presented during a launch readiness review must address, but need not be limited to, the following:

(1) Readiness of launch vehicle and payload.

(2) Readiness of any flight safety system and personnel and the results of flight safety system testing.

(3) Readiness of all other safety-related equipment and services.

(4) Launch safety rules and launch constraints.

(5) Launch weather forecasts.

(6) Abort, hold and recycle procedures.

(7) Results of rehearsals conducted in accordance with § 417.119 of this subpart.

(8) Unresolved safety issues as of the time of the launch readiness review and plans for their resolution.

(9) Additional safety information that may be required to assess readiness for flight.

(10) Review launch failure initial response actions and investigation roles and responsibilities.

(h) Post-launch review and report. A launch operator shall conduct a post-launch review no later than 48 hours after completion of a launch and provide a post-launch report to the FAA no later than ten working days following completion of a launch. A launch operator shall identify any discrepancy or anomaly that occurred during the launch countdown and flight. A post-launch report must identify deviations from any term of the license or event that otherwise relate to public safety and any corrective actions to be implemented before any future launch. A post launch report must contain the results of any monitoring of flight environments performed in accordance with § 417.307(b) and any measured wind profiles used for the launch in accordance with § 417.217(d)(2). Additional post-launch review requirements that apply to launch of an unguided suborbital rocket are contained in § 417.125(j).

Rehearsals.

(a) General. A launch operator shall rehearse the launch crew and systems to identify corrective actions needed to ensure public safety. All rehearsals shall be conducted in accordance with each of the following:

(1) A launch operator shall conduct all rehearsals in accordance with the launch processing schedule submitted at the time of license application in accordance with § 415.121 of this chapter and any launch specific updates for each launch in accordance with § 417.9.

(2) A launch operator shall assess any anomalies identified by a rehearsal, ensure any changes needed to ensure public safety are incorporated into the launch processing and flight, and ensure the rehearsal or the related part of the rehearsal is repeated until successfully completed. A launch operator shall ensure that all rehearsals are completed at least 48 hours before the first flight attempt.

(3) A launch operator shall inform the FAA of any anomalies and related changes in operations performed during launch processing or flight resulting from a rehearsal.

(4) For each launch, each person that is to participate in the launch processing or flight of a launch vehicle shall participate in at least one related rehearsal that exercises all that person's functions.

(5) A launch operator must develop and conduct the rehearsals identified in this section for each launch unless the launch operator clearly and convincingly demonstrates an equivalent level of safety through the licensing process.

(6) Each rehearsal must simulate normal and abnormal preflight and flight conditions as needed to exercise the launch operator's launch plans.

(7) Rehearsals may be conducted at the same time provided that joint rehearsals do not create hazardous conditions, such as changing a hardware configuration that affects public safety.

(b) Countdown rehearsal. A launch operator shall develop and conduct a rehearsal with the countdown plan, procedures, and checklist required by § 415.119(l) of this chapter and updated as needed for each launch according to § 417.111. A countdown rehearsal must familiarize launch personnel with all countdown activities, demonstrate that the planned sequence of events is correct, and demonstrate that there is adequate time allotted for each event. A launch operator shall hold a countdown rehearsal after the launch vehicle and any launch support systems are assembled into their final configuration for flight and before the launch readiness review required by § 417.117.

(c) Launch abort or delay recovery and recycle rehearsal. A launch operator shall conduct a rehearsal of the launch abort or delay recovery and recycle plan developed during the licensing process in accordance with § 415.119(m) of this chapter and updated as needed for each launch in accordance with § 417.111. A launch operator shall conduct this rehearsal Start Printed Page 63985after or in conjunction with a countdown rehearsal.

(d) Emergency response rehearsal. A launch operator shall conduct a rehearsal of the emergency response plan developed in accordance with § 415.119(b) of this chapter and updated as needed for each launch according to § 417.111. A launch operator shall conduct an emergency response rehearsal for a first launch, for any additional launch that involves a new safety hazard, for a launch where there is a change in emergency response personnel, or for any launch where more than a year has passed since the last rehearsal. An emergency response rehearsal shall be conducted in conjunction with a countdown rehearsal.

(e) Communications rehearsal. A launch operator shall ensure that each part of the communications plan developed according to § 415.119(f) of this chapter and updated as needed for each launch according to § 417.111, is rehearsed either in conjunction with another rehearsal or during a specific communications rehearsal.

Safety critical preflight operations.

(a) General. A launch operator shall perform safety critical preflight operations that protect the public from the adverse effects of hazards associated with launch processing and flight of a launch vehicle. All safety critical preflight operations must be identified in the launch schedule submitted according to § 415.121 of this chapter. Safety critical preflight operations must include, but need not be limited to those defined in this section.

(b) Countdown. A launch operator shall conduct a launch countdown in accordance with a countdown plan, including procedures and checklists, developed during the licensing process according to § 415.119 of this chapter and which must be updated as needed for each specific launch according to § 417.111. A countdown plan must be disseminated to, and followed by, all personnel responsible for the countdown and flight of a launch vehicle. A countdown shall be communicated over a dedicated communications network that is controlled by a launch conductor responsible for ensuring that all countdown checklist items are successfully completed. A launch operator shall ensure that all channels of the communications network are recorded during each countdown. A launch conductor shall be in direct communication with launch support personnel and receive readiness statements when checklist events are successfully completed.

(c) Conjunction on launch assessment. A launch operator shall coordinate with United States Space Command to obtain a conjunction on launch assessment in accordance with § 417.233. A launch operator shall develop and incorporate flight commit criteria as required by § 417.113(b) to ensure that each launch meets the criteria of § 417.107(c).

(d) Meteorological data. A launch operator shall conduct operations and coordinate with weather organizations as needed to ensure accurate meteorological data is obtained to support the flight safety analysis required by subpart C of this part and to ensure compliance with the flight commit criteria developed in accordance with § 417.113.

(e) Local notification. A launch operator shall implement any local plans and agreements developed during the licensing process according to § 415.119 of this chapter. For a launch from a site with a licensed launch site operator, the launch operator shall coordinate as needed to ensure that the launch site operator's local plans and agreements are implemented and satisfied in accordance with part 420 of this chapter. A launch operator shall ensure the following are accomplished for each launch, either as part of its local plans and agreements or as part of any launch site operator's local plans and agreements:

(1) Any local plans and agreements shall be updated to reflect each launch.

(2) Local authorities shall be informed of designated hazard areas associated with a launch vehicle's planned trajectory and any planned impacts of flight hardware as defined by the flight safety analysis required by subpart C of this part. Notifications must be designed to ensure that the public is aware of hazard areas and when to avoid them.

(3) Any hazard area information prepared in accordance with § 417.225 or § 417.235 shall be provided to the local United States Coast Guard for dissemination to mariners.

(4) Hazard area information prepared in accordance with § 417.225 or § 417.235 for each aircraft hazard area within a flight corridor shall be provided to the FAA Air Traffic Control (ATC) office having jurisdiction over the airspace through which the launch will take place for the issuance of notices to airmen.

(5) A launch operator shall be in communication with the local Coast Guard and the FAA ATC office, either directly or through any launch site operator, to ensure that notices to airmen and mariners are issued and in effect at the time of flight.

(f) Hazard area surveillance. A launch operator shall implement its security and hazard area surveillance plan developed in accordance with § 415.119(h) of this chapter to ensure that the public safety criteria in § 417.107(b) are met for each launch. A launch operator shall determine any hazard areas that require surveillance in accordance with § 417.225 for an orbital launch or § 417.235 for a suborbital launch. For hazard areas requiring surveillance, a launch operator shall ensure that each hazard area is surveyed on the day of launch, and ensure that the presence of any members of the public in a surveyed hazard area is consistent with flight commit criteria developed for each launch in accordance with § 417.113. A launch operator shall verify the accuracy of any radar or other equipment used for hazard area surveillance and ensure that any inaccuracies in the surveillance system are accounted for when enforcing the flight commit criteria.

(g) Flight safety system preflight tests. A launch operator shall conduct preflight tests of any flight safety system in accordance with the requirements in subpart D of this part.

(h) Launch vehicle tracking data verification. For each launch a launch operator shall implement written procedures for verifying the accuracy of any launch vehicle tracking data provided to the flight safety official during flight. Any source of tracking data must satisfy the requirements of § 417.327(b).

(i) Unguided suborbital rocket preflight operations. For the launch of an unguided suborbital rocket, in addition to meeting the other requirements of this section where applicable, a launch operator shall perform the preflight wind weighting and other preflight safety operations required by § 417.125, § 417.235, and appendix C of this part.

Computing systems and software.

A launch operator shall ensure that any flight and ground computing system that performs or potentially performs a software safety critical function that can affect public safety is implemented in accordance with the requirements of appendix H of this part. Software safety critical functions that apply to the launch processing and flight of a launch vehicle are defined in appendix H. A launch operator shall ensure that computing systems and software used for each launch and any process for ensuring its reliability are as Start Printed Page 63986represented by the computing system and software data provided to the FAA as part of the licensing process according to § 415.123 of this chapter.

Launch of an unguided suborbital rocket.

(a) General. In addition to meeting the other requirements contained in this subpart, a launch operator shall conduct the launch of an unguided suborbital rocket in accordance with the requirements of this section.

(b) Flight safety. An unguided suborbital rocket shall be launched with a flight safety system in accordance with § 417.107 (a) and subpart D of this part unless one of the following exceptions applies:

(1) The unguided suborbital rocket, including any component or payload, does not have sufficient energy to reach any protected area in any direction from the launch point; or

(2) The launch operator demonstrates through the licensing process that the launch will be conducted using a wind weighting safety system that meets the requirements of paragraph (c) of this section.

(c) Wind weighting safety system. A launch operator's wind weighting safety system must consist of equipment, procedures, analysis and personnel functions used to determine the launcher elevation and azimuth settings that correct for the windcocking and wind drift that an unguided suborbital rocket will experience during flight due to wind effects. The launch of an unguided suborbital rocket that uses a wind weighting safety system must meet the following requirements:

(1) The unguided suborbital rocket must not contain a guidance or directional control system.

(2) The launcher azimuth and elevation settings must be wind weighted to correct for the effects of time of flight wind conditions to provide a safe impact location. The launch shall be conducted in accordance with the wind weighting analysis requirements and methods of § 417.235 and appendix C of this part.

(3) A launch operator shall use a launcher elevation angle setting that ensures the rocket will not fly uprange. A launch operator shall set the launcher elevation angle in accordance with the following:

(i) The nominal launcher elevation angle must not exceed 85°, and must be determined based on the proximity of population to the launch point.

(ii) For an unproven unguided suborbital rocket, the nominal launcher elevation angle must not exceed 80°. A proven unguided suborbital rocket is one that has demonstrated, by two or more launches, that flight performance errors are within all the three-sigma dispersion parameters modeled in the wind weighting safety system.

(iii) The launcher elevation angle setting may exceed the limits of paragraph (c)(3)(i) and (c)(3)(ii) of this section if the launch operator demonstrates, clearly and convincingly, an equivalent level of safety through the licensing process.

(iv) The launcher elevation angle setting need not be limited if the unguided suborbital rocket does not have sufficient energy for any component or payload to reach any protected area in any direction from the launch point.

(d) Public risk criteria. A launch operator shall conduct the launch of an unguided suborbital rocket in accordance with the public risk criteria in § 417.107(b). The casualty expectancy (EC) determined prior to the day of flight must satisfy the public risk criteria for the area defined by the range of launch azimuths that the launch operator will use to accomplish wind weighting. After wind weighting on the day of flight, a launch operator shall initiate flight only after verifying that the wind drifted impacts of all planned impacts and their five-sigma dispersion areas satisfy the public risk criteria.

(e) Stability. An unguided suborbital rocket, in all configurations, must be stable in flexible body to 1.5 calibers and rigid body to 2.0 calibers throughout each stage of powered flight. An unguided suborbital rocket is considered stable if, when measured from the tip of the rocket's nose, the distance to the rocket's center of pressure is greater than the distance to the rocket's center of gravity for each rocket configuration for the duration of flight. A caliber, for a rocket configuration, is defined as the distance between the center of pressure and the center of gravity divided by the largest frontal diameter of the rocket configuration.

(f) Flight safety analysis. A launch operator shall ensure that a flight safety analysis is performed for each unguided suborbital rocket launch in accordance with § 417.235. The results of the flight safety analysis shall be used to establish launch safety rules, including launch commit criteria as required by § 417.113.

(g) Flight safety personnel. A launch operator shall ensure that all personnel involved in the launch of an unguided suborbital rocket are certified to perform their roles as required by § 417.105. The flight safety organization for the launch of an unguided suborbital rocket must include the management positions and organizational elements required by § 417.103 and the following:

(1) A flight safety official who oversees launch-day activities and ensures that all launch commit criteria are met prior to flight.

(2) A wind weighting official who uses actual measured wind data and computes launch elevation and azimuth settings that correct for the wind-cocking and wind-drift effects on an unguided suborbital rocket due to wind conditions at the time of flight. The process used by a wind weighting official must satisfy the requirements of § 417.235 and appendix C of this part.

(h) Flight safety plan. A launch operator shall conduct a launch in accordance with its flight safety plan developed at the time of license application according to § 415.115 of this chapter and updated for each launch according to § 417.111.

(i) Tracking. A launch operator shall track the flight of an unguided suborbital rocket. The tracking system must provide data to determine the actual impact locations of all stages and components, to verify the effectiveness of the launch operator's wind weighting safety system, and to obtain rocket performance data for comparison with the preflight performance predictions.

(j) Post-launch review. A launch operator shall ensure that the post-launch review required by § 417.117(h) includes:

(1) Actual impact location of all impacting stages and any impacting components.

(2) A comparison of actual and predicted nominal performance.

(3) Investigation results of any launch anomaly. If flight performance deviates by more than a three-sigma dispersion from the nominal trajectory, the launch operator shall conduct an investigation to determine the cause of the rocket's deviation from normal flight and take corrective action before the next launch. Any corrective actions must be submitted to the FAA as a request for license modification before the next launch in accordance with § 415.73 of this chapter and the license modification plan required by § 415.119(n) of this chapter.

Unique safety policies and practices.

For each launch, a launch operator shall review operations, system designs, analysis, and testing, and identify and implement any additional policies and practices needed to protect the public. These policies and practices must ensure the safety of the public. A launch operator shall implement any launch Start Printed Page 63987operator unique safety policies and practices identified during the licensing process and documented in a launch operator's safety review document in accordance with § 415.125 of this chapter. For any new launch operator unique safety policy or practice or change to an existing safety policy or practice, the launch operator shall submit a request for license modification in accordance with § 415.73 of this chapter and the license modification plan required by § 415.119(n) of this chapter.

Subpart C—Flight Safety Analysis

Scope.

This subpart provides requirements for performing flight safety analysis in accordance with § 417.107(d) and performance standards for the analyses that a launch operator shall complete. This subpart also identifies the analysis products that a launch operator shall submit to the FAA when applying for a launch license in accordance with subpart F of part 415 of this chapter and as required by this subpart for each launch.

General.

(a) Compliance. A launch operator shall perform flight safety analysis to demonstrate that it will monitor and control risk to the public from normal and malfunctioning launch vehicle flight in accordance with the public risk criteria of § 417.107(b) and subpart C of this part. For each launch, a licensee shall perform flight safety analysis using methods approved by the FAA during the licensing process or as a license modification. Any change to a licensee's flight safety analysis methods shall be submitted to the FAA as a request for license modification in accordance with § 415.73 of this chapter before the launch to which the proposed change applies.

(b) Flight safety plan. Flight safety analysis products must be incorporated in a launch operator's flight safety plan. This plan shall be prepared during the license application process in accordance with § 415.115 of this chapter and updated to incorporate final analysis products for each launch in accordance with § 417.107(d).

(c) Submission of analysis products. A launch operator shall perform flight safety analysis and submit analysis products for each of the analyses required by this subpart to the FAA in accordance with the following:

(1) License application flight safety analysis. A launch operator shall perform flight safety analysis at the time of license application and submit the analysis products required by this subpart as part of the launch operator's safety review document in accordance with § 415.115(a) of this chapter. The FAA will evaluate the submitted analysis material to determine whether a launch operator's analysis methods for each launch are in compliance with the requirements of this subpart.

(2) Six-month flight safety analysis. A launch operator shall perform flight safety analysis for each launch and submit launch specific analysis products to the FAA no later than six months prior to the date of each planned flight. This analysis shall be performed with vehicle and mission specific input data as intended for the planned flight. A launch operator may reference previously submitted analysis products and data that are applicable to the launch. A launch operator shall identify any analysis product that may change as a flight date approaches. A launch operator shall describe what needs to be done to finalize any analysis product and identify when it will be finalized. The launch operator shall submit the analysis products using the same format and organization as submitted during the license application process. The FAA may request the launch operator to present the six-month flight safety analysis products in a technical meeting at the FAA.

(3) Thirty-day flight safety analysis update. A launch operator shall perform analysis and submit updated analysis products no later than 30 days prior to flight. The analysis must account for potential variations in input data that may affect the analysis products within the final 30 days prior to flight. The launch operator shall submit the analysis products using the same format and organization employed during the license application process. A launch operator shall not change an analysis product within the final 30 days prior to flight unless the change is an enhancement to public safety and making the change is identified as part of the launch operator's flight safety analysis process approved by the FAA through the licensing process.

(d) Applicability of analyses. Flight safety analysis must assess the flight of a guided or unguided expendable launch vehicle, whether it uses a flight safety system or a wind weighting safety system to protect the public. The requirements for wind analysis of § 417.217, the debris risk analysis of § 417.227, the toxic release hazard analysis of § 417.229, the distant focus overpressure blast effects risk analysis of § 417.231, and the conjunction on launch assessment requirements of § 417.233 apply to all launches. The requirements in § 417.235 apply only to the flight of any unguided suborbital launch vehicle that uses a wind weighting safety system. All other analyses required by this subpart apply to the flight of any launch vehicle that uses a flight safety system to ensure public safety in accordance with § 417.107(a).

(e) Dependent analyses. Because some analyses required by this subpart are inherently dependent on one another, a launch operator shall ensure that each product or data output of any one analysis is compatible in form and content with the data input requirements of any other analysis that depends on that output. Figure 417.203-1 illustrates the flight safety analyses that would be performed for a typical launch that uses a flight safety system and the dependent relationships that exist between the analyses.

Start Printed Page 63988

(f) Alternate analysis. A launch operator shall meet the requirements in this subpart unless the FAA approves an alternate analysis method through the licensing process. The FAA will approve an alternate method if a launch operator provides a clear and convincing demonstration that its proposed method provides an equivalent level of safety to that required by this subpart. A launch operator shall obtain FAA approval of an alternate method before the FAA will find the launch operator's license application or application for license modification sufficiently complete to initiate review pursuant to § 413.11 of this chapter. An alternate flight safety analysis method used by a federal launch range, that is documented and approved in the FAA baseline safety assessment of that federal launch range, is an acceptable alternate analysis method for a commercial launch from that range.

Trajectory analysis.

(a) General. A launch operator shall perform a trajectory analysis to determine a launch vehicle's nominal trajectory and potential three-sigma trajectory dispersions about the nominal trajectory. A launch operator's trajectory analysis shall also determine, for any time after lift-off, the limits of a launch vehicle's normal flight. Normal flight is defined as a properly performing launch vehicle whose real-time instantaneous impact point does not deviate from the nominal instantaneous impact point by more than the sum of the wind effects and the three-sigma performance deviations in the uprange, downrange, left-crossrange, or right-crossrange directions. Figure 417.205-1 illustrates the nominal trajectory and the three-sigma left and right dispersed trajectories for a sample launch from Florida.

Start Printed Page 63989

(b) Wind standards. A trajectory analysis shall incorporate wind data developed in accordance with the wind analysis in § 417.217 and in accordance with the following:

(1) A launch operator shall compute “with-wind” launch vehicle trajectories pursuant to § 417.205(f)(6) using annual composite wind profiles. When a launch operator will launch only at a particular time period during the year the launch operator may use the monthly composite wind for that time period.

(2) A launch operator shall compute the annual composite wind profile with a cumulative percentile frequency that represents wind conditions that are at least as severe as the worst wind conditions under which flight would be attempted. These worst wind conditions must account for the launch vehicle's ability to operate normally in the presence of wind and accommodate any flight safety limit constraints.

(c) Nominal trajectory. A launch operator shall compute a nominal trajectory that describes a launch vehicle's flight path, position and velocity, assuming all vehicle aerodynamic parameters are as expected, all vehicle internal and external systems perform exactly as planned, and there are no external perturbing influences other than atmospheric drag and gravity.

(d) Dispersed trajectories. A launch operator shall compute the following dispersed trajectories and describe a launch vehicle's position and velocity as a function of winds and three-sigma performance in the uprange, downrange, left-crossrange and right-crossrange directions.

(1) Three-sigma maximum and minimum performance trajectories. A launch operator shall compute a three-sigma maximum performance trajectory that provides the maximum downrange distance of the instantaneous impact point for any given time after lift-off. A launch operator shall compute a three-sigma minimum performance trajectory that provides the minimum downrange distance of the instantaneous impact point for any given time after lift-off. For any time after lift-off, the flight of a normally performing launch vehicle that is subjected to the assumed wind, shall have three-sigma impact dispersion, assuming a normal bivariate Gaussian distribution, lying between the extremes achieved at that time by the three-sigma maximum performing and three-sigma minimum performing launch vehicles.

(i) In calculating the three-sigma maximum and minimum performance trajectories, a launch operator shall use annual composite head wind and annual composite tail wind profiles that represent the worst wind conditions under which a launch would be attempted as described in accordance with paragraph (b)(2) of this section.

(ii) The three-sigma maximum and minimum performance trajectories must account for all launch vehicle performance error parameters that have a significant effect upon instantaneous impact point range. A launch operator shall identify these parameters and incorporate them into the analysis in accordance with paragraph (f)(1) of this section.

(2) Three-sigma left and right lateral trajectories. A launch operator shall compute a three-sigma left lateral trajectory that provides the maximum left crossrange distance of the instantaneous impact point for any given time after lift-off. A launch operator shall compute a three-sigma right lateral trajectory that provides the maximum right crossrange distance of the instantaneous impact point for any given time after lift-off. For any time-after-liftoff, the instantaneous impact point ground trace for three-sigma of all normally performing vehicles, assuming a normal bivariate Gaussian distribution, subjected to the assumed winds, must lie between the three-sigma left lateral instantaneous impact point ground trace and the three-sigma right lateral instantaneous impact point ground trace.

(i) In calculating each left and right lateral trajectory, composite left and composite right lateral-wind profiles Start Printed Page 63990shall be used which represent the worst wind conditions for which a launch would be attempted as required by paragraph (b)(2) of this section.

(ii) The three-sigma left and right lateral trajectories must account for the launch vehicle performance error parameters that have a significant effect upon the lateral deviation of the instantaneous impact point. A launch operator shall identify these performance error parameters and incorporate them into the analysis in accordance with paragraph (f)(1) of this section.

(3) Fuel-exhaustion trajectory. A launch operator shall compute a fuel exhaustion trajectory that is an extension of either the nominal trajectory taken through fuel exhaustion or the three-sigma maximum trajectory taken through fuel exhaustion, whichever of the two trajectories produces instantaneous impact points with the greatest range for any given time-after-liftoff. The fuel exhaustion trajectory shall be determined in accordance with the following:

(i) Trajectory data through fuel exhaustion is required even if a programmed thrust termination is scheduled in advance of fuel exhaustion.

(ii) For sub-orbital flights, fuel exhaustion trajectory data need only be determined for the last stage. Any previous stage is assumed to have nominal or three-sigma maximum performance as described by paragraph (d)(3) of this section.

(iii) For orbital flights, the fuel exhaustion trajectory data need only be determined for the last suborbital stage. Any previous stage is assumed to have nominal or three-sigma maximum performance as described by paragraph (d)(3) of this section.

(iv) The wind constraints for a fuel exhaustion trajectory shall be the same as those that apply to the nominal or three-sigma trajectory used to compute the fuel exhaustion trajectory.

(e) Straight-up trajectory. A launch operator shall compute a straight-up trajectory, beginning at the planned time of ignition, which simulates a malfunction that causes the launch vehicle to fly its entire flight in a vertical or near vertical direction above the launch point. The amount of time that a straight-up trajectory lasts must be no less than the sum of the straight-up time determined in accordance with § 417.215 plus the duration of a potential malfunction turn determined in accordance with § 417.207(b)(2).

(f) Analysis process and computations. A launch operator shall use a six-degree-of freedom trajectory model to generate each required three-sigma trajectory in terms of instantaneous impact point distance from the nominal location. In the course of generating each trajectory a launch operator shall use a root-sum-square trajectory analysis method that satisfies the requirements of paragraphs (f)(1) through (6) of this section or may employ an alternate method, such as a Monte Carlo analysis, if the launch operator demonstrates clearly and convincingly through the licensing process that its alternate method provides an equivalent level of safety. When using the root-sum-square method, a launch operator shall:

(1) Performance error parameters. Identify individual launch vehicle performance error parameters that contribute to the dispersion of the launch vehicle's instantaneous impact point. A launch operator shall identify all launch vehicle performance error parameters and any standard deviations for each parameter that reflect launch vehicle performance variations and any external forces that can cause offsets from the nominal trajectory during normal flight. Each dispersed trajectory must account for these performance error parameters. The performance error parameters must include thrust; thrust misalignment; specific impulse; weight; variation in firing times of the stages; fuel flow rates; contributions from the guidance, navigation, and control systems; steering misalignment; and winds.

(2) No-wind trajectory simulation. Perform a series of no-wind trajectory simulation runs using a six degree-of-freedom model. Each trajectory simulation run must introduce no more than one three-sigma value of a performance error parameter while all other parameters are held at nominal levels.

(3) Tabulate individual instantaneous impact point deviations. Tabulate at even one-second intervals, the individual downrange, uprange, left-crossrange, and right-crossrange instantaneous impact point deviations from the nominal instantaneous impact point location caused by each three-sigma value of the performance error parameters.

(4) Combine individual instantaneous impact point deviations. For each one-second interval, for each downrange, uprange, left crossrange, and right crossrange direction calculate the square root of the sum of the squares of all the individual instantaneous impact point deviations for each direction. The resulting values for downrange, uprange, left crossrange, and right crossrange represent the three-sigma maximum, minimum, left lateral, and right lateral instantaneous impact point deviations, respectively.

(5) No-wind matching trajectories. By further trajectory simulation, generate four thrusting flight no-wind trajectories that match the three-sigma instantaneous impact point deviations calculated in accordance with paragraph (f)(4) of this section.

(6) With-wind three-sigma trajectories. Generate each three-sigma trajectory using the worst wind conditions determined in accordance with paragraph (b) of this section and the launch vehicle performance error parameters and magnitudes used to generate the no-wind matching trajectories in accordance with paragraph (f)(5) of this section. The effect of winds on the three-sigma trajectory must be modeled from liftoff through the point in flight where the launch vehicle attains an altitude where the wind no longer affects the launch vehicle.

(g) Trajectory analysis products. A launch operator shall submit the products of its trajectory analysis to the FAA in accordance with § 417.203(c). Those products shall include the following:

(1) Assumptions and procedures. A description of all assumptions, procedures and models used in deriving the nominal and dispersed trajectories, with particular attention to the six-degrees-of-freedom model.

(2) Three-sigma launch vehicle performance error parameter(s). A description of the three-sigma performance error parameters accounted for by a trajectory analysis and each parameter's standard deviations determined in accordance with paragraph (f)(1) of this section.

(3) Wind profile(s). A graph and tabular listing of the annual winds required by paragraph (b)(1) of this section and the worst case winds required by paragraph (b)(2) of this section. The graph and tabular wind data must be the same as that used in performing the trajectory analysis and must provide wind magnitude and direction as a function of altitude for the air space regions from the Earth's surface to 100,000 feet in altitude for the area intersected by the launch vehicle trajectory. Altitude intervals must not exceed 1000 feet. Statistical wind geographic reference points shall not exceed spatial intervals greater than 2.5 degrees latitude or 2.5 degrees longitude. The graphical and tabular data shall conform to the presentation requirements of § 417.217(d)(1)(i) and § 417.217(d)(1)(ii), respectively. Start Printed Page 63991

(4) Launch azimuth. The azimuthal direction of the trajectory's “X-axis” at liftoff measured clockwise in degrees from true north.

(5) Launch point. Identification and location of the proposed launch point, including its name, geodetic latitude (+N), longitude (+E), and geodetic height.

(6) Reference ellipsoid. The name of the reference ellipsoid that the launch operator uses in performing trajectory analysis to approximate the average curvature of the Earth and the length of semi-major axis, length of semi-minor axis, flattening parameter, eccentricity, gravitational parameter, and angular velocity of the Earth at the equator. If the reference ellipsoid is not a WGS-84 ellipsoidal Earth model, the applicant shall submit the equations needed to convert the submitted ellipsoid information to the WGS-84 ellipsoid.

(7) Temporal trajectory items. A launch operator shall provide the following temporal trajectory data for time intervals not in excess of one second and for the discrete time points that correspond to each jettison, ignition, burnout, and thrust termination of each stage. For a sub-orbital launch vehicle, these data must account for the weight of any and all payloads to be flown and the planned nominal quadrant elevation angles of the vehicle's launcher. These data must be provided on paper in text format or electronically via disk files. The text format must have a column for each data item and a row for each time point. Disk files must be in ASCII text, space delimited format, with a column for each data item and a row for each time point. An electronic “readme” file shall be provided that clearly identifies the data, and their units of measure, in the individual disk files.

(i) Trajectory time-after-liftoff. Time-after-liftoff is measured from first motion of the first thrusting stage of the launch vehicle. The first motion time is identified as T-0 and shall be tabulated as the “0.0” time point on the trajectory.

(ii) Launch Vehicle Direction Cosines. The direction cosines of the roll axis, pitch axis, and yaw axis. The roll axis is a line identical to the launch vehicle's longitudinal axis with its origin at the nominal center of gravity positive towards the vehicle nose. The roll plane is normal to the roll axis at the vehicle's nominal center of gravity. The yaw axis and the pitch axis are any two orthogonal axes lying in the roll plane, and are chosen at the launch operator's discretion. Roll, pitch and yaw axes must be right-handed systems so that, when looking along the roll axis toward the nose, a clockwise rotation around the roll axis will send the pitch axis toward the yaw axis. The right-handed system must be oriented such that the yaw axis is positive in the downrange direction while in the vertical position (roll axis upward from surface) or positive at an angle of 180 degrees to the downrange direction. The axis may be related to the vehicle's normal orientation with respect to the vehicle's trajectory but, once defined, remain fixed with respect to the vehicle's body. The launch operator shall indicate the positive direction of the yaw axis chosen. The reference system for the direction cosines shall be the EFG system described in paragraph (g)(7)(iv) of this section.

(iii) X, Y, Z, XD, YD, ZD trajectory coordinates. The launch vehicle position coordinates (X, Y, Z) and velocity magnitudes (XD, YD, ZD) must be referenced to an orthogonal, Earth-fixed, right-handed coordinate system. The XY-plane must be tangent to the ellipsoidal Earth at the origin, which is the launch point, the positive X-axis must coincide with the launch azimuth, the positive Z-axis must be directed away from the ellipsoidal Earth, and the Y-axis must be positive to the left looking downrange.

(iv) E, F, G, ED, FD, GD trajectory coordinates. The launch vehicle position coordinates (E, F, G) and velocity magnitudes (ED, FD, GD) must be referenced to an orthogonal, Earth fixed, Earth centered, right-handed coordinate system. The origin of the EFG system must be at the center of the reference ellipsoid. The E and F axes lie in the plane of the equator and the G-axis coincides with the rotational axis of the Earth. The E-axis is positive through 0° East longitude (Greenwich Meridian), the F-axis is positive through 90° East longitude, and the G-axis is positive through the North Pole. This system is non-inertial and rotates with the Earth.

(v) Resultant Earth-fixed velocity. The square root of the sum of the squares of the XD, YD, and ZD components of the trajectory state vector.

(vi) Path angle of velocity vector. The angle between the local horizontal plane and the velocity vector measured positive upward from the local horizontal. The local horizontal is a plane tangent to the ellipsoidal Earth at the sub-vehicle point.

(vii) Sub-vehicle point. Sub-vehicle point coordinates include present position geodetic latitude (+N) and present position longitude (+E). These coordinates are found at each trajectory time on the surface of the ellipsoidal Earth model and are located at the intersection of the line normal to the ellipsoid and passing through the launch vehicle center of gravity.

(viii) Altitude. The distance from the sub-vehicle point to the launch vehicle's center of gravity.

(ix) Present position arc-range. The distance measured along the surface of the reference ellipsoid, from the launch point to the sub-vehicle point.

(x) Total weight. The sum of the inert and propellant weights for each time point on the trajectory.

(xi) Total thrust. This thrust is a scalar quantity.

(xii) Instantaneous impact point data. These data include instantaneous impact point geodetic latitude (+N), instantaneous impact point longitude (+E), instantaneous impact point arc-range, and time to instantaneous impact. The instantaneous impact point arc-range is the distance, measured along the surface of the reference ellipsoid, from the launch point to the instantaneous impact point. The time to instantaneous impact is the vacuum flight time remaining to impact, assuming all thrust is terminated at the associated time-after-liftoff.

(xiii) Dynamic pressure as a function of time-of-flight. Tabular data as part of the temporal trajectory items and a two-dimensional graph, with time-of-flight on the X-axis and dynamic pressure on the Y-axis.

(xiv) Coriolis displacement. The geodetic distance from the instantaneous impact point to the displacement point caused by Coriolis accelerations if this effect is not included in the trajectory computations.

(8) Conditions for guided expendable launch vehicles. For guided expendable launch vehicles, all trajectories must be provided from launch up to a point in flight where effective thrust of the final stage has terminated, or to thrust termination of the stage or burn that places the vehicle in orbit.

(9) Conditions for unguided expendable launch vehicles. For unguided expendable launch vehicles, trajectories shall be provided from launch until burnout of the final stage for each nominal quadrant elevation angle and payload weight. Time steps of the trajectory must be at even intervals, not to exceed one second increments during thrusting flight, and for discrete times corresponding to each jettison, ignition, burnout, and thrust termination of each stage. If any stage burn time is less than four seconds, time intervals must be reduced to 0.2 seconds or less.

Malfunction turn analysis.

(a) General. A launch operator shall perform a malfunction turn analysis to Start Printed Page 63992determine a launch vehicle's greatest turning capability as a function of trajectory time. A launch operator shall use the products of its malfunction turn analysis as input to its flight safety limits analysis and other analysis where it is necessary to determine how far a launch vehicle's impact point can deviate from the nominal impact point when a malfunction occurs. A launch operator shall determine the set of launch vehicle velocity vector angular deviations, measured from the nominal launch vehicle velocity vector, that cause deviation from the nominal instantaneous impact point. The velocity vector angular deviations shall be determined as a function of time, beginning at the malfunction start time. A launch operator shall also determine the corresponding change in launch vehicle velocity magnitude from the nominal velocity magnitude, as a function of time, beginning at the malfunction start time.

(b) Malfunction turn analysis constraints. A launch operator shall apply the following constraints to a malfunction turn analysis:

(1) A launch operator shall determine a flight safety system time delay in accordance with § 417.223 and use the results to determine the required malfunction turn duration in accordance with paragraph (b)(2) of this section.

(2) A malfunction turn shall start at a given malfunction start time and have a duration of no less than 12 seconds or the product of 1.2 times the flight safety system time delay, whichever is greater. These duration limits apply regardless of whether or not the vehicle would break up or tumble before the prescribed duration of the turn.

(3) A malfunction turn analysis must cover the thrusting periods of flight along a nominal trajectory. Malfunction turn data are required for all trajectory times from ignition to thrust termination of the final thrusting stage or until the launch vehicle achieves orbital velocity (orbital insertion), whichever occurs first.

(4) A malfunction turn must be a 90-degree turn or a turn in both the pitch and yaw planes that would produce the largest deviation from the nominal instantaneous impact point of which the launch vehicle is capable at any time during the malfunction turn. A 90-degree turn is a turn produced at the malfunction start time by instantaneously re-directing and maintaining the vehicle's thrust at 90 degrees to the velocity vector, without regard for how this situation can be brought about. A launch operator shall determine the type of turn to use as a malfunction turn in accordance with paragraph (d) of this section. If a launch operator elects not to use a 90-degree turn, the following types of turns apply when determining the malfunction turn in accordance with paragraph (d) of this section:

(i) Pitch turn. A pitch turn is the angle turned by the launch vehicle's total velocity vector in the pitch-plane. The velocity vector's pitch-plane is the two dimensional surface that includes the launch vehicle's yaw-axis and the launch vehicle's roll-axis. Figure 417.207-1 shows relative spatial relationships between the pitch plane, acceleration vector (Ao), initial velocity vector (Vo), malfunction turn velocity vector (Vturn), angle of attack (α), and malfunction turn angle (θ). The depiction of the acceleration vector, as shown in Figure 417.207-1, was simplified by aligning it with the roll axis.

(ii) Yaw turn. A yaw turn is the angle turned by the launch vehicle's total velocity vector in the lateral plane. The velocity vector's lateral plane is the two dimensional surface that includes the launch vehicle's pitch axis and the launch vehicle's total velocity vector. Figure 417.207-2 shows relative spatial relationships between the lateral turn plane, acceleration vector (Ao), initial velocity vector (Vo), malfunction turn velocity vector (Vturn), angle of attack (α), and malfunction turn angle (θ). The depiction of the acceleration vector, as shown in Figure 417.207-2, was simplified by aligning it with the roll axis. The launch operator shall measure Start Printed Page 63993the angle of attack between the roll axis and the velocity vector.

(iii) Trim turn. A trim turn is a turn where a launch vehicle's thrust moment balances the aerodynamic moment while a constant rotation rate is imparted to the launch vehicle's longitudinal axis. A maximum-rate trim turn is made at or near the greatest angle of attack that can be maintained while the aerodynamic moment is balanced by the thrust moment, whether the vehicle is stable or unstable.

(iv) Tumble turn. A tumble turn is a turn that results if the launch vehicle's airframe rotates in an uncontrolled fashion, at an angular rate that is brought about by a thrust vector offset angle, which is held constant throughout the turn. A series of tumble turns, each turn with a different thrust vector offset angle, shall be plotted on the same graph for a given malfunction start time.

(v) Turn envelope. A turn envelop is a curve on a tumble turn graph that has tangent points to each individual tumble turn curve computed for a given malfunction start time. This curve envelops the actual tumble turn curves giving a prediction of tumble turn angle for data areas between the calculated turn curves. This envelope is required because an infinite number of thrust vector deviation angles is possible and it is impractical to produce a curve for each deviation angle. Figure 417.207-3 depicts a series of tumble turn curves and the tumble turn envelope curve.

Start Printed Page 63994

(5) A launch operator's first malfunction turn start time must not be greater than the nominal trajectory time corresponding to the earliest destruct time determined in accordance with § 417.221 minus the flight safety system delay time determined in accordance with § 417.223. Subsequent malfunction turns shall be initiated at regular nominal trajectory time intervals not to exceed the flight safety system delay time.

(6) A malfunction turn analysis must provide malfunction turn computation intervals of one second over the duration of each malfunction turn.

(7) For the purposes of performing the various malfunction turn computations, a launch operator shall assume that the launch vehicle performance is nominal up to the point of the malfunction that produces the turn.

(8) A launch operator shall not include the effects of gravity in a malfunction turn analysis, unless a launch operator ensures that there is no duplication of gravity effects by any other dependent analysis that uses the products of the malfunction turn analysis as input. Other analyses that may account for gravity effects include, but need not be limited to, the flight safety limits analysis (§ 417.213), data lose flight time analysis (§ 417.221), toxic release hazard analysis (§ 417.229), distant focus overpressure blast effects risk analysis (§ 417.231), hazard areas analysis (§ 417.225), and debris risk analysis (§ 417.227).

(9) A launch operator shall evaluate both pitch and yaw turns for malfunction start times that correspond to each sub-vehicle point. A launch operator shall use the velocity vector turn angle rate that causes the largest dispersion, from either the pitch or yaw turn computations, in the development of flight safety limits. If the pitch turn angle and yaw turn angle are the same except for the effects of gravity, the yaw turn angles may be determined from pitch calculations that, in effect, have had the gravity component subtracted out at each step in the computations.

(10) A launch operator's malfunction turn analysis shall ensure the tumble turn envelope curve maintains a positive slope throughout the malfunction turn duration as illustrated in figure 417.207-3. A launch operator may encounter a known difficulty with calculating tumble turns for an aerodynamically unstable launch vehicle. In the high aerodynamic region it often turns out that no matter how small the initial deflection of the rocket engine, the airframe tumbles through 180 degrees, or one-half cycle, in less time than the required turn duration period. In such a case, the launch operator shall use a 90-degree turn as the malfunction turn.

(c) Failure modes. A malfunction turn analysis must evaluate the significant failure modes that result in a thrust vector offset from the nominal state. If the malfunction turn at a given malfunction start time can occur as a function of more than one failure mode, the launch operator must evaluate the malfunction turn for the mode causing the most rapid and largest launch vehicle instantaneous impact point deviation. Failure modes will vary as a function of flight time. The same set of failure modes shall be used for each malfunction start time where applicable to that point of a vehicle's flight.

(d) Determining type of malfunction turn to use. A launch operator shall establish the maximum turning capability of a launch vehicle's velocity vector based on an evaluation of trim turns and tumble turns, in both the pitch and yaw planes, or a 90-degree turn. The different types of turns are defined in paragraph (b)(4) of this section. When computing malfunction turn angles on the basis of a 90-degree turn, a launch operator shall ensure that its flight safety plan, including the flight corridor, flight safety limits, and mission rules reflect the conservative safety buffers that result from using this approach. When not using a 90-degree turn, a launch operator shall establish the launch vehicle maximum turning capability in accordance with the following malfunction turn capabilities:

(1) Launch vehicle stable at all angles of attack. If a launch vehicle is so stable Start Printed Page 63995that the maximum thrust moment cannot produce tumbling, but produces a maximum-rate trim turn at some angle of attack less than 90 degrees, the launch operator shall determine a series of trim turns, including the maximum-rate trim turn, by varying the initial thrust vector offset at the beginning of the turn. If the maximum thrust moment results in a maximum-rate trim turn at some angle of attack greater than 90 degrees, a launch operator shall determine a series of trim turns for angles of attack up to and including 90 degrees.

(2) Launch vehicle aerodynamically unstable at all angles of attack. During the part of launch vehicle flight where the maximum trim angle of attack is small, tumble turns may result in the greatest malfunction turn angles. If the maximum trim angle of attack is large, trim turns may lead to higher malfunction turn angles than tumble turns. If the launch operator clearly and convincingly demonstrates that flying a trim turn even for a period of only a few seconds is impossible, the malfunction turn analysis need only determine tumble turns. Otherwise, the launch operator's malfunction turn analysis must determine a series of trim turns, including the maximum-rate trim turn, and the family of tumble turns.

(3) Launch vehicle unstable at low angles of attack but stable at some higher angles of attack. If large engine deflections result in tumbling, and small engine deflections do not, a series of trim and tumble turns shall be generated as required by paragraph (d)(2) of this section for launch vehicles aerodynamically unstable at all angles of attack. If both large and small constant engine deflections result in tumbling, regardless of how small the deflection might be, the malfunction turn capabilities achieved at the stability angle of attack, assuming no upsetting thrust moment, shall be used in addition to the turns achieved by a tumbling vehicle. This situation arises because the stability at high angles of attack is insufficient to arrest the angular velocity, which is built up during the initial part of a tumble turn where the launch vehicle is unstable. Although the launch vehicle cannot arrive at this stability angle of attack as a result of the constant engine deflection, there is some deflection behavior, such as a deflection rate, that will produce this result. If a launch operator determines that arriving at such a deflection program is too difficult or too time consuming, the launch operator may assume that the launch vehicle instantaneously rotates to the trim angle of attack and stabilizes at this point. In such a case, tumble turn angles may be used during that part of launch vehicle flight for which the tumble turn envelope curve maintains a positive slope throughout the duration of the computation.

(e) Malfunction turn analysis products. The products of a launch operator's malfunction turn analysis to be submitted to the FAA in accordance with § 417.203(c) must include the following:

(1) A description of the assumptions, techniques, and equations used in deriving the malfunction turns.

(2) A set of sample calculations for at least one flight hazard area malfunction start time and one downrange malfunction start time. The sample computation for the downrange malfunction start time shall be at least 50 seconds greater than the flight hazard area malfunction start time or at the time of nominal thrust termination of the final stage minus the malfunction turn duration.

(3) A description of how any yaw turn angles were developed from pitch turn computations as described in paragraph (b)(9) of this section.

(4) A launch operator shall submit malfunction turn data in tabular and graphic formats. Scale factors of graphs must be selected so the plotting and reading accuracy do not degrade the accuracy of the data. For each malfunction turn start time, the time scales on malfunction velocity vector turn angle and malfunction velocity magnitude plot pairs shall be the same. Tabular listings of the data used to generate the graphs are required in digital ASCII file format. A launch operator shall submit the data items required in this paragraph for each malfunction start time. These data must be provided at intervals of one second or less over the malfunction turn duration

(i) Velocity turn angle graphs. For each malfunction turn angle graph, the ordinate axis must represent the total angle turned by the velocity vector, and the abscissa axis must represent the time duration of the turn. The abscissa must be divided into one-second increments. A launch operator shall submit a graph for each malfunction start time. The series of tumble turns shall include the envelope of all tumble turn curves. The tumble turn envelope shall represent the tumble turn capability for all possible constant thrust vector offset angles (or other parameter). For this case, plots of each tumble turn curve selected to define the envelope are required on the same graph with the envelope. For trim turns, a series of trim turn curves for representative values of thrust vector offset (or other parameter) is required. The series of trim turn curves shall include the maximum-rate trim turn. Figure 417.207-4 depicts an example family of tumble turn curves and the tumble turn velocity vector envelope.

(ii) Velocity magnitude graphs. For each malfunction velocity magnitude graph, the ordinate axis must represent the magnitude of the velocity vector and the abscissa axis must represent the time duration of the turn. The abscissa must be divided into one-second increments. A launch operator shall submit a graph for each malfunction start time. The total velocity magnitude shall be plotted as a function of time after the malfunction start time for each thrust vector offset (or other parameter) used to define the corresponding velocity turn-angle curve. A corresponding velocity magnitude curve is required for each velocity tumble-turn angle curve and each velocity trim-turn angle curve. For each individual tumble turn curve selected to define the tumble turn envelope, its point of tangency to the envelope shall be indicated on the corresponding velocity magnitude graph. The point of tangency is the point where the tumble turn envelope is tangent to an individual tumble turn curve produced with a discrete thrust vector offset angle (or other parameter). Transposing the points of tangency to the velocity magnitude curves is accomplished by plotting a point on the velocity magnitude curve at the same time point where tangency occurs on the corresponding velocity tumble-turn angle curve. Figure 417.207-5 depicts an example tumble turn velocity magnitude curve.

Start Printed Page 63996

Start Printed Page 63997

(iii) Vehicle orientation. If thrust-augmenting rocket motors are used on a launch vehicle, the launch operator shall submit tabular or graphical data for the vehicle attitude in the form of roll, pitch, and yaw angular orientation of the vehicle longitudinal axis as a function of time into the turn for each turn initiation time. Angular orientation of a launch vehicle's longitudinal axis is illustrated in figures 417.207-6 and 417.207-7.

Start Printed Page 63998

Start Printed Page 63999

(iv) Onset conditions. A launch operator shall provide launch vehicle state information for each malfunction start time. This state data shall include the launch vehicle thrust, weight, velocity magnitude and pad-centered topocentric X, Y, Z, XD, YD, ZD state vector.

(v) Breakup information. A launch operator shall specify if its launch vehicle will remain intact throughout each malfunction turn. If the launch vehicle will breakup during a turn, then the time for launch vehicle breakup must be indicated on the velocity magnitude graphs. The time into the turn at which vehicle breakup would occur must be either a specific value or a probability distribution for time to breakup.

(vi) Inflection point. A launch operator shall indicate the inflection point on each tumble turn envelope curve and maximum rate trim turn curve for each malfunction start time as illustrated in figure 417.207-4. The inflection point marks the point in time during the turn where the slope of the curve stops increasing and begins to decrease or, in other words, the point where the concavity of the curve changes from concave up to concave down. The inflection point on a malfunction turn curve indicates the time in the malfunction turn that the launch vehicle body achieves a 90-degree rotation from the nominal position. On a tumble turn curve the inflection point represents the start of the launch vehicle tumble.

(vii) Gravity effects. A launch operator's malfunction turn analysis products must identify whether the malfunction turn analysis accounts for the effects of gravity. If the malfunction turn analysis accounts for the effects of gravity, the products must include a demonstration of how the analysis satisfies paragraph (b)(8) of this section.

Debris analysis.

(a) General. A launch operator shall perform a debris analysis that identifies inert, explosive and other hazardous launch vehicle debris resulting from a launch vehicle malfunction and from any planned jettison of launch vehicle components for orbital and sub-orbital launch.

(b) Debris analysis constraints. A debris analysis must produce the debris models described in paragraphs (c) and (d) of this section, in the form of lists of debris that results from breakup of a launch vehicle and any planned jettison of debris or components. Each list must describe each debris fragment produced, including its physical characteristics, whether it is inert or explosive, and the effects of impact, such as explosive overpressure, skip, splatter, or bounce radius. Each debris list must be produced in accordance with the following:

(1) A debris analysis must account for launch vehicle breakup caused by the activation of any flight termination system in accordance with the following:

(i) A debris analysis must account for the effects of debris produced when an intact malfunctioning vehicle is destroyed by flight termination system activation.

(ii) A debris analysis must account for spontaneous breakup of the launch vehicle assisted by the action of any inadvertent separation destruct system included as part of a flight termination system.

(iii) A debris analysis must account for the effects of debris produced when a flight termination system is activated after inadvertent breakup of the launch vehicle.

(2) A debris analysis must account for debris due to any malfunction where the launch vehicle's structural integrity limits may be exceeded.

(3) A debris analysis must account for the immediate post-breakup or jettison Start Printed Page 64000environment of the launch vehicle debris, any change in debris characteristics over time from launch vehicle break-up or jettison to debris impact, and the effects of the debris upon impact.

(4) A debris analysis must account for the impact overpressure, fragmentation, and secondary debris effects of any confined or unconfined solid propellant chunks and fueled components containing either liquid or solid propellants that could survive to impact, as a function of vehicle malfunction time.

(5) A debris analysis must account for the effects of impact of the intact vehicle as a function of failure time. The intact impact debris analysis must identify the trinitrotoluene (TNT) yield of impact explosions, and the numbers of fragments projected from all such explosions, including non-launch vehicle ejecta and the blast overpressure radius. The TNT yield of impact explosion may be estimated from several models. The input to these models must include the propellant weight at impact, the impact speed, the orientation of the propellant, and the impacted surface material. Figure 417.209-1 shows the generic relationship between impact speed and TNT yield. A launch operator shall identify the impact yield relationship for its launch vehicle propellant for use in the debris analysis.

(c) Debris model. A debris analysis must produce a model of the debris resulting from unplanned breakup of a launch vehicle for use as input to other analyses, such as establishing flight safety limits and hazard areas and performing debris risk, toxic, and blast analyses. A launch operator's debris model must satisfy the following:

(1) Debris fragments. A debris model must contain debris fragment data for the launch vehicle flight period from the planned ignition time until the launch vehicle achieves orbital velocity for an orbital launch. For a sub-orbital launch, the debris model must contain debris fragment data for the launch vehicle flight period from the planned ignition time up to thrust termination of the last thrusting stage.

(2) Inert fragments. A debris model must identify all inert fragments that are not volatile and that could not burn or explode. A debris model must identify inert fragments for each breakup time during flight corresponding to a critical event when the fragment catalog is significantly changed by the event. Critical events include staging, payload fairing jettison, or other normal hardware jettison activities.

(3) Explosive and non-explosive propellant fragments. A debris model must identify all propellant fragments that are explosive or non-explosive upon impact. The debris model must describe each propellant fragment as a function of time, from the time of breakup through ballistic free-fall to impact. The data shall describe the fragment characteristics, including its weight, at the time of breakup and at the time of impact. The fall time characteristics shall be described as a function of time, such as burn rate under ambient atmospheric conditions. The time frequency of the data must represent the rate at which the fragment characteristics change so as not to reduce the accuracy of the data. The debris model shall identify the following types of propellant fragments:

(i) Un-contained non-explosive solid propellant fragment. Solid propellant that is exposed directly to the atmosphere and that could burn but not explode upon impact.

(ii) Contained non-explosive propellant fragment. Solid or liquid propellant that is enclosed in a container, such as a motor case or pressure vessel, and that could burn but not explode upon impact.

(iii) Contained explosive propellant fragment. Solid or liquid propellant that is enclosed in a container, such as a Start Printed Page 64001motor case or pressure vessel, and that will explode upon impact.

(iv) Un-contained explosive solid propellant fragment. Solid propellant that is exposed directly to the atmosphere and that will explode upon impact.

(4) Other non-inert debris fragments. In addition to the explosive and flammable fragments required by paragraph (c)(3) of this section, a debris model must identify any other non-inert debris fragments, such as toxic or radioactive fragments, that present any other hazards to the public.

(5) Fragment ballistic coefficient. A debris model must include the axial, transverse, and tumble orientation ballistic coefficient for each fragment's projected area as described in paragraph (c)(8) of this section.

(6) Fragment weight. At each modeled breakup time, the individual fragment weights must approximately add up to the total weight of inert material in the vehicle combined with the weight of contained liquid propellants and solid propellants that are not consumed in the initial breakup or conflagration.

(7) Fragment imparted velocity. A debris model must include the maximum velocity imparted to each fragment due to potential explosion or pressure rupture. Unless otherwise defined by the launch operator, the velocity shall be modeled with a Maxwellian distribution with the specified maximum value equal to the 97th percentile. If the velocity distribution is different than the Maxwellian, a launch operator shall define the distribution, including whether the specified maximum value is interpreted as a fixed value with no uncertainty.

(8) Fragment projected area. A debris model must include the planform area of the fragment normal to the drag force at the stability angle of attack. If the fragment will not stabilize, the projected area is the tumble area normal to the drag force.

(9) Fragment effective casualty area. A debris model must identify the effective casualty area of each debris fragment. For inert fragments and non-explosive propellant fragments the casualty area must account for the size of the fragment, the path angle of the fragment trajectory at impact, the effects of slide, bounce and splatter produced from hard and soft surfaces, and whether a non-explosive propellant fragment is contained or un-contained. For explosive propellant fragments the effective casualty area must account for blast overpressure, non-explosive remains, ejecta originating from the impact location, and whether the propellant fragment is contained or un-contained. For other non-inert fragments, such as toxic or radioactive fragments, the effective casualty area must account for the diffusion, dispersion, deposition, radiation or other hazard exposure characteristics of the non-inert debris and must be a circle that is defined by a hazard radius for the non-inert fragment.

(10) Debris fragment count. A debris model must include the total number of each type of fragment listed in paragraphs (c)(2), (c)(3), and (c)(4) of this section resulting from a malfunction.

(11) Fragment classes. A launch operator shall categorize malfunction debris fragments into classes where the hazards associated with the mean fragment in each class conservatively represent the hazards for every fragment in the class. A launch operator shall define fragment classes as one or more fragments whose characteristics are similar enough to allow all the fragments in the class to be described and treated by a single average set of characteristics. Fragments shall be categorized into classes in accordance with the following:

(i) A launch operator shall use fragment type as the primary parameter for categorizing fragments. All fragments within a class must be of the same type as defined in paragraphs (c)(2), (c)(3), and (c)(4) of this section.

(ii) A launch operator shall use the debris subsonic ballistic coefficient (βsub) as the secondary parameter for categorizing fragments. A launch operator shall keep the difference of the smallest log10 10(βsub) value from the largest log10 10(βsub) value in a class less than 0.5.

(iii) A launch operator shall use the breakup-imparted velocity (ΔV) as the tertiary parameter for categorizing fragments. Fragments shall be categorized as a function of the range of ΔV for the fragments within a class and the class's median subsonic ballistic coefficient. For each class, a launch operator shall keep the ratio of the maximum breakup-imparted velocity (ΔVmax) to minimum breakup-imparted velocity (ΔVmin) within the following bound:

Where: β′sub is the median subsonic ballistic coefficient for the fragments in a class.

(d) Jettisoned body model. A launch operator's debris analysis must produce a jettisoned body model of the launch vehicle debris resulting from scheduled launch vehicle events for use as input to other analyses, such as the flight safety limits, hazard areas, and debris risk analyses. Jettisoned bodies include, but need not be limited to, stages, payload fairings, thrust reversal ports, solid rocket motors, attach fittings and associated hardware components. A jettisoned body model must include, but need not be limited to the following:

(1) Jettisoned body fragment count. The number of each type of jettisoned body resulting from a specific scheduled jettison.

(2) Re-entry breakup. If the jettisoned body breaks up during reentry, the launch operator's debris model must include an estimate of the number of debris fragments, their approximate weights, projected areas, and ballistic coefficients.

(3) Jettison flight time. The time from liftoff during normal flight that each jettison is planned to occur.

(4) Weights. Total weight of each jettisoned body at the time it is jettisoned.

(5) Projected area. The stability angle of attack planform area of the jettisoned body normal to the drag force. If the jettisoned body will not stabilize, the projected area is the tumble area normal to the drag force.

(6) Ballistic coefficient. The axial, transverse, and tumble orientation ballistic coefficient for each fragment's projected area as identified in accordance with paragraph (d)(5) of this section.

(e) Debris analysis products. A launch operator shall submit the products of its debris analysis to the FAA in accordance with § 417.203(c). Those products shall include the following:

(1) Multiple fragment lists. Lists of fragments that identify the variation of the fragment characteristics with breakup time.

(2) Fragment descriptions. A description of the fragments contained in the launch operator's debris model required by paragraph (c) of this section. The description must identify the fragment as a launch vehicle part or component, describe its shape and dimensions and include any drawings.

(3) Minimum distance fragment. As a function of breakup time, identification of the fragment that, in the absence of winds, will travel the least distance in comparison to all other fragments.

(4) Intact impact TNT yield. For an intact impact of a launch vehicle, for each failure time, a launch operator shall identify the TNT yield of each impact explosion, blast overpressure radius, and the number of fragments projected from all such explosions including non-launch vehicle ejecta. Start Printed Page 64002

(5) Maximum distance fragment. As a function of breakup time, identification of the fragment that, in the absence of winds, will travel the greatest distance in comparison to all other fragments.

(6) Fragment class data. The class name, boundaries of the class grouping parameters, and the number of fragments in any fragment class established in accordance with paragraph (c)(11) of this section.

(7) Breakup altitude. For breakup due to aerodynamic loads, inertial loads, and atmospheric reentry, identification of the range of altitudes at which breakup may occur.

(8) Ballistic coefficient (β). The mean and plus and minus three-sigma values for each fragment. A launch operator shall include graphs of the coefficient of drag (Cd) as a function of Mach number for the nominal and three-sigma beta variations for each fragment shape. Each graph must be labeled with the shape represented by the curve and reference area used to develop the curve. A launch operator shall provide a Cd vs. Mach curve for any axial, transverse, and tumble orientations for fragments that will not stabilize during free-fall conditions. For fragments that may stabilize during free-fall, a launch operator shall provide Cd vs. Mach curves for the stability angle of attack. If the angle of attack where the fragment stabilizes is other than zero degrees, a launch operator shall provide both the coefficient of lift (CL) vs. Mach number and the Cd vs. Mach number curves. The equations for Cd vs. Mach curves shall also be provided.

(9) Pre-flight propellant weight. The initial preflight weight of solid and liquid propellant for each launch vehicle component that contains solid or liquid propellant.

(10) Normal propellant consumption. The nominal and plus and minus three-sigma solid and liquid propellant consumption rate, and pre-malfunction consumption rate for each component that contains solid or liquid propellant.

(11) Fragment weight. The mean and plus and minus three-sigma weight of each fragment.

(12) Projected area. The mean and plus and minus three-sigma axial, transverse, and tumbling areas for each fragment. This information is not required for those fragment classes classified as burning propellant classes as described in paragraph (e)(17) of this section.

(13) Imparted velocities. The maximum incremental velocity imparted to each fragment and the mean fragment of each fragment class created by flight termination system activation, or explosive or overpressure loads at breakup. The launch operator shall identify the velocity distribution as Maxwellian or shall define the distribution, including whether the specified maximum value is interpreted as a fixed value with no uncertainty.

(14) Fragment type. The fragment type for each fragment established in accordance with paragraphs (c)(2), (c)(3), and (c)(4) of this section.

(15) Effective casualty area. The effective casualty area established in accordance with paragraph (c)(9) of this section for each fragment and for the effective casualty area for the mean fragment of each fragment class.

(16) Stage of origination. The launch vehicle stage from which each fragment originated.

(17) Burning propellant classes. The propellant consumption rate for those fragments that burn during free-fall.

(18) Contained propellant fragments, explosive or non-explosive. For fragments defined as contained propellant fragments, whether explosive or non-explosive, a launch operator shall provide the initial weight of contained propellant and the consumption rate during free-fall. The initial weight of the propellant in a contained propellant fragment is the weight of the propellant before any of the propellant is consumed by normal vehicle operation or failure of the launch vehicle.

(19) Solid propellant fragment snuff-out pressure. The ambient pressure and the pressure at the surface of a solid propellant fragment, in pounds per square inch, required to sustain a solid propellant fragment's combustion during free-fall.

(20) Other non-inert debris fragments. For each non-inert debris fragment identified in accordance with paragraph (c)(4) of this section, a launch operator shall describe the diffusion, dispersion, deposition, radiation, or other hazard exposure characteristics used to determine the effective casualty area required by paragraph (c)(9) of this section.

(21) Residual thrust dispersion. For each thrusting or non-thrusting stage having residual thrust capability following a launch vehicle malfunction, a launch operator shall identify either the total residual impulse imparted or the full-residual thrust in foot-pounds as a function of break-up time. For any stage not capable of thrust after a launch vehicle malfunction, a launch operator shall identify the conditions under which the stage is no longer capable of thrust. For each stage that can be ignited as a result of a launch vehicle malfunction on a lower stage, a launch operator shall identify the effects and duration of the potential thrust, and the maximum deviation of the instantaneous impact point which can be brought about by the thrust. A launch operator shall provide the explosion effects of all remaining fuels, pressurized tanks, and remaining stages, particularly with respect to ignition or detonation of upper stages if the flight termination system is activated during the burning period of a lower stage.

(22) Jettisoned body data. A launch operator shall identify each scheduled jettison of any launch vehicle component, the jettison flight time, the number of jettisoned bodies resulting from each specific scheduled jettison, and the following:

(i) For a jettisoned body that will break up during reentry, the number of debris fragments, and the approximate weight, projected area, ballistic coefficient and nominal and three-sigma left crossrange, right-crossrange, uprange, and downrange impact range and the impact range distribution of each fragment. If the jettisoned body will stabilize, the launch operator shall provide the projected area as the stability angle of attack planform area of the jettisoned body normal to the drag force. If the jettisoned body will not stabilize, the projected area shall be the tumble area normal to the drag force.

(ii) Total weight of all jettisoned bodies and the weight of each jettisoned body.

(iii) For each jettisoned body, the aerodynamic reference area that is normal to the drag force and used to determine the drag coefficient data required by paragraph (e)(22)(iv) of this section.

(iv) The axial, transverse and tumbling Cd as a function of Mach number or subsonic and supersonic W/Cd A for each jettisoned body. The Cd as a function of Mach number data are to be provided in graphical format for the nominal and plus and minus three-sigma drag coefficients and shall cover the range of possible Mach numbers from zero to the maximum values during free-fall. A launch operator shall also identify whether each body is stable and, if so, at what angles of attack. For each jettisoned body that can stabilize during free-fall, a launch operator shall provide drag coefficient curves for the stability angle of attack. If the stability angle of attack is other than zero degrees, a launch operator shall also provide a graph of coefficient of lift (CL) as a function of Mach number.

Flight control lines analysis.

(a) General. A launch operator shall determine the geographic placement of Start Printed Page 64003flight control lines that define the region over which a launch vehicle will be allowed to fly and where any debris resulting from normal flight and any launch vehicle malfunction will be allowed to impact. A launch operator shall implement flight safety limits in accordance with § 417.213 and flight termination rules in accordance with § 417.113, to ensure that debris associated with a malfunctioning launch vehicle does not impact any populated or other protected area outside the flight control lines. Flight over any populated or other protected area may be performed when a launch operator establishes a gate through a flight control line in accordance with § 417.219.

(b) Input. A launch operator shall obtain the following information to perform a flight control lines analysis:

(1) Geographic data. Geographic data includes maps, charts, or digital data depicting the geographic region protected by the flight control lines. The data must include federal, state, local and launch site boundaries and any foreign territorial boundaries, including foreign territorial waters. Depictions of the launch area landmass must include, but need not be limited to, topographical features such as elevations, rivers, lakes, and canals. Launch area landmass depictions must also include significant structures and populated areas, such as bridges, roadways, railroads, towns and cities, airports, and launch points. Downrange area landmass depictions shall include cities with populations greater than 25,000 people, country borders, national capitals and the largest city in the country. For flight control lines that encompass planned impact areas for jettisoned launch vehicle components, the data must depict land, air, and sea routes that will be the subject of notices in accordance with § 417.121. Sources of acceptable geographic data may include the National Imagery and Mapping Agency, the United States Department of Commerce, and the National Oceanic and Atmospheric Administration.

(2) Launch vehicle trajectory data. Launch vehicle trajectory data must describe the limits of normal launch vehicle flight, and include the launch vehicle's instantaneous impact points for the nominal, three-sigma left, and three-sigma right trajectories and the fuel exhaustion trajectories as determined by a trajectory analysis performed in accordance with § 417.205.

(3) Special areas or zones. Special areas or zones must include geographic descriptions of any local, state, or federal special use areas or zones that require protection from impacting debris or that cannot accommodate the overflight of a launch vehicle.

(4) Map errors. A flight control lines analysis must identify direction and scale map distortions and errors as a function of distance from the point of tangency, from a parallel of true scale and true direction, or from a meridian of true scale and true direction. Map errors vary depending on the type of map projection used, such as cylindrical, conic, or plane projections used to project a round body onto a flat surface sheet. A launch operator shall select a map with a projection that accommodates the plotting technique to be used in accordance with paragraph (d) of this section. Information on calculating the error attributable to the various map projections is available from the Department of the Interior, United States Geological Survey, Geological Survey Bulletin 1532.

(5) Tracking errors. A flight control lines analysis must identify the crossrange, uprange, and downrange launch vehicle tracking errors in the domain of the data used to make flight control decisions, such as drag corrected impact prediction, instantaneous impact point, present position, and body attitude, or one or more combinations of these. If actual tracking error information is not available at the time of the analysis, a launch operator may use a conservative tracking error estimate. If a conservative estimate is used, a launch operator shall clearly and convincingly demonstrate that the conservative estimate exceeds the tracking source manufacturer's predicted tracking error by at least 20%. For each tracking source used for all flight termination decisions, a flight control line analysis must account for each source of significant tracking error. Sources of significant tracking error include, but need not be limited to, the following:

(i) Radar errors. Where radar tracking is used, a flight control lines analysis must account for radar errors due to the combination of solar heating effects, internal and external pedestal variations, antenna variations, target dependencies, signal propagation variations, refraction variations, transmitter variations, ranging variations, receiver variations, data handling effects, servo variations, and signal processing variations.

(ii) Global Positioning System (GPS) errors. Where GPS tracking is used, a flight control lines analysis must account for GPS errors due to the combination of satellite clock error, ephemeris error, receiver or translator errors, delays due to satellite equipment, multi-path errors, atmosphere or ionosphere distortions, selective availability and geometric dilution of precision estimates.

(iii) Optical errors. Where optical tracking is used, a flight control lines analysis must account for optical tracking errors due to the combinations of azimuth and elevation biases, pitch and roll variations, non-orthogonality, optical skew, lens droop, refraction variations, atmosphere and ionosphere distortions, data handling effects, servo variations, and signal processing variations.

(c) Flight control line constraints. A launch operator shall apply the following constraints when generating flight control lines.

(1) Flight control lines must not extend on land beyond the area controlled by the launch operator or the launch site operator. A launch operator may establish flight control lines to protect personnel or facilities located within the area controlled by the launch operator or launch site operator. A launch operator shall establish flight control lines to protect any launch-viewing site with public access within the area controlled by the launch operator or launch site operator.

(2) Flight control lines must not intersect a foreign territorial boundary, including territorial waters, as recognized by the United States.

(3) A launch operator shall ensure that a positive mission success margin separates the launch vehicle's debris dispersion as a function of time during normal flight from the flight control lines as depicted in figure 417.211-1 of this section. This separation ensures that the flight of a normally performing launch vehicle will not be terminated. The flight control lines analysis must demonstrate a mission success margin for the most conservative normal launch vehicle trajectory relative to the flight control lines for all points along the trajectory. The launch vehicle debris dispersion at each point in time along the launch vehicle trajectory shall be determined in accordance with the flight safety limits analysis required by § 417.213.

(4) Flight control lines must border the boundaries of all protected areas. Although protected areas are populated areas and other areas from which the potential adverse effects of a launch vehicle's flight must be isolated, a protected area is not necessarily a land area. For example, a protected area may include ocean areas with high shipping or fishing traffic.

(5) Each flight control line, whether over land or water, must be offset from Start Printed Page 64004any populated or other protected area by no less than a distance equal to the total of the map and launch vehicle tracking errors. Because the source of tracking data may vary throughout flight, the tracking error offset for a protected area must account for errors due to the source of tracking data for the period of flight during which the launch vehicle could reach the protected area. Map and tracking error offsets are depicted in figures 417.211-2 and 417.211-3 of this section. A launch operator may use a conservative total offset distance to simplify analysis and ease implementation of the flight control lines only if the launch operator demonstrates through the licensing process that its offset distance is greater than or equal to the total of the map and tracking errors for all protected areas.

(d) Plotting. A launch operator shall plot flight control lines in accordance with the following:

(1) Flight control lines must be comprised of connected geodesic-line segments of variable length that may or may not form a closed polygon, depending on the inclusion of a gate in accordance with § 417.219.

(2) When plotting flight control lines, a launch operator shall ensure that data source oblate spheroid latitude and longitude coordinates are transformed to the oblate spheroid used for the map on which the flight control lines are projected.

(3) On a map with a scale greater than or equal to 1:1,000,000 in/in, a straight flight control line segment must have a scaled distance less than or equal to 7.5 times the map scale. On a map with a scale less than 1:1,000,000 in/in, a straight flight control line segment must have scaled distances of 100 nautical miles or less.

(4) Mechanical plotting. A launch operator may use mechanical drafting equipment to plot the location of flight control lines on a map. The map must have a conformal conic projection.

(5) Semi-automated plotting. A launch operator may use range and bearing techniques to plot latitude and longitude points on a map that has a cylindrical, conic, or plane (azimuthal) projection. Each flight control line segment must be a geodesic. Information on the various techniques for performing these calculations is available from the FAA upon request.

(6) Fully automated plotting. A launch operator may plot flight control lines using geographic information system software, a computer aided design system, or a computerized drawing program and global mapping data using the map projection supported by the software application. The launch operator shall ensure that each flight control line segment generated by such an automated process is a geodesic.

(e) Flight control line analysis products. The flight control lines analysis products, submitted to the FAA in accordance with § 417.203(c), must include:

(1) A graphic depiction of all flight control lines, the launch point, all launch site boundaries, surrounding geographic area, all protected area boundaries, and the nominal and three-sigma launch vehicle instantaneous impact point ground traces from the launch point to a distance 100 nautical miles downrange. Within 100 nautical miles of the launch point, the smallest map scale used to show flight control lines must be less than 1:15,000 inch/inches and greater than or equal to 1:250,000 inch/inches. The launch vehicle trajectory instantaneous impact points must be plotted with sufficient frequency to provide a conformal representation of the launch vehicle's instantaneous impact point ground trace curvature.

(2) A graphic depiction of all flight control lines, protected areas, and the nominal and three-sigma instantaneous impact point ground traces from liftoff through orbital insertion or final stage impact. The smallest map scales for this depiction must be greater than or equal to 1:20,000,000 inch/inches.

(3) A tabular description of the flight control lines. This must include the geodetic latitude (positive north of the equator) and longitude (positive east of the Greenwich Meridian) coordinates of both endpoints of each flight control line segment in units of decimal degrees. The quantitative values of the flight control line coordinates must be rounded to the number of significant digits that can reasonably be determined from the uncertainty of the measurement device used to determine the flight control lines. Flight control line coordinates shall be limited to a maximum of six decimal places.

(4) A map error table of direction and scale distortions as a function of distance from the point of tangency from a parallel of true scale and true direction or from a meridian of true scale and true direction. A launch operator shall provide a table of tracking error as a function of downrange distance from the launch point for each tracking station used to make flight safety control decisions. A launch operator shall submit a description of the method, showing equations and example calculations, used to determine the tracking error. The interval between map and tracking error data points within 100 nautical miles of the reference point shall be one data point every 10 nautical miles, including the reference point. The interval between map and tracking error data points beyond 100 nautical miles from the reference point shall be one data point every 100 nautical miles out to a distance that includes all flight control line endpoints.

(5) A launch operator shall provide the equations used for geodetic datum conversions and one sample calculation for converting the geodetic latitude and longitude coordinates between the datum ellipsoids used. A launch operator shall provide any equations used for range and bearing computations between geodetic coordinates and one sample calculation.

Start Printed Page 64005

Start Printed Page 64006

Flight safety limits analysis.

(a) General. A launch operator shall perform a flight safety limits analysis to establish criteria for terminating a malfunctioning launch vehicle's flight. The criteria must ensure that the launch vehicle's debris impact dispersion does not extend beyond the flight control lines established in accordance with § 417.211. A launch operator's flight safety limits analysis must determine the temporal and geometric extents of a launch vehicle's debris impact dispersion on the Earth's surface resulting from any planned debris impacts and potential debris impacts created by unplanned events for any point during flight. At any time during a launch vehicle flight, a launch operator's flight safety limits must provide for the identification of a launch vehicle malfunction and the termination of flight before any adverse effects of the resulting debris could reach outside the flight control lines.

(b) Flight safety limits constraints. A launch operator shall apply the following constraints when establishing flight safety limits:

(1) A launch operator's flight safety limits must account for malfunctions occurring during the time from launch vehicle first motion through flight to the no longer endanger time determined in accordance with § 417.221(c).

(2) A launch operator's flight safety limits shall account for a worst case debris impact dispersion to ensure that the flight safety system is activated in sufficient time to keep the adverse effects of any debris impacts from extending beyond the flight control lines. The worst case dispersion shall be developed by combining dispersion effects in a direction that maximizes the dispersion envelope in the uprange, downrange, right crossrange and left crossrange directions.

(3) A launch operator's flight safety limits must, for a flight termination at any time during launch vehicle flight, represent the extent of the debris impact dispersion, in the uprange, downrange and crossrange directions on the Earth's surface. The surface area bounded by the debris impact dispersion represents the geographic area that will be exposed to the adverse effects of debris impact resulting from flight termination at a given time during flight.

(4) Each debris impact area determined by a launch operator's flight safety limits analysis shall be offset from the flight control lines in a direction away from populated or other protected areas. The size of the offset shall be determined in accordance with paragraph (a) of this section based on impact dispersion parameters that include, but need not be limited to:

(i) Bounce, splatter and skip of inert debris.

(ii) Critical over-pressures greater than or equal to 3.0 psi resulting from detonation of explosive debris.

(iii) Malfunction turns.

(iv) Malfunction imparted velocities.

(v) Winds. Wind data shall be determined in accordance with § 417.217.

(vi) Residual thrust.

(vii) Guidance dispersions.

(viii) Variations in drag predictions of fragments and debris.

(ix) Other impact dispersion parameters peculiar to the launch vehicle.

(x) Debris impact location uncertainties generated from conditions prior to, and after, activation of the flight termination system.

(c) Flight safety limits analysis products. The products of a flight safety limits analysis to be submitted to the FAA in accordance with § 417.203(c) must include the following:

(1) A description of each method used to develop and implement the flight safety limits. The description must include equations and example computations used in the flight safety limits analysis.

(2) A description of how each analysis method meets the analysis requirements and constraints of this section, including how the method produces a worst case scenario for each impact dispersion area.

(3) A description of how the results of the analysis are used in relation to flight control lines to protect populated and other protected areas.

(4) A graphical depiction of the flight safety limits aligned on the nominal flight azimuth, the flight control lines, surrounding landmass areas within 100 nm of the flight control lines, and labeled geodetic latitude and longitude lines from liftoff to orbital insertion or the end of flight. The flight safety limits Start Printed Page 64007shall be shown at trajectory time intervals sufficient to depict the mission success margin between the flight safety limits and the flight control lines. The flight safety limits shall be plotted using the same scales and frequency of plotted points as required for the flight control lines in accordance with § 417.211(e)(1) and (2).

(5) A tabular description of the flight safety limits including the geodetic latitude and longitude for each flight safety limit boundary, the nominal and three-sigma total launch vehicle velocities corresponding to each flight safety limit boundary, the altitude height from the sub-vehicle point to the launch vehicle present position, and the range and bearing from the sub-vehicle point to the vacuum impact point. This data must show the same number of significant digits as the flight control line data submitted in accordance with § 417.211(e)(3).

Straight-up time analysis.

(a) General. A launch operator shall perform a straight-up time analysis to determine the latest time-after-liftoff by which flight termination must be initiated were a launch vehicle to malfunction and fly a vertical or near vertical trajectory (a straight-up trajectory) rather than follow a normal trajectory downrange.

(b) Straight-up time constraints. The following constraints apply to straight-up time analysis:

(1) A straight-up trajectory shall be defined as the flight path flown by a launch vehicle that produces vertical or near-vertical flight, beginning at liftoff.

(2) Straight-up time shall be defined as the latest time-after-liftoff, assuming a launch vehicle flies a straight-up trajectory, at which activation of the launch vehicle's flight termination system or spontaneous breakup of the launch vehicle would not cause debris or critical over-pressure to cross over any flight control line established in accordance with § 417.211.

(3) A straight-up-time analysis must account for the following:

(i) Launch vehicle trajectory.

(ii) Drag impact point of each debris fragment.

(iii) Wind effects on the drag impact point of each debris fragment.

(iv) Residual thrust effects on drag impact point of each debris fragment.

(v) Explosion velocity effects on the drag impact point of each debris fragment.

(vi) Malfunction-turn effects on the drag impact point of each debris fragment.

(vii) Distance from the launch point to any flight control line.

(viii) Delay time from the initiation of a flight termination command to actual flight termination.

(ix) Effective casualty area of each debris fragment determined in accordance with § 417.209(c)(9).

(c) Straight-up time analysis products. The products of a straight-up-time analysis to be submitted to the FAA in accordance with § 417.203(c) must include the following:

(1) Straight-up time.

(2) A description of the methodology used to determine straight-up time.

(3) At least one example set of straight-up-time calculations.

Wind analysis.

(a) General. A launch operator shall perform a wind analysis to determine wind magnitude and direction as a function of altitude for the air space through which its launch vehicle will fly and for the airspace through which malfunction and jettisoned debris will travel. The products of this analysis must satisfy the input requirements of the other flight safety analyses that are dependent on wind data. A launch operator operating a suborbital launch vehicle flown with a wind weighting safety system shall meet the applicable requirements in this section and the wind analysis requirements of § 417.235(e) and appendix C of this part.

(b) Input. A launch operator's wind analysis must use statistical wind data, measured wind data, or a combination of statistical and measured wind data as input unless otherwise required for a specific vehicle or mission. Wind analysis input data must satisfy the following requirements:

(1) Statistical wind data. Statistical wind input data must include altitude, month, number of observations, mean east-west component of wind speed, standard deviation of east-west component of wind speed, mean north-south component of wind speed, standard deviation of north-south component of wind speed, and the correlation coefficient of wind components. Sources of statistical wind data include, “Information on the Global Gridded Upper Air Statistics (GGUAS),” dated 1980-1995, and Volume 1.1 of the same title, dated March 1996. These documents are available from the Climate Applications Branch, National Climatic Data Center, 151 Patton Ave, Room 468, Asheville, NC 28801-5001.

(2) Measured wind data. Measured wind input data must include altitude, wind magnitude, and wind direction.

(c) Wind analysis constraints. A wind analysis must incorporate the following constraints:

(1) Altitude. A launch operator's wind analysis must provide wind data from the altitude of the launch point to an altitude of 100,000 feet.

(2) Azimuth. For each of the other analyses that are dependent on wind analysis products, a launch operator shall determine wind magnitudes as a function of altitude for the worst-case wind direction (azimuth). This generally requires the determination of wind magnitudes along an azimuth that is in the direction of, and normal to, the nearest protected area such that the wind would carry any hazard toward the protected area. The wind analysis products must demonstrate how each selected azimuth represents the worst-case for its application.

(3) Statistical winds. When using statistical wind input data, a launch operator shall ensure that the wind analysis products represent three-sigma statistical winds assuming a one-sided normal univariate Gaussian distribution. In the absence of inter- and intra-altitude correlation coefficients, a launch operator shall ensure that wind analysis products do not exceed the altitude intervals supplied by the statistical wind input data source. Any temporal combination of statistical wind data must satisfy the following requirements:

(i) Statistical wind data shall be derived from a single data source.

(ii) Any temporal combination of statistical wind data must account for the source's temporal division of samplings, such as weeks, months, or quarters.

(iii) When performing a flight safety analysis with statistical wind data, a launch operator shall use the worst case wind from the statistical wind data source's individual temporal divisions as a function of altitude interval.

(iv) When using statistical wind data that provides height intervals in terms of millibar pressure, a launch operator shall use the mean height for the range of the temporal profile.

(4) Measured and forecasted winds. When using flight-day wind measurements, a launch operator shall forecast wind conditions to account for any changes that may occur between the time the measurements are made and the scheduled flight time and any planned impact time. A launch operator shall forecast wind conditions based on wind measurements taken not more than eight hours before the scheduled liftoff time and any predicted impact time. A launch operator's forecasted wind data must include a scalar wind speed that accounts for the wind measurement error created by the latency of the measured data and any Start Printed Page 64008other error created by the wind measurement methods used. The following requirements apply when using flight-day wind measurements:

(i) Launch area forecasted winds. Using the last measured wind, a launch operator shall forecast the launch area wind speed and wind direction as a function of altitude for the scheduled flight time.

(ii) Downrange area forecasted winds. Using the last measured wind, a launch operator shall forecast for any predicted impact time, the downrange area wind speed and wind direction as a function of altitude in the region of the no-wind three-sigma impact dispersion of each normally jettisoned stage or component.

(5) Wind data for trajectory analysis. A launch operator shall select a wind profile for launch vehicle trajectory development that is as severe as the worst wind conditions under which flight might be attempted. (This wind is not necessarily the wind above which the launch vehicle would lose control or the launch vehicle would fail to maintain structural integrity. Other mission concerns may limit wind conditions.) The following constraints apply to wind analysis performed to determine the wind data needed for the development of the specific launch vehicle trajectories required by § 417.205(d):

(i) Three-sigma maximum performance trajectory and fuel exhaustion trajectory. For this trajectory, a wind analysis must determine the wind magnitude for each trajectory computation point, in the azimuthal direction zero degrees to the projection of the launch vehicle velocity vector azimuth into the horizontal plane that is tangent to the ellipsoidal Earth model at the launch vehicle sub-vehicle point.

(ii) Three-sigma minimum performance trajectory. For this trajectory, a wind analysis must determine the wind magnitude at each trajectory computation point, in the azimuthal direction 180 degrees to the projection of the launch vehicle velocity vector azimuth into the horizontal plane that is tangent to the ellipsoidal Earth model at the launch vehicle sub-vehicle point.

(iii) Three-sigma left lateral trajectory. For this trajectory, a wind analysis must determine the wind magnitude at each trajectory computation point, in the azimuthal direction 90 degrees counter-clockwise to the projection of the launch vehicle velocity vector azimuth into the horizontal plane that is tangent to the ellipsoidal Earth model at the launch vehicle's sub-vehicle point.

(iv) Three-sigma right lateral trajectory. For this trajectory, a wind analysis must determine the wind magnitude at each trajectory computation point, in the azimuthal direction 90 degrees clockwise to the projection of the launch vehicle velocity vector azimuth into the horizontal plane that is tangent to the ellipsoidal Earth model at the launch vehicle's sub-vehicle point.

(6) Flight safety limits. A launch operator shall ensure that the statistical wind percentile used in developing flight safety limits in accordance with § 417.213 is such that when the flight safety limits are used during flight, a normally performing launch vehicle will not trigger flight termination. For example, a launch could not successfully take place at a given location for a given time of year where the statistical winds were such that the resulting launch vehicle debris impact dispersion, determined in accordance with § 417.213, would cross over the flight control lines, developed in accordance with § 417.211, during normal flight.

(7) Flight constraints. When using flight-day wind measurements, a launch operator shall ensure wind dispersion effects based on measured and forecasted wind conditions do not exceed any statistical wind dispersion effects used in developing flight safety limits. A launch operator shall implement launch safety rules, in accordance with § 417.113, that ensure that flight will not be initiated if forecasted winds based on flight-day wind measurements invalidate any wind assumption made when developing flight safety limits.

(d) Wind analysis products. The products of wind analysis to be submitted to the FAA in accordance with § 417.203(c) must include the following:

(1) Statistical wind profiles. A launch operator shall submit a graphic and tabular description of each statistical wind profile used as input for any other flight safety analysis and an explanation of how each profile provides the worst-case wind direction safety margin required by paragraph (c)(2) of this section. A launch operator shall identify each source of its statistical wind data and submit a single graph and table for each statistical percentile and wind direction combination as follows:

(i) Graphic description. A launch operator shall provide a graphical depiction of each statistical wind profile for a given wind direction, showing the wind speed as a function of altitude. This plot must have the vertical axis normal to, and centered on the horizontal axis, with negative wind speeds on the left of the vertical axis and positive wind speeds on the right of the vertical axis. Zero-altitude must be positioned at the intersection of the axes and the altitudes shall be positive in the up direction. The altitude increments must not exceed 1000 feet. Figure 417.217-1 provides an example of a statistical wind profile plot.

Start Printed Page 64009

(ii) Tabular description. A launch operator shall provide a tabular description of each statistical wind profile, including the statistical wind percentile and direction of wind as the title of each table. The altitude and wind speed data must be in columnar format with altitude in column 1 and wind speed to the right side of column 1 in column 2. Altitude shall be in feet, rounded to the nearest foot, and wind speeds shall be in feet per second, rounded to two decimal places. Each altitude increment must not exceed 1000 feet.

(2) Measured wind profile. When using measured wind data, a launch operator shall submit a description of its process for measuring and forecasting winds in the launch area and downrange areas in accordance with paragraph (c)(4) of this section. A launch operator shall provide a tabular description of each measured wind profile in the post launch report required by § 417.117(h). Each table shall include the launch vehicle identification, mission name, date of the measurement, time of the measurement, and the measurement source. The tabular wind data shall include the altitude, wind speed, and wind direction in columnar format, with altitude in column 1, wind speed to the right side of column 1 in column 2 and wind direction to the right of column 2 in column 3. Altitude shall be in feet, rounded to the nearest foot, wind speeds shall be in feet per second, rounded to two decimal places, and wind direction shall be in degrees measured from True North, rounded to one decimal point. Each altitude increment must not exceed 1000 feet.

(3) Flight constraint wind data. A launch operator shall provide the wind magnitude and wind direction information that the launch operator used to develop any wind flight constraints in accordance with paragraph (c)(7) of this section.

(4) Wind data source information. A launch operator shall submit a description of each wind data source, including the type of equipment used to obtain the data, measurement accuracy, and data latency to the flight safety wind analysis process.

No-longer-terminate (gate) analysis.

(a) General. A launch operator shall perform an analysis to determine the portion, referred to as a gate, of a flight control line or other flight safety limit boundary, through which a launch Start Printed Page 64010vehicle's tracking icon is allowed to proceed without a launch operator being required to terminate flight. A tracking icon is the representation of a launch vehicle's present position or instantaneous impact point position displayed to a flight safety official at the flight safety official console during real-time tracking of the launch vehicle's flight. A launch operator may use a gate for planned launch vehicle flight over a populated or other protected area only if the launch can be accomplished while meeting the public risk criteria of § 417.107(b).

(b) No-longer-terminate (gate) analysis constraints. The following analysis constraints apply to a gate analysis.

(1) For each gate in a flight safety limit boundary, the criteria used for determining whether to allow passage through the gate or to terminate flight at the gate must use all the same launch vehicle flight status parameters as the criteria used for determining whether to terminate flight at the flight safety limit boundary developed in accordance with § 417.213. For example, if the flight safety limits are a function of instantaneous impact point location, the criteria for determining whether to allow passage through a gate in the flight safety limit boundary must also be a function of instantaneous impact point location. Likewise, if the flight safety limits are a function of drag impact point, the gate criteria must also be a function of drag impact point.

(2) For each established gate, the analysis must account for:

(i) Launch vehicle tracking and map errors.

(ii) Launch vehicle plus and minus three-sigma trajectory limits.

(iii) Debris impact dispersions.

(3) A gate must restrict a launch vehicle's normal trajectory ground trace, within three-sigma of nominal, to a geographic overflight region specifically defined for that gate.

(c) No-longer-terminate (gate) products. The products of a gate analysis to be submitted to the FAA in accordance with § 417.203(c) must include the following:

(1) A launch operator shall describe the methodology used to establish each gate.

(2) A launch operator shall submit a tabular description of the input data.

(3) A launch operator shall submit the analysis computations performed to determine a gate. If a launch involves more than one gate and the same methodology is used to determine each gate, the launch operator need only submit the computations for one of the gates.

(4) A launch operator shall submit a graphic depiction of each gate. A launch operator shall provide a small-scale depiction showing latitude and longitude grid lines, flight control lines, flight safety limits, landmass outlines, and nominal and three-sigma trajectory ground traces in their entirety. A launch operator shall also provide a large-scale depiction showing latitude and longitude grid lines, flight control lines, flight safety limits, landmass overflight regions, applicable portions of the nominal and three-sigma trajectory ground traces, and applicable predicted impact dispersion outlines. A launch operator shall show the gate latitude and longitude labels and the map scale on both depictions. Figures 417.219-1 and 417.219-2 provide examples of the gate depictions for overflight of Africa when launching from Florida.

Start Printed Page 64011

Data loss flight time analysis.

(a) General. A launch operator shall perform a data loss flight time analysis to determine the shortest elapsed thrusting time during which a launch vehicle can move from its normal trajectory to a condition where public endangerment is possible. A data loss flight time analysis must also determine an earliest destruct time, which is the earliest time after liftoff that public endangerment is possible, and a no longer endanger time, which is the time after liftoff that public endangerment is no longer possible from that time forward. Data loss flight times are used following any malfunction that prevents a flight control officer from knowing the location or behavior of a launch vehicle and that occurs during flight before the no longer endanger time is reached. A launch operator shall incorporate the results of its data loss flight time analysis into its flight termination rules in accordance with § 417.113(c).

(b) Earliest destruct time. A launch operator's earliest destruct time is the earliest possible time after liftoff that the launch vehicle debris impact dispersion could contact a flight control line. When calculating the earliest destruct time, the launch operator shall assume that the launch vehicle loses control immediately after ignition, that vehicle performance and orientation are optimized for maximum debris impact range, and all flight directions are equally likely. In all cases, the earliest destruct time must be greater than the predicted earliest tracking acquisition time plus the time delay determined in accordance with § 417.223.

(c) No longer endanger time. A launch operator's no longer endanger time is the time after liftoff after which flight termination need not be initiated even if a malfunction results in launch vehicle data loss. The no longer endanger time must be the point of orbital insertion or the nominal time after liftoff where, from that time onward, a launch vehicle no longer has the physical ability for its debris impact dispersion to contact a flight control line, whichever comes first.

(d) Data loss flight times. For each launch vehicle trajectory time, from the predicted earliest launch vehicle tracking acquisition time to the no longer endanger time, a launch operator shall determine the data loss flight time in accordance with the following:

(1) A data loss flight time must be the minimum thrusting time for a launch vehicle to move from a normal trajectory position to a position where a flight termination would cause the malfunction debris impact dispersion boundary to contact a flight control line.

(2) A launch operator's data loss flight time analysis must assume a malfunction that causes the launch vehicle to proceed from its position at the malfunction start time toward the flight control line, regardless of the probability of occurrence.

(3) The launch vehicle thrust vector shall be modeled to produce the highest instantaneous impact point range-rate that the vehicle is physically capable of producing at the trajectory time being evaluated, regardless of the probability of occurrence.

(4) Each data loss flight time must account for the system delays at the time of flight.

(5) A launch operator shall determine a data loss flight time for time increments of no less than one second along the launch vehicle nominal trajectory.

(e) Data loss flight times products. The products of a launch operator's data loss flight time analysis to be submitted in accordance with § 417.203(c) must include the following:

(1) A launch operator shall describe the methodology used in its data loss flight times analysis, including identification of all assumptions, Start Printed Page 64012techniques, input data, and equations used. A launch operator shall submit calculations performed for one data loss flight time in the launch area and one data loss flight time in the downrange area. The launch area calculation time shall be separated from the downrange calculation time by at least 50 seconds, or by the greatest time otherwise feasible.

(2) A launch operator shall submit a launch area graphical description that shows flight control lines, flight safety limits, the launch point, the launch site boundaries, the surrounding geographic area, any protected areas, the earliest destruct time, the no longer endanger time (within any applicable scale requirements), latitude and longitude grid lines, and launch vehicle nominal and three-sigma instantaneous impact point ground traces from the launch point to 100 nautical miles downrange. Any launch vehicle trajectory instantaneous impact points must be plotted with sufficient frequency to provide a conformal estimate of the launch vehicle's instantaneous impact point ground trace curvature. A launch operator shall provide labeled latitude and longitude lines and the map scale on the depiction.

(3) A launch operator shall provide a downrange graphical description that shows the flight control lines, flight safety limits, all gates, protected areas, earliest destruct time, no longer endanger time, latitude/longitude grid lines, and any nominal and three-sigma instantaneous impact point ground traces from liftoff through orbital insertion or final stage impact. Any launch vehicle trajectory instantaneous impact points must be plotted with sufficient frequency to provide a conformal estimate of the launch vehicle's instantaneous impact point ground trace curvature. A launch operator shall provide labeled latitude and longitude lines and the map scale on the depiction.

(4) A launch operator shall provide a tabular description of the data loss flight times that includes malfunction start time and the geodetic latitude (positive north of the equator) and longitude (positive east of the Greenwich Meridian) coordinates of the intersection of the launch vehicle instantaneous impact point trajectory with the flight control line. The earliest destruct time and no longer endanger time shall be identified in the table. The tabular description must include data loss flight times for trajectory time increments not to exceed one second.

Time delay analysis.

(a) General. A launch operator shall perform a time delay analysis to determine the mean elapsed time between the start of a launch vehicle malfunction and the final commanded flight termination. The time delay must include a flight safety official's decision and reaction time. A launch operator shall also determine the time delay plus and minus three-sigma values relative to the mean time delay.

(b) Time delay analysis constraints. A time delay analysis shall account for data flow rates and reaction times due to hardware and software and decision and reaction times due to personnel that comprise a launch operator's flight safety system as defined by subpart D of this part. A launch operator shall conduct time delay analyses for all data used by a flight safety official for making flight termination decisions. A launch operator's time delay analysis shall account for all significant causes of delay in receiving data. A launch operator's time delay analysis shall account for all delays caused by hardware and software, including, but not limited to, the following:

(1) Tracking system. A launch operator's time delay analysis must account for delays associated with the hardware and software that make up the launch vehicle tracking system, whether or not it is located on the launch vehicle, such as transmitters, receivers, decoders, encoders, modulators, circuitry and any encryption and decryption of data.

(2) Display systems. A launch operator's time delay analysis must account for delays associated with hardware and software that make up any display system used by a flight safety official to aid in making flight control decisions. A launch operator's time delay analysis must also account for any manual operations requirements, tracking source selection, tracking data processing, flight safety limit computations, inherent display delays, meteorological data processing, automated or manual system configuration control, automated or manual process control, automated or manual mission discrete control, and automated or manual failover decision control.

(3) Flight termination system and command control system. A launch operator's time delay analysis must account for delays and response times associated with flight termination system and command control system hardware and software, such as transmitters, decoders, encoders, modulators, relays and shutdown, arming and destruct devices, circuitry and any encryption and decryption of data.

(4) Software specific time delays. A launch operator's time delay analysis must account for delays associated with any correlation of data performed by software, such as timing and sequencing; data filtering delays such as error correction, smoothing, editing, or tracking source selection; data transformation delays; and computation cycle time.

(c) Time delay analysis products. The products of a launch operator's time delay analysis to be submitted in accordance with § 417.203(c) must include the following:

(1) A description of the methodology used to produce the time delay analysis.

(2) A schematic drawing that maps the flight control official's data flow time delays from the start of a launch vehicle malfunction through the final commanded flight termination on the launch vehicle, including the flight safety official's decision and reaction time. The drawings shall indicate major systems, subsystems, major software functions, and data routing.

(3) A tabular listing of each time delay source and its individual mean and plus and minus three-sigma contribution to the overall time delay. All time delay values shall be provided in milliseconds.

(4) The mean delay time and the plus and minus three-sigma values of the delay time relative to the mean value.

Flight hazard areas analysis.

(a) General. A launch operator shall perform a flight hazard areas analysis to determine the regions of land, sea, and air (hazard areas) exposed to the potential adverse effects of planned and unplanned launch vehicle flight events and that must be monitored, controlled, or evacuated in order to ensure public safety. The flight hazard area requirements of this section apply to orbital and ballistic launch vehicles that use a flight termination system to protect the public. Flight hazard area requirements that apply to launch of an unguided suborbital rocket that use a wind weighting safety system are contained in § 417.235. A launch operator's flight hazard areas analysis for an orbital launch must satisfy the following:

(1) A launch operator shall use the methodologies for determining hazard areas for orbital launch provided in appendix A of this part. In addition, for both orbital and suborbital launch, a launch operator shall use the methodologies of paragraphs C417.5(f)-(i) of appendix C of this part for determining ship and aircraft hazard Start Printed Page 64013areas for planned debris impacts. A launch operator shall use the methodologies for determining hazard areas provided in appendixes A and C of this part unless the launch operator demonstrates, clearly and convincingly, through the licensing process that another methodology achieves an equivalent level of safety.

(2) A launch operator's analysis must account for all adverse effects and hazards from planned and unplanned launch vehicle flight events, including impacts of inert components, blast effects due to explosive debris impact, projected debris due to debris impact, release of any toxic substance from normal propellant combustion, vehicle breakup or impacting debris, and any other hazard due to planned or unplanned launch vehicle events that may be unique to a launch.

(3) A flight hazard areas analysis must account for debris resulting from planned flight and potential launch vehicle failure determined according to the debris analysis of § 417.209. A launch operator shall determine the debris impact points and dispersions in accordance with the following:

(i) A flight hazard areas analysis must account for drag corrected impact points and dispersions for each class of impacting debris as a function of trajectory time.

(ii) The dispersion for each debris class must account for the position and velocity state vector dispersions at breakup, the delta velocities incurred from breakup produced by either aerodynamic forces or explosive forces from flight termination system activation, the variance produced by winds, variance in ballistic coefficient for each debris class, and any other dispersion variances.

(iii) A launch operator's flight hazard areas analysis may account for the survivability of debris fragments that are subject to reentry aerodynamic forces or heating. A debris class may be eliminated from the analysis if the launch operator performs a survivability analysis and demonstrates that the debris will not survive to impact.

(4) A launch operator's analysis must account for launch vehicle trajectory dispersion effects in the surface impact domain. The analysis must account for trajectory variations, including plus and minus three-sigma variations in the jettison time for each intentionally jettisoned launch vehicle component.

(5) A launch operator's analysis must define the ship and aircraft hazard areas for which Notices to Mariners (NOTMAR) and Notices to Airman (NOTAM) must be issued and the areas where the launch operator must survey in accordance with § 417.121(f). The results of a launch operator's flight hazard areas analyses shall be used to establish launch safety rules in accordance with § 417.113.

(b) Flight hazard area. For each launch, a launch operator shall establish an overall flight hazard area as an area surrounding the launch point that encompasses all hazard areas and safety clear zones established in accordance with paragraphs (d) through (h) of this section. Figure 417.225-1 illustrates a flight hazard area for a coastal launch site. Figure 417.225-2 illustrates a flight hazard area for a land locked launch site. A flight hazard area must account for planned launch vehicle events and potential launch vehicle failures, including any potential commanded flight termination. A flight hazard area must be contained inside the flight control lines established in accordance with § 417.211.

(c) Flight corridor. For regions outside the flight hazard area, a launch operator shall define a flight corridor, which extends downrange from a flight hazard area as illustrated by figure 417.225-3. A flight corridor must be bounded by the flight control lines established in accordance with § 417.211, and must include any land overflight permitted by a gate established in accordance with § 417.219. Any land overflight area must be bounded by a five-sigma cross range trajectory dispersion about the nominal launch vehicle trajectory. A flight corridor must extend for all downrange positions from the flight hazard area to the no longer endanger time determined in accordance with § 417.221(c).

(d) Debris impact hazard area. A launch operator shall determine a debris impact hazard area that accounts for the impact of debris resulting from a commanded flight termination or spontaneous breakup due to a launch vehicle failure and accounts for individual impact locations for each non-inert debris fragment, including explosive or toxic debris. A launch operator shall ensure that a debris hazard area is contained within the flight hazard area and is derived in accordance with the following:

(1) Except as permitted by paragraph (d)(2) of this section, a debris hazard area must be bounded by an individual casualty contour that defines where the individual casualty probability (PC) criteria of 1×10−6 required by § 417.107(b) would be exceeded if one person were assumed to be in the open and inside the contour during launch vehicle flight. A launch operator shall determine an individual casualty contour in accordance with the following:

(i) The determination of an individual casualty contour must be an iterative process of evaluating person location points in the uprange and downrange directions and both crossrange directions. A launch operator shall use the methodology contained in A417.7 of appendix A of this part unless the launch operator demonstrates, clearly and convincingly, through the licensing process that another methodology achieves an equivalent level of safety.

(ii) For each uprange or downrange distance along the nominal instantaneous impact point trace, individual person location points shall be investigated at progressively increasing crossrange distances until one is found that produces an individual casualty probability of less than the 1×10−6 criteria.

(iii) As impact points being investigated progress downrange or uprange, the individual casualty contour will come to a close at a point where the individual casualty criteria can no longer be exceeded for any person located further downrange or uprange on the nominal instantaneous impact point trace.

(2) Rather than calculating an individual casualty contour uprange of the launch point as required by paragraph (d)(1) of this section, a launch operator may elect to define the uprange debris impact hazard area as an area surrounding the launch point with a radius equal to the greatest inert debris impact radius and any additional radius due to non-inert debris.

(3) The input for determining a debris impact hazard area must include the results of the trajectory analysis required by § 417.205, the malfunction turn analysis required by § 417.207, the wind analysis required by § 417.217, and the debris analysis required by § 417.209 to define the impact locations of each class of debris established by the debris analysis.

(4) A debris impact hazard area must account for the greatest potential debris impact dispersion. The analysis must assume that the launch vehicle flies until it exceeds a flight safety limit associated with the greatest potential debris impact displacement. The analysis must also assume trajectory conditions that maximize a change in debris impact distance during the flight safety system delay time determined in accordance with § 417.223 and use a debris model that is representative of a flight termination or aerodynamic breakup, whichever results in the greatest debris dispersion. For each launch vehicle breakup event, the analysis must account for trajectory and breakup dispersions, variations in Start Printed Page 64014debris class characteristics, and debris dispersion due to wind.

(5) A debris impact hazard area must account for each impacting debris fragment classified in accordance with § 417.209(c). A debris impact hazard area need not account for debris with a ballistic coefficient of less than three.

(6) The analysis must account for classes of debris and the maximum number of debris fragments within a debris class in accordance with § 417.209(c). Debris classes shall be defined for potential launch vehicle failures that may result in launch vehicle breakup in the flight hazard area.

(7) The analysis must account for the probability of occurrence of each type of launch vehicle failure. The analysis must account for vehicle failure probabilities that vary depending on the time of flight. The analysis must also account for the type of vehicle breakup, either by the flight termination system or by aerodynamic forces that may result in a different probability of existence for each debris class.

(8) The analysis must account for the debris classes produced by a launch vehicle failure or a commanded flight termination and the resulting three-sigma debris impact dispersions. The impact point and the three-sigma debris impact dispersions shall be determined for each debris class at each failure time.

(9) In addition to failure debris, the analysis must account for nominal jettisoned body debris impacts and the corresponding three-sigma debris impact dispersions. The analysis must account for the planned number of debris fragments produced by normal separation events during flight with a probability of occurrence equal to the launch vehicle success rate at the time of each separation event.

(e) Blast overpressure hazard area. A launch operator shall define a blast overpressure hazard area as a circle extending from an explosive debris impact point with a radius equal to the 3.0-psi overpressure distance produced by the equivalent TNT weight of the explosive debris. The analysis must account for the maximum possible total solid and liquid propellant load capability of the launch vehicle and any payload at debris impact. A launch operator shall compute the overpressure radius using the TNT equivalency equation used for quantity distance computations and in accordance with the methodology provided in appendix A of this part. A launch operator shall add the overpressure radius to each explosive debris impact to define the overall blast overpressure hazard area.

(f) Other hazards. A launch operator shall identify any additional hazards, such as radioactive material, that may exist on the launch vehicle or payload that in the form of debris may be an additional hazard to the public. For each such hazard, the launch operator shall identify a hazard area that encompasses any debris impact point and its dispersion and includes an additional hazard radius that accounts for the additional hazard. A launch operator shall account for any hazards due to toxic release and distant focus overpressure blast in accordance with § 417.229 and § 417.231, respectively.

(g) Flight hazard area ship-hit contours. Where applicable, a launch operator shall perform an analysis to define ship hazard areas, referred to as ship-hit contours, to ensure that the probability of hitting a ship satisfies the collective probability threshold of 1×10−5 required by § 417.107(b). The flight hazard area shall encompass all ship-hit contours. A launch operator shall determine ship-hit contours in accordance with the following:

(1) A launch operator shall determine ship-hit contours for one to 10 ships in increments of one ship. For each given number of ships, the associated ship-hit contour must bound an area around the nominal instantaneous impact point trace where, if the given number of ships were located on the contour, the collective probability of impacting any ship would be less than or equal to the 1×10−5 ship-hit criteria. A launch operator shall determine each ship hit contour in accordance with the following:

(i) The determination of a ship-hit contour for a given number ships must be an iterative process of evaluating ship location points that have increasing downrange and crossrange distances from the launch point. The total surface area for the given number of ships shall be centered at each ship location point evaluated. A launch operator shall use the methodology for computing ship-hit probability and generating the ship-hit contours contained in A417.5 of appendix A of this part unless the launch operator demonstrates, clearly and convincingly, through the licensing process that another methodology achieves an equivalent level of safety.

(ii) For each downrange distance along the nominal instantaneous impact point trace, ship location points with progressively increasing crossrange distance shall be evaluated until a ship location point is reached that corresponds to a ship-hit probability that is less than or equal to 1×105.

(iii) As the ship location points being evaluated progress downrange, each ship-hit contour will come to a close on the nominal instantaneous impact point trace at a point where the ship-hit criteria can no longer be exceeded for any point further downrange for the number of ships for which the contour is being generated.

(2) The analysis must account for all classes of debris and the number of debris fragments within a debris class as determined in accordance with § 417.209(c). A ship-hit contour need not account for debris with a ballistic coefficient of less than three.

(3) A launch operator shall account for debris classes in accordance with § 417.209(c) for both nominal staging events and potential vehicle failures that may result in vehicle breakup in the flight hazard area. Vehicle failures shall be analyzed as a function of probability of occurrence. As applicable, debris classes shall be produced for both flight termination and for aerodynamic breakup and modeled as a function of probability of occurrence.

(4) Each debris class shall describe the mean impact point and the three-sigma debris impact dispersions. The analysis must account for launch vehicle failure probabilities as a function of flight time. The analysis must also account for the type of vehicle breakup, either by the flight termination system or by aerodynamic forces that may result in a different probability of occurrence for each debris class.

(5) A launch operator shall determine the need to survey the ship-hit contours during the launch vehicle countdown procedures in accordance with A417.5(c) of appendix A. When surveillance is required, a launch operator shall survey for ships in accordance with § 417.121(f). A launch operator shall implement launch safety rules in accordance with § 417.113 where flight shall not be initiated if, at the time of flight, the number of ships within any ship-hit contour is greater than or equal to the number of ships for which the contour was generated.

(6) A launch operator shall use the ship-hit contour for 10 ships as a ship hazard area for providing notice to mariners in accordance with § 417.121(e).

(h) Flight hazard area aircraft-hit contour. A launch operator shall determine an aircraft-hit contour to ensure that the probability of hitting an aircraft satisfies the individual probability threshold of 1×108 required by § 417.107(b) for the flight hazard area around the launch point. A launch operator shall ensure that the aircraft-hit contour is contained within the flight hazard area and is enforced for altitudes extending from zero to 60,000 Start Printed Page 64015feet. A launch operator shall determine an aircraft-hit contour in accordance with the following:

(1) A launch operator shall determine an aircraft-hit contour that bounds an area around the nominal instantaneous impact point trace where, if an aircraft were located on the contour, the individual probability of impacting the aircraft would be less than or equal to the 1×108 aircraft-hit criteria. A launch operator shall determine an aircraft-hit contour following the same method used to determine ship-hit contours required by appendix A of this part.

(2) A launch operator shall use the dimension of the largest aircraft operated in the vicinity of the launch or, if unknown, the dimensions of a Boeing 747 aircraft.

(3) The analysis must account for all classes of debris and the number of debris fragments within a debris class as determined in accordance with § 417.209(c). An aircraft-hit contour need not account for debris with kinetic energy of less than 11 foot pounds.

(4) The analysis must account for debris classes in accordance with § 417.209(c) for both nominal staging events and potential vehicle failures that may result in vehicle breakup in the flight hazard area. Vehicle failures shall be analyzed as a function of probability of occurrence. Debris classes shall be produced for both flight termination and for aerodynamic breakup and modeled as a function of probability of occurrence.

(5) Each debris class must describe the mean impact point and the three-sigma debris impact dispersions. The analysis must account for launch vehicle failure probabilities as a function of flight time. The analysis must also account for the type of vehicle breakup, either by the flight termination system or by aerodynamic forces that may result in a different probability of occurrence for each debris class.

(i) Flight corridor ship hazard areas. Within a flight corridor outside the flight hazard area, a launch operator shall establish a ship hazard area for each planned debris impact for the issuance of notice to mariners in accordance with § 417.121(e). The ship hazard area must consist of an area centered on the planned impact point and defined by the larger of the three-sigma impact dispersion ellipse or an ellipse with the same semi-major and semi-minor axis ratio as the impact dispersion, where, if a ship were located on the boundary of the ellipse, the probability of hitting the ship would be less than or equal to 1×105. A launch operator shall determine ship hazard areas for planned debris impacts using the methodologies contained in paragraphs C417.5(h) and C417.5(i) of appendix C, which apply to both orbital and suborbital launch unless the launch operator demonstrates, clearly and convincingly, through the licensing process that another methodology achieves an equivalent level of safety. A launch operator shall determine if surveillance of a ship hazard area is required in accordance with paragraph C417.5(g) of appendix C of this part.

(j) Flight corridor aircraft hazard areas. Within a flight corridor outside the flight hazard area, a launch operator shall establish aircraft hazard areas for each planned debris impact for the issuance of notices to airmen in accordance with § 417.121(e). Each aircraft hazard area must encompass an air space region, from an altitude of 60,000 feet to impact on the Earth's surface, that contains the larger of the three-sigma drag impact dispersion or an ellipse with the same semi-major and semi-minor axis ratio as the impact dispersion, where, if an aircraft were located on the boundary of the ellipse the probability of hitting the aircraft would be less than or equal to 1×108. A launch operator shall determine aircraft hazard areas for planned debris impacts for both orbital and suborbital launch using the methodology contained in paragraph C417.5(f) of appendix C of this part.

(k) Flight hazard area analysis products. The products of a launch operator's flight hazard area analysis to be submitted in accordance with § 417.203(c) must include, but need not be limited to, the following:

(1) A chart that depicts the flight hazard area, including its size and location.

(2) A chart that depicts each hazard area required by this section.

(3) A description of each hazard for which analysis was performed; the methodology used to compute each hazard area; and the debris classes for aerodynamic breakup of the launch vehicle and for flight termination. For each debris class, the launch operator shall define the number of debris fragments, the variation in ballistic coefficient, and the standard deviation of the debris dispersion.

(4) Charts that depict the ship-hit contours, the individual casualty contour, and the aircraft-hit contour.

(5) Charts and a description of the flight corridor, including any regions of land overflight.

(6) A description of the aircraft hazard area for each planned debris impact inside the flight corridor, the information to be published in a Notice to Airmen, and all information required as part of any agreement with the FAA ATC office having jurisdiction over the airspace through which flight will take place.

(7) A description of any ship hazard area for each planned debris impact inside the flight corridor and all information required in a Notice to Mariners.

(8) A description of the methodology used for determining each hazard area.

(9) A description of the hazard area operational controls and procedures to be implemented for flight.

Start Printed Page 64016

Start Printed Page 64017

Debris risk analysis.

(a) General. A launch operator shall perform a debris risk analysis to determine the expected average number of casualties (EC) to the collective members of the public exposed to inert and explosive debris hazards from the proposed flight of a launch vehicle. The results of the debris risk analysis must be included in the launch operator's demonstration of compliance with the public risk criteria required by § 417.107 (b). A launch operator's debris risk analysis must include an evaluation of risk to populations on land, including regions of launch vehicle flight following passage through any gate in a flight safety limit boundary established in accordance with § 417.219. The debris risk analysis requirements of this section apply to all launches.

(b) Debris risk analysis constraints. A launch operator's debris risk analysis must be performed in accordance with the following:

(1) A launch operator shall use the methodologies and equations provided in appendix B of this part when performing a debris risk analysis unless, through the licensing process, the launch operator provides a clear and convincing demonstration that an alternate method provides an equivalent level of safety.

(2) A launch operator's debris risk analysis must account for the following populations:

(i) The overflight of populations located outside a flight hazard area and inside any flight control lines established in accordance with § 417.211.

(ii) All populations located within five-sigma left and right crossrange of a nominal trajectory instantaneous impact point ground trace and within five-sigma of each planned nominal debris impact.

(iii) Any planned overflight of the public within any gate overflight areas established in accordance with § 417.219.

(iv) Any populations outside the flight control lines identified in accordance with paragraph (b)(10) of this section.

(3) [Reserved]

(4) A debris risk analysis must account for both inert and explosive debris hazards produced from any impacting debris caused by planned launch vehicle events and breakup of a launch vehicle due to activation of a flight termination system or spontaneous breakup due to a launch vehicle failure during launch vehicle flight. The analysis must account for the debris classes determined by the debris analysis required by § 417.209. A debris risk analysis need not account for debris with a ballistic coefficient of less than three. The analysis must account for all debris hazards as a function of flight time.

(5) A debris risk analysis must account for debris impact points and dispersion for each class of debris in accordance with the following:

(i) A debris risk analysis must account for drag corrected impact points and dispersions for each class of impacting debris resulting from planned flight events and from launch vehicle failure as a function of trajectory time.

(ii) The dispersion for each debris class must account for the position and velocity state vector dispersions at breakup, the delta velocities incurred from breakup produced by either aerodynamic forces or explosive forces from flight termination system activation, the variance produced by winds, variance in ballistic coefficient for each debris class, and any other dispersion variances.

(iii) A launch operator's debris risk analysis may account for the survivability of debris fragments that are subject to reentry aerodynamic forces or heating. A debris class may be eliminated for the debris risk analysis if the launch operator performs a survivability analysis and demonstrates that the debris will not survive to impact.

(6) A debris risk analysis must account for launch vehicle failure probability. For the purposes of a debris risk analysis, a launch operator shall determine the launch vehicle failure probability from theoretical or actual launch vehicle flight data in accordance with the following: Start Printed Page 64018

(i) For a launch vehicle with fewer than 15 flights, a launch operator shall use an overall launch vehicle failure probability of 0.31.

(ii) For a launch vehicle with at least 15 flights, but fewer than 30 flights, a launch operator shall use an overall launch vehicle failure probability of 0.10 or the empirical failure probability, whichever is greater.

(iii) For a launch vehicle with 30 or more flights, a launch operator shall use the empirical failure probability determined from the actual flight history.

(iv) For a launch vehicle with a previously established failure probability that undergoes a modification to a stage, that could affect the reliability of that stage, the launch operator shall apply the previously established failure probability to all unmodified stages and the failure probability requirements of paragraphs (b)(6)(i) through (iii) of this section to the modified stage.

(7) A debris risk analysis must account for the dwell time of the instantaneous impact point ground trace over each populated or protected area being evaluated.

(8) A debris risk analysis must account for the three-sigma instantaneous impact point trajectory variations in left-crossrange, right-crossrange, uprange, and downrange as a function of trajectory time, due to launch vehicle performance variations as determined by the launch operator's trajectory analysis performed in accordance with § 417.205.

(9) A debris risk analysis must account for the effective casualty area as a function of launch vehicle flight time for all impacting debris generated from a catastrophic launch vehicle malfunction event or a planned impact event. A launch operator shall include both payload and vehicle systems and subsystems debris in the effective casualty area. The effective casualty area must account for bounce, skip, and splatter of inert debris, a 3.0-psi blast overpressure radius and projected debris effects for all potentially explosive debris, and a hazard radius for any other non-inert debris. The effective casualty area must account for all debris fragments determined as part of a launch operator's debris analysis in accordance with § 417.209.

(10) A debris risk analysis must account for current population density data obtained from a current population database for the region being evaluated or by estimating the current population using traditional population growth rate equations applied to the most current historical data available. A debris risk analysis must account for the population density of population centers whose grid dimensions on Earth's surface do not exceed 1° latitude by 1° longitude. A debris risk analysis must account for any city with population equal to or greater than 25,000 as an individual population center.

(11) For a launch vehicle that uses a flight termination system, a debris risk analysis must account for the collective risk to any populations outside the flight control lines in the area surrounding the launch site during flight, including people who will be at any public launch viewing area during flight. A launch operator shall use the screening methodology provided in B417.7 of appendix B of this part to identify any populations for which the launch operator shall perform debris risk analysis. For such populations, in addition to the constraints listed in paragraphs (b)(1) through (b)(10) of this section, a launch operator's debris risk analysis must account for the following:

(i) The probability of a launch vehicle failure that would result in debris impact in the areas outside the flight control lines.

(ii) The failure rate of the launch operator's flight safety system. A launch operator may use a flight safety system failure rate of 0.002 if the flight safety system is in compliance with the flight safety system requirements of subpart D of this part. For an alternate flight safety system approved in accordance with § 417.107(a)(3), the launch operator shall demonstrate the validity of the probability of failure on a case-by-case basis through the licensing process.

(iii) Current population density data for the areas being evaluated that are outside the flight control lines. This data shall be determined based on the most current census data and projections for the day and time of flight.

(c) Debris risk analysis products. The products of a launch operator's debris risk analysis to be submitted in accordance with § 417.203(c) must include the following:

(1) A debris risk analysis report that provides the analysis input data, probabilistic risk determination methods, sample computations, and text or graphical charts that characterize the public risk to geographical areas for each launch.

(2) Geographic data showing the launch vehicle nominal, five-sigma left-crossrange and five-sigma right-crossrange instantaneous impact point ground traces; all exclusion zones relative to the instantaneous impact point ground traces; and populated areas included in the debris risk analysis.

(3) A discussion of each launch vehicle failure scenario addressed in the analysis and the probability of occurrence, which may vary with flight time, for each failure scenario. This information must include a failure scenario where a launch vehicle flies within normal limits until some malfunction causes spontaneous breakup or results in a commanded flight termination. For a launch that employs a flight safety system, this information must also describe the most likely launch vehicle failure scenario and probability of occurrence for a random attitude failure as described in B417.7(e) of appendix B of this part.

(4) A population model applicable to the launch overflight regions that contains the following: area identification, location of the center of each population cell by geodetic latitude and longitude, total area, and number of persons in each population cell.

(5) A description of the launch vehicle, including general information concerning the nature and purpose of the launch and an overview of the launch vehicle, including a scaled diagram of the general arrangement and dimensions of the vehicle. A launch operator's debris risk analysis products may reference other documentation submitted to the FAA containing this information. The launch operator shall identify any changes in the launch vehicle description from that submitted during the licensing process according to § 415.109(e). The description must include:

(i) Weights and dimensions of each stage.

(ii) Weights and dimensions of any booster motors attached.

(iii) The types of fuel used in each stage and booster.

(iv) Weights and dimensions of all interstage adapters and skirts.

(v) Payload dimensions, materials, construction, any payload fuel; payload fairing construction, materials, and dimensions; and any non-inert components or materials that add to the effective casualty area of the debris, such as radioactive or toxic materials or high-pressure vessels.

(6) A typical sequence of events showing times of ignition, cutoff, burnout, and jettison of each stage, firing of any ullage rockets, and starting and ending times of coast periods and control modes.

(7) A launch operator shall submit the following information for each launch vehicle motor:

(i) Propellant type and ingredients. Start Printed Page 64019

(ii) Values of thrust.

(iii) Propellant weight and total motor weight versus time.

(iv) A description of each nozzle and steering mechanism.

(v) For solid rocket motors, internal pressure and average propellant thickness, or borehole radius, as a function of time.

(vi) Maximum impact point deviations as a function of failure time during destruct system delays. Burn rate as a function of ambient pressure.

(vii) A discussion of whether a commanded destruct could ignite a non-thrusting motor, and if so, under what conditions.

(8) A launch vehicle's launch and failure history, including a summary of past vehicle performance. For a new vehicle with little or no flight history, a launch operator shall provide summaries of similar vehicles. The data shall include the launches that have occurred; launch date, location, and direction; the number that performed normally; behavior and impact location of each abnormal experience; the time, altitude, and nature of each malfunction; and descriptions of corrective actions taken, including changes in vehicle design, flight termination, and guidance and control hardware and software.

(9) A discussion of the analysis performed for any populations outside the flight control lines in accordance with paragraph (b)(11) of this section.

(10) The value of EC for each populated area evaluated.

Toxic release hazard analysis.

For each launch, a launch operator shall perform a toxic release hazard analysis to determine any potential public hazards from any toxic release that will occur during the proposed flight of a launch vehicle or that would occur in the event of a flight mishap. A launch operator shall perform a toxic release hazard analysis using the methodologies contained in appendix I of this part. A launch operator shall use the results of the toxic release hazard analysis to establish for each launch, in accordance with § 417.113(b), flight commit criteria that protect the public from a casualty caused by any potential toxic release. The public includes any members of the public on land and any waterborne vessels and aircraft that are not operated in direct support of the launch.

Distant focus overpressure explosion hazard analysis.

(a) General. A launch operator shall perform a distant focus overpressure blast effects hazard analysis to demonstrate that the potential public hazard resulting from impacting explosive debris will not cause windows to break with related injuries. A launch operator shall evaluate potential distant focus overpressure blast effects hazards in accordance with the requirements of this section, which require a launch operator to employ either the deterministic analysis requirements of paragraph (b) of this section or the probabilistic analysis requirements of paragraph (c) of this section.

(b) Deterministic distant focus overpressure hazard analysis. Except as permitted by paragraph (c) of this section, a launch operator shall perform a deterministic distant focus overpressure hazard analysis in accordance with the following:

(1) Explosive yield factors. A launch operator's distant focus overpressure hazard analysis must identify the explosive yield factor curves for each type or class of solid or liquid propellant used by the launch vehicle. For a launch vehicle that uses class 1.3 solid propellant HTPB or PBAN, a launch operator shall perform a distant focus overpressure hazard analysis using the explosive yield factor curves provided in figures 417.231-1 and 417.231-2 unless the launch operator demonstrates, clearly and convincingly, through the licensing process that other explosive yield factor curves apply to the launch and provide for an equivalent level of safety.

(2) Determine the maximum credible explosive yield. A launch operator shall determine the maximum credible explosive yield resulting from the impact of explosive debris resulting from potential launch vehicle failures and flight termination as determined by the debris analysis of § 417.209. The explosive yield shall be determined as a function of impact mass and velocity of impact on the Earth's surface. A launch operator shall determine the explosive yield, expressed as a TNT equivalent, using the explosive yield factor curves determined in accordance with paragraph (b)(1) of this section. This shall be accomplished for impacts of HTPB or PBAN in accordance with the following:

(i) Impacts of intact motors or motor segments on soil. For an intact impact of a HTPB or PBAN solid propellant motor or motor segment, a launch operator shall use the explosive yield factor curves in figure 417.231-1 to determine the explosive yield, expressed as a TNT equivalent. For impact speeds of less than 100 feet per second, the launch operator shall assume the results to be zero. For impact speeds exceeding 800 feet per second, the launch operator shall use the results produced by a speed of 800 feet per second. For a motor or motor segment with a diameter smaller than 40 inches, the launch operator shall use the yield factor for a diameter of 40 inches. For a motor or motor segment with a diameter larger than 146 inches, the launch operator shall use the yield factor for a diameter of 146 inches. For a motor or motor segment with a diameter between 40 and 146 inches, not otherwise specifically represented in Figure 417.231-1, the launch operator shall obtain the yield factor by linear interpolation between the curves represented in Figure 417.231-1.

(ii) Impacts of propellant on soil. For an impact of a HTPB or PBAN solid propellant chunk, a launch operator shall use the explosive yield factor curves in figure 417.231-2 to determine the explosive yield, expressed as a TNT equivalent. For impact speeds less than 100 feet per second, the launch operator shall assume the results to be zero. For impact speeds exceeding 800 feet per second, the launch operator shall use the results produced by a speed of 800 feet per second. For a propellant chunk smaller that 300 pounds, the launch operator shall use the yield factor of a 300-pound propellant chunk. For propellant chunk larger than 60,000 pounds, the launch operator shall use the yield factor of a 60,000-pound propellant chunk. For a propellant chunk between 300 and 60,000 pounds, not otherwise specifically represented in figure 417.231-2, the launch operator shall obtain the yield factor by linear interpolation between the curves represented in figure 417.231-2.

Start Printed Page 64020

(3) Characterize the population exposed to the hazard. A launch operator shall determine if any population centers are vulnerable to a distant focus overpressure hazard using the methodology provided by section 6.3.2.4 of the American National Standard Institute's ANSI S2.20-1983, “Estimating Air Blast Characteristics for Single Point Explosions in Air with a Guide to Evaluation of Atmospheric Propagation and Effects.” The launch operator shall perform these calculations in accordance with the following:

(i) For the purposes of this analysis, a population center is defined as any area outside the launch site and not Start Printed Page 64021under the launch operator's control that contains an exposed site. An exposed site is any structure that may be occupied by human beings, and that has at least one window, excluding automobiles, airplanes, and waterborne vessels. A “single residence,” as used in section 6.3.2.4 of ANSI S2.20-1983 shall be treated as an exposed site. A launch operator shall use the most recent census information on each population center evaluated.

(ii) A launch operator shall determine the distance from the maximum credible impact explosion site to each population center potentially exposed. Unless the launch operator demonstrates, through the licensing process, that the potential explosion site is positively limited to a defined region, the distance between the potential explosion site and a population center must be the minimum distance between any point within the region contained by the flight control lines and the nearest exposed site within the population center.

(iii) A launch operator shall assume that weather conditions are optimized for a distant focus overpressure hazard and use an atmospheric blast focus factor (F) of 5 as defined by ANSI S2.20-1983.

(iv) For the purposes of this analysis, a population center shall be deemed vulnerable to the distant focus overpressure hazard if the “no damage yield limit,” calculated for the population center using the methodology in section 6.3.2.4 of ANSI S2.20-1983, is less than the maximum credible explosive yield. If there are no exposed sites that have a “no damage yield limit” that is less than the maximum credible explosive yield, the launch is exempt from any further requirements in this section.

(4) Estimate the quantity of broken windows. A launch operator shall use a focus factor of 5 and the methods provided by ANSI S2.20-1983 to estimate the number of potential broken windows within each population center determined to be vulnerable to the distant focus overpressure hazard in accordance with paragraph (b)(3) of this section.

(5) Determine and implement measures necessary to prevent distant focus overpressure from breaking windows. For each population center deemed vulnerable to a distant focus overpressure hazard, a launch operator shall determine and implement mitigation measures to protect the public from serious injury from broken windows. This may be accomplished by using one or more of the following measures:

(i) Apply 4-millimeter thick anti-shatter film to windows at all exposed sites.

(ii) Evacuate the exposed public to a location that is not vulnerable to the distant focus overpressure hazard at least two hours prior to the planned flight time.

(iii) If less than 20 windows are predicted to break, as determined in accordance with paragraph (b)(4) of this section, advise the public of the potential for glass breakage.

(iv) Measure the speed of sound as a function of altitude for the time of flight and conduct launches only when an inversion in the sonic velocity profile does not exist within ±30 degrees azimuth toward any population center vulnerable to a distant focus overpressure hazard, accounting for uncertainty in the meteorological conditions present during flight. For a launch operator to use this approach as a mitigation measure, a launch operator shall demonstrate that no window breakage is predicted in any population center due to a maximum credible yield explosion using the analysis methods in section 6.3.2.4.1 of ANSI S2.20-1983. A launch operator may also refine its analysis by performing acoustic ray path calculations to determine the actual focusing region and the focusing factor (F) that apply to a launch as described in section 5.1.3 of ANSI S2.20-1983 using the referenced computer methods.

(c) Probabilistic distance focusing overpressure analysis. When mitigation measures cannot be used a launch operator may apply statistical risk management to control the distant focus overpressure hazard. When proposing to follow this approach, a launch operator shall demonstrate through a distant focus overpressure risk analysis that the launch will be conducted in accordance with the public risk criteria contained in § 417.107(b). The FAA will evaluate any distant focus overpressure risk analysis on a case-by-case basis.

(d) Distant focus over pressure blast effect products. The products of a launch operator's distant focus overpressure analysis to be submitted in accordance with § 417.203(c) must include the following:

(1) A launch operator shall submit a description of the methodology used to produce the distant focus overpressure analysis results, a tabular description of the analysis input data, and a description of any distant focus overpressure mitigation measures implemented. If the launch operator elects to measure the speed of sound as a function of altitude and conduct launches only when a focusing condition toward populated areas does not exist, the launch operator shall submit a description of the method for evaluating weather parameters to determine the existence of conditions that will permit the launch operator to comply with the distant focus overpressure requirements of this section.

(2) A launch operator shall submit one example set of any distant focus overpressure risk analysis computations.

(3) A launch operator shall submit the values for the maximum credible explosive yield as a function of time of flight.

(4) A launch operator shall identify the distance between the potential explosion site and any population center vulnerable to the distant focus overpressure hazard. For each population center, the launch operator shall identify the exposed populations by location and number of people.

(5) A launch operator shall describe any mitigation measures established to protect the public from distant focus overpressure hazards and any flight commit criteria established to ensure the mitigation measures are enforced.

Conjunction on launch assessment.

(a) General. A licensee shall obtain a conjunction on launch assessment performed by United States Space Command. A licensee shall implement any launch waits in a planned launch window identified by the conjunction on launch assessment during which flight must not be initiated, in order to maintain a 200-kilometer separation from any inhabitable orbiting object in accordance with § 417.107. A licensee may request a conjunction on launch assessment be performed for other orbital objects to meet mission needs or to accommodate other satellite owners or operators.

(b) Conjunction on launch assessment analysis constraints. A launch operator shall satisfy the following when obtaining and implementing the results of a conjunction on launch assessment:

(1) A licensee shall provide United States Space Command with the launch window and trajectory data needed to perform a conjunction on launch assessment for a launch as required by paragraph (c) of this section, at least 15 days before the first attempt at flight. The FAA will identify a licensee to United States Space Command as part of issuing a license and provide a licensee with current United States Space Command contact information.

(2) A licensee shall obtain a conjunction on launch assessment performed by United States Space Start Printed Page 64022Command 6 hours before the beginning of a launch window.

(3) A conjunction on launch assessment is valid for 12 hours from the time that the state vectors of the inhabitable orbiting objects were determined. If an updated conjunction on launch assessment is needed due to a launch delay, a licensee shall submit the request at least 12 hours prior to the next launch attempt.

(4) For every 90 minutes, or portion of 90 minutes, that pass between the time United States Space Command last determined the state vectors of the orbiting objects, a licensee shall expand each launch window wait by subtracting 15 seconds from the start of the launch window wait and adding 15 seconds to the end of the launch window wait. A launch operator shall incorporate the resulting launch window waits into its flight commit criteria established in accordance with § 417.113.

(c) Information required. A launch operator shall prepare a conjunction on launch assessment worksheet for each launch using a standardized format that contains the input data required by this paragraph. An example conjunction on launch assessment worksheet is provided in figure 417.233-1. A launch operator licensee shall submit the input data to United States Space Command for the purposes of completing a conjunction on launch assessment. A launch operator license applicant shall submit the input data to the FAA as part of the license application process according to § 415.115 of this chapter.

(1) Launch information. A launch operator shall submit the following launch information:

(i) Mission name. A mnemonic given to the launch vehicle/payload combination identifying the launch mission from all others.

(ii) Segment number. A segment is defined as a launch vehicle stage or payload after the thrusting portion of its flight has ended. This includes the jettison or deployment of any stage or payload. A separate worksheet is required for each segment. For each segment, a launch operator shall determine the “vector at injection” as defined by paragraph (c)(5) of this section. Each segment number shall be provided as a sequence number relative to the total number of segments for a launch, such as “1 of 5.”

(iii) Launch window. The launch window opening and closing times in Greenwich Mean Time (referred to as ZULU time on the sample form) and the Julian dates for each scheduled launch attempt.

(2) Point of contact. The person or office within a licensee's organization that collects, analyzes, and distributes conjunction on launch assessment results.

(3) Conjunction on launch assessment analysis results transmission medium. A launch operator shall identify the transmission medium, such as voice, FAX, or e-mail, for receiving results from United States Space Command.

(4) Requestor launch operator needs. A launch operator shall indicate which of the following analysis output formats it requires for establishing flight commit criteria for a launch:

(i) Waits. The times within the overall launch window during which flight must not be initiated.

(ii) Windows. The times within an overall launch window during which flight may be initiated.

(5) Vector at injection. A launch operator shall identify the vector at injection for each segment. The term “vector at injection” is used to identify the position and velocity vectors after the thrust for a segment has ended. The term was originally used to refer to a segment upon orbital injection, but in practice is used to describe any segment of a launch, whether orbital or suborbital.

(i) Epoch. The epoch time, in Greenwich Mean Time (GMT), of the expected launch vehicle liftoff time.

(ii) Position and velocity. The position coordinates in the EFG coordinate system in kilometers and the velocity coordinates in the coordinate system in kilometers per second, of each launch vehicle stage or payload after any burnout, jettison, or deployment.

(6) Time of powered flight. The elapsed time in seconds, from liftoff, for the launch vehicle to arrive at the vector at injection. For each stage or component jettisoned, the time of powered flight shall be measured from liftoff.

(7) Time span for launch window file (LWF). A launch operator shall provide the following information regarding its launch window:

(i) Launch window. The launch window measured in minutes from the initial proposed liftoff time.

(ii) Time of powered flight. The time given in paragraph (c)(6) of this section measured in minutes rounded up to the nearest integer minute.

(iii) Screen duration. The time duration, after all thrusting periods of flight have ended, that a conjunction on launch assessment must screen for potential conjunctions with orbital objects. Screen duration is measured in minutes and must be greater than or equal to 100 minutes for an orbital launch.

(iv) Extra pad. An additional period of time for conjunction on launch assessment screening to ensure the entire first orbit is evaluated. This time shall be 10 minutes unless otherwise specified by United States Space Command.

(v) Total. The summation total of the time spans provided in paragraphs (c)(7)(i) through (c)(7)(iv) of this section expressed in minutes.

(8) Screening. A launch operator shall select spherical or ellipsoidal screening as defined in this paragraph for determining any conjunction. The default shall be the spherical screening method using an avoidance radius of 200 kilometers for habitable orbiting objects. If the launch operator requests screening for any uninhabitable objects, the default shall be the spherical screening method using a miss-distance of 25 kilometers.

(i) Spherical screening. Spherical screening utilizes an impact exclusion sphere centered on each orbiting object's center-of-mass to determine any conjunction. A launch operator shall specify the avoidance radius for habitable objects and for any uninhabitable objects if the launch operator elects to perform the analysis for uninhabitable objects.

(ii) Ellipsoidal screening. Ellipsoidal screening utilizes an impact exclusion ellipsoid of revolution centered on the orbiting object's center-of-mass to determine any conjunction. A launch operator shall provide input in the UVW coordinate system in kilometers. The launch operator shall provide delta-U measured in the radial-track direction, delta-V measured in the in-track direction, and delta-W measured in the cross-track direction.

(9) Orbiting objects to evaluate. A launch operator shall identify the orbiting objects to be included in the analysis.

(10) Deliverable schedule/need dates. A launch operator shall identify the times before flight, “L-times,” that the conjunction on launch assessment is needed.

(d) Conjunction on launch assessment products. A launch operator must submit its conjunction on launch assessment products according to § 417.203(c) and must include the input data required by paragraph (c) of this section. A launch operator licensee shall incorporate the result of the conjunction on launch assessment into its flight commit criteria established in accordance with § 417.113.

Start Printed Page 64023

Analysis for launch of an unguided suborbital rocket flown with a wind weighting safety system.

(a) General. The requirements of this section apply to the launch of an unguided suborbital rocket. A launch operator shall perform a flight safety analysis to determine the launch parameters and conditions under which an unguided suborbital rocket may be flown using a wind weighting safety system. The results of this analysis must demonstrate that any adverse effects resulting from flight will be contained within controlled operational areas and any flight hardware or payload impacts will occur within planned impact areas. The flight safety analysis must Start Printed Page 64024demonstrate compliance with the safety criteria and operational requirements of § 417.125 and must include the other analyses required by this section. The flight safety analysis must be conducted in accordance with appendixes B and C of this part.

(b) Trajectory analysis. A launch operator shall perform a trajectory analysis to determine an unguided suborbital rocket's nominal trajectory and three-sigma dispersed trajectories using the methods provided in appendix C of this part.

(c) Hazard area analysis. A launch operator shall perform a hazard area analysis to determine the land, sea, and air areas that must be monitored, controlled, or evacuated in order to protect the public from the adverse effects of planned unguided suborbital rocket flight events. A flight hazard area, impact hazard area, ship hazard area, and aircraft hazard area must be determined using the methods required by appendix C.

(d) Debris risk analysis. A launch operator shall perform a risk analysis to determine public risk for the expected average number of casualties (EC) due to potential inert and explosive debris impacts resulting from planned or unplanned events occurring during the flight of an unguided suborbital rocket. The analysis shall account for the risk to all populations on land. A debris risk analysis must account for unguided suborbital rocket failure probability, flight dwell times over populated or other protected land areas, five-sigma lateral trajectory dispersion for a normal unguided suborbital rocket, effective casualty area of impacting debris, and population densities. The results of a launch operator's debris risk analysis must demonstrate that the launch will be conducted in accordance with the public risk criteria contained in § 417.107(b). A launch operator shall perform a debris risk analysis for the launch of an unguided suborbital rocket in accordance with § 417.227 and using the methodology provided in appendix B of this part.

(e) Wind weighting analysis. A launch operator shall perform a wind weighting analysis to determine launcher azimuth and elevation settings that correct for the windcocking and wind-drift effects on an unguided suborbital rocket due to wind forces. A launch operator shall perform a wind weighting analysis using the method provided in appendix C of this part and in accordance with the following:

(1) A wind weighting analysis must ensure that three-sigma of all wind weighted stage or other component impacts are contained within a three-sigma performance impact dispersion ellipse about the nominal no-wind impact point, assuming a normal bivariate Gaussian distribution. When determining stage (or impacting body) wind weighted impact points, a launch operator shall account for three standard deviation variations in ballistic performance error parameters, including wind measurement errors and errors in modeled response to wind forces.

(2) A launch operator shall perform an initial wind weighting analysis prior to flight to predict the effects of forecasted or statistical winds on impact point displacement during thrusting phases of flight as well as ballistic free-fall of each unguided suborbital rocket stage until impact.

(3) A launch operator shall perform a final wind weighting analysis as part of the launch-day countdown process with actual measured wind data.

(4) A launch operator shall use the results of a wind weighting analysis and the wind conditions for which the analysis is valid as the basis for flight commit criteria developed in accordance with § 417.113.

(f) Conjunction on launch assessment. A launch operator shall ensure that a conjunction on launch assessment is performed for the flight of an unguided suborbital rocket in accordance with § 417.233.

(g) Products. The products of a launch operator's flight safety analysis for launch of an unguided suborbital rocket to be submitted in accordance with § 417.203(c) must include the trajectory analysis products, hazard area analysis products, and wind weighting analysis products required by appendix C of this part. A launch operator shall also submit debris risk analysis products in accordance with § 417.227 and conjunction on launch assessment products in accordance with § 417.233.

Subpart D—Flight Safety System

General.

(a) A launch operator shall use a flight safety system that provides a means of preventing a launch vehicle and its hazards, including any payload hazards, from reaching the public in the event of a launch vehicle failure during flight. Requirements that define when a launch operator must employ a flight safety system are provided in § 417.107(a).

(b) A flight safety system must consist of a flight termination system, a command control system, and the support systems defined in this subpart, including all associated hardware and software unless the requirements of § 417.107(a)(3) apply. A flight safety system also includes the functions of any personnel who operate flight safety system hardware and software. A launch operator shall satisfy each requirement of this subpart, including all requirements contained in referenced appendices, by meeting the requirements or by using an alternate method approved by the FAA through the licensing process. If a flight safety system does not satisfy all the requirements of this subpart, the requirements of § 417.107(a)(3) apply. The FAA will approve an alternate method if a launch operator provides a clear and convincing demonstration that its proposed method provides an equivalent level of safety to that required by this subpart. A launch operator shall obtain FAA approval of any proposed alternate method before its license application or application for license modification will be found sufficiently complete to initiate review pursuant to § 413.11 of this chapter.

(c) A launch operator's test program, required by § 417.115, must demonstrate the ability of a flight safety system to meet the design margins and reliability requirements of this subpart and the ability of the flight safety system to function without degradation in performance when subjected to non-operating and operating environments. The test program must satisfy the requirements of § 417.115 and include tests of the flight termination system and command control system as required by § § 417.315, 417.317 and 417.325. The test program must include tests of the support systems required by § 417.327 and the equipment and instrumentation associated with the flight safety system, including real-time computers, display systems, consoles, telemetry, command control, tracking systems, and video systems. The cause of any test failure must be determined, corrective actions implemented, and additional testing performed to demonstrate that the test criteria are satisfied before flight.

(d) Any change to a licensee's flight safety system design or flight safety system test program that was not coordinated during the licensing process must be submitted to the FAA for approval as a license modification prior to flight.

(e) Prior to the flight of each launch vehicle, a licensee shall confirm to the FAA in writing that its flight safety system is as described in its license application, including all applicable application amendments and license modifications, and complies with all terms of the license and the requirements of this part. Start Printed Page 64025

(f) Upon review of a proposed launch, the FAA may identify and impose additional requirements needed to address unique issues presented by a flight safety system, including its design, operational environments, and testing.

Launch vehicle flight termination system functional requirements.

(a) A launch operator shall use a flight termination system as part of a flight safety system. A flight termination system consists of all hardware and software onboard a launch vehicle needed to accomplish all flight termination functions in accordance with this section.

(b) Once initiated, a flight termination system must render each stage and any other propulsion system, including any propulsion system that is part of a payload that has the capability of reaching a populated or other protected area, non-propulsive, without significant lateral or longitudinal deviation in the impact point. A flight termination system must terminate flight in each thrusting stage and propulsion system. Any stage or propulsion system not thrusting at the time the flight termination system is initiated must be rendered incapable of becoming propulsive.

(c) The flight termination of one stage must not sever interconnecting flight termination system circuitry or ordnance of another stage until the flight termination of the other stage has been initiated.

(d) A flight termination system must destroy the pressure integrity of all solid propellant stages and strap-on motors. A flight termination system must terminate all thrust, or any residual thrust must cause a solid propellant stage or strap-on motor to tumble without significant lateral or longitudinal deviation in the impact point.

(e) A flight termination system must cause dispersion of any liquid propellant, whether by rupturing the propellant tank or other equivalent method, and initiate burning of any toxic liquid propellant.

(f) A flight termination system must not detonate any solid or liquid propellant.

(g) A flight termination system must include a command destruct system that is initiated by radio command and implemented in accordance with § 417.309. The FAA will approve another method, such as an autonomous flight termination system, if a launch operator provides a clear and convincing demonstration, through the licensing process, that its proposed method provides an equivalent level of safety.

(h) A flight termination system must provide for flight termination of any inadvertently or prematurely separated stage or strap-on motor capable of reaching a populated or other protected area before orbital insertion. Each stage or strap-on motor that does not possess its own complete command destruct system in accordance with § 417.309 must be equipped with an inadvertent separation destruct system that complies with the requirements of § 417.311.

Flight termination system reliability.

(a) Reliability design. A flight termination system must have a reliability design of 0.999 at a confidence level of 95 percent. A launch operator shall conduct system reliability analyses according to § 417.329 to demonstrate whether a flight termination system has the required reliability design.

(b) Single fault tolerant. A flight termination system, including monitoring and checkout circuits, must not have a single failure point that would inhibit functioning of the system or produce an inadvertent output. Exceptions to this requirement apply to certain components that are identified in this subpart and that meet the design and test requirements in appendixes D and E of this part.

(c) Redundancy. A flight termination system must utilize redundant component strings in accordance with the following:

(1) Redundant components shall be structurally, electrically, and mechanically separated and mounted in different orientations on different axes.

(2) A flight termination system need not use redundant linear shaped charges, if, when employing a single linear shaped charge, the charge initiates at both ends, and the initiation source for one end is independent of the initiation source used for the other end.

(3) Passive components such as antennas and radio frequency couplers are not required to be physically redundant if they satisfy the requirements of appendix D of this part.

(d) System independence. A flight termination system must not share any power sources, cabling, or any other component with any other launch vehicle system. With the exception of any telemetry monitor signal and any engine shut-down output signal, a flight termination system must operate independently of all other vehicle systems.

(e) Components and parts. A licensee is responsible for the overall design of a flight termination system and shall ensure that all flight termination system components satisfy the requirements of appendix D of this part and all electronic piece parts used in a flight termination system component satisfy the requirements of appendix F of this part. A launch operator shall ensure that each flight termination system component and electronic piece part has written performance specifications that contain the particulars of how the component or piece part satisfies the requirements of appendixes D and F as related to the specific design of the flight termination system that contains the component or piece part.

(f) Testability. The design of a flight termination system and associated ground support and monitoring equipment shall provide for preflight testing performed in accordance with § 417.317.

(g) Software and firmware. A launch operator shall ensure that each software safety critical function associated with a flight termination system is identified, and that all associated computing systems, software, or firmware is designed, compiled, analyzed, tested, and implemented in accordance with § 417.123 and appendix H of this part. The requirements of appendix H also apply to any computing system, software, or firmware that must operate properly to ensure that the flight safety official has the accurate vehicle performance data needed to make a flight termination decision.

(h) Component storage, operating, and service life. All flight termination system components must have a specified storage life, operating life, and service life. Service life is the total time that a component spends in storage and after installation on the launch vehicle through the end of flight. The storage or service life of a component must start upon completion of the component's acceptance testing. Operating life must start upon activation of the component or installation of the component on a launch vehicle, whichever is earlier. A flight termination system component must function without degradation in performance when subjected to the full length of its specified storage life, operating life, and service life. A launch operator shall ensure that each component used in a flight termination system does not exceed its storage, operating, or service life before flight. A launch operator shall ensure that age surveillance testing, in accordance with appendix E of this part, is performed to verify or extend a component's storage, operating, or service life.

Start Printed Page 64026
Flight termination system environment survivability.

(a) General. The design of a flight termination system and its components, including all mounting hardware, cables and wires, must provide for the system and each component to function without degradation in performance when subjected to dynamic environment levels greater than those that it will experience during environmental stress screening tests, ground transportation, storage, launch processing, system checkout, and flight up to the point that the launch vehicle could no longer impact any populated or other protected area, or when subjected to dynamic environment levels greater than those that would cause structural breakup of the launch vehicle.

(b) Maximum predicted environments. A launch operator shall determine, based on analysis, modeling, testing, or flight data, all maximum predicted environments for the non-operating and operating environments that a flight termination system is to experience. The non-operating and operating environments must include, but need not be limited to, thermal range, vibration, shock, acceleration, acoustic, and other environments where applicable to a launch, such as humidity, salt fog, dust, fungus, explosive atmosphere, and electromagnetic energy. The specific environments that apply to the design of flight termination system components are identified in appendix D of this part. A launch operator shall determine each maximum predicted environment in accordance with the following:

(1) If there are fewer than three samples of flight data, a launch operator shall add no less than a 3 dB margin for vibration, 4.5 dB for shock, and plus and minus 11°C for thermal range to each maximum predicted environment identified through analysis.

(2) For a new launch vehicle or for a launch vehicle for which there is no empirical data available or empirical data for fewer than three flights, a launch operator shall monitor launch vehicle flight environments with telemetry to verify each maximum predicted environment. A launch operator shall ensure that each maximum predicted environment for any future launch is adjusted to reflect the flight data obtained through monitoring. A launch operator's post-launch report, submitted in accordance with § 417.117(h), must contain the results of any flight environment monitoring performed to verify the maximum predicted environments.

(3) A launch operator shall monitor each transportation, storage, launch processing, and system checkout environment, and adjust the associated maximum predicted environments to reflect the true environments.

(4) The launch operator shall notify the FAA of any change to any maximum predicted environment.

Command destruct system.

(a) A flight termination system must include a command destruct system that is initiated by radio command and meets the redundancy and other component requirements provided in appendix D of this part. Redundant radio command receiver decoders must be installed on or above the last propulsive launch vehicle stage or payload capable of reaching a populated or other protected area before orbital insertion.

(b) The initiation of a command destruct system must result in accomplishing all flight termination system functions in accordance with § 417.303.

(c) A command destruct system must operate with a radio frequency input signal that has an electromagnetic field intensity of 12 dB below the intensity provided by a command control system transmitter over 95 percent of the radiation sphere surrounding a launch vehicle at any point along the launch vehicle's trajectory.

(d) The design of a command destruct system must provide for the command destruct system to survive the breakup of the launch vehicle to the point that all flight termination functions would be accomplished in accordance with § 417.303. Otherwise, the stage containing the command destruct system must also include an inadvertent separation destruct system implemented in accordance with § 417.311. A launch operator shall perform a breakup analysis in accordance with § 417.329 to demonstrate the survivability of a command destruct system.

(e) A command destruct system must receive and process a valid arm command before accepting a destruct command and destroying the launch vehicle. For any liquid propellant, a command destruct system must non-destructively shut down any thrusting liquid engine as a prerequisite for destroying the launch vehicle.

Inadvertent separation destruct system.

(a) Each stage or strap-on motor capable of reaching a populated or other protected area before orbital insertion, and which does not possess its own complete command destruct system, including command destruct receivers and associated radio frequency hardware, must be equipped with an inadvertent separation destruct system. An inadvertent separation destruct system is an automatic destruct system that uses mechanical means to trigger the destruction of a stage. If a command destruct system on a stage does not satisfy the requirement of § 417.309(d) that the command destruct system survive breakup of the launch vehicle, a launch operator must also use an inadvertent separation destruct system on that stage.

(b) The initiation of an inadvertent separation destruct system must result in accomplishing all flight termination system functions required by § 417.303 and that apply to the stage or strap-on motor on which it is installed.

(c) An inadvertent separation destruct system must be activated by a device that senses launch vehicle breakup or premature separation of the stage or strap-on motor on which it is located.

(d) An inadvertent separation destruct system must be located to survive during launch vehicle breakup and to ensure its own activation. A launch operator shall perform a flight termination system survivability analysis that accounts for breakup of the launch vehicle and the timing of planned launch vehicle staging events. The analysis shall be used to determine the method of activation and location of an inadvertent separation destruct system that will ensure its survivability and activation during breakup of the launch vehicle.

(e) An electrically initiated inadvertent separation destruct system must have a dedicated power source that supplies the energy to initiate the destruct ordnance.

Flight termination system safing and arming.

(a) General. The design of a flight termination system must provide for safing and arming of all flight termination system ordnance through the use of ordnance initiation devices or arming devices, also referred to as safe and arm devices, that provide a removable and replaceable mechanical barrier or other positive means of interrupting power to each of the ordnance firing circuits to prevent inadvertent initiation of ordnance.

(b) Flight termination system arming. The design of a flight termination system must provide for each flight termination system ordnance initiation device or arming device to be armed prior to arming any launch vehicle or payload propulsion ignition circuits. For a launch where propulsive ignition Start Printed Page 64027occurs after first motion of the launch vehicle, the design of a flight termination system must provide an ignition interlock that prevents the arming of any launch vehicle or payload propulsion ignition circuits unless all flight termination system ordnance initiation devices and arming devices are armed.

(c) Preflight safing. The design of a flight termination system must provide for remote and redundant safing of all flight termination system ordnance initiation devices and arming devices before launch and in case of launch abort or recycle operations.

(d) In-flight safing. If flight termination system ordnance is to be safed after a stage or strap-on motor is spent, attains orbit, or can no longer reach any populated or other protected area, the flight termination system safing design must provide for the following:

(1) Any onboard launch vehicle hardware or software used to automatically safe flight termination system ordnance must be single fault tolerant against inadvertent safing. An automatic safing design must satisfy the following:

(i) Any automatic safing must depend on at least two independent parameters, such as time of flight or altitude. The safing criteria for each independent parameter must ensure that the flight termination system on a stage or strap-on-motor can only be safed once the stage or strap-on motor attains orbit or can no longer reach a populated or other protected area.

(ii) An automatic safing design must ensure that all flight termination system ordnance initiation devices and arming devices remain armed during flight until the safing criteria for at least two